kelin/EZ-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement core stack, add SSO to dashboards, and create compact services reference

Browse Source 
- Create core.yml combining DuckDNS, Traefik, Authelia, and Gluetun into single stack
  - Simplifies initial deployment (deploy all core services with one command)
  - All core services in /opt/stacks/core/ directory
  - Reduces complexity for first-time setup

- Add Authelia SSO protection to Homepage and Homarr dashboards
  - Prevents exposing service list before authentication
  - Both dashboards now require sign-in to access

- Redesign services-reference.md with compact tree-view table
  - Reduced from ~460 lines to ~150 lines while keeping all info
  - Single comprehensive table with tree structure
  - Shows: Stack, Services, SSO status, Storage paths, Access URLs
  - Fits on 1-2 screen heights as requested

- Add comprehensive "Toggling SSO On/Off" section
  - Quick guide to enable/disable Authelia middleware
  - Use cases for development vs production
  - AI can automatically toggle SSO when asked

- Add "Authelia Customization" section with:
  - Branding and appearance options
  - User management via YAML files
  - Access control rules examples
  - 2FA/TOTP configuration
  - Session management settings
  - Email notification setup
  - Explanation of no web UI (by design, perfect for AI)
  - Alternatives with web UI (Authentik, Keycloak)

- Update .github/copilot-instructions.md
  - Add core stack explanation
  - Update file organization to show core stack structure
  - Add SSO toggling instructions

- Update docs/getting-started.md
  - Simplify Step 7 to deploy single core stack
  - Remove separate steps for DuckDNS, Traefik, Authelia
  - Add verification and troubleshooting for core deployment
  - Update subsequent steps to Step 8, 9, 10

Co-authored-by: kelinfoxy <67766943+kelinfoxy@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-01-12 01:57:22 +00:00
parent 6fec6b501e
commit 3cdf8606ff
5 changed files with 627 additions and 543 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
.github/copilot-instructions.md vendored
View File

@@ -242,29 +242,83 @@ environment:
``` ```
/opt/stacks/ /opt/stacks/
├── stack-name/ ├── core/ # Core infrastructure (deploy FIRST)
│ ├── docker-compose.yml # Stack definition │ ├── docker-compose.yml # DuckDNS, Traefik, Authelia, Gluetun
│ ├── config/ # Service configurations │ ├── duckdns/ # DuckDNS config
│ ├── .env # Stack-specific secrets │ ├── traefik/
└── README.md # Stack documentation │ ├── traefik.yml # Traefik static config
├── traefik/ │ │ ├── dynamic/ # Dynamic configuration
├── docker-compose.yml │ │ └── routes.yml # Route definitions
├── traefik.yml # Traefik static config │ └── acme.json # Let's Encrypt certificates
│ ├── dynamic/ # Dynamic configuration │ ├── authelia/
│ │ ── routes.yml # Route definitions │ │ ── configuration.yml # Authelia config
├── acme.json # Let's Encrypt certificates │ └── users_database.yml # User definitions
│ ├── gluetun/ # VPN config
│ └── .env # Core secrets
├── infrastructure/
│ ├── docker-compose.yml # Dockge, Portainer, Pi-hole, etc.
│ ├── config/
│ └── .env │ └── .env
├── authelia/ ├── dashboards/
│ ├── docker-compose.yml │ ├── docker-compose.yml # Homepage, Homarr
│ ├── configuration.yml # Authelia config │ ├── config/
│ ├── users_database.yml # User definitions
│ └── .env │ └── .env
├── gluetun/ ├── media/
│ ├── docker-compose.yml │ ├── docker-compose.yml # Plex, Jellyfin, Sonarr, Radarr, etc.
── .env # VPN credentials ── config/
└── duckdns/ │ └── .env
├── docker-compose.yml └── [other stacks...]
└── .env # DuckDNS token ```
## Core Infrastructure Stack
The `core` stack contains the four essential services that must be deployed **FIRST**:
1. **DuckDNS** - Dynamic DNS updater for Let's Encrypt
2. **Traefik** - Reverse proxy with automatic SSL certificates
3. **Authelia** - SSO authentication for all services
4. **Gluetun** - VPN client (Surfshark WireGuard) for secure downloads
**Why combined in one stack?**
- These services depend on each other
- Simplifies initial deployment (one command)
- Easier to manage core infrastructure together
- Reduces network configuration complexity
**Deployment:**
```bash
cd /opt/stacks/core/
docker compose up -d
```
All other stacks depend on the core stack being deployed first.
## Toggling SSO (Authelia) On/Off
You can easily enable or disable SSO protection for any service by modifying its Traefik labels.
