Merge remote updates, accepting remote versions for conflicted files

docs/service-docs/qbittorrent.md

@@ -19,9 +19,9 @@
 **Docker Image:** [linuxserver/qbittorrent](https://hub.docker.com/r/linuxserver/qbittorrent)  
 **Default Stack:** `media.yml`  
 **Network Mode:** Via Gluetun (VPN container)  
-**Web UI:** `http://SERVER_IP:8080` (via Gluetun)  
+**Web UI:** `http://SERVER_IP:8081` (via Gluetun)  
 **Authentication:** Username/password (default: admin/adminadmin)  
-**Ports:** 8080 (WebUI via Gluetun), 6881 (incoming connections via Gluetun)
+**Ports:** 8081 (WebUI via Gluetun), 6881 (incoming connections via Gluetun)
 
 ## What is qBittorrent?
 
@@ -158,7 +158,7 @@ gluetun:
   devices:
     - /dev/net/tun
   ports:
-    - "8080:8080"   # qBittorrent WebUI
+    - "8081:8080"   # qBittorrent WebUI (host:container)
     - "6881:6881"   # qBittorrent incoming
     - "6881:6881/udp"
   environment:
@@ -181,7 +181,7 @@ qbittorrent:
     - PUID=1000
     - PGID=1000
     - TZ=America/New_York
-    - WEBUI_PORT=8080
+    - WEBUI_PORT=8081
   volumes:
     - /opt/stacks/media/qbittorrent/config:/config
     - /mnt/downloads:/downloads
@@ -191,7 +191,7 @@ qbittorrent:
 - `network_mode: "service:gluetun"` routes all traffic through VPN
 - Ports exposed on Gluetun, not qBittorrent
 - No internet access if VPN down (kill switch)
-- Access via `http://SERVER_IP:8080` (Gluetun's port)
+- Access via `http://SERVER_IP:8081` (Gluetun's port)
 
 ### Standalone Configuration (without VPN - NOT RECOMMENDED)
 
@@ -201,7 +201,7 @@ qbittorrent:
   container_name: qbittorrent
   restart: unless-stopped
   ports:
-    - "8080:8080"
+    - "8081:8080"
     - "6881:6881"
     - "6881:6881/udp"
   environment:
@@ -238,7 +238,7 @@ qbittorrent:
    ```
 
 4. **Access Web UI:**
-   - Navigate to: `http://SERVER_IP:8080`
+   - Navigate to: `http://SERVER_IP:8081`
    - Username: `admin`
    - Password: From logs above
 
@@ -542,7 +542,7 @@ docker logs qbittorrent | tail -20
 docker logs gluetun | grep -i "connected"
 
