hoborg/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: hoborg:11a4cb91a776ff7ada1824526bdff43f69172e31
Branches Tags
hoborg:master
..
compare: hoborg:e1a020163f533acac292310b1ebfe26cd1f672ff
Branches Tags
hoborg:master

10 Commits
11a4cb91a7 ... e1a020163f

Author SHA1 Message Date
Arpad Krejczinger
e1a020163f Add admin services and VNC security tasks to TODO 
- Document completed admin interface and monitoring setup
- Add security enhancement task for VNC connections
- Add self-hosted chat server setup for future consideration
- Track progress on monitoring and management implementation
 2025-09-09 21:14:46 +02:00
Arpad Krejczinger
914e8a0ba7 Update documentation for admin services implementation 
- Document complete admin services setup in admin-services-setup.md
- Update services.md with Netdata replacing Cockpit configuration
- Include troubleshooting steps and security implementation details
- Document tabbed landing page architecture and service organization
- Add privacy-focused Netdata configuration details
 2025-09-09 21:14:28 +02:00
Arpad Krejczinger
2fa9ec3a20 Add clean deployment scripts for monitoring services 
- setup-glances.sh: Install Glances with web interface and systemd service
- setup-netdata.sh: Install Netdata without nginx configuration changes
- deploy-netdata-config.sh: Complete Netdata deployment with privacy config
- Remove redundant iterative scripts from troubleshooting process
- Each script handles one specific deployment task cleanly
 2025-09-09 21:14:14 +02:00
Arpad Krejczinger
c5849679f9 Add privacy-focused Netdata configuration and Glances service 
- Add Netdata config with cloud features disabled
- Configure localhost-only binding for security
- Disable telemetry and registry features
- Add systemd service configuration for Glances web server
- Ensure monitoring services run with proper isolation
 2025-09-09 21:12:27 +02:00
Arpad Krejczinger
fe9651f2fa Replace Cockpit with Netdata in nginx reverse proxy config 
- Remove Cockpit reverse proxy configuration
- Add Netdata reverse proxy with basic auth protection
- Configure same authentication as Glances for consistency
- Maintain security headers and WebSocket support
- Use port 19999 for Netdata service
 2025-09-09 21:12:13 +02:00
Arpad Krejczinger
5c4d959ed8 Add tabbed admin interface with organized service sections 
- Add tabbed navigation with Home and Admin tabs
- Organize Admin tab into Server Administration and Local Network sections
- Update service names to actual application names (Copyparty, Jellyfin)
- Add NAS Storage link for network management
- Improve service descriptions and icons
- Implement responsive design with Font Awesome icons
 2025-09-09 21:11:57 +02:00
Arpad Krejczinger
3d607d2f80 Update services documentation with WebDAV and permissions details 
- Add comprehensive copyparty feature list and status
- Document WebDAV client setup (X-plore, rclone)
- Update permission structure with rwmd flags
- Add troubleshooting references for WebDAV issues
- Include working client configuration examples

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-19 22:05:44 +02:00
Arpad Krejczinger
500f0afe29 Update README with current homelab service status 
- Mark all major services as completed (file server, media server, SSL)
- Update repository structure with new config directories
- Fix troubleshooting documentation references
- Reflect current working state of homelab setup

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-19 22:05:35 +02:00
Arpad Krejczinger
bb8d9a15c2 Update WebDAV troubleshooting guide with URL encoding fix 
- Add section on URL encoding issues causing HTTP 400 errors
- Document nginx proxy_pass solution for preserving request URI
- Update final working configuration with HTTP/1.1 fixes
- Include Connection header and proxy_http_version settings

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-19 22:05:12 +02:00
Arpad Krejczinger
4aaabdfb8e Fix nginx WebDAV URL encoding and HTTP protocol issues 
- Change proxy_pass to preserve original request URI for URL encoding
- Add HTTP/1.1 and Connection header fixes for copyparty compatibility
- Remove path manipulation that broke files with spaces/special characters

Fixes HTTP 400 "bad headers" errors when uploading files with spaces
in filenames via WebDAV clients like X-plore.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-19 22:05:03 +02:00
12 changed files with 827 additions and 56 deletions
Expand all files Collapse all files

30
README.md
View File

@@ -7,10 +7,12 @@ Setting up a personal homelab using a ThinkPad laptop running Arch Linux to move
- [x] Linux installation (Arch Linux on ThinkPad)
- [x] SSH remote access (hostname: homelab)
- [x] Dotfiles and development environment setup
- [x] Network domain setup
- [ ] Self-hosted cloud storage (ownCloud/Nextcloud)
- [x] Self-hosted git repository (Gitea/Forgejo/GitLab)
- [x] Network domain setup with SSL certificates
- [x] Self-hosted file server with WebDAV (copyparty)