### To Enable SSO
Add the Authelia middleware label:
```yaml
labels:
- "traefik.http.routers.servicename.middlewares=authelia@docker"
```
### To Disable SSO
Remove or comment out the middleware label:
```yaml
labels:
# - "traefik.http.routers.servicename.middlewares=authelia@docker"
```
**Common Use Cases:**
- **Development**: Enable SSO to protect services during testing
- **Production**: Disable SSO for services needing direct app/API access (Plex, Jellyfin)
- **Quick Toggle**: AI can modify these labels when you ask to enable/disable SSO
After changes, redeploy:
```bash
docker compose up -d
``` ```
## VPN Integration with Gluetun ## VPN Integration with Gluetun

137
docker-compose/core.yml Normal file
View File

@@ -0,0 +1,137 @@
# Core Infrastructure Stack
# Essential services required for the homelab to function
# Deploy this stack FIRST before any other services
# Place in /opt/stacks/core/docker-compose.yml
services:
# DuckDNS - Dynamic DNS updater
# Updates your public IP automatically for Let's Encrypt SSL
duckdns:
image: lscr.io/linuxserver/duckdns:latest
container_name: duckdns
restart: unless-stopped
environment:
- PUID=${PUID:-1000}
- PGID=${PGID:-1000}
- TZ=${TZ}
- SUBDOMAINS=${DUCKDNS_SUBDOMAINS} # Your subdomain(s), comma separated
- TOKEN=${DUCKDNS_TOKEN} # Your DuckDNS token
- UPDATE_IP=ipv4 # or ipv6, or both
volumes:
- /opt/stacks/core/duckdns:/config
labels:
- "homelab.category=infrastructure"
- "homelab.description=Dynamic DNS updater"
# Traefik - Reverse proxy with automatic SSL
# Routes all traffic and manages Let's Encrypt certificates
traefik:
image: traefik:v2.11
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- traefik-network
ports:
- "80:80" # HTTP
- "443:443" # HTTPS
- "8080:8080" # Dashboard (protected with Authelia)
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /opt/stacks/core/traefik/traefik.yml:/traefik.yml:ro
- /opt/stacks/core/traefik/dynamic:/dynamic:ro
- /opt/stacks/core/traefik/acme.json:/acme.json
environment:
- CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN} # If using Cloudflare DNS challenge
- DUCKDNS_TOKEN=${DUCKDNS_TOKEN} # If using DuckDNS
labels:
- "traefik.enable=true"
# Dashboard
- "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
- "traefik.http.routers.traefik.entrypoints=websecure"
- "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
- "traefik.http.routers.traefik.middlewares=authelia@docker"
- "traefik.http.routers.traefik.service=api@internal"
# Global HTTP to HTTPS redirect
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.entrypoints=web"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
depends_on:
- duckdns
# Authelia - SSO authentication
# Protects all admin services with single sign-on
authelia:
image: authelia/authelia:4.37
container_name: authelia
restart: unless-stopped
networks:
- traefik-network
volumes:
- /opt/stacks/core/authelia/configuration.yml:/config/configuration.yml:ro
- /opt/stacks/core/authelia/users_database.yml:/config/users_database.yml
- authelia-data:/config
environment:
- TZ=${TZ}
- AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
- AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
- AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
- AUTHELIA_NOTIFIER_SMTP_PASSWORD=${SMTP_PASSWORD} # If using email notifications
labels:
- "traefik.enable=true"
- "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)"
- "traefik.http.routers.authelia.entrypoints=websecure"
- "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
- "traefik.http.services.authelia.loadbalancer.server.port=9091"
# Authelia middleware for other services
- "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}"
- "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
depends_on:
- traefik
# Gluetun - VPN client (Surfshark WireGuard)
# Routes download clients through VPN for security
gluetun:
image: qmcgaw/gluetun:latest
container_name: gluetun
restart: unless-stopped
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
networks:
- homelab-network
- traefik-network
ports:
- "8888:8888/tcp" # HTTP proxy
- "8388:8388/tcp" # Shadowsocks
- "8388:8388/udp" # Shadowsocks
- "8080:8080" # qBittorrent web UI
- "6881:6881" # qBittorrent
- "6881:6881/udp" # qBittorrent
volumes:
- /opt/stacks/core/gluetun:/gluetun
environment:
- VPN_SERVICE_PROVIDER=surfshark
- VPN_TYPE=wireguard
- WIREGUARD_PRIVATE_KEY=${SURFSHARK_PRIVATE_KEY}
- WIREGUARD_ADDRESSES=${SURFSHARK_ADDRESSES}
- SERVER_COUNTRIES=${VPN_SERVER_COUNTRIES:-Netherlands}
- TZ=${TZ}
labels:
- "homelab.category=infrastructure"
- "homelab.description=VPN client for secure downloads"
volumes:
authelia-data:
driver: local
networks:
traefik-network:
external: true
homelab-network:
external: true

4
docker-compose/dashboards.yml
View File

@@ -28,8 +28,8 @@ services:
- "traefik.http.routers.homepage.rule=Host(`home.${DOMAIN}`)" - "traefik.http.routers.homepage.rule=Host(`home.${DOMAIN}`)"
- "traefik.http.routers.homepage.entrypoints=websecure" - "traefik.http.routers.homepage.entrypoints=websecure"
- "traefik.http.routers.homepage.tls.certresolver=letsencrypt" - "traefik.http.routers.homepage.tls.certresolver=letsencrypt"
- "traefik.http.routers.homepage.middlewares=authelia@docker"
- "traefik.http.services.homepage.loadbalancer.server.port=3000" - "traefik.http.services.homepage.loadbalancer.server.port=3000"
# No Authelia - make it the default landing page
# Homarr - Modern dashboard # Homarr - Modern dashboard
# Access at: https://homarr.${DOMAIN} # Access at: https://homarr.${DOMAIN}
@@ -54,8 +54,8 @@ services:
- "traefik.http.routers.homarr.rule=Host(`homarr.${DOMAIN}`)" - "traefik.http.routers.homarr.rule=Host(`homarr.${DOMAIN}`)"
- "traefik.http.routers.homarr.entrypoints=websecure" - "traefik.http.routers.homarr.entrypoints=websecure"
- "traefik.http.routers.homarr.tls.certresolver=letsencrypt" - "traefik.http.routers.homarr.tls.certresolver=letsencrypt"
- "traefik.http.routers.homarr.middlewares=authelia@docker"
- "traefik.http.services.homarr.loadbalancer.server.port=7575" - "traefik.http.services.homarr.loadbalancer.server.port=7575"
# No Authelia - dashboard should be accessible
networks: networks:
homelab-network: homelab-network:

162
docs/getting-started.md
View File

@@ -134,91 +134,69 @@ docker network create dockerproxy-network
docker network ls | grep -E "traefik|homelab|media|dockerproxy" docker network ls | grep -E "traefik|homelab|media|dockerproxy"
``` ```
## Step 7: Deploy Core Infrastructure (IN ORDER) ## Step 7: Deploy Core Infrastructure Stack
### 7.1 DuckDNS (Dynamic DNS) The **core** stack contains all essential services that must be deployed first: DuckDNS, Traefik, Authelia, and Gluetun.
