docs(seedbox): update README for tailscale serve and password handling

- Add warning about setting TRANSMISSION_PASS explicitly
- Update Quick Start example with password
- Add password recovery section
- Update network access table for tailscale serve
- Add WebUI access section explaining HTTPS via tailnet
- Add troubleshooting section
2025-12-31 19:44:34 +00:00
parent 5a47a8aafc
commit dd052246b5

@@ -5,14 +5,17 @@ Deploys a seedbox with Transmission for maintaining Linux ISO mirrors and OS ima
## Quick Start ## Quick Start
```bash ```bash
NFS_SERVER=nas curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branch/main/seedbox/install.sh | bash NFS_SERVER=nas TRANSMISSION_PASS=MySecureP@ss123 \
curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branch/main/seedbox/install.sh | bash
``` ```
> **⚠️ Important:** Always set `TRANSMISSION_PASS` explicitly. If omitted, a random password is generated and displayed only once at the end of the installation. It cannot be recovered afterward without resetting the config.
## Components ## Components
- **Transmission**: BitTorrent client with WebUI - **Transmission**: BitTorrent client with WebUI
- **NFS**: Dual mount to NAS for downloads and media storage - **NFS**: Dual mount to NAS for downloads and media storage
- **Tailscale**: Private access to WebUI - **Tailscale**: Private access to WebUI via `tailscale serve`
- **Docker**: Container runtime - **Docker**: Container runtime
- **UFW**: Firewall (only peer port exposed publicly) - **UFW**: Firewall (only peer port exposed publicly)
- **fail2ban** + **unattended-upgrades**: Basic hardening - **fail2ban** + **unattended-upgrades**: Basic hardening
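Review bot: In the new Quick Start command the `NFS_SERVER=nas TRANSMISSION_PASS=...` assignments prefix `curl`, so they are placed in the environment of `curl` only; the `bash` on the right-hand side of the pipe, which is what runs install.sh, does not see them unless they were already exported in the calling shell. As written, a reader who copies this line would still get the auto-generated password that the warning below it is about. Move the assignments to the `bash` side, for example `curl -fsSL <url> | NFS_SERVER=nas TRANSMISSION_PASS='<your-password>' bash`. The literal `MySecureP@ss123` is also likely to be pasted unchanged and will land in shell history; an obvious placeholder such as `<your-password>` would be safer in the example.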
@@ -29,7 +32,7 @@ NFS_SERVER=nas curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branc
| `SEEDBOX_HOSTNAME` | `seedbox` | Server hostname | | `SEEDBOX_HOSTNAME` | `seedbox` | Server hostname |
| `PEER_PORT` | `51413` | BitTorrent peer port | | `PEER_PORT` | `51413` | BitTorrent peer port |
| `TRANSMISSION_USER` | `admin` | WebUI username | | `TRANSMISSION_USER` | `admin` | WebUI username |
| `TRANSMISSION_PASS` | *auto-generated* | WebUI password | | `TRANSMISSION_PASS` | *auto-generated* | WebUI password (⚠️ set explicitly!) |
| `TZ` | `Europe/Paris` | Timezone | | `TZ` | `Europe/Paris` | Timezone |
Example with custom settings: Example with custom settings:
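Review bot: The `TRANSMISSION_PASS` row now reads "(⚠️ set explicitly!)" while the Default column still says *auto-generated*, and the cell does not say what happens when the variable is left unset. Replace the exclamation with the consequence, for example "WebUI password (if unset, generated and shown once at the end of install)", so the table is useful without reading the Quick Start warning.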
@@ -39,18 +42,43 @@ NFS_SERVER=nas \
NFS_SHARE_DOWNLOAD=/volume1/torrents \ NFS_SHARE_DOWNLOAD=/volume1/torrents \
NFS_SHARE_MEDIA=/volume1/iso \ NFS_SHARE_MEDIA=/volume1/iso \
TRANSMISSION_USER=damien \ TRANSMISSION_USER=damien \
TRANSMISSION_PASS=MySecurePassword \
curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branch/main/seedbox/install.sh | bash curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branch/main/seedbox/install.sh | bash
``` ```
### Password Recovery
If you forgot to set `TRANSMISSION_PASS` and lost the auto-generated password:
```bash
# Option 1: Check the docker-compose.yml (password in clear text)
grep PASS ~/transmission/docker-compose.yml
# Option 2: Reset by editing docker-compose.yml
cd ~/transmission
sed -i 's/PASS=.*/PASS=NewPassword/' docker-compose.yml
docker compose down && docker compose up -d
```
## Network Access ## Network Access
| Service | Public | Tailscale | | Service | Public | Tailscale |
|---------|--------|-----------| |---------|--------|-----------|
| BitTorrent peers | ✅ Port 51413 | ✅ | | BitTorrent peers | ✅ Port 51413 | ✅ |
| Transmission WebUI | ❌ | ✅ Port 9091 | | Transmission WebUI | ❌ | ✅ HTTPS via `tailscale serve` |
| SSH | ❌ | ✅ Tailscale SSH | | SSH | ❌ | ✅ Tailscale SSH |
| NFS (to NAS) | ❌ | ✅ | | NFS (to NAS) | ❌ | ✅ |
### WebUI Access
The WebUI is exposed via Tailscale Serve with automatic HTTPS:
```
https://seedbox.<your-tailnet>.ts.net
```
The WebUI binds to `localhost:9091` and is proxied through `tailscale serve`, ensuring it's never accessible from the public internet.
## Storage Architecture ## Storage Architecture
``` ```
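Review bot: In the Password Recovery block, Option 1 (`grep PASS ~/transmission/docker-compose.yml`) shows that the password is stored in clear text and can be read back, which contradicts the Quick Start warning that it "cannot be recovered afterward without resetting the config"; reconcile the two statements, and since the file holds a credential, document that it should be readable by its owner only. In Option 2, `sed -i 's/PASS=.*/PASS=NewPassword/'` is unanchored, so it rewrites every line containing `PASS=`, and a replacement password containing `/` or `&` will break or alter the substitution; anchor the pattern to the exact variable name and mention the delimiter issue. The custom-settings example at the top of this hunk also places its variable assignments before `curl`, so they do not reach the `bash` that runs the script.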
@@ -86,8 +114,9 @@ NAS (via Tailscale) Seedbox LXC (70GB)
4. Installs Docker 4. Installs Docker
5. Configures dual NFS mounts to NAS (same as Proxmox) 5. Configures dual NFS mounts to NAS (same as Proxmox)
6. Deploys Transmission container with both mounts 6. Deploys Transmission container with both mounts
7. Configures UFW (peer port public, WebUI via Tailscale only) 7. Exposes WebUI via `tailscale serve` (HTTPS on tailnet)
8. Temporarily opens SSH port 22 for 5 minutes (safety net) 8. Configures UFW (peer port public, WebUI via Tailscale only)
9. Temporarily opens SSH port 22 for 5 minutes (safety net)
## SSH Safety Net ## SSH Safety Net
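Review bot: Step 8 still describes UFW as "(peer port public, WebUI via Tailscale only)", but with the new step 7 the WebUI is reached through `tailscale serve` and, per the WebUI Access section, binds to `localhost:9091`, so it is no longer a firewall rule that keeps it private. Reword step 8 to describe what UFW actually does now (peer port allowed, everything else denied) and state in step 7 that the container port is bound to localhost, so the list does not suggest that port 9091 is open on the Tailscale interface.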
@@ -149,6 +178,37 @@ cd ~/transmission && docker compose logs -f
# Restart Transmission # Restart Transmission
cd ~/transmission && docker compose restart cd ~/transmission && docker compose restart
# Check tailscale serve status
tailscale serve status
# Move completed ISO to final location # Move completed ISO to final location
mv /mnt/download/debian-12.iso /mnt/media/iso/debian/ mv /mnt/download/debian-12.iso /mnt/media/iso/debian/
``` ```
## Troubleshooting
### WebUI not accessible
```bash
# Check tailscale serve is running
tailscale serve status
# Restart if needed
sudo tailscale serve --bg http://localhost:9091
# Check container is running
docker ps | grep transmission
# Check container logs
cd ~/transmission && docker compose logs
```
### Reset Transmission credentials
```bash
cd ~/transmission
docker compose down
# Edit docker-compose.yml to change USER and PASS
vim docker-compose.yml
docker compose up -d
```
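Review bot: The new "Reset Transmission credentials" subsection duplicates Option 2 of "Password Recovery" with a different procedure (manual `vim` edit versus `sed -i`), so the README now documents two ways to do the same reset; keep one and link to it from the other. In "WebUI not accessible", `tailscale serve status` is run without `sudo` while the restart line uses `sudo tailscale serve --bg http://localhost:9091`; make the privilege requirement consistent. It would also help to add a check that Transmission is listening on `localhost:9091` before restarting the proxy, since a running container with a wrong port binding produces the same symptom.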