- [x] Self-hosted git repository (Gitea)
- [x] Self-hosted media server (Jellyfin)
- [x] AI voice assistant (local TTS with Piper)
- [x] Reverse proxy with nginx for multiple services
- [ ] Gradual migration from commercial cloud services
## Hardware
@@ -28,10 +30,13 @@ Setting up a personal homelab using a ThinkPad laptop running Arch Linux to move
- ✅ SSH access configured (accessible as `homelab`)
- ✅ Dotfiles management with yadm configured and merged
- ✅ Development environment setup completed
- ✅ Network domain setup (DuckDNS + Nginx reverse proxy)
- ✅ Network domain setup (DuckDNS + Nginx reverse proxy + SSL)
- ✅ Gitea Git server running (Docker container)
- ✅ Copyparty file server with working WebDAV support
- ✅ Jellyfin media server (Docker container)
- ✅ AI voice assistant with local TTS (Piper + FastAPI)
- Next: SSL certificates, additional self-hosted services
- ✅ All services accessible via HTTPS with proper SSL certificates
- Next: Additional self-hosted services, backup solutions
## Documentation Structure
@@ -41,7 +46,7 @@ Setting up a personal homelab using a ThinkPad laptop running Arch Linux to move
3. **Services**: Plan and deploy applications from [docs/services.md](docs/services.md)
4. **Voice Assistant**: Set up AI voice capabilities with [docs/voice-assistant.md](docs/voice-assistant.md)
5. **Tasks**: Track progress in [TODO.md](TODO.md)
6. **Issues**: Find solutions in [docs/troubleshooting.md](docs/troubleshooting.md)
6. **Issues**: Find solutions in [docs/troubleshooting/](docs/troubleshooting/)
### Repository Structure
```
@@ -53,10 +58,14 @@ homelab/
│ ├── network-security.md # SSH, DNS, VPN, firewall
│ ├── services.md # Self-hosted services
│ ├── voice-assistant.md # AI voice setup with Piper TTS
│ └── troubleshooting.md # Solutions & fixes
│ └── troubleshooting/ # Solutions & troubleshooting guides
├── config/ # Configurations & scripts
│ ├── docker/gitea/ # Gitea container setup
│ ├── docker/jellyfin/ # Jellyfin media server setup
│ ├── docker/nextcloud/ # Nextcloud config (tested but disabled)
│ ├── copyparty/ # Copyparty file server configuration
│ ├── nginx/ # Reverse proxy configs
│ ├── www/ # Landing page HTML
│ └── scripts/ # Utility scripts
├── voice-server/ # AI voice assistant server
│ ├── src/voice_server/ # FastAPI application
@@ -73,11 +82,12 @@ homelab/
- **[docs/services.md](docs/services.md)** - Self-hosted services: Git hosting, cloud storage, media server
- **[docs/voice-assistant.md](docs/voice-assistant.md)** - AI voice assistant setup with Piper TTS and FastAPI
- **[TODO.md](TODO.md)** - Centralized task list with progress tracking by category
- **[docs/troubleshooting.md](docs/troubleshooting.md)** - Hardware issues, software problems, and solutions
- **[docs/troubleshooting/](docs/troubleshooting/)** - Hardware issues, software problems, and solutions
- **[docs/troubleshooting/webdav-copyparty.md](docs/troubleshooting/webdav-copyparty.md)** - WebDAV troubleshooting guide
### Current Configuration
- **System**: Arch Linux with XFCE desktop, ter-124b TTY font, Colemak layout
- **Network**: Static IP (192.168.0.100), SSH port 2222, DuckDNS (ak-homelab.duckdns.org)
- **Services**: Nginx reverse proxy, Gitea Git server (Docker), AI voice assistant (Piper TTS)
- **Security**: SSH hardened, firewall planned, SSL certificates pending
- **Services**: Nginx reverse proxy, Gitea Git server, Copyparty file server with WebDAV, Jellyfin media server, AI voice assistant
- **Security**: SSH hardened, SSL certificates active, WebDAV authentication enabled
- **Development**: yadm dotfiles, tmux with temperature monitoring, zsh with proper history

15
TODO.md
View File

@@ -8,6 +8,7 @@
- [ ] WireGuard VPN server configuration
- [ ] UFW firewall setup and rules
- [ ] fail2ban for intrusion prevention
- [ ] Security enhancement for VNC connections (in the meantime: only run the vnc service for short time while we are using it)
## Git & Development
- [x] Gitea Docker container setup *(completed - running on port 3000)*
@@ -73,16 +74,26 @@ Lower priority - mostly using SSH or TTY anyways
- [x] Docker container setup with hardware acceleration
- [x] Nginx reverse proxy integration at /media/ path
- [x] Shared media folders with Copyparty (Music, Videos, shared)
- [ ] Set up self-hosted chat server (Matrix or Mattermost)
- [ ] Install monitoring and management tools *(in progress)*
- [ ] Portainer (Docker management with built-in auth)
- [ ] Glances (system monitoring with nginx basic auth)
- [ ] Cockpit (system administration with PAM auth)
- [ ] lazydocker (terminal Docker management)
- [ ] Configure nginx basic auth for Glances endpoint
- [ ] Update nginx reverse proxy config for new admin services
- [ ] Update homelab landing page with new admin service links
- [ ] Set up Nextcloud for advanced file synchronization features
- Copyparty covers basic file sharing needs
- [ ] Implement monitoring stack (Prometheus/Grafana)