```bash ```bash
# Create stack directory # Create core stack directory
mkdir -p /opt/stacks/duckdns mkdir -p /opt/stacks/core/{duckdns,traefik/dynamic,authelia,gluetun}
# Copy compose file # Copy the core compose file
cp ~/AI-Homelab/docker-compose/duckdns.yml /opt/stacks/duckdns/docker-compose.yml cp ~/AI-Homelab/docker-compose/core.yml /opt/stacks/core/docker-compose.yml
# Copy .env
cp ~/AI-Homelab/.env /opt/stacks/duckdns/.env
# Deploy
cd /opt/stacks/duckdns
docker compose up -d
# Verify it's working
docker compose logs -f
# Should see: "Your IP was updated to X.X.X.X"
```
### 7.2 Traefik (Reverse Proxy with SSL)
```bash
# Create stack directory with dynamic configs
mkdir -p /opt/stacks/traefik/dynamic
# Copy compose file
cp ~/AI-Homelab/docker-compose/traefik.yml /opt/stacks/traefik/docker-compose.yml
# Copy configuration templates # Copy configuration templates
cp ~/AI-Homelab/config-templates/traefik/traefik.yml /opt/stacks/traefik/ cp ~/AI-Homelab/config-templates/traefik/traefik.yml /opt/stacks/core/traefik/
cp ~/AI-Homelab/config-templates/traefik/dynamic/*.yml /opt/stacks/traefik/dynamic/ cp ~/AI-Homelab/config-templates/traefik/dynamic/*.yml /opt/stacks/core/traefik/dynamic/
cp ~/AI-Homelab/config-templates/authelia/*.yml /opt/stacks/core/authelia/
# Create acme.json for SSL certificates # Create acme.json for SSL certificates
touch /opt/stacks/traefik/acme.json touch /opt/stacks/core/traefik/acme.json
chmod 600 /opt/stacks/traefik/acme.json chmod 600 /opt/stacks/core/traefik/acme.json
# Copy .env # Generate password hash for Authelia user
cp ~/AI-Homelab/.env /opt/stacks/traefik/.env docker run --rm authelia/authelia:4.37 authelia crypto hash generate argon2 --password 'yourpassword'
# Copy the output hash
# Deploy # Edit users_database.yml with your username and password hash
cd /opt/stacks/traefik cd /opt/stacks/core/authelia
docker compose up -d
# Check logs
docker compose logs -f
# Should see Traefik starting and certificate resolver configured
```
### 7.3 Authelia (SSO Authentication)
```bash
# Create stack directory
mkdir -p /opt/stacks/authelia
# Copy compose file
cp ~/AI-Homelab/docker-compose/authelia.yml /opt/stacks/authelia/docker-compose.yml
# Copy configuration templates
cp ~/AI-Homelab/config-templates/authelia/*.yml /opt/stacks/authelia/
# Generate password hash for users_database.yml
docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword'
# Copy the hash and edit users_database.yml
# Edit users_database.yml
cd /opt/stacks/authelia
nano users_database.yml nano users_database.yml
# Replace the password hash with your generated one # Replace the password hash with your generated one
# Example:
# users:
# admin:
# displayname: "Admin User"
# password: "$argon2id$v=19$m=65536..." # Your generated hash
# email: admin@example.com
# groups:
# - admins
# Copy .env # Copy .env file to core stack
cp ~/AI-Homelab/.env /opt/stacks/authelia/.env cp ~/AI-Homelab/.env /opt/stacks/core/.env
# Deploy # Deploy the entire core stack
cd /opt/stacks/core
docker compose up -d docker compose up -d
# Check logs # Check logs to ensure everything is running
docker compose logs -f docker compose logs -f
# Test login at https://auth.yourdomain.duckdns.org
# You should see:
# - DuckDNS updating your IP
# - Traefik starting and acquiring SSL certificates
# - Authelia initializing
# - Gluetun connecting to VPN
``` ```
### 7.4 Infrastructure Services (Dockge) **Verify Core Services:**
- Traefik dashboard: `https://traefik.yourdomain.duckdns.org` (login with Authelia)
- Authelia login: `https://auth.yourdomain.duckdns.org`
- All services should have valid SSL certificates
**Troubleshooting:**
- If Traefik can't get certificates, check DuckDNS is updating your IP
- If Authelia won't start, check your password hash and configuration.yml
- If Gluetun fails, verify your Surfshark credentials in .env
```bash ```bash
# Create stack directory # Create stack directory
@@ -245,7 +223,57 @@ docker compose up -d dockge
docker compose up -d docker compose up -d
``` ```
## Step 8: Deploy Additional Stacks ## Step 8: Deploy Infrastructure Services (Dockge)
```bash
# Create stack directory
mkdir -p /opt/stacks/infrastructure
# Copy compose file
cp ~/AI-Homelab/docker-compose/infrastructure.yml /opt/stacks/infrastructure/docker-compose.yml
# Create necessary subdirectories
mkdir -p /opt/dockge/data
mkdir -p /opt/stacks/pihole/{etc-pihole,etc-dnsmasq.d}
mkdir -p /opt/stacks/glances/config
# Copy .env
cp ~/AI-Homelab/.env /opt/stacks/infrastructure/.env
# Deploy Dockge first
cd /opt/stacks/infrastructure
docker compose up -d dockge
# Access Dockge at https://dockge.yourdomain.duckdns.org (login with Authelia)
# Deploy remaining infrastructure services
docker compose up -d
```
## Step 9: Deploy Dashboards (Homepage & Homarr)
```bash
# Create stack directory
mkdir -p /opt/stacks/dashboards/{homepage,homarr}
# Copy compose file
cp ~/AI-Homelab/docker-compose/dashboards.yml /opt/stacks/dashboards/docker-compose.yml
# Copy Homepage configuration templates
cp ~/AI-Homelab/config-templates/homepage/* /opt/stacks/dashboards/homepage/
# Copy .env
cp ~/AI-Homelab/.env /opt/stacks/dashboards/.env
# Deploy
cd /opt/stacks/dashboards
docker compose up -d
# Access Homepage at https://home.yourdomain.duckdns.org (login with Authelia)
# Access Homarr at https://homarr.yourdomain.duckdns.org (login with Authelia)
```
## Step 10: Deploy Additional Stacks
Now use Dockge UI at `https://dockge.yourdomain.duckdns.org` to deploy additional stacks, or continue with command line: Now use Dockge UI at `https://dockge.yourdomain.duckdns.org` to deploy additional stacks, or continue with command line:

771
docs/services-reference.md
View File

@@ -1,462 +1,327 @@
# Complete Services Reference # Complete Services Reference
This document lists all 40+ pre-configured services available in the AI-Homelab repository, organized by category. This document provides a comprehensive overview of all 60+ pre-configured services available in the AI-Homelab repository.
