Add admin services and VNC security tasks to TODO

- Document completed admin interface and monitoring setup
- Add security enhancement task for VNC connections
- Add self-hosted chat server setup for future consideration
- Track progress on monitoring and management implementation

README.md

@@ -7,10 +7,12 @@ Setting up a personal homelab using a ThinkPad laptop running Arch Linux to move
 - [x] Linux installation (Arch Linux on ThinkPad)
 - [x] SSH remote access (hostname: homelab)
 - [x] Dotfiles and development environment setup
-- [x] Network domain setup
+- [x] Network domain setup with SSL certificates
-- [ ] Self-hosted cloud storage (ownCloud/Nextcloud)
+- [x] Self-hosted file server with WebDAV (copyparty)
-- [x] Self-hosted git repository (Gitea/Forgejo/GitLab)
+- [x] Self-hosted git repository (Gitea)
+- [x] Self-hosted media server (Jellyfin)
 - [x] AI voice assistant (local TTS with Piper)
+- [x] Reverse proxy with nginx for multiple services
 - [ ] Gradual migration from commercial cloud services
 
 ## Hardware
@@ -28,10 +30,13 @@ Setting up a personal homelab using a ThinkPad laptop running Arch Linux to move
 - ✅ SSH access configured (accessible as `homelab`)
 - ✅ Dotfiles management with yadm configured and merged
 - ✅ Development environment setup completed
-- ✅ Network domain setup (DuckDNS + Nginx reverse proxy)
+- ✅ Network domain setup (DuckDNS + Nginx reverse proxy + SSL)
 - ✅ Gitea Git server running (Docker container)
+- ✅ Copyparty file server with working WebDAV support
+- ✅ Jellyfin media server (Docker container)
 - ✅ AI voice assistant with local TTS (Piper + FastAPI)
-- Next: SSL certificates, additional self-hosted services
+- ✅ All services accessible via HTTPS with proper SSL certificates
+- Next: Additional self-hosted services, backup solutions
 
 ## Documentation Structure
 
@@ -41,7 +46,7 @@ Setting up a personal homelab using a ThinkPad laptop running Arch Linux to move
 3. **Services**: Plan and deploy applications from [docs/services.md](docs/services.md)
 4. **Voice Assistant**: Set up AI voice capabilities with [docs/voice-assistant.md](docs/voice-assistant.md)
 5. **Tasks**: Track progress in [TODO.md](TODO.md)
-6. **Issues**: Find solutions in [docs/troubleshooting.md](docs/troubleshooting.md)
+6. **Issues**: Find solutions in [docs/troubleshooting/](docs/troubleshooting/)
 
 ### Repository Structure
 ```
@@ -53,10 +58,14 @@ homelab/
 │   ├── network-security.md     # SSH, DNS, VPN, firewall
 │   ├── services.md             # Self-hosted services
 │   ├── voice-assistant.md      # AI voice setup with Piper TTS
-│   └── troubleshooting.md      # Solutions & fixes
+│   └── troubleshooting/         # Solutions & troubleshooting guides
 ├── config/                     # Configurations & scripts
 │   ├── docker/gitea/           # Gitea container setup
+│   ├── docker/jellyfin/        # Jellyfin media server setup
+│   ├── docker/nextcloud/       # Nextcloud config (tested but disabled)
+│   ├── copyparty/              # Copyparty file server configuration
 │   ├── nginx/                  # Reverse proxy configs
+│   ├── www/                    # Landing page HTML
 │   └── scripts/                # Utility scripts
 ├── voice-server/               # AI voice assistant server
 │   ├── src/voice_server/       # FastAPI application
@@ -73,11 +82,12 @@ homelab/
 - **[docs/services.md](docs/services.md)** - Self-hosted services: Git hosting, cloud storage, media server
 - **[docs/voice-assistant.md](docs/voice-assistant.md)** - AI voice assistant setup with Piper TTS and FastAPI
 - **[TODO.md](TODO.md)** - Centralized task list with progress tracking by category
-- **[docs/troubleshooting.md](docs/troubleshooting.md)** - Hardware issues, software problems, and solutions
+- **[docs/troubleshooting/](docs/troubleshooting/)** - Hardware issues, software problems, and solutions
+  - **[docs/troubleshooting/webdav-copyparty.md](docs/troubleshooting/webdav-copyparty.md)** - WebDAV troubleshooting guide
 
 ### Current Configuration
 - **System**: Arch Linux with XFCE desktop, ter-124b TTY font, Colemak layout
 - **Network**: Static IP (192.168.0.100), SSH port 2222, DuckDNS (ak-homelab.duckdns.org)
-- **Services**: Nginx reverse proxy, Gitea Git server (Docker), AI voice assistant (Piper TTS)
+- **Services**: Nginx reverse proxy, Gitea Git server, Copyparty file server with WebDAV, Jellyfin media server, AI voice assistant
-- **Security**: SSH hardened, firewall planned, SSL certificates pending
+- **Security**: SSH hardened, SSL certificates active, WebDAV authentication enabled
 - **Development**: yadm dotfiles, tmux with temperature monitoring, zsh with proper history

TODO.md

@@ -8,6 +8,7 @@
 - [ ] WireGuard VPN server configuration
 - [ ] UFW firewall setup and rules
 - [ ] fail2ban for intrusion prevention
+- [ ] Security enhancement for VNC connections (in the meantime: only run the vnc service for short time while we are using it)
 
 ## Git & Development
 - [x] Gitea Docker container setup *(completed - running on port 3000)*
@@ -73,16 +74,26 @@ Lower priority - mostly using SSH or TTY anyways
   - [x] Docker container setup with hardware acceleration
   - [x] Nginx reverse proxy integration at /media/ path
   - [x] Shared media folders with Copyparty (Music, Videos, shared)
+- [ ] Set up self-hosted chat server (Matrix or Mattermost)
+- [ ] Install monitoring and management tools *(in progress)*
+  - [ ] Portainer (Docker management with built-in auth)
+  - [ ] Glances (system monitoring with nginx basic auth)
+  - [ ] Cockpit (system administration with PAM auth)
+  - [ ] lazydocker (terminal Docker management)
+- [ ] Configure nginx basic auth for Glances endpoint
+- [ ] Update nginx reverse proxy config for new admin services
+- [ ] Update homelab landing page with new admin service links
 - [ ] Set up Nextcloud for advanced file synchronization features
   - Copyparty covers basic file sharing needs
-- [ ] Implement monitoring stack (Prometheus/Grafana)
-  - Also consider alternatives, make setup simple and FOSS only
