Fix Traefik routing for qbittorrent and vaultwarden

- Add tls=true label to vaultwarden for HTTPS routing
- Add Traefik routing labels to Gluetun for qbittorrent access
- Move qbittorrent service to media-management stack (proper location)
- Update copilot-instructions.md with project-specific architecture details
- Clean up outdated gluetun.yml references in media.yml template

Both services now accessible via HTTPS with proper SSL certificates.

docker-compose/media-management.yml

@@ -15,6 +15,23 @@
 # - Unmanic: https://unmanic.${DOMAIN}
 
 services:
+  # qBittorrent - Torrent client
+  # Access at: https://qbit.${DOMAIN}
+  # Routes through Gluetun VPN in core stack
+  qbittorrent:
+    image: lscr.io/linuxserver/qbittorrent:latest
+    container_name: qbittorrent
+    restart: unless-stopped
+    network_mode: "container:gluetun"  # Routes through VPN (gluetun container in core stack)
+    volumes:
+      - ./qbittorrent/config:/config
+      - /mnt/downloads:/downloads
+    environment:
+      - PUID=${PUID:-1000}
+      - PGID=${PGID:-1000}
+      - TZ=${TZ:-America/New_York}
+      - WEBUI_PORT=8080
+
   # Sonarr - TV show automation
   # Access at: https://sonarr.yourdomain.duckdns.org
   sonarr: