- Simplify daemon.json to minimal working version, removing problematic
security settings that caused read-only filesystem issues
- Update Gitea docker-compose.yml to working configuration:
- Remove read-only filesystem (breaks s6-overlay init)
- Keep user privilege dropping via USER_UID/USER_GID
- Bind SSH port directly for Git operations
- Maintain localhost binding for web interface
- scripts/setup-security-hardening.sh: One-command deployment of all security configurations
- Includes SSH hardening, kernel parameters, Docker security, fail2ban, and nginx rate limiting
- Provides status output and next steps for verification
- config/docker/daemon.json: Docker security hardening with logging limits and security options
- config/systemd/nginx.service.d/rate-limit.conf: Nginx resource limits and connection throttling
- Includes deployment instructions for container and service security
- config/fail2ban/jail.local: Main jail configuration with SSH, web, and service protection
- config/fail2ban/filter.d/sshd-ddos.conf: SSH connection flooding protection
- config/fail2ban/filter.d/nginx-badbots.conf: Web scanner and bot detection
- config/fail2ban/filter.d/gitea-auth.conf: Gitea authentication failure detection
- Includes deployment instructions for automated IP banning
- config/systemd/ssh-honeypot.service: Systemd service for port 22 honeypot
- config/honeypot/response.sh: Response script that logs connections and sends fake SSH banner
- Both files include deployment instructions and setup commands
- Document critical security vulnerabilities found
- Provide step-by-step hardening procedures
- Include SSL certificate recovery from git history
- Add SSH hardening with Mosh compatibility
- Document VPN setup with WireGuard
- Create implementation checklists and status tracking
- setup-glances.sh: Install Glances with web interface and systemd service
- setup-netdata.sh: Install Netdata without nginx configuration changes
- deploy-netdata-config.sh: Complete Netdata deployment with privacy config
- Remove redundant iterative scripts from troubleshooting process
- Each script handles one specific deployment task cleanly
- Add Netdata config with cloud features disabled
- Configure localhost-only binding for security
- Disable telemetry and registry features
- Add systemd service configuration for Glances web server
- Ensure monitoring services run with proper isolation
- Remove Cockpit reverse proxy configuration
- Add Netdata reverse proxy with basic auth protection
- Configure same authentication as Glances for consistency
- Maintain security headers and WebSocket support
- Use port 19999 for Netdata service
- Add tabbed navigation with Home and Admin tabs
- Organize Admin tab into Server Administration and Local Network sections
- Update service names to actual application names (Copyparty, Jellyfin)
- Add NAS Storage link for network management
- Improve service descriptions and icons
- Implement responsive design with Font Awesome icons
- Add comprehensive copyparty feature list and status
- Document WebDAV client setup (X-plore, rclone)
- Update permission structure with rwmd flags
- Add troubleshooting references for WebDAV issues
- Include working client configuration examples
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Mark all major services as completed (file server, media server, SSL)
- Update repository structure with new config directories
- Fix troubleshooting documentation references
- Reflect current working state of homelab setup
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add section on URL encoding issues causing HTTP 400 errors
- Document nginx proxy_pass solution for preserving request URI
- Update final working configuration with HTTP/1.1 fixes
- Include Connection header and proxy_http_version settings
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Change proxy_pass to preserve original request URI for URL encoding
- Add HTTP/1.1 and Connection header fixes for copyparty compatibility
- Remove path manipulation that broke files with spaces/special characters
Fixes HTTP 400 "bad headers" errors when uploading files with spaces
in filenames via WebDAV clients like X-plore.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Complete Docker Compose setup with MariaDB and Redis
- External storage mounts for existing homelab folders
- Secure password handling using Docker secrets from ~/creds/
- Configured for /cloud path with proper reverse proxy settings
Note: Nextcloud was tested but disabled in favor of copyparty for
file server functionality due to performance and complexity concerns.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add merge_slashes off to prevent automatic redirects
- Add proxy_redirect off to stop nginx from modifying WebDAV responses
- Add explicit WebDAV method support (PUT, DELETE, PROPFIND, etc.)