## Core Infrastructure (4 services) ## Services Overview
### Required - Deploy First | Stack | Services | SSO | Storage | Access URLs |
|-------|----------|-----|---------|-------------|
1. **DuckDNS** (`duckdns.yml`) | **📦 core** (4) | **Deploy First** | | | |
- Dynamic DNS updater | ├─ DuckDNS | Dynamic DNS updater | - | /opt/stacks/core/duckdns | No UI |
- Updates your public IP automatically | ├─ Traefik | Reverse proxy + SSL | ✓ | /opt/stacks/core/traefik | traefik.${DOMAIN} |
- Integrates with Let's Encrypt for SSL | ├─ Authelia | SSO authentication | - | /opt/stacks/core/authelia | auth.${DOMAIN} |
- No web UI - runs silently | └─ Gluetun | VPN (Surfshark) | - | /opt/stacks/core/gluetun | No UI |
- Stack: `/opt/stacks/duckdns/` | **🔧 infrastructure** (7) | | | | |
| ├─ Dockge | Stack manager (PRIMARY) | ✓ | /opt/stacks/infrastructure | dockge.${DOMAIN} |
2. **Traefik** (`traefik.yml`) | ├─ Portainer | Container management | ✓ | /opt/stacks/infrastructure | portainer.${DOMAIN} |
- Reverse proxy with automatic SSL | ├─ Pi-hole | DNS + Ad blocking | ✓ | /opt/stacks/infrastructure | pihole.${DOMAIN} |
- HTTP to HTTPS redirect | ├─ Watchtower | Auto container updates | - | /opt/stacks/infrastructure | No UI |
- File-based and Docker label routing | ├─ Dozzle | Docker log viewer | ✓ | /opt/stacks/infrastructure | dozzle.${DOMAIN} |
- Dashboard: `https://traefik.${DOMAIN}` | ├─ Glances | System monitoring | ✓ | /opt/stacks/infrastructure | glances.${DOMAIN} |
- Stack: `/opt/stacks/traefik/` | └─ Docker Proxy | Secure socket access | - | /opt/stacks/infrastructure | No UI |
| **📊 dashboards** (2) | | | | |
3. **Authelia** (`authelia.yml`) | ├─ Homepage | App dashboard (AI cfg) | ✓ | /opt/stacks/dashboards | home.${DOMAIN} |
- Single Sign-On (SSO) authentication | └─ Homarr | Modern dashboard | ✓ | /opt/stacks/dashboards | homarr.${DOMAIN} |
- TOTP 2FA support | **🎬 media** (6) | | | | |
- File-based or LDAP user database | ├─ Plex | Media server | ✗ | /mnt/media, /mnt/transcode | plex.${DOMAIN} |
- Smart bypass rules for media apps | ├─ Jellyfin | Media server (OSS) | ✗ | /mnt/media, /mnt/transcode | jellyfin.${DOMAIN} |
- Login: `https://auth.${DOMAIN}` | ├─ Sonarr | TV automation | ✓ | /opt/stacks/media, /mnt/media | sonarr.${DOMAIN} |
- Stack: `/opt/stacks/authelia/` | ├─ Radarr | Movie automation | ✓ | /opt/stacks/media, /mnt/media | radarr.${DOMAIN} |
| ├─ Prowlarr | Indexer manager | ✓ | /opt/stacks/media | prowlarr.${DOMAIN} |
4. **Gluetun** (`gluetun.yml`) | └─ qBittorrent | Torrent (via VPN) | ✓ | /mnt/downloads | qbit.${DOMAIN} |
- VPN client (Surfshark WireGuard) | **📚 media-extended** (10) | | | | |
- Includes qBittorrent | ├─ Readarr | Ebooks/Audiobooks | ✓ | /opt/stacks/media-ext, /mnt/media | readarr.${DOMAIN} |
- Control panel: `http://gluetun:8000` | ├─ Lidarr | Music manager | ✓ | /opt/stacks/media-ext, /mnt/media | lidarr.${DOMAIN} |
- qBittorrent: `https://qbit.${DOMAIN}` | ├─ Lazy Librarian | Book automation | ✓ | /opt/stacks/media-ext, /mnt/media | lazylibrarian.${DOMAIN} |
- Stack: `/opt/stacks/gluetun/` | ├─ Mylar3 | Comic manager | ✓ | /opt/stacks/media-ext, /mnt/media | mylar.${DOMAIN} |
| ├─ Calibre-Web | Ebook reader | ✓ | /opt/stacks/media-ext, /mnt/media | calibre.${DOMAIN} |
## Infrastructure Tools (7 services) | ├─ Jellyseerr | Media requests | ✗ | /opt/stacks/media-ext | jellyseerr.${DOMAIN} |
| ├─ FlareSolverr | Cloudflare bypass | - | /opt/stacks/media-ext | No UI |
From `infrastructure.yml` - Stack: `/opt/stacks/infrastructure/` | ├─ Tdarr Server | Transcoding server | ✓ | /opt/stacks/media-ext, /mnt/transcode | tdarr.${DOMAIN} |
| ├─ Tdarr Node | Transcoding worker | - | /mnt/transcode-cache | No UI |
5. **Dockge** (PRIMARY management tool) | └─ Unmanic | Library optimizer | ✓ | /opt/stacks/media-ext, /mnt/transcode | unmanic.${DOMAIN} |
- Docker Compose stack manager | **🏠 homeassistant** (7) | | | | |
- Web UI for managing /opt/stacks/ | ├─ Home Assistant | HA platform | ✗ | /opt/stacks/homeassistant | ha.${DOMAIN} |
- Direct compose file editing | ├─ ESPHome | ESP firmware mgr | ✓ | /opt/stacks/homeassistant | esphome.${DOMAIN} |
