Update documentation files with recent tweaks

2026-02-08 18:42:16 -05:00
parent 0de82e55b6
commit 30143d5f75
5 changed files with 94 additions and 1659 deletions
--- a/docs/automated-setup.md
+++ b/docs/automated-setup.md
@@ -7,50 +7,30 @@ For most users, the automated setup script handles everything from system prepar
 - **Root/sudo access**
 - **Internet connection**
 - **Ports 80 and 443 forwarded** from your router to your **core server only** (required for SSL certificates)
 - **VS Code with GitHub Copilot** (for AI assistance)
-**Note**: For multi-server setups, only the core server needs ports forwarded. Remote servers connect via Docker TLS (port 2376).
+**Note**: For multi-server setups, only the core server needs ports forwarded. 
-## Simple Setup
+# Deploy Core Server
-1. **Connect to your server** via SSH
+## Connect to your server via SSH  
-   >Tip: Use VS Code on your local machine to ssh
+   >Tip: Use VS Code on your local machine to ssh in to your server for the easiest install!  
   in to your server for the easiest install!
-2. **Install git if needed**
+## Install commands
   ```bash
-   sudo apt update && sudo apt upgrade -y && sudo apt install git
+   sudo apt update && sudo apt upgrade -y && sudo apt install git -y && git clone https://github.com/kelinfoxy/EZ-Homelab.git
-   ```
+   && cd EZ-Homelab
 3. **Clone the repository**:
   ```bash
   git clone https://github.com/kelinfoxy/EZ-Homelab.git
   cd EZ-Homelab
   ```
 4. **Configure environment**:
   ```bash
   cp .env.example .env
   nano .env  # Edit with your domain and tokens
   ```
   **Required variables in .env:**
   - `DOMAIN` - Your DuckDNS domain (e.g., yourdomain.duckdns.org)
   - `DUCKDNS_TOKEN` - Your DuckDNS token from [duckdns.org](https://www.duckdns.org/)
   - `ACME_EMAIL` - Your email for Let's Encrypt certificates
   - `SURFSHARK_USERNAME` and `SURFSHARK_PASSWORD` - If using VPN
   **Note:** The `.env` file stays in the repository folder (`~/EZ-Homelab/.env`). The deploy script copies it to stack directories automatically. Authelia secrets (JWT, session, encryption key) are auto-generated by the setup script - leave them with default values for now.
 5. **Run the unified setup script:**
   ```bash
   ./scripts/ez-homelab.sh
   ```
-   The script will guide you through:
+## Run the ez-homelab.sh script with sudo:  
-   - System preparation (if needed)
+   `sudo ./scripts/ez-homelab.sh`
-   - Domain and credential configuration
+
-   - Service stack selection
+### Select option 1 Install Prerequesites 
-   - Authelia secrets generation
+   * This will install docker and prepare the local environment.
-   - SSL certificate setup
+
-   - Service deployment
+### Logout and back in to apply docker group changes
 ### Run the script without sudo and select Option 2: Deploy Core Server  
   * It will prompt for required env variables and create/update ~/EZ-Homelab/.env   
   **Note:** Certificate generation may take 2-5 minutes. All services will use the wildcard certificate automatically.  
@@ -61,55 +41,27 @@ For most users, the automated setup script handles everything from system prepar