 # Test access
-curl http://localhost:8080
+curl http://localhost:8081
 ```
 
 ### Slow Download Speeds

docs/services-overview.md

@@ -6,48 +6,45 @@ This document provides a comprehensive overview of all 60+ pre-configured servic
 
 | Stacks (10) | Services (70 + 6db) | SSO | Storage | Access URLs |
 |-------|----------|-----|---------|-------------|
-| **📦 [core.yaml](../docker-compose/core.yml) (4)** | **Deploy First** | | | |
-| ├─ [DuckDNS](service-docs/duckdns.md) | Dynamic DNS updater | - | /opt/stacks/core/duckdns | No UI |
-| ├─ [Traefik](service-docs/traefik.md) | Reverse proxy + SSL | ✓ | /opt/stacks/core/traefik | traefik.${DOMAIN} |
-| ├─ [Authelia](service-docs/authelia.md) | SSO authentication | - | /opt/stacks/core/authelia | auth.${DOMAIN} |
-| └─ [Gluetun](service-docs/gluetun.md) | VPN (Surfshark) | - | /opt/stacks/core/gluetun | No UI |
-| **🔧 [infrastructure.yaml](../docker-compose/infrastructure.yml) (8+5)** | **Deployed: 8** | | | |
-| ├─ [Dockge](service-docs/dockge.md) | Stack manager (PRIMARY) | ✓ | /opt/stacks/infrastructure | dockge.${DOMAIN} |
-| ├─ [Pi-hole](service-docs/pihole.md) | DNS + Ad blocking | ✓ | /opt/stacks/infrastructure | pihole.${DOMAIN} |
-| ├─ [Dozzle](service-docs/dozzle.md) | Docker log viewer | ✓ | /opt/stacks/infrastructure | dozzle.${DOMAIN} |
-| ├─ [Glances](service-docs/glances.md) | System monitoring | ✓ | /opt/stacks/infrastructure | glances.${DOMAIN} |
+| **📦 core.yaml (4)** | **Deploy First** | | | |
+| ├─ DuckDNS | Dynamic DNS updater | - | /opt/stacks/core/duckdns | No UI |
+| ├─ Traefik | Reverse proxy + SSL | ✓ | /opt/stacks/core/traefik | traefik.${DOMAIN} |
+| ├─ Authelia | SSO authentication | - | /opt/stacks/core/authelia | auth.${DOMAIN} |
+| └─ Gluetun | VPN (Surfshark) | - | /opt/stacks/core/gluetun | No UI |
+| **🔧 infrastructure.yaml** (12) | | | | |
+| ├─ Dockge | Stack manager (PRIMARY) | ✓ | /opt/stacks/infrastructure | dockge.${DOMAIN} |
+| ├─ Portainer | Container management | ✓ | /opt/stacks/infrastructure | portainer.${DOMAIN} |
+| ├─ Authentik Server | SSO with web UI | ✓ | /opt/stacks/authentik | authentik.${DOMAIN} |
+| │  ├─ authentik-worker | Background tasks | - | /opt/stacks/authentik | No UI |
+| │  ├─ authentik-db | PostgreSQL | - | /opt/stacks/authentik | No UI |
+| │  └─ authentik-redis | Cache/messaging | - | /opt/stacks/authentik | No UI |
+| ├─ Pi-hole | DNS + Ad blocking | ✓ | /opt/stacks/infrastructure | pihole.${DOMAIN} |
 | ├─ Watchtower | Auto container updates | - | /opt/stacks/infrastructure | No UI |
-| ├─ Code Server | VS Code in browser | ✓ | /opt/stacks/infrastructure | code.${DOMAIN} |
-| └─ [Docker Proxy](service-docs/docker-proxy.md) | Secure socket access | - | /opt/stacks/infrastructure | No UI |
-| **📦 [alternatives.yaml](../docker-compose/alternatives.yml) (6)** | **Not deployed** | | | |
-| ├─ Plex | Media server (Alt) | ✗ | /mnt/media, /mnt/transcode | plex.${DOMAIN} |
-| ├─ Portainer | Container management | ✓ | /opt/stacks/alternatives | portainer.${DOMAIN} |
-| ├─ Authentik Server | SSO with web UI | ✓ | /opt/stacks/alternatives | authentik.${DOMAIN} |
-| │  ├─ authentik-worker | Background tasks | - | /opt/stacks/alternatives | No UI |
-| │  ├─ authentik-db | PostgreSQL | - | /opt/stacks/alternatives | No UI |
-| │  └─ authentik-redis | Cache/messaging | - | /opt/stacks/alternatives | No UI |
-| **📊 [dashboards.yaml](../docker-compose/dashboards.yml)** (2) | | | | |
+| ├─ Dozzle | Docker log viewer | ✓ | /opt/stacks/infrastructure | dozzle.${DOMAIN} |
+| ├─ Glances | System monitoring | ✓ | /opt/stacks/infrastructure | glances.${DOMAIN} |
+| └─ Docker Proxy | Secure socket access | - | /opt/stacks/infrastructure | No UI |
+| **📊 dashboards.yaml** (2) | | | | |
 | ├─ Homepage | App dashboard (AI cfg) | ✓ | /opt/stacks/dashboards | home.${DOMAIN} |