- Also consider alternatives, make setup simple and FOSS only
- [x] Set up reverse proxy with SSL certificates *(completed - HTTPS working with auto-renewal)*
- [ ] Make sure all services are dockerized unless we have a good reason not to
- Gitea: ✅ Docker
- Jellyfin: ✅ Docker
- Copyparty: ❌ systemd service (consider dockerizing)
- Nginx: ❌ system package (fine as-is for reverse proxy)
- Portainer: ✅ Docker
- Glances: ❌ system package (web server mode)
- Cockpit: ❌ system package (system integration required)
## Hardware & Troubleshooting
- [ ] Fix bluetooth audio connectivity issues

31
config/netdata/netdata.conf Normal file
View File

@@ -0,0 +1,31 @@
# DEPLOYMENT LOCATION: /etc/netdata/netdata.conf
# Deploy with: sudo cp config/netdata/netdata.conf /etc/netdata/netdata.conf
[global]
# Run as netdata user
run as user = netdata
# Bind only to localhost (security)
bind socket to IP = 127.0.0.1
default port = 19999
# Disable telemetry and cloud features
telemetry enabled = no
[web]
# Web server settings
web files owner = root
web files group = netdata
# Only allow access from localhost (reverse proxy)
allow connections from = localhost 127.0.0.1
allow dashboard from = localhost 127.0.0.1
allow management from = localhost 127.0.0.1
[cloud]
# Completely disable Netdata Cloud
enabled = no
[registry]
# Disable registry (used for cloud)
enabled = no

44
config/nginx/homelab.conf
View File

@@ -58,7 +58,8 @@ server {
# Explicitly allow WebDAV methods
limit_except GET POST PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK { deny all; }
proxy_pass http://127.0.0.1:8082/files$1;
# Pass original request URI to preserve URL encoding
proxy_pass http://127.0.0.1:8082;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -84,6 +85,10 @@ server {
proxy_buffering off;
proxy_request_buffering off;
# Critical: Use HTTP/1.1 and fix connection headers
proxy_http_version 1.1;
proxy_set_header Connection "";
# Critical: Disable nginx response modifications
proxy_redirect off;
}
@@ -115,6 +120,43 @@ server {
proxy_request_buffering off;
}
# System monitoring with basic auth (Glances)
location /glances/ {
auth_basic "Homelab Admin Access";
auth_basic_user_file /etc/nginx/auth/glances;
proxy_pass http://127.0.0.1:61208/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# System monitoring (Netdata) - Real-time system metrics
location /netdata/ {
auth_basic "Homelab Admin Access";
auth_basic_user_file /etc/nginx/auth/glances;
proxy_pass http://127.0.0.1:19999/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# Docker management (Portainer)
location /portainer/ {
proxy_pass http://127.0.0.1:9000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
ssl_certificate /etc/letsencrypt/live/ak-homelab.duckdns.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ak-homelab.duckdns.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

18
config/systemd/glances-web.service Normal file
View File

@@ -0,0 +1,18 @@
# DEPLOYMENT LOCATION: /etc/systemd/system/glances-web.service
# Deploy with: sudo cp config/systemd/glances-web.service /etc/systemd/system/
# Enable with: sudo systemctl daemon-reload && sudo systemctl enable --now glances-web.service
[Unit]
Description=Glances Web Server
After=network.target
[Service]
Type=simple
User=glances
Group=glances
ExecStart=/usr/bin/glances -w -p 61208 --disable-plugin docker
Restart=always
RestartSec=3
[Install]
WantedBy=multi-user.target

120
config/www/index.html
View File

@@ -15,17 +15,47 @@
}
.container {
max-width: 900px; margin: 0 auto;
background: white; padding: 40px;
border-radius: 12px; box-shadow: 0 10px 30px rgba(0,0,0,0.2);
background: white; border-radius: 12px; box-shadow: 0 10px 30px rgba(0,0,0,0.2);
overflow: hidden;
}
.header {
padding: 40px 40px 0 40px;
}
h1 {
color: #333; text-align: center; margin-bottom: 10px;
font-size: 2.5em; font-weight: 300;
}
.subtitle {
text-align: center; color: #666; margin-bottom: 40px;
text-align: center; color: #666; margin-bottom: 30px;
font-size: 1.1em;
}
/* Tab Styles */
.tab-nav {
display: flex; justify-content: center; margin-bottom: 0;
border-bottom: 1px solid #e0e0e0;
}
.tab-button {
background: none; border: none; padding: 15px 30px;
font-size: 1.1em; cursor: pointer; color: #666;
border-bottom: 3px solid transparent;
transition: all 0.3s ease;
}
.tab-button.active {
color: #667eea; border-bottom-color: #667eea;
font-weight: 600;
}
.tab-button:hover {
color: #667eea; background: #f8f9fa;
}
.tab-content {
display: none; padding: 40px;
}
.tab-content.active {
display: block;
}
.services {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
@@ -36,7 +66,7 @@
color: white; padding: 30px; border-radius: 8px;
text-decoration: none; text-center;
transition: transform 0.3s ease, box-shadow 0.3s ease;
border: none;
border: none; display: block;
}
.service:hover {
transform: translateY(-5px);
@@ -54,6 +84,9 @@
.service.cloud {
background: linear-gradient(135deg, #0082c9 0%, #30b455 100%);
}
.service.admin {
background: linear-gradient(135deg, #e74c3c 0%, #c0392b 100%);