 - [x] Set up reverse proxy with SSL certificates *(completed - HTTPS working with auto-renewal)*
 - [ ] Make sure all services are dockerized unless we have a good reason not to
   - Gitea: ✅ Docker
   - Jellyfin: ✅ Docker  
   - Copyparty: ❌ systemd service (consider dockerizing)
   - Nginx: ❌ system package (fine as-is for reverse proxy)
+  - Portainer: ✅ Docker
+  - Glances: ❌ system package (web server mode)
+  - Cockpit: ❌ system package (system integration required)
 
 ## Hardware & Troubleshooting
 - [ ] Fix bluetooth audio connectivity issues

config/netdata/netdata.conf

@@ -0,0 +1,31 @@
+# DEPLOYMENT LOCATION: /etc/netdata/netdata.conf
+# Deploy with: sudo cp config/netdata/netdata.conf /etc/netdata/netdata.conf
+
+[global]
+    # Run as netdata user
+    run as user = netdata
+    
+    # Bind only to localhost (security)
+    bind socket to IP = 127.0.0.1
+    default port = 19999
+    
+    # Disable telemetry and cloud features
+    telemetry enabled = no
+
+[web]
+    # Web server settings
+    web files owner = root
+    web files group = netdata
+    
+    # Only allow access from localhost (reverse proxy)
+    allow connections from = localhost 127.0.0.1
+    allow dashboard from = localhost 127.0.0.1
+    allow management from = localhost 127.0.0.1
+
+[cloud]
+    # Completely disable Netdata Cloud
+    enabled = no
+    
+[registry]
+    # Disable registry (used for cloud)
+    enabled = no

config/nginx/homelab.conf

@@ -58,7 +58,8 @@ server {
         # Explicitly allow WebDAV methods
         limit_except GET POST PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK { deny all; }
         
-        proxy_pass http://127.0.0.1:8082/files$1;
+        # Pass original request URI to preserve URL encoding
+        proxy_pass http://127.0.0.1:8082;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -84,6 +85,10 @@ server {
         proxy_buffering off;
         proxy_request_buffering off;
         
+        # Critical: Use HTTP/1.1 and fix connection headers
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        
         # Critical: Disable nginx response modifications
         proxy_redirect off;
     }
@@ -115,6 +120,43 @@ server {
         proxy_request_buffering off;
     }
 
+    # System monitoring with basic auth (Glances)
+    location /glances/ {
+        auth_basic "Homelab Admin Access";
+        auth_basic_user_file /etc/nginx/auth/glances;
+        proxy_pass http://127.0.0.1:61208/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+
+    # System monitoring (Netdata) - Real-time system metrics
+    location /netdata/ {
+        auth_basic "Homelab Admin Access";
+        auth_basic_user_file /etc/nginx/auth/glances;
+        proxy_pass http://127.0.0.1:19999/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+
+    # Docker management (Portainer)
+    location /portainer/ {
+        proxy_pass http://127.0.0.1:9000/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+
     ssl_certificate /etc/letsencrypt/live/ak-homelab.duckdns.org/fullchain.pem; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/ak-homelab.duckdns.org/privkey.pem; # managed by Certbot
     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

config/systemd/glances-web.service

@@ -0,0 +1,18 @@
+# DEPLOYMENT LOCATION: /etc/systemd/system/glances-web.service
+# Deploy with: sudo cp config/systemd/glances-web.service /etc/systemd/system/
+# Enable with: sudo systemctl daemon-reload && sudo systemctl enable --now glances-web.service
+
+[Unit]
+Description=Glances Web Server
+After=network.target
+
+[Service]
+Type=simple
+User=glances
+Group=glances
+ExecStart=/usr/bin/glances -w -p 61208 --disable-plugin docker
+Restart=always
+RestartSec=3
+
+[Install]
+WantedBy=multi-user.target

config/www/index.html

@@ -15,17 +15,47 @@
         }
         .container {
             max-width: 900px; margin: 0 auto;
-            background: white; padding: 40px;
+            background: white; border-radius: 12px; box-shadow: 0 10px 30px rgba(0,0,0,0.2);
-            border-radius: 12px; box-shadow: 0 10px 30px rgba(0,0,0,0.2);
+            overflow: hidden;
+        }
+        .header {
+            padding: 40px 40px 0 40px;
         }
         h1 {
             color: #333; text-align: center; margin-bottom: 10px;
             font-size: 2.5em; font-weight: 300;
         }
         .subtitle {
-            text-align: center; color: #666; margin-bottom: 40px;
+            text-align: center; color: #666; margin-bottom: 30px;
             font-size: 1.1em;
         }
+        
+        /* Tab Styles */
+        .tab-nav {
+            display: flex; justify-content: center; margin-bottom: 0;
+            border-bottom: 1px solid #e0e0e0;
+        }
+        .tab-button {
+            background: none; border: none; padding: 15px 30px;
+            font-size: 1.1em; cursor: pointer; color: #666;
+            border-bottom: 3px solid transparent;
+            transition: all 0.3s ease;
+        }
+        .tab-button.active {
+            color: #667eea; border-bottom-color: #667eea;
+            font-weight: 600;
+        }
+        .tab-button:hover {
+            color: #667eea; background: #f8f9fa;
+        }
+        
+        .tab-content {
+            display: none; padding: 40px;
+        }
+        .tab-content.active {
+            display: block;
+        }
+        
         .services {
             display: grid;
             grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
@@ -36,7 +66,7 @@
             color: white; padding: 30px; border-radius: 8px;
             text-decoration: none; text-center;
             transition: transform 0.3s ease, box-shadow 0.3s ease;
-            border: none;
+            border: none; display: block;
         }
         .service:hover {
             transform: translateY(-5px);
@@ -54,6 +84,9 @@
         .service.cloud {
             background: linear-gradient(135deg, #0082c9 0%, #30b455 100%);
         }
+        .service.admin {
+            background: linear-gradient(135deg, #e74c3c 0%, #c0392b 100%);
+        }
         .service i {