 | └─ Homarr | Modern dashboard | ✓ | /opt/stacks/dashboards | homarr.${DOMAIN} |
-| **🎬 [media.yml](../docker-compose/media.yml)** (3) | | | | |
+| **🎬 media** (6) | | | | |
+| ├─ Plex | Media server | ✗ | /mnt/media, /mnt/transcode | plex.${DOMAIN} |
 | ├─ Jellyfin | Media server (OSS) | ✗ | /mnt/media, /mnt/transcode | jellyfin.${DOMAIN} |
-| ├─ Calibre-Web | Ebook reader | ✓ | /opt/stacks/media, /mnt/media | calibre.${DOMAIN} |
+| ├─ Sonarr | TV automation | ✓ | /opt/stacks/media, /mnt/media | sonarr.${DOMAIN} |
+| ├─ Radarr | Movie automation | ✓ | /opt/stacks/media, /mnt/media | radarr.${DOMAIN} |
+| ├─ Prowlarr | Indexer manager | ✓ | /opt/stacks/media | prowlarr.${DOMAIN} |
 | └─ qBittorrent | Torrent (via VPN) | ✓ | /mnt/downloads | qbit.${DOMAIN} |
-| **📚 [media-management.yml](../docker-compose/media-management.yml)** (10) | | | | |
-| ├─ Sonarr | TV automation | ✓ | /opt/stacks/media-mgmt, /mnt/media | sonarr.${DOMAIN} |
-| ├─ Radarr | Movie automation | ✓ | /opt/stacks/media-mgmt, /mnt/media | radarr.${DOMAIN} |
-| ├─ Prowlarr | Indexer manager | ✓ | /opt/stacks/media-mgmt | prowlarr.${DOMAIN} |
-| ├─ Readarr | Ebooks/Audiobooks | ✓ | /opt/stacks/media-mgmt, /mnt/media | readarr.${DOMAIN} |
-| ├─ Lidarr | Music manager | ✓ | /opt/stacks/media-mgmt, /mnt/media | lidarr.${DOMAIN} |
-| ├─ Lazy Librarian | Book automation | ✓ | /opt/stacks/media-mgmt, /mnt/media | lazylibrarian.${DOMAIN} |
-| ├─ Mylar3 | Comic manager | ✓ | /opt/stacks/media-mgmt, /mnt/media | mylar.${DOMAIN} |
-| ├─ Jellyseerr | Media requests | ✓ | /opt/stacks/media-mgmt | jellyseerr.${DOMAIN} |
-| ├─ FlareSolverr | Cloudflare bypass | - | /opt/stacks/media-mgmt | No UI |
-| ├─ Tdarr Server | Transcoding server | ✓ | /opt/stacks/media-mgmt, /mnt/transcode | tdarr.${DOMAIN} |
+| **📚 media-extended.yaml** (10) | | | | |
+| ├─ Readarr | Ebooks/Audiobooks | ✓ | /opt/stacks/media-ext, /mnt/media | readarr.${DOMAIN} |
+| ├─ Lidarr | Music manager | ✓ | /opt/stacks/media-ext, /mnt/media | lidarr.${DOMAIN} |
+| ├─ Lazy Librarian | Book automation | ✓ | /opt/stacks/media-ext, /mnt/media | lazylibrarian.${DOMAIN} |
+| ├─ Mylar3 | Comic manager | ✓ | /opt/stacks/media-ext, /mnt/media | mylar.${DOMAIN} |
+| ├─ Calibre-Web | Ebook reader | ✓ | /opt/stacks/media-ext, /mnt/media | calibre.${DOMAIN} |
+| ├─ Jellyseerr | Media requests | ✓ | /opt/stacks/media-ext | jellyseerr.${DOMAIN} |
+| ├─ FlareSolverr | Cloudflare bypass | - | /opt/stacks/media-ext | No UI |
+| ├─ Tdarr Server | Transcoding server | ✓ | /opt/stacks/media-ext, /mnt/transcode | tdarr.${DOMAIN} |
 | ├─ Tdarr Node | Transcoding worker | - | /mnt/transcode-cache | No UI |
-| ├─ Unmanic | Library optimizer | ✓ | /opt/stacks/media-mgmt, /mnt/transcode | unmanic.${DOMAIN} |
-| └─ Bazarr | Subtitle automation | ✓ | /opt/stacks/media-mgmt, /mnt/media | bazarr.${DOMAIN} |
-| **🏠 [homeassistant.yaml](../docker-compose/homeassistant.yml)** (7) | | | | |
+| └─ Unmanic | Library optimizer | ✓ | /opt/stacks/media-ext, /mnt/transcode | unmanic.${DOMAIN} |
+| **🏠 homeassistant.yaml** (7) | | | | |
 | ├─ Home Assistant | HA platform | ✗ | /opt/stacks/homeassistant | ha.${DOMAIN} |
 | ├─ ESPHome | ESP firmware mgr | ✓ | /opt/stacks/homeassistant | esphome.${DOMAIN} |
 | ├─ TasmoAdmin | Tasmota device mgr | ✓ | /opt/stacks/homeassistant | tasmoadmin.${DOMAIN} |
@@ -55,7 +52,7 @@ This document provides a comprehensive overview of all 60+ pre-configured servic
 | ├─ Mosquitto | MQTT broker | - | /opt/stacks/homeassistant | Ports 1883, 9001 |
 | ├─ Zigbee2MQTT | Zigbee bridge | ✓ | /opt/stacks/homeassistant | zigbee2mqtt.${DOMAIN} |
 | └─ MotionEye | Video surveillance | ✓ | /opt/stacks/homeassistant, /mnt/surveillance | motioneye.${DOMAIN} |
-| **💼 [productivity.yaml](../docker-compose/productivity.yml)** (8 + 6 DBs) | | | | |
+| **💼 productivity.yaml** (8 + 6 DBs) | | | | |