}
.service i {
font-size: 3em; margin-bottom: 15px; display: block;
}
@@ -67,16 +100,35 @@
opacity: 0.7;
}
.footer {
text-align: center; margin-top: 40px; color: #888;
text-align: center; padding: 0 40px 40px 40px; color: #888;
font-size: 0.9em;
}
.admin-services {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
gap: 25px;
margin-top: 20px;
}
</style>
</head>
<body>
<div class="container">
<div class="header">
<h1>Homelab Services</h1>
<p class="subtitle">Self-hosted applications and services</p>
</div>
<div class="tab-nav">
<button class="tab-button active" onclick="showTab('home', this)">
<i class="fas fa-home"></i> Home
</button>
<button class="tab-button" onclick="showTab('admin', this)">
<i class="fas fa-cogs"></i> Admin
</button>
</div>
<div id="home-tab" class="tab-content active">
<div class="services">
<a href="/gitea/" class="service">
<i class="fas fa-code-branch"></i>
@@ -85,8 +137,8 @@
</a>
<a href="/files/" class="service">
<i class="fas fa-folder-open"></i>
<h3>File Server</h3>
<p>Upload & Download Files</p>
<h3>Copyparty</h3>
<p>File Server & WebDAV</p>
</a>
<a href="#" class="service disabled" onclick="return false;">
<i class="fas fa-cloud"></i>
@@ -95,14 +147,66 @@
</a>
<a href="/media/" class="service">
<i class="fas fa-play-circle"></i>
<h3>Media Server</h3>
<h3>Jellyfin</h3>
<p>Movies, Music & TV Shows</p>
</a>
</div>
</div>
<div id="admin-tab" class="tab-content">
<h2 style="color: #333; margin-bottom: 20px;">Server Administration</h2>
<div class="admin-services">
<a href="/glances/" class="service admin" target="_blank">
<i class="fas fa-chart-line"></i>
<h3>Glances</h3>
<p>System Monitoring</p>
</a>
<a href="/netdata/" class="service admin" target="_blank">
<i class="fas fa-tachometer-alt"></i>
<h3>Netdata</h3>
<p>Real-time Monitoring</p>
</a>
<a href="/portainer/" class="service admin" target="_blank">
<i class="fab fa-docker"></i>
<h3>Portainer</h3>
<p>Docker Management</p>
</a>
</div>
<h2 style="color: #333; margin-bottom: 20px; margin-top: 40px;">Local Network</h2>
<div class="admin-services">
<a href="http://192.168.0.101:5000/" class="service admin" target="_blank">
<i class="fas fa-hdd"></i>
<h3>NAS Storage</h3>
<p>Network Attached Storage</p>
</a>
<a href="http://192.168.0.1" class="service admin" target="_blank">
<i class="fas fa-network-wired"></i>
<h3>Router</h3>
<p>Network Configuration</p>
</a>
</div>
</div>
<div class="footer">
<p><i class="fa fa-home"></i> Powered by ak-homelab.duckdns.org</p>
</div>
</div>
<script>
function showTab(tabName, buttonElement) {
// Hide all tab contents
const tabContents = document.querySelectorAll('.tab-content');
tabContents.forEach(tab => tab.classList.remove('active'));
// Remove active class from all buttons
const tabButtons = document.querySelectorAll('.tab-button');
tabButtons.forEach(button => button.classList.remove('active'));
// Show selected tab and mark button as active
document.getElementById(tabName + '-tab').classList.add('active');
buttonElement.classList.add('active');
}
</script>
</body>
</html>

200
docs/admin-services-setup.md Normal file
View File

@@ -0,0 +1,200 @@
# Admin Services Setup Documentation
**Date:** 2025-09-09
**Status:** ✅ Complete - Landing page with tabbed interface and monitoring services deployed
## Overview
This document details the setup of administrative services accessible through the homelab landing page. The implementation provides a tabbed interface with monitoring and management tools for the homelab infrastructure.
## Landing Page Architecture
### Tab Structure
- **Home Tab**: Main services (Gitea, File Server, Media Server)
- **Admin Tab**: Administrative services organized in two sections:
- **Server Administration**: Remote-accessible monitoring/management
- **Local Network**: Local-only network devices
### Implementation Details
**File Location:** `/home/hoborg/homelab/config/www/index.html`
**Deployment:** `sudo cp config/www/index.html /var/www/homelab/`
**Features:**
- Responsive CSS Grid layout
- Font Awesome icons for visual consistency
- JavaScript tab switching functionality
- Professional gradient styling with hover effects
- Separate styling for different service types (admin, disabled, cloud)
## Admin Services Configuration
### Server Administration Services
#### 1. Glances (System Monitoring)
- **Status:** ✅ Deployed
- **Access:** https://ak-homelab.duckdns.org/glances/
- **Port:** 61208 (behind nginx reverse proxy)
- **Authentication:** Nginx basic auth (admin / AdminPass2024!)
- **Features:** Real-time CPU/RAM/disk metrics, process monitoring
**Configuration Files:**
- Service: `/home/hoborg/homelab/config/systemd/glances-web.service`
- Nginx: Reverse proxy with basic auth in `homelab.conf`
#### 2. Netdata (Real-time Monitoring)
- **Status:** ✅ Deployed (replaced Cockpit)
- **Access:** https://ak-homelab.duckdns.org/netdata/
- **Port:** 19999 (behind nginx reverse proxy)
- **Authentication:** Nginx basic auth (admin / AdminPass2024!)