 **That's it!** Your homelab is ready.  
 **Access Dockge at `https://dockge.yourdomain.duckdns.org`**  
-## Multi-Server Setup
+----
-To deploy services across multiple servers (e.g., Raspberry Pi, mini PCs):
+# Deploy Additional Server
-### Core Server Setup (First)
+>**You must have one and only one core server**
 1. Follow the main setup above (steps 1-5)
 2. This server gets ports 80/443 forwarded from your router
 3. This server generates the shared CA for Docker TLS communication
-### Remote Server Setup (After Core)
+## Follow the steps above but select Option 3: Deploy Additional Server
 1. **Clone repository on remote server**:
   ```bash
   git clone https://github.com/kelinfoxy/EZ-Homelab.git
   cd EZ-Homelab
   ```
-2. **Copy `.env` from core server**:
+   * It will prompt for required env variables if missing from ~/EZ-Homelab/.env
-   ```bash
+   * It includes variables for connecting to the core server
   # On core server
   cd ~/EZ-Homelab
   cat .env  # Copy the contents
-   # On remote server
+----
   nano ~/EZ-Homelab/.env  # Paste and save
   ```
-3. **Run setup with Infrastructure-Only option**:
+## What Gets Deployed Where
   ```bash
   ./scripts/ez-homelab.sh
   # Select option 3: "Deploy Infrastructure Only (Remote Server)"
   ```
 4. **When prompted, provide core server IP** for CA import
 5. **Script automatically**:
   - Copies shared CA from core server via SSH
   - Configures Docker TLS with shared certificates
   - Generates server certificates signed by shared CA
   - Sets up Docker daemon for TLS on port 2376
   - Deploys Traefik for local container discovery
   - Deploys Sablier for local lazy loading
 ### What Gets Deployed Where
 | Component | Core Server | Remote Servers |
 |-----------|-------------|----------------|
 | DuckDNS | ✅ Yes | ❌ No |
 | Authelia | ✅ Yes | ❌ No |
-| Traefik | ✅ Yes (multi-provider) | ✅ Yes (local only) |
+| Traefik | ✅ Yes  | ❌ No |
-| Sablier | ✅ Yes (own stack) | ✅ Yes (own stack) |
+| Sablier | ✅ Yes  | ✅ Yes  |
 | Dockge | ✅ Yes | ✅ Yes |
 | Services | ✅ Any | ✅ Any |
@@ -118,22 +70,8 @@ To deploy services across multiple servers (e.g., Raspberry Pi, mini PCs):
 - **No Port Forwarding**: Remote servers don't need router configuration
 - **Automatic Discovery**: Core Traefik finds services on all servers
 - **Local Control**: Each Sablier manages its own server's containers
 - **Secure Communication**: All inter-server traffic uses TLS encryption
-### Troubleshooting Multi-Server Setup
+## What the ez-homelab.sh Script Does
 If remote server setup fails:
 1. **Check SSH access** from remote to core server
 2. **Verify firewall** allows port 2376 on remote servers
 3. **Test TLS connection** from core:
   ```bash
   cd /opt/stacks/core/shared-ca
   docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem \
     --tlskey=key.pem --host=tcp://REMOTE_IP:2376 ps
   ```
 4. **Check logs**: See setup script output for specific errors
 ## What the Unified Setup Script Does
 The `ez-homelab.sh` script is a comprehensive guided setup and deployment tool:
@@ -147,29 +85,24 @@ The `ez-homelab.sh` script is a comprehensive guided setup and deployment tool:
 - ✅ Enables SSH server
 **Interactive Configuration:**
- ✅ Guides through domain setup (DuckDNS)
+- ✅ Prompts for all required env variables
- ✅ Prompts for admin username, email, and password
+- ✅ Generates three secrets for Authelia (JWT, session, encryption)
- ✅ Generates three cryptographic secrets (JWT, session, encryption)
+- ✅ Generates argon2id password hash for admin password using Docker
 - ✅ Generates argon2id password hash using Docker (30-60s process)
 - ✅ Allows service stack selection
 - ✅ Validates Docker is available before operations
 **Infrastructure Setup & Deployment:**
- ✅ Creates directory structure (`/opt/stacks/`)
+- ✅ Creates directory structure (`/opt/stacks/` & `opt/dockge`)
- ✅ Sets up Docker networks (homelab, traefik, dockerproxy, media)
+- ✅ Sets up Docker networks (homelab, traefik, dockerproxy)
 - ✅ Deploys selected service stacks with individual deployment scripts
 - ✅ Obtains wildcard SSL certificate (*.yourdomain.duckdns.org)
- ✅ Configures Traefik for multi-server support (if applicable)
+- ✅ Configures Traefik for multi-server support
 - ✅ Generates and distributes TLS certificates for Docker API (multi-server)
 - ✅ Detects NVIDIA GPU and offers driver installation
 - ✅ Opens Dockge when ready
 **Safety Features:**
 - Interactive guidance with clear prompts
 - Timeout handling (60s for Docker operations)
 - Comprehensive error messages with troubleshooting hints
 - Safe to re-run (idempotent operations)
 - Confirmation prompts for destructive actions
 ## Release-Specific Notes
 - **Current Version**: Production-ready with comprehensive multi-server support
--- a/docs/how-it-works.md
+++ b/docs/how-it-works.md
@@ -1,6 +1,6 @@
-# How Your AI Homelab Works
+# How Your EZ Homelab Works
-Welcome to your AI-powered homelab! This guide explains how all the components work together to create a production-ready, self-managing infrastructure. Don't worry if it seems complex at first - the AI assistant handles most of the technical details for you.
+This guide explains how all the components work together to create your homelab infrastructure. 