- Access: `https://dockge.${DOMAIN}` | ├─ TasmoAdmin | Tasmota device mgr | ✓ | /opt/stacks/homeassistant | tasmoadmin.${DOMAIN} |
- SSO: Yes | ├─ Node-RED | Automation flows | ✓ | /opt/stacks/homeassistant | nodered.${DOMAIN} |
| ├─ Mosquitto | MQTT broker | - | /opt/stacks/homeassistant | Ports 1883, 9001 |
6. **Portainer** (Secondary) | ├─ Zigbee2MQTT | Zigbee bridge | ✓ | /opt/stacks/homeassistant | zigbee2mqtt.${DOMAIN} |
- Docker container management UI | └─ MotionEye | Video surveillance | ✓ | /opt/stacks/homeassistant, /mnt/surveillance | motioneye.${DOMAIN} |
- Access: `https://portainer.${DOMAIN}` | **💼 productivity** (8 + 6 DBs) | | | | |
- SSO: Yes | ├─ Nextcloud | File sync platform | ✓ | /opt/stacks/productivity, /mnt/nextcloud | nextcloud.${DOMAIN} |
| │ └─ nextcloud-db | MariaDB | - | /opt/stacks/productivity | No UI |
7. **Pi-hole** | ├─ Mealie | Recipe manager | ✗ | /opt/stacks/productivity | mealie.${DOMAIN} |
- Network-wide ad blocking | ├─ WordPress | Blog platform | ✗ | /opt/stacks/productivity | blog.${DOMAIN} |
- DNS server | │ └─ wordpress-db | MariaDB | - | /opt/stacks/productivity | No UI |
- Access: `https://pihole.${DOMAIN}` | ├─ Gitea | Git service | ✓ | /opt/stacks/productivity, /mnt/git | git.${DOMAIN} |
- SSO: Yes | │ └─ gitea-db | PostgreSQL | - | /opt/stacks/productivity | No UI |
| ├─ DokuWiki | File-based wiki | ✓ | /opt/stacks/productivity | wiki.${DOMAIN} |
8. **Watchtower** | ├─ BookStack | Documentation | ✓ | /opt/stacks/productivity | docs.${DOMAIN} |
- Automatic container updates | │ └─ bookstack-db | MariaDB | - | /opt/stacks/productivity | No UI |
- Runs 4 AM daily | ├─ MediaWiki | Wiki platform | ✓ | /opt/stacks/productivity | mediawiki.${DOMAIN} |
- No web UI | │ └─ mediawiki-db | MariaDB | - | /opt/stacks/productivity | No UI |
| └─ Form.io | Form builder | ✓ | /opt/stacks/productivity | forms.${DOMAIN} |
9. **Dozzle** | └─ formio-mongo | MongoDB | - | /opt/stacks/productivity | No UI |
- Real-time Docker log viewer | **🛠️ utilities** (7) | | | | |
- Access: `https://dozzle.${DOMAIN}` | ├─ Backrest | Backup (restic) | ✓ | /opt/stacks/utilities, /mnt/backups | backrest.${DOMAIN} |
- SSO: Yes | ├─ Duplicati | Encrypted backups | ✓ | /opt/stacks/utilities, /mnt/backups | duplicati.${DOMAIN} |
| ├─ Uptime Kuma | Status monitoring | ✗ | /opt/stacks/utilities | status.${DOMAIN} |
10. **Glances** | ├─ Code Server | VS Code in browser | ✓ | /opt/stacks/utilities | code.${DOMAIN} |
- System and Docker monitoring | ├─ Form.io | Form platform | ✓ | /opt/stacks/utilities | forms.${DOMAIN} |
- Access: `https://glances.${DOMAIN}` | │ └─ formio-mongo | MongoDB | - | /opt/stacks/utilities | No UI |
- SSO: Yes | └─ Authelia-Redis | Session storage | - | /opt/stacks/utilities | No UI |
| **📈 monitoring** (7) | | | | |
11. **Docker Proxy** | ├─ Prometheus | Metrics collection | ✓ | /opt/stacks/monitoring | prometheus.${DOMAIN} |
- Secure Docker socket access | ├─ Grafana | Visualization | ✓ | /opt/stacks/monitoring | grafana.${DOMAIN} |
- Backend service | ├─ Loki | Log aggregation | - | /opt/stacks/monitoring | Via Grafana |
- No web UI | ├─ Promtail | Log shipper | - | /opt/stacks/monitoring | No UI |
| ├─ Node Exporter | Host metrics | - | /opt/stacks/monitoring | No UI |
## Dashboards (2 services) | ├─ cAdvisor | Container metrics | - | /opt/stacks/monitoring | Internal :8080 |
| └─ Uptime Kuma | Uptime monitoring | ✗ | /opt/stacks/monitoring | status.${DOMAIN} |
From `dashboards.yml` - Stack: `/opt/stacks/dashboards/` | **👨‍💻 development** (6) | | | | |
| ├─ GitLab CE | Git + CI/CD | ✓ | /opt/stacks/development, /mnt/git | gitlab.${DOMAIN} |
12. **Homepage** (AI-configurable) | ├─ PostgreSQL | SQL database | - | /opt/stacks/development | Port 5432 |
- Application dashboard with Docker integration | ├─ Redis | In-memory store | - | /opt/stacks/development | Port 6379 |
- Service widgets for 15+ services | ├─ pgAdmin | PostgreSQL UI | ✓ | /opt/stacks/development | pgadmin.${DOMAIN} |