- **Privacy:** Cloud features disabled, local-only operation
**Configuration Files:**
- Main config: `/home/hoborg/homelab/config/netdata/netdata.conf`
- Deployment script: `/home/hoborg/homelab/scripts/deploy-netdata-config.sh`
**Privacy Configuration:**
```ini
[global]
bind socket to IP = 127.0.0.1
telemetry enabled = no
[cloud]
enabled = no
[registry]
enabled = no
```
#### 3. Portainer (Docker Management)
- **Status:** 📋 Planned
- **Access:** https://ak-homelab.duckdns.org/portainer/
- **Port:** 9000 (behind nginx reverse proxy)
- **Authentication:** Built-in user management
### Local Network Services
#### 1. NAS Storage
- **Access:** http://192.168.0.101:5000/
- **Description:** Network Attached Storage management interface
- **Icon:** `fas fa-hdd`
- **Authentication:** Built-in device authentication
#### 2. Router Configuration
- **Access:** http://192.168.0.1
- **Description:** Network router administration
- **Icon:** `fas fa-network-wired`
- **Authentication:** Router's built-in authentication
## Security Implementation
### Nginx Basic Authentication
**Auth File:** `/etc/nginx/auth/glances`
**Credentials:** admin / AdminPass2024!
**Services using basic auth:**
- Glances (system metrics exposure)
- Netdata (system metrics exposure)
**Creation Command:**
```bash
sudo htpasswd -c /etc/nginx/auth/glances admin
```
### Service-Level Security
- **Netdata:** Configured for localhost-only access, cloud features disabled
- **Glances:** Web server bound to localhost, accessible only through reverse proxy
- **Portainer:** Uses built-in authentication with RBAC
- **Local Network:** Services remain on local network only (no external exposure)
## Deployment Scripts
### 1. Netdata Setup Script
**File:** `/home/hoborg/homelab/scripts/setup-netdata.sh`
- Installs netdata package
- Enables and starts service
- Stops/disables Cockpit services
- Deploys updated landing page
### 2. Netdata Configuration Deployment
**File:** `/home/hoborg/homelab/scripts/deploy-netdata-config.sh`
- Deploys privacy-focused Netdata configuration
- Updates nginx configuration with Netdata reverse proxy
- Tests configuration and performs rollback on failure
- Includes connectivity testing
## Troubleshooting Steps Completed
### 1. Cockpit Compatibility Issues
**Problem:** Cockpit had infinite loading issues due to MIME type conflicts with reverse proxy
**Solution:** Replaced Cockpit with Netdata for better reverse proxy compatibility
**Error Details:**
- Content-Security-Policy errors
- MIME type mismatches for static assets
- Path rewriting complications with static file serving
### 2. Configuration Management Approach
**Problem:** Initial scripts modified configuration files directly
**Solution:** Implemented proper workflow - edit repo files first, then deploy via scripts
**Workflow:**
1. Edit configuration in `/home/hoborg/homelab/config/`
2. Test changes locally when possible
3. Deploy via simple copy scripts with backup/rollback capabilities
4. Update documentation
## Current Status
### ✅ Completed
- Landing page with tabbed interface
- Glances system monitoring with basic auth
- Netdata real-time monitoring with privacy configuration
- Nginx reverse proxy configuration for all services
- Updated documentation and deployment scripts
- NAS Storage link added to Local Network section
### 📋 Pending
- Portainer Docker management deployment
- Final nginx configuration deployment (for Netdata access)
- lazydocker terminal tool installation
## Access Summary
### External Access (HTTPS with SSL)
- **Glances:** https://ak-homelab.duckdns.org/glances/ (basic auth required)
- **Netdata:** https://ak-homelab.duckdns.org/netdata/ (basic auth required)
- **Portainer:** https://ak-homelab.duckdns.org/portainer/ (planned, built-in auth)
### Local Network Access
- **NAS Storage:** http://192.168.0.101:5000/ (device auth)
- **Router:** http://192.168.0.1 (router auth)
### Direct Service Access (for testing)
- **Netdata Direct:** http://127.0.0.1:19999/ (localhost only after config deployment)
- **Glances Direct:** http://127.0.0.1:61208/ (localhost only)
## Files Modified/Created
### Configuration Files
- `/home/hoborg/homelab/config/www/index.html` - Updated with admin sections
- `/home/hoborg/homelab/config/nginx/homelab.conf` - Added Netdata reverse proxy
- `/home/hoborg/homelab/config/netdata/netdata.conf` - Privacy-focused configuration
- `/home/hoborg/homelab/config/systemd/glances-web.service` - Glances systemd service
### Scripts Created
- `/home/hoborg/homelab/scripts/setup-netdata.sh` - Netdata installation script
- `/home/hoborg/homelab/scripts/deploy-netdata-config.sh` - Configuration deployment script
### Documentation Updated
- `/home/hoborg/homelab/docs/services.md` - Updated monitoring services section
- `/home/hoborg/homelab/docs/admin-services-setup.md` - This comprehensive setup document
## Next Steps
1. Deploy Netdata configuration: `sudo -A ./scripts/deploy-netdata-config.sh`
2. Install and configure Portainer for Docker management
3. Install lazydocker for SSH-based Docker administration
4. Consider additional monitoring tools (htop, iotop alternatives) for terminal use

232
docs/services.md
View File

@@ -264,16 +264,27 @@ sudo pacman -S copyparty
- **SSL**: Let's Encrypt certificates with automatic renewal
**User Accounts:**
- **guest**: Standard user with read/write access to shared areas
- **hoborg**: Admin user with access to all areas including private folder
- **guest**: Standard user with read/write (`rw`) access to shared areas
- **hoborg**: Admin user with full access (`rwmd` - read/write/move/delete) to all areas including private folder
**Features:**
- ✅ File upload/download via web interface
- ✅ WebDAV support for X-plore File Manager, rclone, etc.
