Implement core stack, add SSO to dashboards, and create compact services reference

- Create core.yml combining DuckDNS, Traefik, Authelia, and Gluetun into single stack
  - Simplifies initial deployment (deploy all core services with one command)
  - All core services in /opt/stacks/core/ directory
  - Reduces complexity for first-time setup

- Add Authelia SSO protection to Homepage and Homarr dashboards
  - Prevents exposing service list before authentication
  - Both dashboards now require sign-in to access

- Redesign services-reference.md with compact tree-view table
  - Reduced from ~460 lines to ~150 lines while keeping all info
  - Single comprehensive table with tree structure
  - Shows: Stack, Services, SSO status, Storage paths, Access URLs
  - Fits on 1-2 screen heights as requested

- Add comprehensive "Toggling SSO On/Off" section
  - Quick guide to enable/disable Authelia middleware
  - Use cases for development vs production
  - AI can automatically toggle SSO when asked

- Add "Authelia Customization" section with:
  - Branding and appearance options
  - User management via YAML files
  - Access control rules examples
  - 2FA/TOTP configuration
  - Session management settings
  - Email notification setup
  - Explanation of no web UI (by design, perfect for AI)
  - Alternatives with web UI (Authentik, Keycloak)

- Update .github/copilot-instructions.md
  - Add core stack explanation
  - Update file organization to show core stack structure
  - Add SSO toggling instructions

- Update docs/getting-started.md
  - Simplify Step 7 to deploy single core stack
  - Remove separate steps for DuckDNS, Traefik, Authelia
  - Add verification and troubleshooting for core deployment
  - Update subsequent steps to Step 8, 9, 10

Co-authored-by: kelinfoxy <67766943+kelinfoxy@users.noreply.github.com>

.github/copilot-instructions.md

@@ -242,29 +242,83 @@ environment:
 
 ```
 /opt/stacks/
-├── stack-name/
-│   ├── docker-compose.yml    # Stack definition
-│   ├── config/               # Service configurations
-│   ├── .env                  # Stack-specific secrets
-│   └── README.md            # Stack documentation
-├── traefik/
-│   ├── docker-compose.yml
-│   ├── traefik.yml          # Traefik static config
-│   ├── dynamic/             # Dynamic configuration
-│   │   └── routes.yml       # Route definitions
-│   ├── acme.json           # Let's Encrypt certificates
+├── core/                        # Core infrastructure (deploy FIRST)
+│   ├── docker-compose.yml       # DuckDNS, Traefik, Authelia, Gluetun
+│   ├── duckdns/                 # DuckDNS config
+│   ├── traefik/
+│   │   ├── traefik.yml          # Traefik static config
+│   │   ├── dynamic/             # Dynamic configuration
+│   │   │   └── routes.yml       # Route definitions
+│   │   └── acme.json           # Let's Encrypt certificates
+│   ├── authelia/
+│   │   ├── configuration.yml    # Authelia config
+│   │   └── users_database.yml   # User definitions
+│   ├── gluetun/                 # VPN config
+│   └── .env                     # Core secrets
+├── infrastructure/
+│   ├── docker-compose.yml       # Dockge, Portainer, Pi-hole, etc.
+│   ├── config/
 │   └── .env
-├── authelia/
-│   ├── docker-compose.yml
-│   ├── configuration.yml    # Authelia config
-│   ├── users_database.yml   # User definitions
+├── dashboards/
+│   ├── docker-compose.yml       # Homepage, Homarr
+│   ├── config/
 │   └── .env
-├── gluetun/
-│   ├── docker-compose.yml
-│   └── .env                # VPN credentials
-└── duckdns/
-    ├── docker-compose.yml
-    └── .env                # DuckDNS token
+├── media/
+│   ├── docker-compose.yml       # Plex, Jellyfin, Sonarr, Radarr, etc.
+│   ├── config/
+│   └── .env
+└── [other stacks...]
+```
+
+## Core Infrastructure Stack
+
+The `core` stack contains the four essential services that must be deployed **FIRST**:
+
+1. **DuckDNS** - Dynamic DNS updater for Let's Encrypt
+2. **Traefik** - Reverse proxy with automatic SSL certificates
+3. **Authelia** - SSO authentication for all services
+4. **Gluetun** - VPN client (Surfshark WireGuard) for secure downloads
+
+**Why combined in one stack?**
+- These services depend on each other
+- Simplifies initial deployment (one command)
+- Easier to manage core infrastructure together
+- Reduces network configuration complexity
+
+**Deployment:**
+```bash
+cd /opt/stacks/core/
+docker compose up -d
+```
+
+All other stacks depend on the core stack being deployed first.
+
+## Toggling SSO (Authelia) On/Off
+
+You can easily enable or disable SSO protection for any service by modifying its Traefik labels.
+
+### To Enable SSO
+Add the Authelia middleware label:
+```yaml
+labels:
+  - "traefik.http.routers.servicename.middlewares=authelia@docker"
+```
+
+### To Disable SSO
+Remove or comment out the middleware label:
+```yaml
+labels:
+  # - "traefik.http.routers.servicename.middlewares=authelia@docker"
+```
+
+**Common Use Cases:**
+- **Development**: Enable SSO to protect services during testing
+- **Production**: Disable SSO for services needing direct app/API access (Plex, Jellyfin)
+- **Quick Toggle**: AI can modify these labels when you ask to enable/disable SSO
+
+After changes, redeploy:
+```bash
+docker compose up -d
 ```
 
 ## VPN Integration with Gluetun