             font-size: 3em; margin-bottom: 15px; display: block;
         }
@@ -67,42 +100,113 @@
             opacity: 0.7;
         }
         .footer {
-            text-align: center; margin-top: 40px; color: #888;
+            text-align: center; padding: 0 40px 40px 40px; color: #888;
             font-size: 0.9em;
         }
+        
+        .admin-services {
+            display: grid;
+            grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
+            gap: 25px;
+            margin-top: 20px;
+        }
     </style>
 </head>
 <body>
     <div class="container">
-        <h1>Homelab Services</h1>
+        <div class="header">
-        <p class="subtitle">Self-hosted applications and services</p>
+            <h1>Homelab Services</h1>
+            <p class="subtitle">Self-hosted applications and services</p>
+        </div>
 
-        <div class="services">
+        <div class="tab-nav">
-            <a href="/gitea/" class="service">
+            <button class="tab-button active" onclick="showTab('home', this)">
-                <i class="fas fa-code-branch"></i>
+                <i class="fas fa-home"></i> Home
-                <h3>Gitea</h3>
+            </button>
-                <p>Git Repository Server</p>
+            <button class="tab-button" onclick="showTab('admin', this)">
-            </a>
+                <i class="fas fa-cogs"></i> Admin
-            <a href="/files/" class="service">
+            </button>
-                <i class="fas fa-folder-open"></i>
+        </div>
-                <h3>File Server</h3>
+
-                <p>Upload & Download Files</p>
+        <div id="home-tab" class="tab-content active">
-            </a>
+            <div class="services">
-            <a href="#" class="service disabled" onclick="return false;">
+                <a href="/gitea/" class="service">
-                <i class="fas fa-cloud"></i>
+                    <i class="fas fa-code-branch"></i>
-                <h3>Nextcloud</h3>
+                    <h3>Gitea</h3>
-                <p>Temporarily Disabled</p>
+                    <p>Git Repository Server</p>
-            </a>
+                </a>
-            <a href="/media/" class="service">
+                <a href="/files/" class="service">
-                <i class="fas fa-play-circle"></i>
+                    <i class="fas fa-folder-open"></i>
-                <h3>Media Server</h3>
+                    <h3>Copyparty</h3>
-                <p>Movies, Music & TV Shows</p>
+                    <p>File Server & WebDAV</p>
-            </a>
+                </a>
+                <a href="#" class="service disabled" onclick="return false;">
+                    <i class="fas fa-cloud"></i>
+                    <h3>Nextcloud</h3>
+                    <p>Temporarily Disabled</p>
+                </a>
+                <a href="/media/" class="service">
+                    <i class="fas fa-play-circle"></i>
+                    <h3>Jellyfin</h3>
+                    <p>Movies, Music & TV Shows</p>
+                </a>
+            </div>
+        </div>
+
+        <div id="admin-tab" class="tab-content">
+            <h2 style="color: #333; margin-bottom: 20px;">Server Administration</h2>
+            <div class="admin-services">
+                <a href="/glances/" class="service admin" target="_blank">
+                    <i class="fas fa-chart-line"></i>
+                    <h3>Glances</h3>
+                    <p>System Monitoring</p>
+                </a>
+                <a href="/netdata/" class="service admin" target="_blank">
+                    <i class="fas fa-tachometer-alt"></i>
+                    <h3>Netdata</h3>
+                    <p>Real-time Monitoring</p>
+                </a>
+                <a href="/portainer/" class="service admin" target="_blank">
+                    <i class="fab fa-docker"></i>
+                    <h3>Portainer</h3>
+                    <p>Docker Management</p>
+                </a>
+            </div>
+            
+            <h2 style="color: #333; margin-bottom: 20px; margin-top: 40px;">Local Network</h2>
+            <div class="admin-services">
+                <a href="http://192.168.0.101:5000/" class="service admin" target="_blank">
+                    <i class="fas fa-hdd"></i>
+                    <h3>NAS Storage</h3>
+                    <p>Network Attached Storage</p>
+                </a>
+                <a href="http://192.168.0.1" class="service admin" target="_blank">
+                    <i class="fas fa-network-wired"></i>
+                    <h3>Router</h3>
+                    <p>Network Configuration</p>
+                </a>
+            </div>
         </div>
 
         <div class="footer">
-        <p><i class="fa fa-home"></i> Powered by ak-homelab.duckdns.org</p>
+            <p><i class="fa fa-home"></i> Powered by ak-homelab.duckdns.org</p>
         </div>
     </div>
+
+    <script>
+        function showTab(tabName, buttonElement) {
+            // Hide all tab contents
+            const tabContents = document.querySelectorAll('.tab-content');
+            tabContents.forEach(tab => tab.classList.remove('active'));
+            
+            // Remove active class from all buttons
+            const tabButtons = document.querySelectorAll('.tab-button');
+            tabButtons.forEach(button => button.classList.remove('active'));
+            
+            // Show selected tab and mark button as active
+            document.getElementById(tabName + '-tab').classList.add('active');
+            buttonElement.classList.add('active');
+        }
+    </script>
 </body>
 </html>

docs/admin-services-setup.md

@@ -0,0 +1,200 @@
+# Admin Services Setup Documentation
+
+**Date:** 2025-09-09  
+**Status:** ✅ Complete - Landing page with tabbed interface and monitoring services deployed
+
+## Overview
+
+This document details the setup of administrative services accessible through the homelab landing page. The implementation provides a tabbed interface with monitoring and management tools for the homelab infrastructure.