 ## Quick Overview
@@ -29,8 +29,7 @@ EZ-Homelab supports two deployment architectures:
 - **Core Server**: Handles external traffic (ports 80/443), runs DuckDNS/Traefik/Authelia
 - **Remote Servers**: Run their own Traefik/Sablier for local container management
 - Unified domain access: All services through `service.yourdomain.com`
- Servers communicate via HTTP/HTTPS (no Docker API TLS needed)
+- Servers communicate via HTTP/HTTPS
 - Ideal for: Raspberry Pi clusters, NAS + desktop, distributed workloads
 **This guide covers both architectures**, with multi-server notes where relevant.
@@ -40,7 +39,6 @@ EZ-Homelab supports two deployment architectures:
 Your central hub for accessing all services. Think of it as the "start menu" for your homelab.
 - **What it does**: Shows all your deployed services with quick links
 - **AI Integration**: The AI can automatically add new services and configure widgets
 - **Customization**: Add weather, system stats, and service-specific widgets
 - **Configuration**: [docker-compose/dashboards/](docker-compose/dashboards/) | [service-docs/homepage.md](service-docs/homepage.md)
 ### 🐳 **Dockge** (`https://dockge.servername.yourdomain.duckdns.org`)
@@ -48,14 +46,14 @@ Your primary management interface for deploying and managing services.
 - **What it does**: Web-based Docker Compose manager
 - **Stacks**: Groups services into logical units (media, monitoring, productivity)
 - **One-Click Deploy**: Upload compose files and deploy instantly
- **Multi-Server**: Deploy on core or remote servers from one interface
+- **Dockge Agents**: Deploy on core or remote servers from one interface
 - **Configuration**: [docker-compose/dockge/](docker-compose/dockge/) | [service-docs/dockge.md](service-docs/dockge.md)
 ### 🔐 **Authelia** (`https://auth.yourdomain.duckdns.org`)
 Your security gatekeeper that protects sensitive services.
 - **What it does**: Single sign-on (SSO) authentication
 - **Security**: Two-factor authentication, session management
- **Smart Bypass**: Automatically bypasses auth for media apps (Plex, Jellyfin)
+- **Smart Bypass**: Bypasses auth for select apps (Plex, Jellyfin)
 - **Multi-Server**: Core server only; protects all services across all servers
 - **Configuration**: [docker-compose/core/](docker-compose/core/) | [service-docs/authelia.md](service-docs/authelia.md)
@@ -63,8 +61,8 @@ Your security gatekeeper that protects sensitive services.
 Your intelligent traffic director and SSL certificate manager.
 - **What it does**: Reverse proxy that routes web traffic to the right services
 - **SSL**: Automatically obtains and renews free HTTPS certificates
- **Labels**: Services "advertise" themselves to Traefik via Docker labels
+- **Labels**: Services on core server "advertise" themselves to Traefik via Docker labels
- **Multi-Server**: Core uses multi-provider (labels + YAML files); remote servers use labels only
+- **Multi-Server**: Remote servers use yaml (on the core server) only
 - **Configuration**: [docker-compose/core/](docker-compose/core/) | [service-docs/traefik.md](service-docs/traefik.md)
 ### 🦆 **DuckDNS**
@@ -115,7 +113,7 @@ Your download traffic protector.
 **Multi-Server:**
 - **Core Server Ports**: Only core forwards 80/443 to internet
 - **Remote Servers**: No port forwarding needed; accessed through core
- **Traffic Flow**: Internet → Core Traefik → Remote Traefik → Service
+- **Traffic Flow**: Internet → Core Traefik → Service
 - **SSL**: Core handles all SSL termination
 - **Unified Domain**: `service.yourdomain.com` works for all servers
@@ -127,6 +125,9 @@ Your download traffic protector.
