feat(netlab): add MOTD configuration

- Clone repo to temp directory
- Rsync only seedbox/stacks/ to /srv/seedbox/stacks/
- Preserve .env and volume data directories

.gitea/workflows/deploy-seedbox.yml

@@ -9,6 +9,7 @@ on:
     branches: [main]
     paths:
       - 'seedbox/**'
+  workflow_dispatch:
 
 jobs:
   deploy:
@@ -22,14 +23,14 @@ jobs:
         run: apk add --no-cache openssh-client git
 
       - name: Checkout repository
-        uses: actions/checkout@v4
+        run: |
+          git clone --depth 1 --branch main https://gitea.arnodo.fr/Damien/infra-scripts.git .
 
       - name: Setup SSH key
         run: |
           mkdir -p ~/.ssh
           echo "${{ secrets.SEEDBOX_SSH_KEY }}" > ~/.ssh/id_ed25519
           chmod 600 ~/.ssh/id_ed25519
-          # Trust the seedbox host
           ssh-keyscan -H seedbox.taila5ad8.ts.net >> ~/.ssh/known_hosts 2>/dev/null || true
 
       - name: Validate compose files (PR only)
@@ -44,15 +45,26 @@ jobs:
           echo "Validation complete."
 
       - name: Deploy to seedbox
-        if: github.event_name == 'push'
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
         run: |
           ssh -o StrictHostKeyChecking=accept-new debian@seedbox.taila5ad8.ts.net << 'ENDSSH'
             set -e
             cd /srv/seedbox
             
-            echo "=== Pulling latest changes ==="
+            echo "=== Syncing stacks from repository ==="
-            git fetch origin main
+            # Clone to temp directory and sync only seedbox/ content
-            git reset --hard origin/main
+            TEMP_DIR=$(mktemp -d)
+            git clone --depth 1 --branch main https://gitea.arnodo.fr/Damien/infra-scripts.git "$TEMP_DIR"
+            
+            # Sync stacks directory (preserve .env and volumes)
+            rsync -av --delete \
+              --exclude='.env' \
+              --exclude='*/data/' \
+              --exclude='*/state/' \
+              "$TEMP_DIR/seedbox/stacks/" /srv/seedbox/stacks/
+            
+            # Clean up temp directory
+            rm -rf "$TEMP_DIR"
             
             echo "=== Creating .env file ==="
             cat > .env << 'ENVEOF'
@@ -80,7 +92,7 @@ jobs:
           ENDSSH
 
       - name: Deployment summary
-        if: github.event_name == 'push'
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
         run: |
           echo "✅ Deployment complete!"
           echo ""

README.md

@@ -20,10 +20,6 @@ These scripts automate the deployment of personal infrastructure components. The
 
 ## Requirements
 
-- Fresh Debian 11/12 installation
+- Fresh Debian 12/13 installation
 - User with sudo privileges (do not run as root)
 - Internet access
-
-## License
-
-MIT

netlab/install.sh

@@ -107,8 +107,52 @@ EOF
         log_warn "  sudo ufw delete allow 22/tcp"
     }
 
-    # Get Tailscale IP for final message
+    # Configure MOTD
-    TS_IP=$(tailscale ip -4)
+    log_info "Configuring MOTD..."
+    sudo chmod -x /etc/update-motd.d/* 2>/dev/null || true
+    
+    cat << 'MOTD' | sudo tee /etc/update-motd.d/00-netlab > /dev/null
+#!/bin/bash
+TS_FQDN=$(tailscale status --json 2>/dev/null | awk -F'"' '
+    /"Self"/ { in_self=1 }
+    in_self && /"DNSName"/ { gsub(/\.$/, "", $4); print $4; exit }
+')
+[[ -z "$TS_FQDN" ]] && TS_FQDN="$(hostname).ts.net"
+
+# Get configured SSH port from sshd config
+SSH_PORT=$(grep -h "^Port " /etc/ssh/sshd_config.d/*.conf 2>/dev/null | awk '{print $2}' | head -1)
+[[ -z "$SSH_PORT" ]] && SSH_PORT="22"
+
+echo ""
+echo " _   _ _____ _____ _        _    ____"
+echo "| \ | | ____|_   _| |      / \  | __ )"
+echo "|  \| |  _|   | | | |     / _ \ |  _ \\"
+echo "| |\  | |___  | | | |___ / ___ \| |_) |"
+echo "|_| \_|_____| |_| |_____/_/   \_\____/"
+echo ""
+echo "ContainerLab Network Lab Server"
+echo "─────────────────────────────────────────"
+echo "Access:"
+echo "  • SSH (public)    : port ${SSH_PORT}"
+echo "  • SSH (Tailscale) : ${TS_FQDN}"
+echo ""
+echo "Labs:"
+containerlab inspect --all 2>/dev/null | head -20 || echo "  No labs running"
+echo ""
+echo "Useful commands:"
+echo "  containerlab deploy -t <topology>.clab.yml"
+echo "  containerlab inspect --all"
+echo "  containerlab destroy -t <topology>.clab.yml"
+echo "─────────────────────────────────────────"
+echo ""
+MOTD
+    sudo chmod +x /etc/update-motd.d/00-netlab
+
+    # Get Tailscale hostname for display
+    TS_FQDN=$(tailscale status --json 2>/dev/null | awk -F'"' '
+        /"Self"/ { in_self=1 }
+        in_self && /"DNSName"/ { gsub(/\.$/, "", $4); print $4; exit }
+    ' || echo "${HOSTNAME}.ts.net")
 
