Update geoip-shell documentation with implementation details

- Document interactive installation process
- Add complete EU country whitelist configuration
- Include setup commands and wizard prompts
- Clarify that geoip-shell was used instead of manual iptables setup

config/copyparty/copyparty.conf

@@ -64,6 +64,12 @@
     rw: guest
     rwmd: hoborg
 
+[/installers]
+  /mnt/nas/installers
+  accs:
+    rw: guest
+    rwmd: hoborg
+
 [/torrent]
   /mnt/nas/torrent
   accs:

config/docker/daemon.json

@@ -1,13 +1,3 @@
-# Docker Daemon Configuration (Minimal Working Version)
-# Deploy to: /etc/docker/daemon.json
-# 
-# Setup commands:
-#   sudo cp config/docker/daemon.json /etc/docker/
-#   sudo systemctl restart docker
-#
-# Note: Removed problematic security settings that caused read-only filesystem issues.
-# Only keeping essential logging configuration.
-
 {
   "log-driver": "json-file",
   "log-opts": {

config/docker/portainer/docker-compose.yml

@@ -0,0 +1,50 @@
+# Portainer Docker Compose Configuration
+# Deploy with: sudo mkdir -p /opt/docker/portainer && sudo cp config/docker/portainer/docker-compose.yml /opt/docker/portainer/
+# Start with: cd /opt/docker/portainer && sudo docker-compose up -d
+
+# PORTAINER CONFIGURATION
+# - Web UI for Docker container management
+# - Bound to localhost only (reverse proxy recommended)
+# - Persistent data storage in named volume
+
+services:
+  portainer:
+    image: portainer/portainer-ce:latest
+    container_name: portainer
+    restart: unless-stopped
+
+    # Environment
+    environment:
+      - TZ=Europe/Budapest
+
+    # Network - bind to localhost for security
+    ports:
+      - "127.0.0.1:9000:9000"  # Web UI (reverse proxy only)
+
+    # Volume mounts
+    volumes:
+      # Docker socket for container management
+      - /var/run/docker.sock:/var/run/docker.sock
+      # Portainer data
+      - portainer_data:/data
+
+    # Resource limits
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 512M
+        reservations:
+          cpus: '0.1'
+          memory: 128M
+
+    # Health check
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:9000/api/status"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+
+volumes:
+  portainer_data:

docs/network-security.md

@@ -386,8 +386,11 @@ sudo fail2ban-client get sshd banned
 - **Last Update:** September 17, 2025 at 00:57:41
 
 ### Whitelisted Countries
+
+**Configuration:** All EU member states plus European territories (full list accepted by geoip-shell)
+
 ```
-AL (Albania), AD (Andorra), AM (Armenia), AT (Austria), AZ (Azerbaijan)
+AL (Albania), AD (Andorra), AM (Armenia), AT (Austria), AX (Åland Islands), AZ (Azerbaijan)
 BY (Belarus), BE (Belgium), BA (Bosnia and Herzegovina), BG (Bulgaria)
 HR (Croatia), CY (Cyprus), CZ (Czech Republic), DK (Denmark)
 EE (Estonia), FO (Faroe Islands), FI (Finland), FR (France)
@@ -440,14 +443,36 @@ journalctl -u geoip-shell
 tail -f /var/log/geoip-shell.log
 ```
 
-### Manual Setup Process
+### Installation and Setup
-The tool was installed manually with interactive prompts rather than scripted installation due to security considerations. Key decisions made during setup:
+
+**Installation Method:** Interactive CLI setup using geoip-shell installer
+
+The tool was configured using its interactive setup wizard, which prompted for configuration choices and automatically applied all necessary changes to the firewall. This approach ensures proper integration with the existing firewall backend.
+
+**Key Configuration Decisions:**
 