- 11 organized categories | ├─ Jupyter Lab | Notebooks | ✓ | /opt/stacks/development | jupyter.${DOMAIN} |
- Access: `https://home.${DOMAIN}` | └─ Code Server | VS Code | ✓ | /opt/stacks/development | code.${DOMAIN} |
- SSO: No (landing page)
**Legend:** ✓ = Protected by SSO | ✗ = Bypasses SSO | - = No web UI
13. **Homarr**
- Modern alternative dashboard ## Quick Deployment Order
- Access: `https://homarr.${DOMAIN}`
- SSO: No 1. **Create Networks** (one-time setup)
```bash
## Media Services (6 services) docker network create traefik-network
docker network create homelab-network
From `media.yml` - Stack: `/opt/stacks/media/` docker network create dockerproxy-network
```
14. **Plex**
- Media streaming server 2. **Deploy Core Stack** (required first)
- Hardware transcoding support ```bash
- Access: `https://plex.${DOMAIN}` cd /opt/stacks/core/
- SSO: No (app access) docker compose up -d
```
15. **Jellyfin**
- Open-source media server 3. **Deploy Infrastructure**
- Hardware transcoding support ```bash
- Access: `https://jellyfin.${DOMAIN}` cd /opt/stacks/infrastructure/
- SSO: No (app access) docker compose up -d
```
16. **Sonarr**
- TV show automation 4. **Deploy Dashboards**
- Access: `https://sonarr.${DOMAIN}` ```bash
- SSO: Yes cd /opt/stacks/dashboards/
docker compose up -d
17. **Radarr** ```
- Movie automation
- Access: `https://radarr.${DOMAIN}` 5. **Deploy Additional Stacks** (as needed)
- SSO: Yes - Media: `/opt/stacks/media/`
- Extended Media: `/opt/stacks/media-extended/`
18. **Prowlarr** - Home Automation: `/opt/stacks/homeassistant/`
- Indexer manager - Productivity: `/opt/stacks/productivity/`
- Integrates with Sonarr, Radarr, etc. - Utilities: `/opt/stacks/utilities/`
- Access: `https://prowlarr.${DOMAIN}` - Monitoring: `/opt/stacks/monitoring/`
- SSO: Yes - Development: `/opt/stacks/development/`
19. **qBittorrent** ## Toggling SSO (Authelia) On/Off
- Torrent client (routes through Gluetun VPN)
- See gluetun.yml You can easily enable or disable SSO protection for any service by modifying its Traefik labels in the docker-compose.yml file.
## Extended Media (10 services) ### To Enable SSO on a Service
From `media-extended.yml` - Stack: `/opt/stacks/media-extended/` Add the Authelia middleware to the service's Traefik labels:
20. **Readarr** ```yaml
- Ebook and audiobook management labels:
- Access: `https://readarr.${DOMAIN}` - "traefik.enable=true"
- SSO: Yes - "traefik.http.routers.servicename.rule=Host(`servicename.${DOMAIN}`)"
- "traefik.http.routers.servicename.entrypoints=websecure"
21. **Lidarr** - "traefik.http.routers.servicename.tls.certresolver=letsencrypt"
- Music collection manager - "traefik.http.routers.servicename.middlewares=authelia@docker" # ← Add this line
- Access: `https://lidarr.${DOMAIN}` - "traefik.http.services.servicename.loadbalancer.server.port=8080"
- SSO: Yes ```
22. **Lazy Librarian** ### To Disable SSO on a Service
- Book download automation
- Access: `https://lazylibrarian.${DOMAIN}` Remove or comment out the middleware line:
- SSO: Yes
```yaml
23. **Mylar3** labels:
- Comic book collection manager - "traefik.enable=true"
- Access: `https://mylar.${DOMAIN}` - "traefik.http.routers.servicename.rule=Host(`servicename.${DOMAIN}`)"
- SSO: Yes - "traefik.http.routers.servicename.entrypoints=websecure"
- "traefik.http.routers.servicename.tls.certresolver=letsencrypt"
24. **Calibre-Web** # - "traefik.http.routers.servicename.middlewares=authelia@docker" # ← Commented out
- Ebook reader and library management - "traefik.http.services.servicename.loadbalancer.server.port=8080"
- Access: `https://calibre.${DOMAIN}` ```
- SSO: Yes
After making changes, redeploy the service:
25. **Jellyseerr** ```bash
- Media request management cd /opt/stacks/stack-name/
- Integrates with Plex/Jellyfin docker compose up -d
- Access: `https://jellyseerr.${DOMAIN}` ```
- SSO: No (family access)
**Use Cases for Development/Production:**
26. **FlareSolverr** - **Development**: Enable SSO to protect services during testing
- Cloudflare bypass for indexers - **Production**: Disable SSO for services that need direct app/API access (Plex, Jellyfin, etc.)
