Implement fixes from test results

- Update Docker install to use curl method - Rename ADMIN_PASSWORD to AUTHELIA_ADMIN_PASSWORD - Fix Authelia password hash generation (remove grep, no quotes) - Revert compose labels to single quotes - Ensure users_database.yml has unquoted password placeholder
2026-02-02 20:59:07 -05:00
parent 7e4799f27e
commit 3d5979b5f1
19 changed files with 1232 additions and 467 deletions
--- a/.env.example
+++ b/.env.example
@@ -60,6 +60,7 @@ ACME_EMAIL=${DEFAULT_EMAIL}
 ADMIN_EMAIL=${DEFAULT_EMAIL}  # Used for admin user account
 AUTHELIA_ADMIN_USER=${DEFAULT_USER}
 AUTHELIA_ADMIN_EMAIL=${DEFAULT_EMAIL}
 AUTHELIA_ADMIN_PASSWORD=${DEFAULT_PASSWORD}
 AUTHELIA_ADMIN_PASSWORD_HASH=generate-with-openssl-rand-hex-64
 # SMTP for Authelia Notifications
--- a/config-templates/authelia/users_database.yml
+++ b/config-templates/authelia/users_database.yml
@@ -5,7 +5,7 @@
 users:
  ${AUTHELIA_ADMIN_USER}:
    displayname: ${AUTHELIA_ADMIN_USER}
-    password: "${AUTHELIA_ADMIN_PASSWORD_HASH}"
+    password: ${AUTHELIA_ADMIN_PASSWORD_HASH}
    email: ${AUTHELIA_ADMIN_EMAIL}
    groups:
      - admins
--- a/docker-compose/alternatives/docker-compose.yml
+++ b/docker-compose/alternatives/docker-compose.yml
@@ -26,15 +26,15 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=alternatives"
+      - 'homelab.category=alternatives"
-      - "homelab.description=Docker container management UI (Alternative to Dockge)"
+      - 'homelab.description=Docker container management UI (Alternative to Dockge)"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.portainer.rule=Host(`portainer.${DOMAIN}`)"
+      - 'traefik.http.routers.portainer.rule=Host(`portainer.${DOMAIN}`)"
-      - "traefik.http.routers.portainer.entrypoints=websecure"
+      - 'traefik.http.routers.portainer.entrypoints=websecure"
-      - "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.portainer.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.portainer.middlewares=authelia@docker"
+      - 'traefik.http.routers.portainer.middlewares=authelia@docker"
-      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
+      - 'traefik.http.services.portainer.loadbalancer.server.port=9000"
  # Authentik - Alternative SSO/Identity Provider with Web UI
  # Access at: https://authentik.${DOMAIN}
@@ -66,15 +66,15 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=alternatives"
+      - 'homelab.category=alternatives"
-      - "homelab.description=SSO/Identity provider with web UI (Alternative to Authelia)"
+      - 'homelab.description=SSO/Identity provider with web UI (Alternative to Authelia)"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.authentik.rule=Host(`authentik.${DOMAIN}`)"
+      - 'traefik.http.routers.authentik.rule=Host(`authentik.${DOMAIN}`)"
-      - "traefik.http.routers.authentik.entrypoints=websecure"
+      - 'traefik.http.routers.authentik.entrypoints=websecure"
-      - "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.authentik.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.authentik.middlewares=authelia@docker"
+      - 'traefik.http.routers.authentik.middlewares=authelia@docker"
-      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+      - 'traefik.http.services.authentik.loadbalancer.server.port=9000"
    depends_on:
      - authentik-db
      - authentik-redis
@@ -104,8 +104,8 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=alternatives"
+      - 'homelab.category=alternatives"
-      - "homelab.description=Authentik background worker"
+      - 'homelab.description=Authentik background worker"
    depends_on:
      - authentik-db
      - authentik-redis
@@ -128,8 +128,8 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=alternatives"
+      - 'homelab.category=alternatives"
-      - "homelab.description=Authentik database"
+      - 'homelab.description=Authentik database"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${AUTHENTIK_DB_USER}"]
      interval: 10s
@@ -151,8 +151,8 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=alternatives"
+      - 'homelab.category=alternatives"
-      - "homelab.description=Authentik cache and messaging"
+      - 'homelab.description=Authentik cache and messaging"
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      interval: 10s
@@ -202,15 +202,15 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=alternatives"
+      - 'homelab.category=alternatives"
-      - "homelab.description=Alternative media streaming server to Jellyfin"
+      - 'homelab.description=Alternative media streaming server to Jellyfin"
      # Traefik labels - NO Authelia for app access
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.plex.rule=Host(`plex.${DOMAIN}`)"
+      - 'traefik.http.routers.plex.rule=Host(`plex.${DOMAIN}`)"
-      - "traefik.http.routers.plex.entrypoints=websecure"
+      - 'traefik.http.routers.plex.entrypoints=websecure"
-      - "traefik.http.routers.plex.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.plex.tls.certresolver=letsencrypt"
-      - "traefik.http.services.plex.loadbalancer.server.port=32400"
+      - 'traefik.http.services.plex.loadbalancer.server.port=32400"
      - "x-dockge.url=https://plex.${DOMAIN}"
      - "x-dockge.url=https://plex.${DOMAIN}"
--- a/docker-compose/core/docker-compose.yml