     echo ""
     log_info "=========================================="
@@ -117,7 +161,7 @@ EOF
     echo ""
     echo "Access:"
     echo "  - Public SSH:    ssh -p ${SSH_PORT} ${USER}@<public-ip>"
-    echo "  - Tailscale SSH: ssh ${USER}@${TS_IP} (or use Tailscale SSH)"
+    echo "  - Tailscale SSH: ssh ${USER}@${TS_FQDN} (or use Tailscale SSH)"
     echo ""
     echo "ContainerLab is ready. Example usage:"
     echo "  containerlab deploy -t mylab.clab.yml"

proxy/install.sh

@@ -118,15 +118,54 @@ EOF
     log_info "Exposing NPM admin panel via Tailscale..."
     sudo tailscale serve --bg http://localhost:81
 
-    # Get Tailscale hostname for final message
+    # Configure MOTD
-    TS_HOSTNAME=$(tailscale status --json | grep -o '"DNSName":"[^"]*' | head -1 | cut -d'"' -f4 | sed 's/\.$//')
+    log_info "Configuring MOTD..."
+    sudo chmod -x /etc/update-motd.d/* 2>/dev/null || true
+    
+    cat << 'MOTD' | sudo tee /etc/update-motd.d/00-proxy > /dev/null
+#!/bin/bash
+TS_FQDN=$(tailscale status --json 2>/dev/null | awk -F'"' '
+    /"Self"/ { in_self=1 }
+    in_self && /"DNSName"/ { gsub(/\.$/, "", $4); print $4; exit }
+')
+[[ -z "$TS_FQDN" ]] && TS_FQDN="$(hostname).ts.net"
+
+echo ""
+echo " ____  ____   _____  ____   __"
+echo "|  _ \|  _ \ / _ \ \/ /\ \ / /"
+echo "| |_) | |_) | | | \  /  \ V /"
+echo "|  __/|  _ <| |_| /  \   | |"
+echo "|_|   |_| \_\\\\___/_/\_\  |_|"
+echo ""
+echo "Nginx Proxy Manager Server"
+echo "─────────────────────────────────────────"
+echo "Access:"
+echo "  • Admin panel : https://${TS_FQDN} (Tailscale)"
+echo "  • HTTP/HTTPS  : Public ports 80/443"
+echo ""
+echo "Services:"
+docker ps --format '  • {{.Names}} : {{.Status}}' 2>/dev/null || echo "  Docker not running"
+echo ""
+echo "Useful commands:"
+echo "  cd ~/npm && docker compose logs -f"
+echo "  sudo tailscale serve status"
+echo "─────────────────────────────────────────"
+echo ""
+MOTD
+    sudo chmod +x /etc/update-motd.d/00-proxy
+
+    # Get Tailscale hostname for display
+    TS_FQDN=$(tailscale status --json 2>/dev/null | awk -F'"' '
+        /"Self"/ { in_self=1 }
+        in_self && /"DNSName"/ { gsub(/\.$/, "", $4); print $4; exit }
+    ' || echo "${HOSTNAME}.ts.net")
 
     echo ""
     log_info "=========================================="
     log_info "Deployment complete!"
     log_info "=========================================="
     echo ""
-    echo "Access NPM admin panel at: https://${TS_HOSTNAME}"
+    echo "Access NPM admin panel at: https://${TS_FQDN}"
     echo "Default login: admin@example.com / changeme"
     echo ""
     echo "Note: Approve exit-node in Tailscale admin console if needed"