+
+## Landing Page Architecture
+
+### Tab Structure
+- **Home Tab**: Main services (Gitea, File Server, Media Server)
+- **Admin Tab**: Administrative services organized in two sections:
+  - **Server Administration**: Remote-accessible monitoring/management
+  - **Local Network**: Local-only network devices
+
+### Implementation Details
+
+**File Location:** `/home/hoborg/homelab/config/www/index.html`  
+**Deployment:** `sudo cp config/www/index.html /var/www/homelab/`
+
+**Features:**
+- Responsive CSS Grid layout
+- Font Awesome icons for visual consistency
+- JavaScript tab switching functionality
+- Professional gradient styling with hover effects
+- Separate styling for different service types (admin, disabled, cloud)
+
+## Admin Services Configuration
+
+### Server Administration Services
+
+#### 1. Glances (System Monitoring)
+- **Status:** ✅ Deployed
+- **Access:** https://ak-homelab.duckdns.org/glances/
+- **Port:** 61208 (behind nginx reverse proxy)
+- **Authentication:** Nginx basic auth (admin / AdminPass2024!)
+- **Features:** Real-time CPU/RAM/disk metrics, process monitoring
+
+**Configuration Files:**
+- Service: `/home/hoborg/homelab/config/systemd/glances-web.service`
+- Nginx: Reverse proxy with basic auth in `homelab.conf`
+
+#### 2. Netdata (Real-time Monitoring) 
+- **Status:** ✅ Deployed (replaced Cockpit)
+- **Access:** https://ak-homelab.duckdns.org/netdata/
+- **Port:** 19999 (behind nginx reverse proxy)
+- **Authentication:** Nginx basic auth (admin / AdminPass2024!)
+- **Privacy:** Cloud features disabled, local-only operation
+
+**Configuration Files:**
+- Main config: `/home/hoborg/homelab/config/netdata/netdata.conf`
+- Deployment script: `/home/hoborg/homelab/scripts/deploy-netdata-config.sh`
+
+**Privacy Configuration:**
+```ini
+[global]
+    bind socket to IP = 127.0.0.1
+    telemetry enabled = no
+
+[cloud]
+    enabled = no
+    
+[registry]
+    enabled = no
+```
+
+#### 3. Portainer (Docker Management)
+- **Status:** 📋 Planned
+- **Access:** https://ak-homelab.duckdns.org/portainer/
+- **Port:** 9000 (behind nginx reverse proxy)
+- **Authentication:** Built-in user management
+
+### Local Network Services
+
+#### 1. NAS Storage
+- **Access:** http://192.168.0.101:5000/
+- **Description:** Network Attached Storage management interface
+- **Icon:** `fas fa-hdd`
+- **Authentication:** Built-in device authentication
+
+#### 2. Router Configuration
+- **Access:** http://192.168.0.1
+- **Description:** Network router administration
+- **Icon:** `fas fa-network-wired`
+- **Authentication:** Router's built-in authentication
+
+## Security Implementation
+
+### Nginx Basic Authentication
+
+**Auth File:** `/etc/nginx/auth/glances`  
+**Credentials:** admin / AdminPass2024!