 1. **Whitelist Mode:** Chosen over blacklist for better control
-2. **European Focus:** Primary whitelist consists of European countries
+2. **European Focus:** All EU member states plus European territories
-3. **Network Exceptions:** Docker and LAN networks automatically detected
+3. **Country List:** Complete list of countries accepted by geoip-shell
-4. **Dual Stack:** Both IPv4 and IPv6 protection enabled
+4. **Network Exceptions:** Docker and LAN networks automatically detected
-5. **Full Protocol Coverage:** TCP and UDP both protected
+5. **Dual Stack:** Both IPv4 and IPv6 protection enabled
+6. **Full Protocol Coverage:** TCP and UDP both protected
+
+**Setup Command:**
+```bash
+# Download and run installer
+curl -fsSL https://raw.githubusercontent.com/friendly-bits/geoip-shell/main/install.sh | bash
+
+# Run configuration wizard (prompted automatically after install)
+geoip-shell configure
+```
+
+During the interactive setup, the wizard prompted for:
+- Firewall backend selection (iptables chosen)
+- IP list source (RIPE selected)
+- Mode selection (whitelist chosen)
+- Country selection (all EU countries entered)
+- Network interface configuration (all interfaces selected)
 
 ### Detailed Documentation
 For complete setup details, see **[docs/geoip-blocking.md](docs/geoip-blocking.md)**

scripts/setup-docker-symlinks.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+# Set up symlinks for Docker configurations to avoid manual copying
+
+set -e  # Exit on error
+
+echo "==================================================================="
+echo "Docker Configuration Symlink Setup"
+echo "==================================================================="
+echo ""
+
+REPO_ROOT="/home/hoborg/homelab"
+
+# Function to create symlink with backup
+create_symlink() {
+    local service=$1
+    local target=$2
+    local link=$3
+
+    echo "-------------------------------------------------------------------"
+    echo "Setting up: $service"
+    echo "-------------------------------------------------------------------"
+    echo "Target: $target"
+    echo "Link:   $link"
+    echo ""
+
+    # Check if target exists
+    if [ ! -f "$target" ]; then
+        echo "ERROR: Target file does not exist: $target"
+        return 1
+    fi
+
+    # Backup existing file if it's not already a symlink
+    if [ -f "$link" ] && [ ! -L "$link" ]; then
+        backup="${link}.backup.$(date +%Y%m%d_%H%M%S)"
+        echo "Backing up existing file to: $backup"
+        cp "$link" "$backup"
+        rm "$link"
+    elif [ -L "$link" ]; then
+        echo "Removing existing symlink"
+        rm "$link"
+    fi
+
+    # Create symlink
+    ln -s "$target" "$link"
+
+    if [ -L "$link" ]; then
+        echo "✓ Symlink created successfully"
+    else
+        echo "✗ Failed to create symlink"
+        return 1
+    fi
+
+    echo ""
+}
+
+# Gitea docker-compose.yml
+create_symlink "Gitea docker-compose" \
+    "$REPO_ROOT/config/docker/gitea/docker-compose.yml" \
+    "/opt/docker/gitea/docker-compose.yml"
+
+# Jellyfin docker-compose.yml
+create_symlink "Jellyfin docker-compose" \
+    "$REPO_ROOT/config/docker/jellyfin/docker-compose.yml" \
+    "/opt/docker/jellyfin/docker-compose.yml"
+
+# qBittorrent docker-compose.yml
+create_symlink "qBittorrent docker-compose" \
+    "$REPO_ROOT/config/docker/qbittorrent/docker-compose.yml" \
+    "/opt/docker/qbittorrent/docker-compose.yml"
+
+# Portainer docker-compose.yml
+create_symlink "Portainer docker-compose" \
+    "$REPO_ROOT/config/docker/portainer/docker-compose.yml" \
+    "/opt/docker/portainer/docker-compose.yml"
+
+# Docker daemon config
+create_symlink "Docker daemon config" \
+    "$REPO_ROOT/config/docker/daemon.json" \
+    "/etc/docker/daemon.json"
+
+echo "==================================================================="
+echo "Summary"
+echo "==================================================================="
+echo ""
+echo "✓ All symlinks created successfully!"
+echo ""
+echo "Notes:"
+echo "  - Original files backed up with timestamp"
+echo "  - Edit files in $REPO_ROOT/config/docker/"
+echo "  - Changes take effect immediately (no copying needed)"
+echo "  - For daemon.json: restart docker after changes"
+echo "  - For docker-compose: restart containers after changes"
+echo ""
+echo "Verify symlinks:"
+echo "  ls -l /opt/docker/gitea/docker-compose.yml"
+echo "  ls -l /opt/docker/jellyfin/docker-compose.yml"
+echo "  ls -l /opt/docker/qbittorrent/docker-compose.yml"
+echo "  ls -l /opt/docker/portainer/docker-compose.yml"
+echo "  ls -l /etc/docker/daemon.json"
+echo ""