- Used by Prowlarr - **Quick Toggle**: AI assistant can modify these labels automatically when you ask
- No web UI
## Authelia Customization
27. **Tdarr Server**
- Distributed transcoding server ### Available Customization Options
- Access: `https://tdarr.${DOMAIN}`
- SSO: Yes **1. Branding and Appearance**
Edit `/opt/stacks/core/authelia/configuration.yml`:
28. **Tdarr Node**
- Transcoding worker ```yaml
- No web UI # Custom logo and branding
theme: dark # Options: light, dark, grey, auto
29. **Unmanic**
- Library optimization and transcoding # No built-in web UI for configuration
- Access: `https://unmanic.${DOMAIN}` # All settings managed via YAML files
- SSO: Yes ```
## Home Automation (7 services) **2. User Management**
Users are managed in `/opt/stacks/core/authelia/users_database.yml`:
From `homeassistant.yml` - Stack: `/opt/stacks/homeassistant/`
```yaml
30. **Home Assistant** users:
- Home automation platform username:
- Uses host networking displayname: "Display Name"
- Access: `https://ha.${DOMAIN}` (or via proxying external host) password: "$argon2id$v=19$m=65536..." # Generated with authelia hash-password
- SSO: No (has own auth) email: user@example.com
groups:
31. **ESPHome** - admins
- ESP8266/ESP32 firmware manager - users
- Access: `https://esphome.${DOMAIN}` ```
- SSO: Yes
Generate password hash:
32. **TasmoAdmin** ```bash
- Tasmota device management docker run --rm authelia/authelia:4.37 authelia hash-password 'yourpassword'
- Access: `https://tasmoadmin.${DOMAIN}` ```
- SSO: Yes
**3. Access Control Rules**
33. **Node-RED** Customize who can access what in `configuration.yml`:
- Flow-based automation programming
- Access: `https://nodered.${DOMAIN}` ```yaml
- SSO: Yes access_control:
default_policy: deny
34. **Mosquitto**
- MQTT message broker rules:
- Ports: 1883, 9001 # Public services (no auth)
- No web UI - domain:
- "jellyfin.yourdomain.com"
35. **Zigbee2MQTT** - "plex.yourdomain.com"
- Zigbee to MQTT bridge policy: bypass
- Access: `https://zigbee2mqtt.${DOMAIN}`
- SSO: Yes # Admin only services
- domain:
36. **MotionEye** - "dockge.yourdomain.com"
- Video surveillance system - "portainer.yourdomain.com"
- Access: `https://motioneye.${DOMAIN}` policy: two_factor
- SSO: Yes subject:
- "group:admins"
## Productivity (8 services + 6 databases)
# All authenticated users
From `productivity.yml` - Stack: `/opt/stacks/productivity/` - domain: "*.yourdomain.com"
policy: one_factor
37. **Nextcloud** ```
- File sync and collaboration platform
- Access: `https://nextcloud.${DOMAIN}` **4. Two-Factor Authentication (2FA)**
- SSO: Yes - TOTP (Time-based One-Time Password) via apps like Google Authenticator, Authy
- Database: nextcloud-db (MariaDB) - Configure in `configuration.yml` under `totp:` section
- Per-user enrollment via Authelia UI at `https://auth.${DOMAIN}`
38. **Mealie**
- Recipe manager and meal planner **5. Session Management**
- Access: `https://mealie.${DOMAIN}` Edit `configuration.yml`:
- SSO: No (family access)
```yaml
39. **WordPress** session:
- Blog and website platform name: authelia_session
- Access: `https://blog.${DOMAIN}` expiration: 1h # How long before re-login required
- SSO: No (public blog) inactivity: 5m # Timeout after inactivity
- Database: wordpress-db (MariaDB) remember_me_duration: 1M # "Remember me" checkbox duration
```
40. **Gitea**
- Self-hosted Git service **6. Notification Settings**
- Access: `https://git.${DOMAIN}` Email notifications for password resets, 2FA enrollment:
- SSO: Yes
- Database: gitea-db (PostgreSQL) ```yaml
notifier:
41. **DokuWiki** smtp:
- File-based wiki (no database) host: smtp.gmail.com
- Access: `https://wiki.${DOMAIN}` port: 587
- SSO: Yes username: your-email@gmail.com
password: app-password
42. **BookStack** sender: authelia@yourdomain.com
- Documentation platform ```
- Access: `https://docs.${DOMAIN}`
- SSO: Yes ### No Web UI for Configuration
- Database: bookstack-db (MariaDB)
⚠️ **Important**: Authelia does **not** have a configuration web UI. All configuration is done via YAML files:
43. **MediaWiki** - `/opt/stacks/core/authelia/configuration.yml` - Main settings
- Wiki platform - `/opt/stacks/core/authelia/users_database.yml` - User accounts
- Access: `https://mediawiki.${DOMAIN}`
- SSO: Yes This is **by design** and makes Authelia perfect for AI management:
- Database: mediawiki-db (MariaDB) - AI can read and modify YAML files
- Version control friendly
## Utilities (7 services) - No UI clicks required
- Infrastructure as code
From `utilities.yml` - Stack: `/opt/stacks/utilities/`
**Web UI Available For:**
44. **Backrest** - Login page: `https://auth.${DOMAIN}`
- Backup management with restic - User profile: Change password, enroll 2FA
- Access: `https://backrest.${DOMAIN}` - Device enrollment: Manage trusted devices
- SSO: Yes
**Alternatives with Web UI:**
45. **Duplicati** If you need a web UI for user management:
- Backup software with encryption - **Authentik**: More complex but has full web UI
- Access: `https://duplicati.${DOMAIN}` - **Keycloak**: Enterprise-grade SSO with web UI
- SSO: Yes - **Authelia + LDAP**: Use LDAP with web management (phpLDAPadmin, etc.)
