Fix Traefik routing for qbittorrent and vaultwarden

- Add tls=true label to vaultwarden for HTTPS routing
- Add Traefik routing labels to Gluetun for qbittorrent access
- Move qbittorrent service to media-management stack (proper location)
- Update copilot-instructions.md with project-specific architecture details
- Clean up outdated gluetun.yml references in media.yml template

Both services now accessible via HTTPS with proper SSL certificates.

docker-compose/core.yml

@@ -132,6 +132,12 @@ services:
     labels:
       - "homelab.category=infrastructure"
       - "homelab.description=VPN client for secure downloads"
+      - "traefik.enable=true"
+      - "traefik.http.routers.qbittorrent.rule=Host(`qbit.${DOMAIN}`)"
+      - "traefik.http.routers.qbittorrent.entrypoints=websecure"
+      - "traefik.http.routers.qbittorrent.tls=true"
+      - "traefik.http.routers.qbittorrent.middlewares=authelia@docker"
+      - "traefik.http.services.qbittorrent.loadbalancer.server.port=8080"
 
 volumes:
   authelia-data:

docker-compose/media-management.yml

@@ -15,6 +15,23 @@
 # - Unmanic: https://unmanic.${DOMAIN}
 
 services:
+  # qBittorrent - Torrent client
+  # Access at: https://qbit.${DOMAIN}
+  # Routes through Gluetun VPN in core stack
+  qbittorrent:
+    image: lscr.io/linuxserver/qbittorrent:latest
+    container_name: qbittorrent
+    restart: unless-stopped
+    network_mode: "container:gluetun"  # Routes through VPN (gluetun container in core stack)
+    volumes:
+      - ./qbittorrent/config:/config
+      - /mnt/downloads:/downloads
+    environment:
+      - PUID=${PUID:-1000}
+      - PGID=${PGID:-1000}
+      - TZ=${TZ:-America/New_York}
+      - WEBUI_PORT=8080
+
   # Sonarr - TV show automation
   # Access at: https://sonarr.yourdomain.duckdns.org
   sonarr:

docker-compose/media.yml

@@ -1,7 +1,7 @@
 # Media Services
-# Services for media management and streaming
+# Default Services for media management and streaming
 # Place in /opt/stacks/media/docker-compose.yml
-# NOTE: qBittorrent is configured to use Gluetun VPN (see gluetun.yml)
+
 
 # Service Access URLs:
 # - Jellyfin: https://jellyfin.${DOMAIN} (no SSO - app access)
@@ -70,12 +70,6 @@ services:
       - "traefik.http.routers.calibre.middlewares=authelia@docker"
       - "traefik.http.services.calibre.loadbalancer.server.port=8083"
 
-  # qBittorrent - Torrent client
-  # Access at: https://qbit.yourdomain.duckdns.org
-  # Routes through Gluetun VPN - configure in gluetun.yml
-  # NOTE: This is a placeholder. Configure qBittorrent in gluetun.yml with network_mode: "service:gluetun"
-  # See gluetun.yml for the actual qBittorrent configuration
-
 networks:
   media-network:
     driver: bridge

docker-compose/utilities.yml

@@ -133,6 +133,7 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.vaultwarden.rule=Host(`bitwarden.${DOMAIN}`)"
       - "traefik.http.routers.vaultwarden.entrypoints=websecure"
+      - "traefik.http.routers.vaultwarden.tls=true"
       - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
       # SSO disabled for browser extension and mobile app compatibility
       # - "traefik.http.routers.vaultwarden.middlewares=authelia@docker"