- Add WebDAV-specific headers (Depth, Destination, etc.)
- Optimize for large file uploads and streaming
Fixes HTTP 301 errors that prevented WebDAV file uploads in clients
like X-plore File Manager.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add explicit 'd' (delete) permission to user accounts to enable
WebDAV DELETE operations. Changed from 'rwm' to 'rwmd' permissions
for all user folders.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add WebDAV access information to copyparty configuration
- Confirm X-plore File Manager compatibility for Android folder uploads
- Update Jellyfin media library structure with private folder mount
- Mark Jellyfin as deployed in service architecture
- Document successful WebDAV folder upload testing
- Update service URLs and access methods
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Document SSL certificate restoration after nginx updates
- Add WebDAV 301 error diagnosis and resolution
- Include media file sync troubleshooting between copyparty and Jellyfin
- Add service deployment best practices
- Provide step-by-step solutions for common configuration issues
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add copyparty and Jellyfin to current services list
- Include WebDAV URL for Android/desktop client access
- Add copyparty service management commands
- Document WebDAV client setup (X-plore, rclone, curl)
- Update external URLs to HTTPS with SSL certificates
- Add configuration management for new services
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Mount /home/hoborg/private as /media/private for shared access with copyparty
- Enable read-only access to private media files uploaded via copyparty WebDAV
- Maintain consistency between file server and media server folder access
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add SSL certificate configuration from Let's Encrypt
- Include WebDAV headers for copyparty upload support (Depth, Destination, Overwrite, If)
- Configure HTTP to HTTPS redirect for all services
- Add SSL security settings managed by certbot
- Enable proxy_request_buffering off for WebDAV compatibility
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Mark Jellyfin media server setup as completed
- Add music collection management tasks
- Update SSL certificate setup status
- Add service dockerization tracking
- Document completed troubleshooting tasks
- Add playlist extraction and legal music source research
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Change Copyparty URL path from /cloud to /files
- Add Jellyfin media server reverse proxy at /media path
- Optimize streaming settings for video content
- Enable websocket support for real-time updates
- Configure large file handling and timeouts
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Docker compose setup with hardware acceleration support
- Network host mode for optimal streaming performance
- Volume mounts for config, cache, and media directories
- Memory limits and resource management
- Device access for GPU hardware transcoding
- Integration with existing media folder structure
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Configure copyparty file server with user authentication
- Set up multi-volume structure (shared, documents, music, videos, private)
- Create systemd service for automatic startup
- Add Nginx reverse proxy integration on /cloud/ path
- Update documentation with complete setup and management guide
- Mark Gitea and file server tasks as completed in TODO
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add permission for mcp__voice-mode__converse tool to enable
voice conversations with the AI assistant.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add AI voice assistant to goals and current status
- Include voice assistant in documentation structure
- Update repository structure diagram
- Add voice server commands to CLAUDE.md
- Include voice assistant service URLs and management commands
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Complete setup guide for Piper TTS installation
- Voice model download instructions with multiple options
- API usage examples and troubleshooting guide
- Available voice models comparison table
- Integration instructions for Claude Code
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- enable-voice.sh: One-command setup for voice assistant
- Automatic prerequisite checking (Poetry, piper-tts, voice models)
- Voice model download with progress indicators
- Server startup with health testing
- Auto-generates disable-voice.sh for cleanup
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- FastAPI-based TTS server using Piper neural text-to-speech
- Poetry for dependency management and virtual environments
- OpenAI-compatible API endpoints for seamless integration
- Support for multiple voice models (Ryan, Alan, Lessac)
- Robust error handling and voice fallback system
- Professional logging and configuration management
- Docker-ready with proper Python packaging
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Resolve SSH lockout after reboot caused by systemd lid switch suspend
- Add systemd-logind configuration to disable lid switch handling
- Add NetworkManager configuration for static IP and power management
- Update network troubleshooting documentation with complete solution
- Include diagnostic commands and deployment steps
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