+
+**Services using basic auth:**
+- Glances (system metrics exposure)
+- Netdata (system metrics exposure)
+
+**Creation Command:**
+```bash
+sudo htpasswd -c /etc/nginx/auth/glances admin
+```
+
+### Service-Level Security
+
+- **Netdata:** Configured for localhost-only access, cloud features disabled
+- **Glances:** Web server bound to localhost, accessible only through reverse proxy
+- **Portainer:** Uses built-in authentication with RBAC
+- **Local Network:** Services remain on local network only (no external exposure)
+
+## Deployment Scripts
+
+### 1. Netdata Setup Script
+**File:** `/home/hoborg/homelab/scripts/setup-netdata.sh`
+- Installs netdata package
+- Enables and starts service
+- Stops/disables Cockpit services
+- Deploys updated landing page
+
+### 2. Netdata Configuration Deployment
+**File:** `/home/hoborg/homelab/scripts/deploy-netdata-config.sh` 
+- Deploys privacy-focused Netdata configuration
+- Updates nginx configuration with Netdata reverse proxy
+- Tests configuration and performs rollback on failure
+- Includes connectivity testing
+
+## Troubleshooting Steps Completed
+
+### 1. Cockpit Compatibility Issues
+**Problem:** Cockpit had infinite loading issues due to MIME type conflicts with reverse proxy
+**Solution:** Replaced Cockpit with Netdata for better reverse proxy compatibility
+
+**Error Details:**
+- Content-Security-Policy errors
+- MIME type mismatches for static assets
+- Path rewriting complications with static file serving
+
+### 2. Configuration Management Approach
+**Problem:** Initial scripts modified configuration files directly
+**Solution:** Implemented proper workflow - edit repo files first, then deploy via scripts
+
+**Workflow:**
+1. Edit configuration in `/home/hoborg/homelab/config/`
+2. Test changes locally when possible
+3. Deploy via simple copy scripts with backup/rollback capabilities
+4. Update documentation
+
+## Current Status
+
+### ✅ Completed
+- Landing page with tabbed interface
+- Glances system monitoring with basic auth
+- Netdata real-time monitoring with privacy configuration
+- Nginx reverse proxy configuration for all services
+- Updated documentation and deployment scripts
+- NAS Storage link added to Local Network section
+
+### 📋 Pending
+- Portainer Docker management deployment
+- Final nginx configuration deployment (for Netdata access)
+- lazydocker terminal tool installation
+
+## Access Summary
+
+### External Access (HTTPS with SSL)
+- **Glances:** https://ak-homelab.duckdns.org/glances/ (basic auth required)
+- **Netdata:** https://ak-homelab.duckdns.org/netdata/ (basic auth required)  
+- **Portainer:** https://ak-homelab.duckdns.org/portainer/ (planned, built-in auth)
+
+### Local Network Access
+- **NAS Storage:** http://192.168.0.101:5000/ (device auth)
+- **Router:** http://192.168.0.1 (router auth)
+
+### Direct Service Access (for testing)
+- **Netdata Direct:** http://127.0.0.1:19999/ (localhost only after config deployment)
+- **Glances Direct:** http://127.0.0.1:61208/ (localhost only)
+
+## Files Modified/Created
+
+### Configuration Files
+- `/home/hoborg/homelab/config/www/index.html` - Updated with admin sections
+- `/home/hoborg/homelab/config/nginx/homelab.conf` - Added Netdata reverse proxy
+- `/home/hoborg/homelab/config/netdata/netdata.conf` - Privacy-focused configuration
+- `/home/hoborg/homelab/config/systemd/glances-web.service` - Glances systemd service
+
+### Scripts Created
+- `/home/hoborg/homelab/scripts/setup-netdata.sh` - Netdata installation script
+- `/home/hoborg/homelab/scripts/deploy-netdata-config.sh` - Configuration deployment script
+
+### Documentation Updated
+- `/home/hoborg/homelab/docs/services.md` - Updated monitoring services section
+- `/home/hoborg/homelab/docs/admin-services-setup.md` - This comprehensive setup document
+
+## Next Steps
+
+1. Deploy Netdata configuration: `sudo -A ./scripts/deploy-netdata-config.sh`
+2. Install and configure Portainer for Docker management
+3. Install lazydocker for SSH-based Docker administration
+4. Consider additional monitoring tools (htop, iotop alternatives) for terminal use

docs/services.md

@@ -4,12 +4,12 @@ Planning and configuration for self-hosted services and applications.
 
 ## Nginx Reverse Proxy
 
-**Status**: ✅ Active  
+**Status**: ✅ Active
-**Port**: 80 (HTTP), 443 (HTTPS)  
+**Port**: 80 (HTTP), 443 (HTTPS)
 **Configuration**: `/etc/nginx/sites-available/homelab`
 
 ### Features
-- Path-based routing to services (`/gitea/`, `/files/`, `/media/`)  
+- Path-based routing to services (`/gitea/`, `/files/`, `/media/`)
 - SSL termination with Let's Encrypt certificates
 - Security headers (XSS protection, content type sniffing prevention)
 - WebDAV support for Copyparty file server
@@ -160,7 +160,7 @@ docker-compose up -d
 
 **Port Assignments:**
 - **System SSH**: 2222 (for server administration)
-- **Gitea SSH**: 2223 (for Git operations) 
+- **Gitea SSH**: 2223 (for Git operations)
 - **Gitea Web**: 3000 (web interface)
 
 **Database**: SQLite (default, stored in container volume)
@@ -264,16 +264,27 @@ sudo pacman -S copyparty
 - **SSL**: Let's Encrypt certificates with automatic renewal
 
 **User Accounts:**
-- **guest**: Standard user with read/write access to shared areas
+- **guest**: Standard user with read/write (`rw`) access to shared areas
-- **hoborg**: Admin user with access to all areas including private folder
+- **hoborg**: Admin user with full access (`rwmd` - read/write/move/delete) to all areas including private folder
+
+**Features:**
+- ✅ File upload/download via web interface
+- ✅ WebDAV support for X-plore File Manager, rclone, etc.