seedbox/README.md

@@ -33,7 +33,7 @@ Docker-based seedbox with Tailscale integration. Each service runs in its own co
 │  └─────────────────────────────────────────────────────────┘   │
 │                                                                 │
 │  Storage:                                                      │
-│  ├─ /srv/seedbox/downloads (local SSD)                        │
+│  ├─ /downloads (local RAID - 3.4T)                            │
 │  └─ /mnt/media (NFS from NAS)                                  │
 └─────────────────────────────────────────────────────────────────┘
 ```
@@ -88,15 +88,8 @@ Add this tag to your Tailscale ACL policy (https://login.tailscale.com/admin/acl
 ```json
 {
   "tagOwners": {
-    "tag:container": ["autogroup:admin"]
+    "tag:container": ["autogroup:admins"]
-  },
+  }
-  "acls": [
-    {
-      "action": "accept",
-      "src": ["autogroup:member"],
-      "dst": ["tag:container:*"]
-    }
-  ]
 }
 ```
 
@@ -136,11 +129,10 @@ Or create a PR for validation first.
 │   └── portainer/
 │       ├── docker-compose.yml
 │       └── serve.json
-├── downloads/              # Local downloads (SSD)
+└── .env                        # Secrets (created by pipeline)
-├── .env                    # Secrets (created by pipeline)
+
-└── .gitea/
+/downloads/                     # Local RAID storage (3.4T)
-    └── workflows/
+/mnt/media/                     # NFS mount from NAS
-        └── deploy.yml      # Deployment pipeline
 ```
 
 ## Adding a New Service
@@ -185,6 +177,8 @@ services:
       - TZ=Europe/Paris
     volumes:
       - config:/config
+      - /downloads:/downloads
+      - /mnt/media:/media
     restart: unless-stopped
 