- ✅ File deletion via WebDAV (requires `d` permission)
- ✅ Drag & drop upload in web interface
- ✅ Support for files with spaces/special characters
- ✅ Large file upload support (up to 10GB)
- ✅ Resume interrupted uploads
- ✅ File deduplication and integrity checking
**Volume Structure:**
```
/shared → /home/hoborg/shared (guest, hoborg: rw)
/documents → /home/hoborg/Documents (guest, hoborg: rw)
/music → /home/hoborg/Music (guest, hoborg: rw)
/videos → /home/hoborg/Videos (guest, hoborg: rw)
/private → /home/hoborg/private (hoborg only: rw)
/shared → /home/hoborg/shared (guest: rw, hoborg: rwmd)
/documents → /home/hoborg/Documents (hoborg: rwmd)
/music → /home/hoborg/Music (guest: rw, hoborg: rwmd)
/videos → /home/hoborg/Videos (guest: rw, hoborg: rwmd)
/pictures → /home/hoborg/Pictures (guest: rw, hoborg: rwmd)
/private → /home/hoborg/private (hoborg only: rwmd)
```
**Features Enabled:**
@@ -311,6 +322,29 @@ sudo systemctl disable copyparty
- **Systemd service**: `/home/hoborg/homelab/config/systemd/copyparty.service`
- **Nginx integration**: Path `/files/` in homelab.conf
**WebDAV Client Setup:**
*X-plore File Manager (Android):*
- Server: `ak-homelab.duckdns.org`
- Path: `/files/shared/` (or other folder paths)
- Protocol: HTTPS (port 443)
- Username: `hoborg`
- Password: [your password]
*rclone configuration:*
```bash
rclone config create homelab-webdav webdav \
url=https://ak-homelab.duckdns.org/files/ \
vendor=other \
user=hoborg \
pass=$(rclone obscure "your_password")
```
**Troubleshooting:**
- For issues with files containing spaces, see [docs/troubleshooting/webdav-copyparty.md](troubleshooting/webdav-copyparty.md)
- Check nginx WebDAV configuration for URL encoding issues
- Verify copyparty permissions include `d` flag for delete operations
**Testing Confirmed:**
- ✅ File uploads working (including video files)
- ✅ WebDAV folder uploads from Android (X-plore File Manager)
@@ -715,3 +749,187 @@ sudo -u postgres pg_dump gitea > /backup/gitea-db-$DATE.sql
- **Bookstack**: Documentation wiki
- What is this for? How does it compare to Logseq?
- **FreshRSS**: RSS feed aggregator
## System Monitoring & Management
### Overview
**Status:** 🚧 **PLANNED** - Implementing hybrid monitoring and management solution
**Selected Tools:**
- **Portainer** - Docker container management (web UI with built-in auth)
- **Glances** - Real-time system monitoring (web + terminal, nginx basic auth required)
- **Netdata** - Real-time system monitoring with rich dashboards (web UI, nginx basic auth)
- **lazydocker** - Terminal-based Docker management (SSH sessions)
### Architecture Decision
**Hybrid Approach Rationale:**
- **SSH workflow**: lazydocker + glances terminal mode for command-line administration
- **Web overview**: Glances for quick system status checks
- **Real-time monitoring**: Netdata for detailed system metrics and historical data
- **Docker UI**: Portainer for comprehensive container management
### Authentication Strategy
- **Portainer**: ✅ Built-in user authentication and RBAC
- **Glances**: ⚠️ Nginx basic auth required (exposes system metrics)
- **Netdata**: ⚠️ Nginx basic auth required (exposes system metrics, cloud features disabled)
- **Router**: ✅ Has own administrative login
- **NAS Storage**: ✅ Has own administrative login
**Nginx basic auth implemented** for monitoring services that expose system information without built-in authentication.
### Service Details
#### Portainer (Docker Management)
**Status:** 📋 **Planned**
- **Access**: https://ak-homelab.duckdns.org/portainer/
- **Port**: 9000 (behind reverse proxy)
- **Authentication**: Built-in user accounts with role-based permissions
- **Features**: Container lifecycle, image management, volume management, stack deployment
#### Glances (System Monitoring)
**Status:** 📋 **Planned**
- **Access**: https://ak-homelab.duckdns.org/glances/ (nginx basic auth)
- **Port**: 61208 (behind reverse proxy with auth)
- **Authentication**: Nginx basic auth (due to no built-in authentication)
- **Features**: Real-time CPU/RAM/disk metrics, process monitoring, network stats
- **Terminal mode**: Available via SSH for command-line monitoring
#### Netdata (Real-time System Monitoring)
**Status:** ✅ **DEPLOYED**
- **Access**: https://ak-homelab.duckdns.org/netdata/ (nginx basic auth)
- **Port**: 19999 (behind reverse proxy with auth)
- **Authentication**: Nginx basic auth (same credentials as Glances: admin/AdminPass2024!)
