Compare commits


6 Commits

Author SHA1 Message Date
6894c5f175 Update geoip-shell documentation with implementation details
- Document interactive installation process
- Add complete EU country whitelist configuration
- Include setup commands and wizard prompts
- Clarify that geoip-shell was used instead of manual iptables setup
2025-10-06 20:40:27 +02:00
6761c8903d Add Docker configuration symlink setup script
- Automates symlinking of docker-compose.yml files from repo to /opt/docker
- Includes Gitea, Jellyfin, qBittorrent, Portainer
- Symlinks daemon.json to /etc/docker
- Creates timestamped backups before replacing files
- Eliminates need for manual config copying
2025-10-06 20:40:11 +02:00
a8bbf5ea4a Disable Nextcloud service
- Renamed docker-compose.yml to .disabled
- Service can be re-enabled by renaming file back to .yml
- Nextcloud not currently needed with Copyparty in place
2025-10-06 20:39:54 +02:00
fefdc14398 Add Portainer docker-compose configuration
- Web UI for Docker container management
- Bound to localhost (reverse proxy recommended)
- Uses named volume for persistent data
- Configured for Europe/Budapest timezone
- Resource limits and health checks included
2025-10-06 20:39:33 +02:00
802d275d6e Fix Docker daemon config: Remove invalid JSON comments
- Removed comments from daemon.json (JSON doesn't support comments)
- Synced with deployed working version
- Maintains minimal working configuration with logging only
2025-10-06 20:39:21 +02:00
dc16d0302d Add installers folder to copyparty configuration
- New /installers volume for game installers and ISO files
- Accessible to both guest and hoborg users
- Complements existing torrent categorization structure
2025-10-06 20:39:01 +02:00
6 changed files with 189 additions and 18 deletions


@@ -64,6 +64,12 @@
rw: guest
rwmd: hoborg
[/installers]
/mnt/nas/installers
accs:
rw: guest
rwmd: hoborg
[/torrent]
/mnt/nas/torrent
accs:
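Review bot: `rw: guest` on the new `[/installers]` share lets the anonymous guest account write into the directory that holds game installers and ISO files, so anyone who can reach copyparty as guest can replace or plant an installer that other machines will later run. Unless guests genuinely need to upload here, give guest read-only access (`r: guest`) and keep write/modify/delete on `hoborg` only, and consider keeping checksums of the installers outside the share so tampering is detectable.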


@@ -1,17 +1,7 @@
# Docker Daemon Configuration (Minimal Working Version)
# Deploy to: /etc/docker/daemon.json
#
# Setup commands:
# sudo cp config/docker/daemon.json /etc/docker/
# sudo systemctl restart docker
#
# Note: Removed problematic security settings that caused read-only filesystem issues.
# Only keeping essential logging configuration.
{
"log-driver": "json-file",
"log-opts": {
"max-size": "100m",
"max-file": "3"
}
}
}
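Review bot: removing the comments also removes the only record of why this file is logging-only (the note that earlier security settings were dropped because they caused read-only filesystem issues) and the deploy steps (`sudo cp config/docker/daemon.json /etc/docker/`, `sudo systemctl restart docker`); move both into the README or docs/ rather than losing them. Also, as rendered here the file ends with three closing braces against two opening ones; validate with `python3 -m json.tool config/docker/daemon.json` (or `jq .`) before deploying, because an invalid daemon.json stops dockerd from starting.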


@@ -0,0 +1,50 @@
# Portainer Docker Compose Configuration
# Deploy with: sudo mkdir -p /opt/docker/portainer && sudo cp config/docker/portainer/docker-compose.yml /opt/docker/portainer/
# Start with: cd /opt/docker/portainer && sudo docker-compose up -d
# PORTAINER CONFIGURATION
# - Web UI for Docker container management
# - Bound to localhost only (reverse proxy recommended)
# - Persistent data storage in named volume
services:
portainer:
image: portainer/portainer-ce:latest
container_name: portainer
restart: unless-stopped
# Environment
environment:
- TZ=Europe/Budapest
# Network - bind to localhost for security
ports:
- "127.0.0.1:9000:9000" # Web UI (reverse proxy only)
# Volume mounts
volumes:
# Docker socket for container management
- /var/run/docker.sock:/var/run/docker.sock
# Portainer data
- portainer_data:/data
# Resource limits
deploy:
resources:
limits:
cpus: '0.5'
memory: 512M
reservations:
cpus: '0.1'
memory: 128M
# Health check
healthcheck:
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:9000/api/status"]
interval: 30s
timeout: 10s
retries: 3
start_period: 30s
volumes:
portainer_data:
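Review bot: mounting `/var/run/docker.sock` gives this container full control of the Docker daemon (root-equivalent on the host), while `image: portainer/portainer-ce:latest` means that root-equivalent code is whatever the tag resolves to at pull time; pin a specific version or digest (`portainer/portainer-ce:<version>@sha256:<digest>`, placeholder) so upgrades are deliberate and reviewable. Two smaller points: with `docker-compose up -d` (v1) the `deploy.resources` block is ignored unless `--compatibility` is passed, so the stated CPU and memory limits may not actually be in effect; and the healthcheck runs `wget` inside the container, so confirm the image ships it, otherwise the container will be reported unhealthy and `restart: unless-stopped` will not recover it.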


@@ -386,8 +386,11 @@ sudo fail2ban-client get sshd banned
- **Last Update:** September 17, 2025 at 00:57:41
### Whitelisted Countries
**Configuration:** All EU member states plus European territories (full list accepted by geoip-shell)
```
AL (Albania), AD (Andorra), AM (Armenia), AT (Austria), AZ (Azerbaijan)
AL (Albania), AD (Andorra), AM (Armenia), AT (Austria), AX (Åland Islands), AZ (Azerbaijan)
BY (Belarus), BE (Belgium), BA (Bosnia and Herzegovina), BG (Bulgaria)
HR (Croatia), CY (Cyprus), CZ (Czech Republic), DK (Denmark)
EE (Estonia), FO (Faroe Islands), FI (Finland), FR (France)
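Review bot: the heading says "All EU member states plus European territories", but the list visible here includes AL, AM, AZ and BY, none of which are EU members, so the description overstates what the whitelist enforces. Rename it along the lines of "European countries and territories accepted by geoip-shell" and state that this is an allow-list of ISO country codes, so a reader does not assume non-EU traffic is blocked.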
@@ -440,14 +443,36 @@ journalctl -u geoip-shell
tail -f /var/log/geoip-shell.log
```
### Manual Setup Process
The tool was installed manually with interactive prompts rather than scripted installation due to security considerations. Key decisions made during setup:
### Installation and Setup
**Installation Method:** Interactive CLI setup using geoip-shell installer
The tool was configured using its interactive setup wizard, which prompted for configuration choices and automatically applied all necessary changes to the firewall. This approach ensures proper integration with the existing firewall backend.
**Key Configuration Decisions:**
1. **Whitelist Mode:** Chosen over blacklist for better control
2. **European Focus:** Primary whitelist consists of European countries
3. **Network Exceptions:** Docker and LAN networks automatically detected
4. **Dual Stack:** Both IPv4 and IPv6 protection enabled
5. **Full Protocol Coverage:** TCP and UDP both protected
2. **European Focus:** All EU member states plus European territories
3. **Country List:** Complete list of countries accepted by geoip-shell
4. **Network Exceptions:** Docker and LAN networks automatically detected
5. **Dual Stack:** Both IPv4 and IPv6 protection enabled
6. **Full Protocol Coverage:** TCP and UDP both protected
**Setup Command:**
```bash
# Download and run installer
curl -fsSL https://raw.githubusercontent.com/friendly-bits/geoip-shell/main/install.sh | bash
# Run configuration wizard (prompted automatically after install)
geoip-shell configure
```
During the interactive setup, the wizard prompted for:
- Firewall backend selection (iptables chosen)
- IP list source (RIPE selected)
- Mode selection (whitelist chosen)
- Country selection (all EU countries entered)
- Network interface configuration (all interfaces selected)
### Detailed Documentation
For complete setup details, see **[docs/geoip-blocking.md](docs/geoip-blocking.md)**
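Review bot: `curl -fsSL https://raw.githubusercontent.com/friendly-bits/geoip-shell/main/install.sh | bash` executes whatever is on the `main` branch at that moment with no checksum or signature check, for a tool that then rewrites the host firewall rules. Suggest documenting a clone of a tagged release, a read of install.sh, and only then running it, and recording the installed version next to the "Last Update" line so the deployment is reproducible. Minor: the replaced "Manual Setup Process" paragraph said scripted installation was avoided "due to security considerations"; the new wording drops that reasoning, so either keep the rationale or drop the claim.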

scripts/setup-docker-symlinks.sh Executable file

@@ -0,0 +1,100 @@
#!/bin/bash
# Set up symlinks for Docker configurations to avoid manual copying
set -e # Exit on error
echo "==================================================================="
echo "Docker Configuration Symlink Setup"
echo "==================================================================="
echo ""
REPO_ROOT="/home/hoborg/homelab"
# Function to create symlink with backup
create_symlink() {
local service=$1
local target=$2
local link=$3
echo "-------------------------------------------------------------------"
echo "Setting up: $service"
echo "-------------------------------------------------------------------"
echo "Target: $target"
echo "Link: $link"
echo ""
# Check if target exists
if [ ! -f "$target" ]; then
echo "ERROR: Target file does not exist: $target"
return 1
fi
# Backup existing file if it's not already a symlink
if [ -f "$link" ] && [ ! -L "$link" ]; then
backup="${link}.backup.$(date +%Y%m%d_%H%M%S)"
echo "Backing up existing file to: $backup"
cp "$link" "$backup"
rm "$link"
elif [ -L "$link" ]; then
echo "Removing existing symlink"
rm "$link"
fi
# Create symlink
ln -s "$target" "$link"
if [ -L "$link" ]; then
echo "✓ Symlink created successfully"
else
echo "✗ Failed to create symlink"
return 1
fi
echo ""
}
# Gitea docker-compose.yml
create_symlink "Gitea docker-compose" \
"$REPO_ROOT/config/docker/gitea/docker-compose.yml" \
"/opt/docker/gitea/docker-compose.yml"
# Jellyfin docker-compose.yml
create_symlink "Jellyfin docker-compose" \
"$REPO_ROOT/config/docker/jellyfin/docker-compose.yml" \
"/opt/docker/jellyfin/docker-compose.yml"
# qBittorrent docker-compose.yml
create_symlink "qBittorrent docker-compose" \
"$REPO_ROOT/config/docker/qbittorrent/docker-compose.yml" \
"/opt/docker/qbittorrent/docker-compose.yml"
# Portainer docker-compose.yml
create_symlink "Portainer docker-compose" \
"$REPO_ROOT/config/docker/portainer/docker-compose.yml" \
"/opt/docker/portainer/docker-compose.yml"
# Docker daemon config
create_symlink "Docker daemon config" \
"$REPO_ROOT/config/docker/daemon.json" \
"/etc/docker/daemon.json"
echo "==================================================================="
echo "Summary"
echo "==================================================================="
echo ""
echo "✓ All symlinks created successfully!"
echo ""
echo "Notes:"
echo " - Original files backed up with timestamp"
echo " - Edit files in $REPO_ROOT/config/docker/"
echo " - Changes take effect immediately (no copying needed)"
echo " - For daemon.json: restart docker after changes"
echo " - For docker-compose: restart containers after changes"
echo ""
echo "Verify symlinks:"
echo " ls -l /opt/docker/gitea/docker-compose.yml"
echo " ls -l /opt/docker/jellyfin/docker-compose.yml"
echo " ls -l /opt/docker/qbittorrent/docker-compose.yml"
echo " ls -l /opt/docker/portainer/docker-compose.yml"
echo " ls -l /etc/docker/daemon.json"
echo ""
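Review bot: symlinking `/etc/docker/daemon.json` to `$REPO_ROOT/config/docker/daemon.json` under `/home/hoborg` puts the Docker daemon's configuration in a file the unprivileged `hoborg` account (and the git checkout it tracks) can edit, so control of that account becomes control of dockerd's configuration at its next restart; for daemon.json keep a root-owned copy (the `cp` this replaces) or make the repo path root-owned and read-only for the user. Smaller points: the script writes to `/opt/docker/*` and `/etc/docker` but never checks it is running as root; `ln -s` fails if `/opt/docker/<service>/` does not exist yet (the Portainer compose header expects a `mkdir -p` first), so add `mkdir -p "$(dirname "$link")"` before the link; and the backup `cp "$link" "$backup"` followed by `rm "$link"` can simply be `mv "$link" "$backup"`.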