 | ├─ Nextcloud | File sync platform | ✓ | /opt/stacks/productivity, /mnt/nextcloud | nextcloud.${DOMAIN} |
 | │  └─ nextcloud-db | MariaDB | - | /opt/stacks/productivity | No UI |
 | ├─ Mealie | Recipe manager | ✗ | /opt/stacks/productivity | mealie.${DOMAIN} |
@@ -70,14 +67,15 @@ This document provides a comprehensive overview of all 60+ pre-configured servic
 | │  └─ mediawiki-db | MariaDB | - | /opt/stacks/productivity | No UI |
 | └─ Form.io | Form builder | ✓ | /opt/stacks/productivity | forms.${DOMAIN} |
 |    └─ formio-mongo | MongoDB | - | /opt/stacks/productivity | No UI |
-| **🛠️ [utilities.yaml](../docker-compose/utilities.yml)** (6) | | | | |
+| **🛠️ utilities.yaml** (7) | | | | |
 | ├─ Vaultwarden | Password manager | ✗ | /opt/stacks/utilities | bitwarden.${DOMAIN} |
 | ├─ Backrest | Backup (restic) | ✓ | /opt/stacks/utilities, /mnt/backups | backrest.${DOMAIN} |
 | ├─ Duplicati | Encrypted backups | ✓ | /opt/stacks/utilities, /mnt/backups | duplicati.${DOMAIN} |
+| ├─ Code Server | VS Code in browser | ✓ | /opt/stacks/utilities | code.${DOMAIN} |
 | ├─ Form.io | Form platform | ✓ | /opt/stacks/utilities | forms.${DOMAIN} |
 | │  └─ formio-mongo | MongoDB | - | /opt/stacks/utilities | No UI |
 | └─ Authelia-Redis | Session storage | - | /opt/stacks/utilities | No UI |
-| **📈 [monitoring.yaml](../docker-compose/monitoring.yml)** (8) | | | | |
+| **📈 monitoring.yaml** (8) | | | | |
 | ├─ Prometheus | Metrics collection | ✓ | /opt/stacks/monitoring | prometheus.${DOMAIN} |
 | ├─ Grafana | Visualization | ✓ | /opt/stacks/monitoring | grafana.${DOMAIN} |
 | ├─ Loki | Log aggregation | - | /opt/stacks/monitoring | Via Grafana |
@@ -85,7 +83,7 @@ This document provides a comprehensive overview of all 60+ pre-configured servic
 | ├─ Node Exporter | Host metrics | - | /opt/stacks/monitoring | No UI |
 | ├─ cAdvisor | Container metrics | - | /opt/stacks/monitoring | Internal :8080 |
 | └─ Uptime Kuma | Uptime monitoring | ✓ | /opt/stacks/monitoring | status.${DOMAIN} |
-| **👨‍💻 [development.yaml](../docker-compose/development.yml)** (6) | | | | |
+| **👨‍💻 development.yaml** (6) | | | | |
 | ├─ GitLab CE | Git + CI/CD | ✓ | /opt/stacks/development, /mnt/git | gitlab.${DOMAIN} |
 | ├─ PostgreSQL | SQL database | - | /opt/stacks/development | Port 5432 |
 | ├─ Redis | In-memory store | - | /opt/stacks/development | Port 6379 |
@@ -95,6 +93,42 @@ This document provides a comprehensive overview of all 60+ pre-configured servic
 
 **Legend:** ✓ = Protected by SSO | ✗ = Bypasses SSO | - = No web UI
 
+## Quick Deployment Order
+
+1. **Create Networks** (one-time setup)
+   ```bash
+   docker network create traefik-network
+   docker network create homelab-network
+   docker network create dockerproxy-network
+   ```
+
+2. **Deploy Core Stack** (required first)
+   ```bash
+   cd /opt/stacks/core/
+   docker compose up -d
+   ```
+
+3. **Deploy Infrastructure**
+   ```bash
+   cd /opt/stacks/infrastructure/
+   docker compose up -d
+   ```
+
+4. **Deploy Dashboards**
+   ```bash
+   cd /opt/stacks/dashboards/
+   docker compose up -d
+   ```
+
+5. **Deploy Additional Stacks** (as needed)
+   - Media: `/opt/stacks/media/`
+   - Extended Media: `/opt/stacks/media-extended/`
+   - Home Automation: `/opt/stacks/homeassistant/`
+   - Productivity: `/opt/stacks/productivity/`
+   - Utilities: `/opt/stacks/utilities/`
+   - Monitoring: `/opt/stacks/monitoring/`
+   - Development: `/opt/stacks/development/`
+
 ## Toggling SSO (Authelia) On/Off
 
 You can easily enable or disable SSO protection for any service by modifying its Traefik labels in the docker-compose.yml file.
@@ -156,6 +190,137 @@ docker compose -f /opt/stacks/stack-name/docker-compose.yml down
 - **Gradual Exposure**: Comment out SSO only when ready to expose a service