 - **Backup**: Included in automatic backups
 ### Media & Large Data
 >You may want additional drives for large downloads & media libraries
 - **Location**: `/mnt/media/`, `/mnt/downloads/`
 - **Purpose**: Movies, TV shows, music, downloads
 - **Performance**: Direct mounted drives for speed
--- a/docs/multi-server-deployment.md
+++ b/docs/multi-server-deployment.md
@@ -16,37 +16,41 @@ This guide explains the **current multi-server architecture** where:
 ┌─────────────────────────────────────────────────────────────────┐
 │                    🌐 PUBLIC INTERNET                          │
 │  HTTPS Traffic (Ports 80/443 forwarded from router)             │
-└─────────────────────┬───────────────────────────────────────────┘
+└─────────────────────────────┬────┬──────────────────────────────┘
-                      │
+                              │    |
-                      ▼ HTTPS (SSL/TLS)
+                     HTTP(S)  ▼       HTTPS
-┌─────────────────────────────────────────────────────────────────┐
+                              |    |
-│                         CORE SERVER                              │
+┌─────────────────────────────┼────┼──────────────────────────────┐
-│  ┌────────────┐  ┌──────────┐  ┌──────────┐  ┌──────────────┐ │
+│  CORE SERVER                │    |                              │
-│  │  DuckDNS   │  │ Traefik  │  │ Authelia │  │ Core Services │ │
+|                             ▼                                   |
-│  │ (SSL DNS)  │  │ (multi-  │  │  (SSO)   │  │   (local)     │ │
+│  ┌───────────────┐       ┌──────────┐      ┌────────────────┐   │
-│  │            │  │ provider)│  │          │  │               │ │
+│  │ Core Services │       │ Traefik  │      │ Local Services │   │
-│  └────────────┘  └────┬─────┘  └──────────┘  └──────────────┘ │
+│  │   Authelia    │ ----  │          │ ---- │                │   │
 │  │   DuckDNS     │       │          │      │                │   │
 │  └───────────────┘       └────┬─────┘      └────────────────┘   │
 │                               │                                 │
-│          ┌──────────────┼──────────────┐                        │
+│                ┌──────────────┼────────────┐                    │
-│          │  Routes:     │              │                        │
+│                │  Routes:                  │                    │
-│          │  • Local     │  (labels)    │                        │
+│                │  • Local (labels)         │                    │
-│          │  • Remote    │  (YAML files)│                        │
+│                │  • Remote (YAML files)    │                    │
-└──────────┼──────────────┼──────────────┼────────────────────────┘
+|                |                           |                    |
-           │              │              │
+|                └──────────────┬────────────┘                    |
-           │ HTTP (internal network)     │
+|                               |                                 |
-           │ No SSL/TLS encryption       │
+└───────────────────────────────┼─────────────────────────────────┘
           ▼              ▼              ▼
    ┌─────────────────────────────────────────┐
    │       ADDITIONAL SERVER (e.g., Pi)      │
    │  ┌──────────┐  ┌───────┐  ┌──────────┐ │
    │  │ Sablier  │  │ Media │  │ Exposed  │ │
    │  │ (lazy    │  │ Apps  │  │ Ports    │ │
    │  │ loading) │  │       │  │ 5001,    │ │
    │  └──────────┘  └───────┘  │ 8085...  │ │
    └────────────────────────────┼──────────┘
                                │
-                    Direct port access
+       HTTP (internal network)  │
-                    (no local reverse proxy)
+       No SSL/TLS encryption    │
                                ▼
 ┌───────────────────────────────┼─────────────────────────────────┐
 │  ADDITIONAL SERVER                                              │
 |                                                                 |
 │    ┌───────────────┐  ┌────────────────┐  ┌────────────────┐    │
 │    │ Sablier       │  │ Your Apps      │  │ Dockge         |    |
 │    │ lazy loading  │  │ expose ports   │  │                |    |
 │    │               │  │                │  │                |    |
 │    └───────────────┘  └────────────────┘  └────────────────┘    │
 └─────────────────────────────────────────────────────────────────┘
 ```
 ### Traffic Flow Summary
@@ -119,12 +123,3 @@ When you deploy an additional server:
 - **Centralized Access**: All services accessed through one domain
 - **Unified SSO**: Authelia on core server protects all services
 - **Local Lazy Loading**: Sablier manages containers on each server independently
 ## Performance Considerations
 - **Latency**: Direct routing (core → service) minimizes hops
 - **Resource Usage**: Additional servers run only Sablier (~50MB) - no Traefik needed
 - **Scalability**: Can add unlimited additional servers without complexity
