From dd052246b573efc6d5a529c1a2e53fbc11eca244 Mon Sep 17 00:00:00 2001 From: Damien Arnodo Date: Wed, 31 Dec 2025 19:44:34 +0000 Subject: [PATCH] docs(seedbox): update README for tailscale serve and password handling - Add warning about setting TRANSMISSION_PASS explicitly - Update Quick Start example with password - Add password recovery section - Update network access table for tailscale serve - Add WebUI access section explaining HTTPS via tailnet - Add troubleshooting section --- seedbox/README.md | 72 +++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 66 insertions(+), 6 deletions(-) diff --git a/seedbox/README.md b/seedbox/README.md index 4b4bc41..22fabde 100644 --- a/seedbox/README.md +++ b/seedbox/README.md @@ -5,14 +5,17 @@ Deploys a seedbox with Transmission for maintaining Linux ISO mirrors and OS ima ## Quick Start ```bash -NFS_SERVER=nas curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branch/main/seedbox/install.sh | bash +NFS_SERVER=nas TRANSMISSION_PASS=MySecureP@ss123 \ +curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branch/main/seedbox/install.sh | bash ``` +> **⚠️ Important:** Always set `TRANSMISSION_PASS` explicitly. If omitted, a random password is generated and displayed only once at the end of the installation. It cannot be recovered afterward without resetting the config. + ## Components - **Transmission**: BitTorrent client with WebUI - **NFS**: Dual mount to NAS for downloads and media storage -- **Tailscale**: Private access to WebUI +- **Tailscale**: Private access to WebUI via `tailscale serve` - **Docker**: Container runtime - **UFW**: Firewall (only peer port exposed publicly) - **fail2ban** + **unattended-upgrades**: Basic hardening 
@@ -29,7 +32,7 @@ NFS_SERVER=nas curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branc | `SEEDBOX_HOSTNAME` | `seedbox` | Server hostname | | `PEER_PORT` | `51413` | BitTorrent peer port | | `TRANSMISSION_USER` | `admin` | WebUI username | -| `TRANSMISSION_PASS` | *auto-generated* | WebUI password | +| `TRANSMISSION_PASS` | *auto-generated* | WebUI password (⚠️ set explicitly!) | | `TZ` | `Europe/Paris` | Timezone | Example with custom settings: @@ -39,18 +42,43 @@ NFS_SERVER=nas \ NFS_SHARE_DOWNLOAD=/volume1/torrents \ NFS_SHARE_MEDIA=/volume1/iso \ TRANSMISSION_USER=damien \ +TRANSMISSION_PASS=MySecurePassword \ curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branch/main/seedbox/install.sh | bash ``` +### Password Recovery + +If you forgot to set `TRANSMISSION_PASS` and lost the auto-generated password: + +```bash +# Option 1: Check the docker-compose.yml (password in clear text) +grep PASS ~/transmission/docker-compose.yml + +# Option 2: Reset by editing docker-compose.yml +cd ~/transmission +sed -i 's/PASS=.*/PASS=NewPassword/' docker-compose.yml +docker compose down && docker compose up -d +``` + ## Network Access | Service | Public | Tailscale | |---------|--------|-----------| | BitTorrent peers | ✅ Port 51413 | ✅ | -| Transmission WebUI | ❌ | ✅ Port 9091 | +| Transmission WebUI | ❌ | ✅ HTTPS via `tailscale serve` | | SSH | ❌ | ✅ Tailscale SSH | | NFS (to NAS) | ❌ | ✅ | +### WebUI Access + +The WebUI is exposed via Tailscale Serve with automatic HTTPS: + +``` +https://seedbox..ts.net +``` + +The WebUI binds to `localhost:9091` and is proxied through `tailscale serve`, ensuring it's never accessible from the public internet. + ## Storage Architecture ``` 
@@ -86,8 +114,9 @@ NAS (via Tailscale) Seedbox LXC (70GB) 4. Installs Docker 5. Configures dual NFS mounts to NAS (same as Proxmox) 6. Deploys Transmission container with both mounts -7. Configures UFW (peer port public, WebUI via Tailscale only) -8. Temporarily opens SSH port 22 for 5 minutes (safety net) +7. Exposes WebUI via `tailscale serve` (HTTPS on tailnet) +8. Configures UFW (peer port public, WebUI via Tailscale only) +9. Temporarily opens SSH port 22 for 5 minutes (safety net) ## SSH Safety Net @@ -149,6 +178,37 @@ cd ~/transmission && docker compose logs -f # Restart Transmission cd ~/transmission && docker compose restart +# Check tailscale serve status +tailscale serve status + # Move completed ISO to final location mv /mnt/download/debian-12.iso /mnt/media/iso/debian/ ``` + +## Troubleshooting + +### WebUI not accessible + +```bash +# Check tailscale serve is running +tailscale serve status + +# Restart if needed +sudo tailscale serve --bg http://localhost:9091 + +# Check container is running +docker ps | grep transmission + +# Check container logs +cd ~/transmission && docker compose logs +``` + +### Reset Transmission credentials + +```bash +cd ~/transmission +docker compose down +# Edit docker-compose.yml to change USER and PASS +vim docker-compose.yml +docker compose up -d +```
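Review bot: In the Quick Start command of the `@@ -5,14 +5,17 @@` hunk, the `NFS_SERVER=nas TRANSMISSION_PASS=MySecureP@ss123 \` prefix is attached to `curl`, the first command of the pipeline, so the `bash` process that runs install.sh does not receive either variable unless they are already exported in the calling shell. Move the assignments to the right of the pipe, directly in front of `bash`, and apply the same change to the "Example with custom settings" block in the next hunk. The example also invites copy-paste of a literal password (`MySecureP@ss123`) that then stays in shell history; a visible placeholder, or reading the value into the variable beforehand, would be safer to document.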
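Review bot: In the "Password Recovery" block of the `@@ -29,7 +32,7 @@` hunk, the pattern in `sed -i 's/PASS=.*/PASS=NewPassword/' docker-compose.yml` is unanchored, so it rewrites every line that contains `PASS=`, and a new password containing `/` or `&` will break or alter the substitution. Anchor the pattern to the exact key used in docker-compose.yml, or document a manual edit as the Troubleshooting section does. Option 1 (`grep PASS ~/transmission/docker-compose.yml`) also contradicts the Quick Start warning that the generated password "cannot be recovered afterward without resetting the config"; reconcile the two statements, and since the password sits in that file in clear text, say what permissions the file should have. In "WebUI Access", `https://seedbox..ts.net` has an empty label between the dots, which looks like a lost placeholder for the tailnet name; use a placeholder that survives rendering.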
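Review bot: The "Reset Transmission credentials" block at the end of the `@@ -149,6 +178,37 @@` hunk documents a second procedure for the same task as "Password Recovery" Option 2 (manual `vim` edit after `docker compose down` versus `sed -i` followed by `docker compose down && docker compose up -d`), which leaves two places to keep in sync. Keep one procedure and link to it from the other section. In "WebUI not accessible", `tailscale serve status` is shown without `sudo` while `sudo tailscale serve --bg http://localhost:9091` uses it; state which user the commands are expected to run as so both lines are consistent.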