 - **Quick Toggle**: AI assistant can modify these labels automatically when you ask
 
+## Authelia Customization
+
+### Available Customization Options
+
+**1. Branding and Appearance**
+Edit `/opt/stacks/core/authelia/configuration.yml`:
+
+```yaml
+# Custom logo and branding
+theme: dark  # Options: light, dark, grey, auto
+
+# No built-in web UI for configuration
+# All settings managed via YAML files
+```
+
+**2. User Management**
+Users are managed in `/opt/stacks/core/authelia/users_database.yml`:
+
+```yaml
+users:
+  username:
+    displayname: "Display Name"
+    password: "$argon2id$v=19$m=65536..." # Generated with authelia hash-password
+    email: user@example.com
+    groups:
+      - admins
+      - users
+```
+
+Generate password hash:
+```bash
+docker run --rm authelia/authelia:4.37 authelia hash-password 'yourpassword'
+```
+
+**3. Access Control Rules**
+Customize who can access what in `configuration.yml`:
+
+```yaml
+access_control:
+  default_policy: deny
+  
+  rules:
+    # Public services (no auth)
+    - domain:
+        - "jellyfin.yourdomain.com"
+        - "plex.yourdomain.com"
+      policy: bypass
+    
+    # Admin only services
+    - domain:
+        - "dockge.yourdomain.com"
+        - "portainer.yourdomain.com"
+      policy: two_factor
+      subject:
+        - "group:admins"
+    
+    # All authenticated users
+    - domain: "*.yourdomain.com"
+      policy: one_factor
+```
+
+**4. Two-Factor Authentication (2FA)**
+- TOTP (Time-based One-Time Password) via apps like Google Authenticator, Authy
+- Configure in `configuration.yml` under `totp:` section
+- Per-user enrollment via Authelia UI at `https://auth.${DOMAIN}`
+
+**5. Session Management**
+Edit `configuration.yml`:
+
+```yaml
+session:
+  name: authelia_session
+  expiration: 1h  # How long before re-login required
+  inactivity: 5m  # Timeout after inactivity
+  remember_me_duration: 1M  # "Remember me" checkbox duration
+```
+
+**6. Notification Settings**
+Email notifications for password resets, 2FA enrollment:
+
+```yaml
+notifier:
+  smtp:
+    host: smtp.gmail.com
+    port: 587
+    username: your-email@gmail.com
+    password: app-password
+    sender: authelia@yourdomain.com
+```
+
+### No Web UI for Configuration
+
+⚠️ **Important**: Authelia does **not** have a configuration web UI. All configuration is done via YAML files:
+- `/opt/stacks/core/authelia/configuration.yml` - Main settings
+- `/opt/stacks/core/authelia/users_database.yml` - User accounts
+
+This is **by design** and makes Authelia perfect for AI management and security-first approach:
+- AI can read and modify YAML files
+- Version control friendly
+- No UI clicks required
+- Infrastructure as code
+- Secure by default
+
+**Web UI Available For:**
+- Login page: `https://auth.${DOMAIN}`
+- User profile: Change password, enroll 2FA
+- Device enrollment: Manage trusted devices
+
+**Alternative with Web UI: Authentik**
+If you need a web UI for user management, Authentik is included in the infrastructure stack:
+- **Authentik**: Full-featured SSO with web UI for user/group management
+- Access at: `https://authentik.${DOMAIN}`
+- Includes PostgreSQL database and Redis cache
+- More complex but offers GUI-based configuration
+- Deploy only if you need web-based user management
+
+**Other Alternatives:**
+- **Keycloak**: Enterprise-grade SSO with web UI
+- **Authelia + LDAP**: Use LDAP with web management (phpLDAPadmin, etc.)
+
+### Quick Configuration with AI
+
+Since all Authelia configuration is file-based, you can use the AI assistant to:
+- Add/remove users
+- Modify access rules
+- Change session settings
+- Update branding
+- Enable/disable features
+
+Just ask: "Add a new user to Authelia" or "Change session timeout to 2 hours"
+
 ## Storage Recommendations
 
 | Data Type | Recommended Location | Reason |