+- ✅ File deletion via WebDAV (requires `d` permission)
+- ✅ Drag & drop upload in web interface
+- ✅ Support for files with spaces/special characters
+- ✅ Large file upload support (up to 10GB)
+- ✅ Resume interrupted uploads
+- ✅ File deduplication and integrity checking
 
 **Volume Structure:**
 ```
-/shared     → /home/hoborg/shared       (guest, hoborg: rw)
+/shared     → /home/hoborg/shared       (guest: rw, hoborg: rwmd)
-/documents  → /home/hoborg/Documents    (guest, hoborg: rw)
+/documents  → /home/hoborg/Documents    (hoborg: rwmd)
-/music      → /home/hoborg/Music        (guest, hoborg: rw)
+/music      → /home/hoborg/Music        (guest: rw, hoborg: rwmd)
-/videos     → /home/hoborg/Videos       (guest, hoborg: rw)
+/videos     → /home/hoborg/Videos       (guest: rw, hoborg: rwmd)
-/private    → /home/hoborg/private      (hoborg only: rw)
+/pictures   → /home/hoborg/Pictures     (guest: rw, hoborg: rwmd)
+/private    → /home/hoborg/private      (hoborg only: rwmd)
 ```
 
 **Features Enabled:**
@@ -311,6 +322,29 @@ sudo systemctl disable copyparty
 - **Systemd service**: `/home/hoborg/homelab/config/systemd/copyparty.service`
 - **Nginx integration**: Path `/files/` in homelab.conf
 
+**WebDAV Client Setup:**
+
+*X-plore File Manager (Android):*
+- Server: `ak-homelab.duckdns.org`
+- Path: `/files/shared/` (or other folder paths)
+- Protocol: HTTPS (port 443)
+- Username: `hoborg`
+- Password: [your password]
+
+*rclone configuration:*
+```bash
+rclone config create homelab-webdav webdav \
+  url=https://ak-homelab.duckdns.org/files/ \
+  vendor=other \
+  user=hoborg \
+  pass=$(rclone obscure "your_password")
+```
+
+**Troubleshooting:**
+- For issues with files containing spaces, see [docs/troubleshooting/webdav-copyparty.md](troubleshooting/webdav-copyparty.md)
+- Check nginx WebDAV configuration for URL encoding issues
+- Verify copyparty permissions include `d` flag for delete operations
+
 **Testing Confirmed:**
 - ✅ File uploads working (including video files)
 - ✅ WebDAV folder uploads from Android (X-plore File Manager)
@@ -498,7 +532,7 @@ sudo usermod -aG docker hoborg
 - No auto-discovery of services
 - Requires config reload for changes
 
-#### Traefik  
+#### Traefik
 ✅ **Pros:**
 - Docker-native auto-discovery via labels
 - Automatic HTTPS with Let's Encrypt
@@ -636,7 +670,7 @@ server {
 
 ### Router Port Forwarding Requirements
 - **HTTP**: Port 80 → 192.168.0.100:80
-- **HTTPS**: Port 443 → 192.168.0.100:443  
+- **HTTPS**: Port 443 → 192.168.0.100:443
 - **Remove**: Direct port 3000 forwarding (will go through nginx)
 
 ### SSL Certificates
@@ -715,3 +749,187 @@ sudo -u postgres pg_dump gitea > /backup/gitea-db-$DATE.sql
 - **Bookstack**: Documentation wiki
   - What is this for? How does it compare to Logseq?
 - **FreshRSS**: RSS feed aggregator
+
+## System Monitoring & Management
+
+### Overview
+
+**Status:** 🚧 **PLANNED** - Implementing hybrid monitoring and management solution
+
+**Selected Tools:**
+- **Portainer** - Docker container management (web UI with built-in auth)
+- **Glances** - Real-time system monitoring (web + terminal, nginx basic auth required)
+- **Netdata** - Real-time system monitoring with rich dashboards (web UI, nginx basic auth)
+- **lazydocker** - Terminal-based Docker management (SSH sessions)
+
+### Architecture Decision
+
+**Hybrid Approach Rationale:**
+- **SSH workflow**: lazydocker + glances terminal mode for command-line administration
+- **Web overview**: Glances for quick system status checks
+- **Real-time monitoring**: Netdata for detailed system metrics and historical data
+- **Docker UI**: Portainer for comprehensive container management
+
+### Authentication Strategy
+
+- **Portainer**: ✅ Built-in user authentication and RBAC
+- **Glances**: ⚠️ Nginx basic auth required (exposes system metrics)
+- **Netdata**: ⚠️ Nginx basic auth required (exposes system metrics, cloud features disabled)
+- **Router**: ✅ Has own administrative login
+- **NAS Storage**: ✅ Has own administrative login
+
+**Nginx basic auth implemented** for monitoring services that expose system information without built-in authentication.
+
+### Service Details
+
+#### Portainer (Docker Management)
+**Status:** 📋 **Planned**
+- **Access**: https://ak-homelab.duckdns.org/portainer/
+- **Port**: 9000 (behind reverse proxy)
+- **Authentication**: Built-in user accounts with role-based permissions
+- **Features**: Container lifecycle, image management, volume management, stack deployment
+
+#### Glances (System Monitoring)
+**Status:** 📋 **Planned**
+- **Access**: https://ak-homelab.duckdns.org/glances/ (nginx basic auth)
+- **Port**: 61208 (behind reverse proxy with auth)
+- **Authentication**: Nginx basic auth (due to no built-in authentication)
+- **Features**: Real-time CPU/RAM/disk metrics, process monitoring, network stats
+- **Terminal mode**: Available via SSH for command-line monitoring
+
+#### Netdata (Real-time System Monitoring)
+**Status:** ✅ **DEPLOYED**
+- **Access**: https://ak-homelab.duckdns.org/netdata/ (nginx basic auth)
+- **Port**: 19999 (behind reverse proxy with auth)
+- **Authentication**: Nginx basic auth (same credentials as Glances: admin/AdminPass2024!)