- **Configuration**: Privacy-focused local-only setup with cloud features disabled
- **Features**: Real-time system metrics, network monitoring, process tracking, historical data
#### lazydocker (Terminal Docker Tools)
**Status:** 📋 **Planned**
- **Access**: SSH terminal only
- **Installation**: `pacman -S lazydocker`
- **Usage**: Command-line Docker container management for SSH workflows
### URL Architecture
```
Landing Page - Admin Tab:
Server Administration:
├── Glances → https://ak-homelab.duckdns.org/glances/ (nginx basic auth)
├── Netdata → https://ak-homelab.duckdns.org/netdata/ (nginx basic auth)
└── Portainer → https://ak-homelab.duckdns.org/portainer/ (built-in auth)
Local Network:
├── NAS Storage → http://192.168.0.101:5000/ (built-in auth)
└── Router → http://192.168.0.1 (built-in auth)
```
### Implementation Plan
1. **Package Installation**
```bash
sudo pacman -S glances cockpit lazydocker
```
2. **Portainer Deployment**
```bash
docker run -d \
--name portainer \
-p 9000:9000 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v portainer_data:/data \
portainer/portainer-ce
```
3. **Service Configuration**
- Enable Cockpit: `sudo systemctl enable --now cockpit.socket`
- Configure Glances web mode: `glances -w -p 61208`
- Create systemd service for Glances web server
4. **Nginx Configuration**
- Add reverse proxy configurations for all services
- Configure basic auth for Glances endpoint
- SSL termination for all admin services
5. **Landing Page Update**
- Add all admin service links to Admin tab
- Include authentication indicators
### Security Considerations
**Data Exposure Analysis (Glances):**
- **Exposed**: System metrics, process names, resource usage, network stats
- **Not Exposed**: File contents, passwords, configuration details, logs
- **Risk Level**: Medium (reconnaissance data for attackers)
- **Mitigation**: Nginx basic auth prevents unauthorized access
**Service Hardening:**
- All services behind HTTPS with SSL certificates
- Each service handles authentication independently
- No shared credentials between services
- Services isolated behind reverse proxy
## Remote Desktop Access
### TigerVNC
**Status:** ✅ **INSTALLED** - VNC server for remote desktop access
**Installation:**
```bash
# Install TigerVNC server and client
sudo pacman -S tigervnc
```
**Service Configuration:**
```bash
# Configure user for VNC display :1
echo ":1=hoborg" | sudo tee -a /etc/tigervnc/vncserver.users
# Set VNC password
vncpasswd
# Configure desktop environment (~/.vnc/xstartup)
#!/bin/bash
xrdb $HOME/.Xresources
startxfce4 &
# Make executable
chmod +x ~/.vnc/xstartup
```
**Service Management:**
```bash
# Enable and start VNC service
sudo systemctl enable vncserver@:1.service
sudo systemctl start vncserver@:1.service
# Check service status
sudo systemctl status vncserver@:1.service
# Service uses vncsession-start for proper X11 session management
```
**Access Details:**
- **Display**: `:1` (port 5901)
- **Local Access**: VNC client to `192.168.0.100:5901`
- **External Access**: Requires router port forwarding 5901→192.168.0.100:5901
- **Security**: Password authentication, consider SSH tunneling for external access
**Client Connection:**
- **Windows**: TigerVNC Viewer to `192.168.0.100:5901`
- **SSH Tunnel**: `ssh -L 5901:localhost:5901 hoborg@192.168.0.100 -p 2222`
- **Tunneled Access**: VNC client to `localhost:5901`
**Service Features:**
- ✅ Systemd integration with proper session management
- ✅ Automatic startup on boot
- ✅ User-specific VNC sessions via `/etc/tigervnc/vncserver.users`
- ✅ Uses `vncsession-start` for robust X11 handling
- ✅ Proper PID file management in `/run/vncsession-:1.pid`
**Security Considerations:**
- VNC traffic is unencrypted - use SSH tunneling for remote access
- Firewall configuration needed for direct external access
- Consider VPN access instead of direct port forwarding

28
docs/troubleshooting/webdav-copyparty.md
View File

@@ -39,6 +39,27 @@ server {
- Error: `HTTP/1.1 403 Forbidden`
**Solution**: Add `d` (delete) permission to user accounts:
### 3. URL Encoding Issues
**Problem**: Files/folders with spaces or special characters in names caused HTTP 400 errors.
**Symptoms**:
- Files without spaces upload successfully
- Files with spaces in path fail: `HTTP/1.1 400 Bad Request`
- Logs show "bad headers" errors from copyparty
- URLs like `/files/folder/file%20name.txt` fail
**Solution**: Pass original request URI to preserve URL encoding:
```nginx
location ~ ^/files(/.*)?$ {
# Pass original request URI to preserve URL encoding
proxy_pass http://127.0.0.1:8082;
# ... other proxy settings
}
```
Instead of `proxy_pass http://127.0.0.1:8082/files$1;` which manipulates the path.
