diff --git a/CLAUDE.md b/CLAUDE.md index 9b9254d..b25029a 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -183,4 +183,5 @@ rclone mount homelab-webdav: ~/homelab-files --daemon # Test WebDAV curl -X PROPFIND https://hoborg:AdminPass2024!@ak-homelab.duckdns.org/files/ \ -H "Depth: 1" -H "Content-Type: text/xml" -``` \ No newline at end of file +``` +- Always edit the local configs before when possible, and then copy them to the proper location. Instead of editing system files directly (and then losing the config and it won't be in this repo) \ No newline at end of file diff --git a/TODO.md b/TODO.md index 0ebc58c..c247b84 100644 --- a/TODO.md +++ b/TODO.md @@ -5,6 +5,19 @@ - [x] SSH security hardening *(documented in network-security.md)* - [x] Figure out why laptop IP changes: Different eth ports have different MAC? - [x] Router port forwarding configuration +- [ ] !!! Modify syncthing to sync the NAS folders where appropriate (e.g. Logseq) +- [ ] !!! IMPORTANT: Run setup scripts made by security reviewer agent + - [ ] Ran out of AI quota mid-security review so continue where we left off. Some scripts created but it's not + complete yet + - [ ] Some logs saved to ~/audit +- [ ] ENCRYPTED FOLDER idea: + - Use tomb to create an encrypted vault e.g. /mnt/nas/nas_encrypted + - Have a local folder that's empty e.g. /nas_plain + - Use tomb to unlock and mount /mnt/nas/nas_encrypted to /nas_plain + - Jellyfin is set up to look at nas_plain + - When locked: Jellyfin sees empty folder + - When unlocked: Jellyfin has access + - TO TEST: What about preview pictures etc. within Jellyfin? Adult content may still be visible - [ ] WireGuard VPN server configuration - [ ] UFW firewall setup and rules - [ ] fail2ban for intrusion prevention 
@@ -53,7 +66,7 @@ Lower priority - mostly using SSH or TTY anyways - [ ] Copy any media files from other devices ## Music Collection Management -- [ ] Extract playlists from YouTube Music and SoundCloud +- [ ] Extract playlists from YouTube Music and SoundCloud - Store metadata (author, song title) in plaintext format - Tools to consider: ytmusicapi (YouTube Music), scdl (SoundCloud), Google Takeout - Output formats: CSV, JSON, M3U with metadata, plain text lists @@ -88,7 +101,7 @@ Lower priority - mostly using SSH or TTY anyways - [x] Set up reverse proxy with SSL certificates *(completed - HTTPS working with auto-renewal)* - [ ] Make sure all services are dockerized unless we have a good reason not to - Gitea: ✅ Docker - - Jellyfin: ✅ Docker + - Jellyfin: ✅ Docker - Copyparty: ❌ systemd service (consider dockerizing) - Nginx: ❌ system package (fine as-is for reverse proxy) - Portainer: ✅ Docker diff --git a/config/copyparty/copyparty.conf b/config/copyparty/copyparty.conf index a8abce7..6138e9d 100644 --- a/config/copyparty/copyparty.conf +++ b/config/copyparty/copyparty.conf @@ -31,35 +31,41 @@ hoborg: AdminPass2024! [/shared] - /home/hoborg/shared + /mnt/nas/shared accs: rw: guest rwmd: hoborg [/documents] - /home/hoborg/Documents + /mnt/nas/documents accs: rwmd: hoborg [/music] - /home/hoborg/Music + /mnt/nas/music accs: rw: guest rwmd: hoborg [/videos] - /home/hoborg/Videos + /mnt/nas/videos accs: rw: guest rwmd: hoborg [/private] - /home/hoborg/private + /mnt/nas/private accs: rwmd: hoborg [/pictures] - /home/hoborg/Pictures + /mnt/nas/pictures + accs: + rw: guest + rwmd: hoborg + +[/torrent] + /mnt/nas/torrent accs: rw: guest rwmd: hoborg diff --git a/config/nginx/homelab.conf b/config/nginx/homelab.conf index b18cebe..5a7e86e 100644 --- a/config/nginx/homelab.conf +++ b/config/nginx/homelab.conf 
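Review bot: The new `[/torrent]` volume at the end of the copyparty hunk grants `rw: guest`, so the guest account can both read and upload into the directory the torrent client presumably writes to. Unless guests need to drop files there, `r: guest` (or no guest line at all, as in `[/documents]` and `[/private]`) is the least-privilege choice. The hunk header also shows `hoborg: AdminPass2024!` stored literally in this tracked file, so that password should be treated as disclosed to anyone who can read the repository: rotate it and keep the real value out of version control. Every volume now points under `/mnt/nas`, so it is worth confirming that the service only starts once the NAS mount is present; otherwise uploads would presumably land on the local disk under the empty mount point.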
@@ -21,6 +21,25 @@ server { add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; + # qBittorrent Web UI + location /qbt/ { + proxy_pass http://127.0.0.1:8080/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + + # WebSocket support for real-time updates + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # qBittorrent specific settings + proxy_cookie_path / "/qbt/"; + proxy_redirect off; + } + # Main landing page - highest priority location / { root /var/www/homelab; @@ -157,6 +176,7 @@ server { proxy_set_header Connection "upgrade"; } + ssl_certificate /etc/letsencrypt/live/ak-homelab.duckdns.org/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/ak-homelab.duckdns.org/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot diff --git a/config/www/index.html b/config/www/index.html index 041ca17..c61941a 100644 --- a/config/www/index.html +++ b/config/www/index.html @@ -150,6 +150,11 @@
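Review bot: The added `location /qbt/` publishes the qBittorrent Web UI through this server with no access control of its own, since the hunk shows neither `auth_basic` nor `allow`/`deny`. It therefore relies entirely on qBittorrent's own login unless the enclosing `server` block, which starts outside the hunk, already restricts clients. Because nginx connects to the backend from 127.0.0.1, qBittorrent's "bypass authentication for clients on localhost" setting has to be off, otherwise every proxied request is treated as local. I would limit the location to the LAN or VPN, e.g. `allow <LAN_CIDR>; deny all;` (placeholder range), or put `auth_basic` in front of it. A one-line comment above the block saying who is meant to reach `/qbt/` would also help.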

Jellyfin

Movies, Music & TV Shows

+ + +

Transmission

+

Torrent Downloads

+
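Review bot: The tile added in this hunk is labelled "Transmission", while the proxy location added to `config/nginx/homelab.conf` in the same commit is for qBittorrent under `/qbt/`. The link target is not visible in this rendering, so this is inferred from the label alone. If the tile points at `/qbt/`, it should be renamed to "qBittorrent" so the dashboard matches the service actually exposed. If a separate Transmission instance is intended, it needs its own proxy location and access rules.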
@@ -180,6 +185,11 @@

NAS Storage

Network Attached Storage

+ + +

Syncthing

+

File Synchronization

+

Router

diff --git a/docs/services.md b/docs/services.md index 2a8550a..c80b736 100644 --- a/docs/services.md +++ b/docs/services.md @@ -476,6 +476,17 @@ sudo docker-compose logs -f jellyfin - **Immich**: Modern photo backup solution - **LibrePhotos**: Privacy-focused alternative +### Torrent Management + +**Recommendation: Use NAS Direct Torrenting** + +For homelab with NAS storage migration: +- **NAS Direct**: Internet → NAS (50% less network traffic, better performance) +- **Laptop → NAS**: Downloads go laptop → network → NAS (double network load) +- **Access**: Use Synology Download Station via Local Network admin section +- **Integration**: Mount NAS shares for Jellyfin media access +- **Efficiency**: Keeps local network clear for other services + ## Monitoring & Logging ### System Monitoring