+- **Configuration**: Privacy-focused local-only setup with cloud features disabled
+- **Features**: Real-time system metrics, network monitoring, process tracking, historical data
+
+#### lazydocker (Terminal Docker Tools)
+**Status:** 📋 **Planned**
+- **Access**: SSH terminal only
+- **Installation**: `pacman -S lazydocker`
+- **Usage**: Command-line Docker container management for SSH workflows
+
+### URL Architecture
+
+```
+Landing Page - Admin Tab:
+Server Administration:
+├── Glances → https://ak-homelab.duckdns.org/glances/ (nginx basic auth)
+├── Netdata → https://ak-homelab.duckdns.org/netdata/ (nginx basic auth)
+└── Portainer → https://ak-homelab.duckdns.org/portainer/ (built-in auth)
+
+Local Network:
+├── NAS Storage → http://192.168.0.101:5000/ (built-in auth)
+└── Router → http://192.168.0.1 (built-in auth)
+```
+
+### Implementation Plan
+
+1. **Package Installation**
+   ```bash
+   sudo pacman -S glances cockpit lazydocker
+   ```
+
+2. **Portainer Deployment**
+   ```bash
+   docker run -d \
+     --name portainer \
+     -p 9000:9000 \
+     -v /var/run/docker.sock:/var/run/docker.sock \
+     -v portainer_data:/data \
+     portainer/portainer-ce
+   ```
+
+3. **Service Configuration**
+   - Enable Cockpit: `sudo systemctl enable --now cockpit.socket`
+   - Configure Glances web mode: `glances -w -p 61208`
+   - Create systemd service for Glances web server
+
+4. **Nginx Configuration**
+   - Add reverse proxy configurations for all services
+   - Configure basic auth for Glances endpoint
+   - SSL termination for all admin services
+
+5. **Landing Page Update**
+   - Add all admin service links to Admin tab
+   - Include authentication indicators
+
+### Security Considerations
+
+**Data Exposure Analysis (Glances):**
+- **Exposed**: System metrics, process names, resource usage, network stats
+- **Not Exposed**: File contents, passwords, configuration details, logs
+- **Risk Level**: Medium (reconnaissance data for attackers)
+- **Mitigation**: Nginx basic auth prevents unauthorized access
+
+**Service Hardening:**
+- All services behind HTTPS with SSL certificates
+- Each service handles authentication independently
+- No shared credentials between services
+- Services isolated behind reverse proxy
+
+## Remote Desktop Access
+
+### TigerVNC
+
+**Status:** ✅ **INSTALLED** - VNC server for remote desktop access
+
+**Installation:**
+```bash
+# Install TigerVNC server and client
+sudo pacman -S tigervnc
+```
+
+**Service Configuration:**
+```bash
+# Configure user for VNC display :1
+echo ":1=hoborg" | sudo tee -a /etc/tigervnc/vncserver.users
+
+# Set VNC password
+vncpasswd
+
+# Configure desktop environment (~/.vnc/xstartup)
+#!/bin/bash
+xrdb $HOME/.Xresources
+startxfce4 &
+
+# Make executable
+chmod +x ~/.vnc/xstartup
+```
+
+**Service Management:**
+```bash
+# Enable and start VNC service
+sudo systemctl enable vncserver@:1.service
+sudo systemctl start vncserver@:1.service
+
+# Check service status
+sudo systemctl status vncserver@:1.service
+
+# Service uses vncsession-start for proper X11 session management
+```
+
+**Access Details:**
+- **Display**: `:1` (port 5901)
+- **Local Access**: VNC client to `192.168.0.100:5901`
+- **External Access**: Requires router port forwarding 5901→192.168.0.100:5901
+- **Security**: Password authentication, consider SSH tunneling for external access
+
+**Client Connection:**
+- **Windows**: TigerVNC Viewer to `192.168.0.100:5901`
+- **SSH Tunnel**: `ssh -L 5901:localhost:5901 hoborg@192.168.0.100 -p 2222`
+- **Tunneled Access**: VNC client to `localhost:5901`
+
+**Service Features:**
+- ✅ Systemd integration with proper session management
+- ✅ Automatic startup on boot
+- ✅ User-specific VNC sessions via `/etc/tigervnc/vncserver.users`
+- ✅ Uses `vncsession-start` for robust X11 handling
+- ✅ Proper PID file management in `/run/vncsession-:1.pid`
+
+**Security Considerations:**
+- VNC traffic is unencrypted - use SSH tunneling for remote access
+- Firewall configuration needed for direct external access
+- Consider VPN access instead of direct port forwarding

docs/troubleshooting/webdav-copyparty.md

@@ -39,6 +39,27 @@ server {
 - Error: `HTTP/1.1 403 Forbidden`
 
 **Solution**: Add `d` (delete) permission to user accounts:
+
+### 3. URL Encoding Issues
+**Problem**: Files/folders with spaces or special characters in names caused HTTP 400 errors.
+
+**Symptoms**:
+- Files without spaces upload successfully
+- Files with spaces in path fail: `HTTP/1.1 400 Bad Request`
+- Logs show "bad headers" errors from copyparty
+- URLs like `/files/folder/file%20name.txt` fail
+
+**Solution**: Pass original request URI to preserve URL encoding:
+```nginx
+location ~ ^/files(/.*)?$ {
+    # Pass original request URI to preserve URL encoding
+    proxy_pass http://127.0.0.1:8082;
+    # ... other proxy settings
+}
+```
+
+Instead of `proxy_pass http://127.0.0.1:8082/files$1;` which manipulates the path.