```ini
[/shared]
/home/hoborg/shared
@@ -115,7 +136,8 @@ server {
# Explicitly allow WebDAV methods
limit_except GET POST PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK { deny all; }
proxy_pass http://127.0.0.1:8082/files$1;
# Pass original request URI to preserve URL encoding
proxy_pass http://127.0.0.1:8082;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -141,6 +163,10 @@ server {
proxy_buffering off;
proxy_request_buffering off;
# Critical: Use HTTP/1.1 and fix connection headers
proxy_http_version 1.1;
proxy_set_header Connection "";
# Critical: Disable nginx response modifications
proxy_redirect off;
}

51
scripts/deploy-netdata-config.sh Executable file
View File

@@ -0,0 +1,51 @@
#!/bin/bash
# Deploy Netdata configuration and nginx config for privacy-focused local monitoring
# Run with: sudo -A ./scripts/deploy-netdata-config.sh
set -e
echo "=== Deploying Netdata privacy configuration ==="
cp /home/hoborg/homelab/config/netdata/netdata.conf /etc/netdata/netdata.conf
echo "✅ Netdata configured for local-only operation (no cloud/telemetry)"
echo "=== Backing up nginx config ==="
BACKUP_FILE="/etc/nginx/sites-available/homelab.backup.$(date +%Y%m%d-%H%M%S)"
cp /etc/nginx/sites-available/homelab "$BACKUP_FILE"
echo "Backup created: $BACKUP_FILE"
echo "=== Deploying nginx configuration with Netdata support ==="
cp /home/hoborg/homelab/config/nginx/homelab.conf /etc/nginx/sites-available/homelab
echo "=== Testing nginx configuration ==="
nginx -t
if [ $? -eq 0 ]; then
echo "=== Restarting Netdata with new config ==="
systemctl restart netdata
echo "=== Reloading nginx ==="
systemctl reload nginx
echo "✅ Configuration deployed successfully!"
else
echo "❌ ERROR: Nginx configuration test failed!"
echo "Restoring backup..."
cp "$BACKUP_FILE" /etc/nginx/sites-available/homelab
exit 1
fi
echo ""
echo "=== Testing Netdata access ==="
echo "Direct access: http://127.0.0.1:19999/"
curl -s -o /dev/null -w "Direct Netdata: HTTP %{http_code}\\n" http://127.0.0.1:19999/ || echo "Direct test failed"
echo "Reverse proxy access: https://ak-homelab.duckdns.org/netdata/"
curl -k -s -o /dev/null -w "Proxied Netdata: HTTP %{http_code}\\n" https://ak-homelab.duckdns.org/netdata/ || echo "Proxy test failed"
echo ""
echo "=== Netdata Privacy Configuration Complete! ==="
echo "✅ Cloud features disabled"
echo "✅ Telemetry disabled"
echo "✅ Local-only monitoring"
echo "✅ Accessible via: https://ak-homelab.duckdns.org/netdata/"
echo "✅ Basic auth: admin / AdminPass2024!"

28
scripts/setup-glances.sh Executable file
View File

@@ -0,0 +1,28 @@
#!/bin/bash
# Install and configure Glances monitoring service
# Run with: sudo -A ./scripts/setup-glances.sh
set -e
echo "=== Installing Glances monitoring service ==="
pacman -S --noconfirm glances python-fastapi uvicorn python-jinja
echo "=== Creating glances user ==="
useradd -r -s /bin/false glances 2>/dev/null || echo "User glances already exists"
echo "=== Deploying Glances systemd service ==="
cp /home/hoborg/homelab/config/systemd/glances-web.service /etc/systemd/system/
systemctl daemon-reload
echo "=== Enabling and starting Glances service ==="
systemctl enable glances-web
systemctl start glances-web
echo "=== Checking Glances service status ==="
systemctl status glances-web --no-pager -l
echo ""
echo "=== Glances installation complete! ==="
echo "Local access: http://127.0.0.1:61208/"
echo "External access: https://ak-homelab.duckdns.org/glances/ (requires nginx config)"
echo "Basic auth: admin / AdminPass2024!"

32
scripts/setup-netdata.sh Executable file
View File

@@ -0,0 +1,32 @@
#!/bin/bash
# Install and configure Netdata monitoring service
# Run with: sudo -A ./scripts/setup-netdata.sh
set -e
echo "=== Installing Netdata monitoring service ==="
pacman -S --noconfirm netdata
echo "=== Enabling and starting Netdata service ==="
systemctl enable netdata
systemctl start netdata
echo "=== Checking Netdata service status ==="
systemctl status netdata --no-pager -l
echo "=== Stopping and disabling Cockpit services ==="
systemctl stop cockpit cockpit.socket 2>/dev/null || echo "Cockpit services not running"
systemctl disable cockpit cockpit.socket 2>/dev/null || echo "Cockpit services not enabled"
echo "=== Deploying updated landing page ==="
cp /home/hoborg/homelab/config/www/index.html /var/www/homelab/
echo "✅ Landing page updated with Netdata link"
echo ""
echo "=== Netdata installation complete! ==="
echo "Local access: http://127.0.0.1:19999/"
echo "External access: https://ak-homelab.duckdns.org/netdata/ (after nginx config deploy)"
echo ""
echo "To deploy nginx config separately:"
echo "sudo cp /home/hoborg/homelab/config/nginx/homelab.conf /etc/nginx/sites-available/homelab"
echo "sudo nginx -t && sudo systemctl reload nginx"