Implement full system backup with Restic including:
- Docker volume exports (Gitea, Jellyfin, Nextcloud, Portainer)
- System configuration backup (/etc/)
- Package list exports (pacman explicit, all, AUR)
- Automated retention policy (7 daily, 4 weekly, 3 monthly, 1 yearly)
- Separate temporary directories for Docker and system data
Initialize encrypted backup repository on NAS with:
- Auto-install of Restic if needed
- Secure password generation and storage
- Repository initialization with AES-256 encryption
- Mark dockerization task as complete
- Document reasons for non-dockerized services:
- Glances/Netdata: Need full system access for monitoring
- Syncthing: Docker permission issues with config directory
- Nginx: Reverse proxy requires system integration
- Update service status: Copyparty now dockerized
- Remove Cockpit references (removed from system)
- Update VNC documentation to reflect temporary usage pattern
- Add automatic directory creation in create_symlink function
- Include copyparty, portainer, and qbittorrent configs
- Add landing page symlink for easier updates
- Update verification commands to include all services
- Replace config file with command-line arguments for Docker compatibility
- Enable file search, deduplication, and partial upload features
- Configure reverse proxy support with xff-src and rproxy flags
- Add password database integration with chpw support
- Map all NAS volumes with appropriate permissions
- Fix health check to use /files/ path
- Remove obsolete copyparty.conf (incompatible with Docker image)
- Document interactive installation process
- Add complete EU country whitelist configuration
- Include setup commands and wizard prompts
- Clarify that geoip-shell was used instead of manual iptables setup
- Automates symlinking of docker-compose.yml files from repo to /opt/docker
- Includes Gitea, Jellyfin, qBittorrent, Portainer
- Symlinks daemon.json to /etc/docker
- Creates timestamped backups before replacing files
- Eliminates need for manual config copying
- Renamed docker-compose.yml to .disabled
- Service can be re-enabled by renaming file back to .yml
- Nextcloud not currently needed with Copyparty in place
- Web UI for Docker container management
- Bound to localhost (reverse proxy recommended)
- Uses named volume for persistent data
- Configured for Europe/Budapest timezone
- Resource limits and health checks included
- Removed comments from daemon.json (JSON doesn't support comments)
- Synced with deployed working version
- Maintains minimal working configuration with logging only
- New /installers volume for game installers and ISO files
- Accessible to both guest and hoborg users
- Complements existing torrent categorization structure
- Add CLAUDE.md with AI assistant configuration
- Add scripts/permanent-ban-repeat-offenders.sh for automated permanent banning
- Script automatically detects and permanently bans IPs banned >4 times by fail2ban
- Integrates with iptables and geoip-shell for comprehensive security
- Add docs/geoip-blocking.md with complete geoip-shell setup documentation
- Update README.md to include geoip blocking in goals, status, and documentation structure
- Update docs/network-security.md with geoip blocking and permanent ban sections
- Mark geoip blocking task as completed in TODO.md
- Document permanent-ban-repeat-offenders.sh script and its cron job
- Document common Docker issues and filesystem permission problems
- Include service management and configuration validation steps
- Provide systematic debugging approach for Gitea deployment issues
- Add security hardening guidelines to CLAUDE.md with container-specific notes
- Update TODO.md with new security and dockerization tasks
- Add geoblocking and syncthing sync items to task list
- Simplify daemon.json to minimal working version, removing problematic
security settings that caused read-only filesystem issues
- Update Gitea docker-compose.yml to working configuration:
- Remove read-only filesystem (breaks s6-overlay init)
- Keep user privilege dropping via USER_UID/USER_GID
- Bind SSH port directly for Git operations
- Maintain localhost binding for web interface
- scripts/setup-security-hardening.sh: One-command deployment of all security configurations
- Includes SSH hardening, kernel parameters, Docker security, fail2ban, and nginx rate limiting
- Provides status output and next steps for verification
- config/docker/daemon.json: Docker security hardening with logging limits and security options
- config/systemd/nginx.service.d/rate-limit.conf: Nginx resource limits and connection throttling
- Includes deployment instructions for container and service security
- config/fail2ban/jail.local: Main jail configuration with SSH, web, and service protection
- config/fail2ban/filter.d/sshd-ddos.conf: SSH connection flooding protection
- config/fail2ban/filter.d/nginx-badbots.conf: Web scanner and bot detection
- config/fail2ban/filter.d/gitea-auth.conf: Gitea authentication failure detection
- Includes deployment instructions for automated IP banning
- config/systemd/ssh-honeypot.service: Systemd service for port 22 honeypot
- config/honeypot/response.sh: Response script that logs connections and sends fake SSH banner
- Both files include deployment instructions and setup commands
- Document critical security vulnerabilities found
- Provide step-by-step hardening procedures
- Include SSL certificate recovery from git history
- Add SSH hardening with Mosh compatibility
- Document VPN setup with WireGuard
- Create implementation checklists and status tracking
- setup-glances.sh: Install Glances with web interface and systemd service
- setup-netdata.sh: Install Netdata without nginx configuration changes
- deploy-netdata-config.sh: Complete Netdata deployment with privacy config
- Remove redundant iterative scripts from troubleshooting process
- Each script handles one specific deployment task cleanly
- Add Netdata config with cloud features disabled
- Configure localhost-only binding for security
- Disable telemetry and registry features
- Add systemd service configuration for Glances web server
- Ensure monitoring services run with proper isolation
- Remove Cockpit reverse proxy configuration
- Add Netdata reverse proxy with basic auth protection
- Configure same authentication as Glances for consistency
- Maintain security headers and WebSocket support
- Use port 19999 for Netdata service
- Add tabbed navigation with Home and Admin tabs
- Organize Admin tab into Server Administration and Local Network sections
- Update service names to actual application names (Copyparty, Jellyfin)
- Add NAS Storage link for network management
- Improve service descriptions and icons
- Implement responsive design with Font Awesome icons
- Add comprehensive copyparty feature list and status
- Document WebDAV client setup (X-plore, rclone)
- Update permission structure with rwmd flags
- Add troubleshooting references for WebDAV issues
- Include working client configuration examples
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Mark all major services as completed (file server, media server, SSL)
- Update repository structure with new config directories
- Fix troubleshooting documentation references
- Reflect current working state of homelab setup
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add section on URL encoding issues causing HTTP 400 errors
- Document nginx proxy_pass solution for preserving request URI
- Update final working configuration with HTTP/1.1 fixes
- Include Connection header and proxy_http_version settings
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Change proxy_pass to preserve original request URI for URL encoding
- Add HTTP/1.1 and Connection header fixes for copyparty compatibility
- Remove path manipulation that broke files with spaces/special characters
Fixes HTTP 400 "bad headers" errors when uploading files with spaces
in filenames via WebDAV clients like X-plore.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