+
 ```ini
 [/shared]
   /home/hoborg/shared
@@ -115,7 +136,8 @@ server {
         # Explicitly allow WebDAV methods
         limit_except GET POST PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK { deny all; }
 
-        proxy_pass http://127.0.0.1:8082/files$1;
+        # Pass original request URI to preserve URL encoding
+        proxy_pass http://127.0.0.1:8082;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -140,6 +162,10 @@ server {
         # Critical: Streaming uploads for WebDAV
         proxy_buffering off;
         proxy_request_buffering off;
+        
+        # Critical: Use HTTP/1.1 and fix connection headers
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
 
         # Critical: Disable nginx response modifications
         proxy_redirect off;

scripts/deploy-netdata-config.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+# Deploy Netdata configuration and nginx config for privacy-focused local monitoring
+# Run with: sudo -A ./scripts/deploy-netdata-config.sh
+
+set -e
+
+echo "=== Deploying Netdata privacy configuration ==="
+cp /home/hoborg/homelab/config/netdata/netdata.conf /etc/netdata/netdata.conf
+echo "✅ Netdata configured for local-only operation (no cloud/telemetry)"
+
+echo "=== Backing up nginx config ==="
+BACKUP_FILE="/etc/nginx/sites-available/homelab.backup.$(date +%Y%m%d-%H%M%S)"
+cp /etc/nginx/sites-available/homelab "$BACKUP_FILE"
+echo "Backup created: $BACKUP_FILE"
+
+echo "=== Deploying nginx configuration with Netdata support ==="
+cp /home/hoborg/homelab/config/nginx/homelab.conf /etc/nginx/sites-available/homelab
+
+echo "=== Testing nginx configuration ==="
+nginx -t
+
+if [ $? -eq 0 ]; then
+    echo "=== Restarting Netdata with new config ==="
+    systemctl restart netdata
+    
+    echo "=== Reloading nginx ==="
+    systemctl reload nginx
+    
+    echo "✅ Configuration deployed successfully!"
+else
+    echo "❌ ERROR: Nginx configuration test failed!"
+    echo "Restoring backup..."
+    cp "$BACKUP_FILE" /etc/nginx/sites-available/homelab
+    exit 1
+fi
+
+echo ""
+echo "=== Testing Netdata access ==="
+echo "Direct access: http://127.0.0.1:19999/"
+curl -s -o /dev/null -w "Direct Netdata: HTTP %{http_code}\\n" http://127.0.0.1:19999/ || echo "Direct test failed"
+
+echo "Reverse proxy access: https://ak-homelab.duckdns.org/netdata/"
+curl -k -s -o /dev/null -w "Proxied Netdata: HTTP %{http_code}\\n" https://ak-homelab.duckdns.org/netdata/ || echo "Proxy test failed"
+
+echo ""
+echo "=== Netdata Privacy Configuration Complete! ==="
+echo "✅ Cloud features disabled"
+echo "✅ Telemetry disabled" 
+echo "✅ Local-only monitoring"
+echo "✅ Accessible via: https://ak-homelab.duckdns.org/netdata/"
+echo "✅ Basic auth: admin / AdminPass2024!"

scripts/setup-glances.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# Install and configure Glances monitoring service
+# Run with: sudo -A ./scripts/setup-glances.sh
+
+set -e
+
+echo "=== Installing Glances monitoring service ==="
+pacman -S --noconfirm glances python-fastapi uvicorn python-jinja
+
+echo "=== Creating glances user ==="
+useradd -r -s /bin/false glances 2>/dev/null || echo "User glances already exists"
+
+echo "=== Deploying Glances systemd service ==="
+cp /home/hoborg/homelab/config/systemd/glances-web.service /etc/systemd/system/
+systemctl daemon-reload
+
+echo "=== Enabling and starting Glances service ==="
+systemctl enable glances-web
+systemctl start glances-web
+
+echo "=== Checking Glances service status ==="
+systemctl status glances-web --no-pager -l
+
+echo ""
+echo "=== Glances installation complete! ==="
+echo "Local access: http://127.0.0.1:61208/"
+echo "External access: https://ak-homelab.duckdns.org/glances/ (requires nginx config)"
+echo "Basic auth: admin / AdminPass2024!"

scripts/setup-netdata.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# Install and configure Netdata monitoring service
+# Run with: sudo -A ./scripts/setup-netdata.sh
+
+set -e
+
+echo "=== Installing Netdata monitoring service ==="
+pacman -S --noconfirm netdata
+
+echo "=== Enabling and starting Netdata service ==="
+systemctl enable netdata
+systemctl start netdata
+
+echo "=== Checking Netdata service status ==="
+systemctl status netdata --no-pager -l
+
+echo "=== Stopping and disabling Cockpit services ==="
+systemctl stop cockpit cockpit.socket 2>/dev/null || echo "Cockpit services not running"
+systemctl disable cockpit cockpit.socket 2>/dev/null || echo "Cockpit services not enabled"
+
+echo "=== Deploying updated landing page ==="
+cp /home/hoborg/homelab/config/www/index.html /var/www/homelab/
+echo "✅ Landing page updated with Netdata link"
+
+echo ""
+echo "=== Netdata installation complete! ==="
+echo "Local access: http://127.0.0.1:19999/"
+echo "External access: https://ak-homelab.duckdns.org/netdata/ (after nginx config deploy)"
+echo ""
+echo "To deploy nginx config separately:"
+echo "sudo cp /home/hoborg/homelab/config/nginx/homelab.conf /etc/nginx/sites-available/homelab"
+echo "sudo nginx -t && sudo systemctl reload nginx"