 volumes:
@@ -340,6 +334,9 @@ Ensure your NAS exports the media share via NFS:
 ## Post-install Verification
 
 ```bash
+# Check downloads mount
+df -h /downloads
+
 # Check NFS mount
 df -h /mnt/media
 

seedbox/install.sh

@@ -24,7 +24,6 @@ NFS_SHARE_MEDIA="${NFS_SHARE_MEDIA:-/volume2/Multimédia}"
 NFS_MOUNT_MEDIA="${NFS_MOUNT_MEDIA:-/mnt/media}"
 NFS_OPTS="defaults,_netdev,nofail,x-systemd.automount,x-systemd.mount-timeout=30s"
 SEEDBOX_DIR="/srv/seedbox"
-DOWNLOADS_DIR="${SEEDBOX_DIR}/downloads"
 REPO_URL="${REPO_URL:-https://gitea.arnodo.fr/Damien/infra-scripts.git}"
 
 # Pre-flight checks
@@ -75,14 +74,18 @@ main() {
         ufw \
         at \
         git \
+        rsync \
         > /dev/null
 
+    # Ensure atd service is running (needed for delayed SSH lockdown)
+    sudo systemctl enable --now atd
+
     # Step 4: Install Tailscale
     log_info "Installing Tailscale..."
     curl -fsSL https://tailscale.com/install.sh | sh
 
-    log_info "Connecting to Tailscale (SSH only)..."
+    log_info "Connecting to Tailscale..."
-    sudo tailscale up --ssh
+    sudo tailscale up
     
     # Get Tailscale hostname for display
     TS_FQDN=$(tailscale status --json 2>/dev/null | awk -F'"' '
@@ -118,34 +121,36 @@ EOF
     log_info "Adding current user to docker group..."
     sudo usermod -aG docker "$USER"
 
-    # Step 7: Configure UFW firewall
+    # Step 7: Configure UFW firewall (initial - SSH still open on public)
-    log_info "Configuring UFW firewall..."
+    log_info "Configuring UFW firewall (initial setup)..."
     sudo ufw --force reset > /dev/null
     sudo ufw default deny incoming > /dev/null
     sudo ufw default allow outgoing > /dev/null
+    # SSH temporarily on all interfaces (will be locked down after Tailscale is confirmed)
+    sudo ufw allow 22/tcp > /dev/null
     # BitTorrent peer port (public)
     sudo ufw allow 51413/tcp > /dev/null
     sudo ufw allow 51413/udp > /dev/null
     # Allow all traffic on Tailscale interface
     sudo ufw allow in on tailscale0 > /dev/null
-    # Temporary SSH access (safety net)
-    sudo ufw allow 22/tcp > /dev/null
     sudo ufw --force enable > /dev/null
 
-    # Schedule SSH rule removal in 5 minutes
+    # Step 8: Schedule SSH lockdown via 'at' (2 minutes delay for safety)
-    log_warn "SSH port 22 temporarily open for 5 minutes (safety net)."
+    log_info "Scheduling SSH lockdown to Tailscale-only in 2 minutes..."
-    echo "sudo ufw delete allow 22/tcp && logger 'UFW: SSH port 22 closed'" | sudo at now + 5 minutes 2>/dev/null || {
+    log_warn "IMPORTANT: Reconnect via Tailscale SSH within 2 minutes!"
-        log_warn "Could not schedule automatic SSH cleanup. Run manually:"
+    log_warn "  ssh ${USER}@${TS_FQDN}"
-        log_warn "  sudo ufw delete allow 22/tcp"
+    
+    echo "sudo ufw delete allow 22/tcp" | at now + 2 minutes 2>/dev/null || {
+        log_warn "Failed to schedule SSH lockdown via 'at'. Manual lockdown required."
+        log_warn "Run manually after confirming Tailscale access: sudo ufw delete allow 22/tcp"
     }
 
-    # Step 8: Create directory structure
+    # Step 9: Create directory structure
     log_info "Creating directory structure..."
     sudo mkdir -p "$SEEDBOX_DIR"
-    sudo mkdir -p "$DOWNLOADS_DIR"
     sudo chown -R "$USER:$USER" "$SEEDBOX_DIR"
 
-    # Step 9: Configure NFS mount (if NFS_SERVER provided)
+    # Step 10: Configure NFS mount (if NFS_SERVER provided)
     if [[ -n "$NFS_SERVER" ]]; then
         log_info "Configuring NFS mount..."
         sudo mkdir -p "$NFS_MOUNT_MEDIA"
@@ -160,24 +165,42 @@ EOF
         log_warn "NFS_SERVER not set. NFS mount skipped. Set it later if needed."
     fi
 
-    # Step 10: Clone repository
+    # Step 11: Clone repository (sparse checkout for seedbox/ only)
-    log_info "Cloning infra-scripts repository..."
+    log_info "Cloning seedbox configuration..."
     if [[ -d "${SEEDBOX_DIR}/.git" ]]; then
         cd "$SEEDBOX_DIR"
         git pull origin main || log_warn "Git pull failed"
     else
-        git clone "$REPO_URL" "${SEEDBOX_DIR}/repo-tmp"
+        # Clean any existing content
-        mv "${SEEDBOX_DIR}/repo-tmp/seedbox/"* "$SEEDBOX_DIR/" 2>/dev/null || true
+        rm -rf "${SEEDBOX_DIR:?}"/*
-        mv "${SEEDBOX_DIR}/repo-tmp/seedbox/".* "$SEEDBOX_DIR/" 2>/dev/null || true
+        rm -rf "${SEEDBOX_DIR}"/.[!.]* 2>/dev/null || true
-        rm -rf "${SEEDBOX_DIR}/repo-tmp"
+        
         cd "$SEEDBOX_DIR"
         git init
         git remote add origin "$REPO_URL"
-        git fetch origin
+        
-        git checkout -b main --track origin/main -- seedbox/ 2>/dev/null || true
+        # Configure sparse checkout to only get seedbox/ directory
+        git sparse-checkout init --cone
+        git sparse-checkout set seedbox
+        
+        # Fetch and checkout
+        git fetch origin main
+        git checkout main
+        