 - **Network**: Internal 1Gbps+ recommended between servers
 - **Deployment Speed**: Additional servers deploy in ~2 minutes (vs 5-10 with local Traefik)
--- a/docs/multi-server-implementation-plan.md
+++ b/docs/multi-server-implementation-plan.md
--- a/docs/proxying-external-hosts.md
+++ b/docs/proxying-external-hosts.md
@@ -5,7 +5,7 @@ This guide explains how to use Traefik and Authelia to proxy external services (
 ## Overview
 Traefik can proxy services that aren't running in Docker, such as:
- Home Assistant on a Raspberry Pi
+Yea- Home Assistant on a Raspberry Pi
 - Other physical servers on your network
 - Services running on different machines
 - Any HTTP/HTTPS service accessible via IP:PORT
@@ -14,7 +14,7 @@ Traefik can proxy services that aren't running in Docker, such as:
 ### Step 1: Create Configuration File
-Create a YAML file in `/opt/stacks/traefik/dynamic/` named `external-hosts.yml`:
+Create a YAML file in `/opt/stacks/traefik/dynamic/` named `external-host-servername.yml` where servername is the remove server's host name:
 ```yaml
 http:
@@ -68,26 +68,7 @@ Visit `https://ha.yourdomain.duckdns.org` - Traefik will:
 2. Proxy the request to `http://192.168.1.50:8123`
 3. Return the response with proper SSL
 4. (Optionally) Require Authelia login if middleware is configured
-
+``
 ## Common External Services to Proxy
 ### Home Assistant (Raspberry Pi)
 ```yaml
 homeassistant-pi:
  rule: "Host(`ha.yourdomain.duckdns.org`)"
  service: http://192.168.1.50:8123
  # No Authelia - HA has its own auth
 ```
 ### Router/Firewall Admin Panel
 ```yaml
 router-admin:
  rule: "Host(`router.yourdomain.duckdns.org`)"
  service: http://192.168.1.1:80
  middlewares:
    - authelia@docker  # Add SSO protection
 ```
 ## Advanced Configuration
 ### WebSocket Support
@@ -170,47 +151,6 @@ access_control:
      policy: two_factor
 ```
 ## DNS Configuration
 Ensure your DuckDNS domain points to your public IP:
 1. DuckDNS container automatically updates your IP
 2. Port forward 80 and 443 to your Traefik server
 3. All subdomains (`*.yourdomain.duckdns.org`) point to same IP
 4. Traefik routes based on Host header
 ## Troubleshooting
 ### Check Traefik Routing
 ```bash
 # View active routes
 docker logs traefik | grep "Creating router"
 # Check if external host route is loaded
 docker logs traefik | grep homeassistant
 # View Traefik dashboard
 # Visit: https://traefik.yourdomain.duckdns.org
 ```
 ### Test Without SSL
 ```bash
 # Temporarily test direct connection
 curl -H "Host: ha.yourdomain.duckdns.org" http://localhost/
 ```
 ### Check Authelia Logs
 ```bash
 cd /opt/stacks/authelia
 docker compose logs -f authelia
 ```
 ### Verify External Service
 ```bash
 # Test that external service is reachable
 curl http://192.168.1.50:8123
 ```
 ## AI Management
 The AI can manage external host proxying by:
@@ -218,8 +158,7 @@ The AI can manage external host proxying by:
 1. **Reading existing configurations**: Parse `/opt/stacks/traefik/dynamic/*.yml`
 2. **Adding new routes**: Create/update YAML files in dynamic directory
 3. **Configuring Authelia rules**: Edit `configuration.yml` for bypass/require auth
-4. **Testing connectivity**: Suggest verification steps
+4. **Adding Homepage entries**: Update dashboard configuration
 5. **Adding Homepage entries**: Update dashboard configuration
 Example AI prompt:
 > "Add proxying for my Unifi Controller at 192.168.1.5:8443 with Authelia protection"
@@ -231,25 +170,16 @@ AI will:
 4. Add to Homepage dashboard
 5. Provide testing instructions
 ## Security Best Practices
 1. **Always use Authelia** for admin interfaces (routers, NAS, etc.)
 2. **Bypass Authelia** only for services with their own auth (HA, Plex)
 3. **Use IP whitelist** for highly sensitive services
 4. **Enable two-factor** for critical infrastructure
 5. **Monitor access logs** in Traefik and Authelia
 6. **Keep services updated** - Traefik, Authelia, and external services
 ## Example: Complete External Host Setup
 Let's proxy a Raspberry Pi Home Assistant:
-1. **Traefik configuration** (`/opt/stacks/traefik/dynamic/raspberry-pi.yml`):
+1. **Traefik configuration** (`/opt/stacks/traefik/dynamic/extarnal-host-homeassistant.yml`):
 ```yaml
 http:
  routers:
    ha-pi:
-      rule: "Host(`ha.yourdomain.duckdns.org`)"
+      rule: "Host(`homeassistant.yourdomain.duckdns.org`)"
      entryPoints:
        - websecure
      service: ha-pi
@@ -275,7 +205,7 @@ http:
 ```yaml
 access_control:
  rules:
-    - domain: ha.yourdomain.duckdns.org
+    - domain: homeassistant.yourdomain.duckdns.org
      policy: bypass
 ```
@@ -284,7 +214,7 @@ access_control:
 - Home Automation:
    - Home Assistant (Pi):
        icon: home-assistant.png
-        href: https://ha.yourdomain.duckdns.org
+        href: https://homeassistant.yourdomain.duckdns.org
        description: HA on Raspberry Pi
        ping: 192.168.1.50
        widget: