# Seedbox Server

Deploys a seedbox with Transmission for maintaining Linux ISO mirrors.

## Quick Start

```bash
# Variables go on the bash side of the pipe so the install script sees them
curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branch/main/seedbox/install.sh | NFS_SERVER=nas.tailnet.ts.net bash
```

## Components

- **Transmission**: BitTorrent client with WebUI
- **NFS v4.1**: Mount to NAS for ISO storage
- **Tailscale**: Private access to WebUI
- **Docker**: Container runtime
- **UFW**: Firewall (only peer port exposed publicly)
- **fail2ban** + **unattended-upgrades**: Basic hardening

## Environment Variables

| Variable | Default | Description |
|----------|---------|-------------|
| `NFS_SERVER` | *required* | NAS hostname/IP (Tailscale) |
| `NFS_SHARE` | `/volume1/iso` | NFS export path on NAS |
| `NFS_MOUNT` | `/mnt/iso` | Local mount point |
| `SEEDBOX_HOSTNAME` | `seedbox` | Server hostname |
| `PEER_PORT` | `51413` | BitTorrent peer port |
| `TRANSMISSION_USER` | `admin` | WebUI username |
| `TRANSMISSION_PASS` | *auto-generated* | WebUI password |
| `TZ` | `Europe/Paris` | Timezone |

Example with custom settings:

```bash
# Variables go on the bash side of the pipe so the install script sees them
curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branch/main/seedbox/install.sh | \
  NFS_SERVER=nas.tailnet.ts.net \
  NFS_SHARE=/volume1/linux-iso \
  TRANSMISSION_USER=damien \
  TRANSMISSION_PASS=mysecurepass \
  bash
```

## Network Access

| Service | Public | Tailscale |
|---------|--------|-----------|
| BitTorrent peers | ✅ Port 51413 | ✅ |
| Transmission WebUI | ❌ | ✅ Port 9091 |
| SSH | ❌ | ✅ Tailscale SSH |
| NFS (to NAS) | ❌ | ✅ |

## What it does

1. Sets hostname
2. Installs base packages (vim, fail2ban, unattended-upgrades, nfs-common, at)
3. Installs and connects Tailscale
4. Installs Docker
5. Configures NFS mount to NAS (via Tailscale)
6. Deploys Transmission container
7. Configures UFW (peer port public, WebUI via Tailscale only)
8. Temporarily opens SSH port 22 for 5 minutes (safety net)

## SSH Safety Net

During installation, SSH port 22 is temporarily opened for 5 minutes to prevent lockout if you're connected via public IP. After 5 minutes, it is closed automatically and only Tailscale SSH will work.

```bash
# List scheduled jobs
sudo atq

# Cancel the scheduled SSH closure (replace N with job number)
sudo atrm N

# Manually close SSH port 22 if needed
sudo ufw delete allow 22/tcp
```

## Directory Structure

Organize your downloads by distribution:

```
/mnt/iso/
├── debian/
│   ├── debian-12.7.0-amd64-netinst.iso
│   └── debian-11.11.0-amd64-netinst.iso
├── ubuntu/
│   ├── ubuntu-24.04.1-live-server-amd64.iso
│   └── ubuntu-22.04.5-live-server-amd64.iso
├── rhel/
│   ├── rocky-9.4-x86_64-minimal.iso
│   └── almalinux-9.4-x86_64-minimal.iso
└── proxmox/
    └── proxmox-ve_8.2-1.iso
```

## NAS Configuration (Synology)

Ensure your NAS exports the share via NFS v4.1:

1. Control Panel → Shared Folder → Edit → NFS Permissions
2. Add rule:
   - Hostname/IP: Tailscale IP of seedbox (e.g., `100.x.x.x`)
   - Privilege: Read/Write
   - Squash: No mapping
   - Security: sys
   - Enable NFSv4.1: ✅

## Post-install

```bash
# Check NFS mount
df -h /mnt/iso

# View Transmission logs
cd ~/transmission && docker compose logs -f

# Restart Transmission
cd ~/transmission && docker compose restart
```
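
To confirm that the firewall matches the Network Access table and that the SSH safety net has closed, the following added example (not part of `install.sh` or this repository) audits `ufw status` output. It assumes the WebUI rule is scoped to the `tailscale0` interface; the function names and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of install.sh.
# Only PEER_PORT may be reachable from Anywhere (see Network Access table).
PEER_PORT="${PEER_PORT:-51413}"

# Reads `ufw status` text on stdin and prints one "PUBLIC: <rule>" line for
# each ALLOW/LIMIT rule open to Anywhere on a port other than PEER_PORT.
# Assumption: private rules are interface-scoped ("on tailscale0") or
# source-restricted, so those are skipped.
audit_ufw() {
  awk -v peer="$PEER_PORT" '
    $0 !~ /ALLOW|LIMIT/ { next }          # headers, blank lines, DENY rules
    {
      split($0, side, /ALLOW|LIMIT/)      # side[1] = To, side[2] = From
      if (side[1] ~ / on /) next          # bound to an interface
      if (side[2] !~ /Anywhere/) next     # restricted to a source address
      split(side[1], f, " ")
      port = f[1]; sub(/\/.*/, "", port)  # "22/tcp" -> "22"
      if (port != peer) print "PUBLIC: " f[1]
    }'
}

# Constructed sample: firewall state during the 5-minute safety-net window.
sample_window() {
  cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
51413/tcp                  ALLOW       Anywhere
51413/udp                  ALLOW       Anywhere
9091/tcp on tailscale0     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
EOF
}

# Constructed sample: state after the scheduled job has removed 22/tcp.
sample_closed() { sample_window | grep -v '^22/tcp'; }

echo "During safety-net window:"; sample_window | audit_ufw
echo "After scheduled closure:";  sample_closed | audit_ufw
# On the seedbox itself: sudo ufw status | audit_ufw
```

An empty result means nothing beyond the peer port is publicly reachable; a `PUBLIC: 22/tcp` line more than 5 minutes after installation means the scheduled closure did not run.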