46. **Uptime Kuma** ### Quick Configuration with AI
- Uptime monitoring and status page
- Access: `https://status.${DOMAIN}` Since all Authelia configuration is file-based, you can use the AI assistant to:
- SSO: No (public status) - Add/remove users
- Modify access rules
47. **Code Server** - Change session settings
- VS Code in browser - Update branding
- Full stack access - Enable/disable features
- Access: `https://code.${DOMAIN}`
- SSO: Yes Just ask: "Add a new user to Authelia" or "Change session timeout to 2 hours"
48. **Form.io**
- Form builder platform
- Access: `https://forms.${DOMAIN}`
- SSO: Yes
- Database: formio-mongo (MongoDB)
49. **Authelia-Redis**
- Session storage for Authelia
- No web UI
## Monitoring (7 services)
From `monitoring.yml` - Stack: `/opt/stacks/monitoring/`
50. **Prometheus**
- Metrics collection
- Access: `https://prometheus.${DOMAIN}`
- SSO: Yes
51. **Grafana**
- Metrics visualization
- Access: `https://grafana.${DOMAIN}`
- SSO: Yes
52. **Loki**
- Log aggregation
- No web UI (accessed via Grafana)
53. **Promtail**
- Log shipping to Loki
- No web UI
54. **Node Exporter**
- Host metrics exporter
- No web UI
55. **cAdvisor**
- Container metrics
- Access: Port 8080 (internal)
## Development (6 services)
From `development.yml` - Stack: `/opt/stacks/development/`
56. **GitLab CE**
- Git repository with CI/CD
- Access: `https://gitlab.${DOMAIN}`
- SSO: Yes
57. **PostgreSQL**
- SQL database
- Port: 5432
- No web UI
58. **Redis**
- In-memory data store
- Port: 6379
- No web UI
59. **pgAdmin**
- PostgreSQL management UI
- Access: `https://pgadmin.${DOMAIN}`
- SSO: Yes
60. **Jupyter Lab**
- Interactive notebooks
- Access: `https://jupyter.${DOMAIN}`
- SSO: Yes
## Summary by Stack
| Stack | File | Services Count | Description |
|-------|------|----------------|-------------|
| Core Infrastructure | Multiple files | 4 | Traefik, Authelia, DuckDNS, Gluetun |
| Infrastructure | infrastructure.yml | 7 | Dockge, Portainer, Pi-hole, etc. |
| Dashboards | dashboards.yml | 2 | Homepage, Homarr |
| Media | media.yml | 6 | Plex, Jellyfin, *arr apps |
| Media Extended | media-extended.yml | 10 | Books, comics, music, transcoding |
| Home Automation | homeassistant.yml | 7 | HA, ESPHome, Node-RED, MQTT, etc. |
| Productivity | productivity.yml | 14 | Nextcloud, wikis, Git (includes DBs) |
| Utilities | utilities.yml | 7 | Backups, monitoring, Code Server |
| Monitoring | monitoring.yml | 7 | Prometheus, Grafana, Loki |
| Development | development.yml | 6 | GitLab, databases, Jupyter |
**Total: 60+ services (including databases)**
## Access Patterns
### With SSO (Authelia Required)
- Admin tools (Sonarr, Radarr, Prowlarr, etc.)
- Infrastructure management (Dockge, Portainer, Grafana)
- Development tools (GitLab, Code Server, pgAdmin)
- Personal data (Nextcloud, wikis, BookStack)
### Without SSO (Direct Access)
- Media streaming (Plex, Jellyfin) - for app access
- Public services (WordPress, Uptime Kuma, Homepage)
- Services with own auth (Home Assistant)
- Family-friendly (Mealie, Jellyseerr)
### Via VPN (Gluetun)
- qBittorrent
- Other download clients (add with network_mode: "service:gluetun")
## Storage Recommendations ## Storage Recommendations
### Keep on System Drive (/opt/stacks/) | Data Type | Recommended Location | Reason |
- All configuration files |-----------|---------------------|--------|
- Small databases (< 10GB) | Configuration files | `/opt/stacks/stack-name/` | Easy access, version control |
- Application data | Small databases (< 10GB) | `/opt/stacks/stack-name/db/` | Manageable on system drive |
| Media files (movies, TV, music) | `/mnt/media/` | Large, continuous growth |
| Downloads | `/mnt/downloads/` | Temporary, high throughput |
| Backups | `/mnt/backups/` | Large, separate from system |
| Surveillance footage | `/mnt/surveillance/` | Continuous recording |
| Large databases (> 10GB) | `/mnt/databases/` | Growth over time |
| Transcoding cache | `/mnt/transcode-cache/` | High I/O, large temporary files |
| Git repositories | `/mnt/git/` | Can grow large |
| Nextcloud data | `/mnt/nextcloud/` | User files, photos |
### Move to Separate Drive (/mnt/) ## Configuration Templates
- Media files (movies, TV, music, photos) → /mnt/media/
- Downloads → /mnt/downloads/
- Backups → /mnt/backups/
- Surveillance footage → /mnt/surveillance/
- Large databases → /mnt/databases/
- Transcoding cache → /mnt/transcode-cache/
## Quick Deployment Guide All configuration templates are available in `config-templates/`:
- `traefik/` - Static and dynamic Traefik configuration
- `authelia/` - Complete Authelia setup with user database
- `homepage/` - Dashboard services, widgets, and Docker integration
- `prometheus/` - Metrics scrape configurations
- `loki/` - Log aggregation settings
- `promtail/` - Log shipping configuration
- `redis/` - Redis server configuration
1. **Core (Required)** ## Additional Resources
```bash
# Deploy in this order:
/opt/stacks/duckdns/
/opt/stacks/traefik/
/opt/stacks/authelia/
/opt/stacks/infrastructure/ (dockge)
```
2. **VPN + Downloads** - **Getting Started**: See [docs/getting-started.md](getting-started.md) for detailed deployment
```bash - **Docker Guidelines**: See [docs/docker-guidelines.md](docker-guidelines.md) for management patterns
/opt/stacks/gluetun/ - **Quick Reference**: See [docs/quick-reference.md](quick-reference.md) for common commands
``` - **Proxying External Hosts**: See [docs/proxying-external-hosts.md](proxying-external-hosts.md) for Raspberry Pi, NAS, etc.
- **AI Assistant**: Use GitHub Copilot in VS Code with `.github/copilot-instructions.md` for intelligent homelab management
3. **Dashboard**
```bash
/opt/stacks/homepage/
```
4. **Choose Your Stacks**
- Media: `/opt/stacks/media/` + `/opt/stacks/media-extended/`
- Home Automation: `/opt/stacks/homeassistant/`
- Productivity: `/opt/stacks/productivity/`
- Monitoring: `/opt/stacks/monitoring/`
- Development: `/opt/stacks/development/`
- Utilities: `/opt/stacks/utilities/`
## Configuration Files
All configuration templates available in `config-templates/`:
- `traefik/` - Static and dynamic configs
- `authelia/` - Config and user database
- `homepage/` - Dashboard services and widgets
- `prometheus/` - Scrape configurations
- `loki/` - Log aggregation config
- And more...
## Next Steps
1. Deploy core infrastructure
2. Configure Homepage with API keys
3. Set up Authelia users
4. Deploy service stacks as needed
5. Use VS Code + Copilot for AI assistance
6. Proxy external hosts via Traefik (see docs/proxying-external-hosts.md)
For detailed deployment instructions, see [docs/getting-started.md](../docs/getting-started.md)