+        # Move contents of seedbox/ to root and clean up
+        if [[ -d "${SEEDBOX_DIR}/seedbox" ]]; then
+            # Move all files including hidden ones
+            shopt -s dotglob
+            mv "${SEEDBOX_DIR}/seedbox"/* "${SEEDBOX_DIR}/" 2>/dev/null || true
+            shopt -u dotglob
+            rmdir "${SEEDBOX_DIR}/seedbox" 2>/dev/null || true
+        fi
+        
+        # Disable sparse checkout now that we have the files
+        git sparse-checkout disable 2>/dev/null || true
     fi
 
-    # Step 11: Configure MOTD
+    # Step 12: Configure MOTD
     log_info "Configuring MOTD..."
     sudo chmod -x /etc/update-motd.d/* 2>/dev/null || true
     
@@ -199,14 +222,14 @@ echo ""
 echo "Docker Seedbox Server"
 echo "─────────────────────────────────────────"
 echo "Access:"
-echo "  • SSH        : ${TS_FQDN}"
+echo "  • SSH        : ${TS_FQDN} (Tailscale only)"
 echo "  • Seeding    : Public port 51413"
 echo ""
 echo "Services: (via Tailscale)"
 docker ps --format '  • {{.Names}} : {{.Status}}' 2>/dev/null || echo "  Docker not running"
 echo ""
 echo "Storage:"
-echo "  • Downloads  : /srv/seedbox/downloads"
+echo "  • Downloads  : /downloads (local RAID)"
 echo "  • Media      : /mnt/media (NFS)"
 echo ""
 echo "Useful commands:"
@@ -219,19 +242,27 @@ MOTD
 
     # Final summary
     echo ""
-    log_info "=========================================="
+    log_info "==========================================="
     log_info "Server setup complete!"
-    log_info "=========================================="
+    log_info "==========================================="
+    echo ""
+    log_warn "⚠️  SSH LOCKDOWN SCHEDULED IN 2 MINUTES!"
+    log_warn "    Reconnect NOW via Tailscale:"
+    echo ""
+    echo "    ssh ${USER}@${TS_FQDN}"
     echo ""
     echo "Server accessible at:"
-    echo "  SSH: ${TS_FQDN}"
+    echo "  SSH: ssh user@${TS_FQDN}"
     echo ""
     echo "Directory structure:"
     echo "  ${SEEDBOX_DIR}/"
     echo "  ├── stacks/          # Docker Compose stacks"
-    echo "  ├── downloads/       # Local downloads (SSD)"
     echo "  └── .env             # Secrets (created by Gitea Actions)"
     echo ""
+    echo "Storage:"
+    echo "  • Downloads: /downloads (local RAID - 3.4T)"
+    echo "  • Media:     /mnt/media (NFS)"
+    echo ""
     echo "NFS mount:"
     if [[ -n "$NFS_SERVER" ]]; then
         echo "  ${NFS_SERVER}:${NFS_SHARE_MEDIA} -> ${NFS_MOUNT_MEDIA}"
@@ -240,12 +271,12 @@ MOTD
     fi
     echo ""
     echo "Next steps:"
-    echo "  1. Configure Gitea secrets (see README.md)"
+    echo "  1. Reconnect via Tailscale SSH IMMEDIATELY"
-    echo "  2. Push to main branch to trigger deployment"
+    echo "  2. Configure Gitea secrets (see README.md)"
-    echo "  3. Services will be available at <service>.taila5ad8.ts.net"
+    echo "  3. Push to main branch to trigger deployment"
+    echo "  4. Services will be available at <service>.taila5ad8.ts.net"
     echo ""
-    log_warn "SSH port 22 will be closed in 5 minutes."
+    log_info "SSH access via Tailscale: ssh user@${TS_FQDN}"
-    log_warn "Use Tailscale SSH: ssh ${TS_FQDN}"
     echo ""
 }
 

seedbox/stacks/sonarr/README.md

@@ -18,7 +18,7 @@ TV series management and automation.
 | Path in container | Host path | Description |
 |-------------------|-----------|-------------|
 | `/config` | Docker volume | Sonarr configuration |
-| `/downloads` | `/srv/seedbox/downloads` | Download directory |
+| `/downloads` | `/downloads` | Download directory (local RAID) |
 | `/media` | `/mnt/media` | Media library (NFS) |
 
 ## Configuration

seedbox/stacks/sonarr/docker-compose.yml

@@ -29,7 +29,7 @@ services:
       - TZ=Europe/Paris
     volumes:
       - config:/config
-      - /srv/seedbox/downloads:/downloads
+      - /downloads:/downloads
       - /mnt/media:/media
     restart: unless-stopped
 

seedbox/stacks/sonarr/serve.json

@@ -0,0 +1,16 @@
+{
+  "TCP": {
+    "443": {
+      "HTTPS": true
+    }
+  },
+  "Web": {
+    "sonarr.taila5ad8.ts.net:443": {
+      "Handlers": {
+        "/": {
+          "Proxy": "http://127.0.0.1:8989"
+        }
+      }
+    }
+  }
+}

seedbox/stacks/transmission/README.md

@@ -19,7 +19,7 @@ BitTorrent client with web interface, accessible via Tailscale.
 | Path in container | Host path | Description |
 |-------------------|-----------|-------------|
 | `/config` | Docker volume | Transmission configuration |
-| `/downloads` | `/srv/seedbox/downloads` | Download directory (local SSD) |
+| `/downloads` | `/downloads` | Download directory (local RAID - 3.4T) |
 | `/media` | `/mnt/media` | Media library (NFS) |
 
 ## Configuration

seedbox/stacks/transmission/docker-compose.yml

@@ -36,7 +36,7 @@ services:
       - PEERPORT=51413
     volumes:
       - config:/config
-      - /srv/seedbox/downloads:/downloads
+      - /downloads:/downloads
       - /mnt/media:/media
     restart: unless-stopped