+++ b/docker-compose/core/docker-compose.yml
@@ -27,7 +27,7 @@ services:
    image: traefik:v3
    container_name: traefik
    restart: unless-stopped
-    command: ["--configFile=/config/traefik.yml"]
+    command: ['--configFile=/config/traefik.yml']
    environment:
      - DUCKDNS_TOKEN=41ef7faa-fc93-41d2-a32f-340fd2b75b2f
    ports:
@@ -45,14 +45,14 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=core"
+      - 'homelab.category=core'
-      - "homelab.description=Reverse proxy and SSL termination"
+      - 'homelab.description=Reverse proxy and SSL termination'
-      - "traefik.enable=true"
+      - 'traefik.enable=true'
-      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
+      - 'traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)'
-      - "traefik.http.routers.traefik.entrypoints=websecure"
+      - 'traefik.http.routers.traefik.entrypoints=websecure'
-      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.traefik.tls.certresolver=letsencrypt'
-      - "traefik.http.routers.traefik.middlewares=authelia@docker"
+      - 'traefik.http.routers.traefik.middlewares=authelia@docker'
-      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
+      - 'traefik.http.services.traefik.loadbalancer.server.port=8080'
  authelia:
    # Single sign-on authentication service - must always run for user authentication
@@ -62,7 +62,7 @@ services:
    environment:
      - TZ=America/New_York
    ports:
-      - "9091:9091"
+      - '9091:9091'
    volumes:
      - ./authelia/config:/config
      - ./authelia/secrets:/secrets
@@ -74,21 +74,21 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=core"
+      - 'homelab.category=core'
-      - "homelab.description=Single sign-on authentication"
+      - 'homelab.description=Single sign-on authentication'
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true'
-      - "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)"
+      - 'traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)'
-      - "traefik.http.routers.authelia.entrypoints=websecure"
+      - 'traefik.http.routers.authelia.entrypoints=websecure'
-      - "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.authelia.tls.certresolver=letsencrypt'
-      - "traefik.http.routers.authelia.service=authelia"
+      - 'traefik.http.routers.authelia.service=authelia'
-      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
+      - 'traefik.http.services.authelia.loadbalancer.server.port=9091'
      # Authelia forward auth middleware configuration
-      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/"
+      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/'
-      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=X-Secret"
+      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=X-Secret'
-      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
+      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
  # Sablier - Lazy loading service for Docker containers
  # Controls startup/shutdown of lazy-loaded services, must always run
@@ -118,8 +118,8 @@ services:
      - 10000:10000
    labels:
      # Service metadata
-      - "homelab.category=core"
+      - 'homelab.category=core'
-      - "homelab.description=Lazy loading service for Docker containers"
+      - 'homelab.description=Lazy loading service for Docker containers'
 networks:
  traefik-network:
--- a/docker-compose/dashboards/docker-compose.yml
+++ b/docker-compose/dashboards/docker-compose.yml
@@ -38,20 +38,20 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=dashboard"
+      - 'homelab.category=dashboard"
-      - "homelab.description=Application dashboard"
+      - 'homelab.description=Application dashboard"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # IMPORTANT: On REMOTE SERVERS (where Traefik runs elsewhere):
      #   - COMMENT OUT all traefik.* labels below (don't delete them)
      #   - Routes are configured via external YAML files on the core server
      #   - This prevents conflicts between Docker labels and file provider
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.homepage.rule=Host(`homepage.${DOMAIN}`)"
+      - 'traefik.http.routers.homepage.rule=Host(`homepage.${DOMAIN}`)"
-      - "traefik.http.routers.homepage.entrypoints=websecure"
+      - 'traefik.http.routers.homepage.entrypoints=websecure"
-      - "traefik.http.routers.homepage.tls=true"
+      - 'traefik.http.routers.homepage.tls=true"
-      - "traefik.http.routers.homepage.middlewares=authelia@docker"
+      - 'traefik.http.routers.homepage.middlewares=authelia@docker"
-      - "traefik.http.services.homepage.loadbalancer.server.port=3000"
+      - 'traefik.http.services.homepage.loadbalancer.server.port=3000"
      # Sablier lazy loading (disabled by default - uncomment to enable)
      # - "sablier.enable=true"
      # - "sablier.group=jasper-homarr"
@@ -94,16 +94,16 @@ services:
      # TRAEFIK CONFIGURATION
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=dashboard"
+      - 'homelab.category=dashboard"
-      - "homelab.description=Modern homelab dashboard"
+      - 'homelab.description=Modern homelab dashboard"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
      # Router configuration
-      - "traefik.http.routers.homarr.rule=Host(`homarr.${DOMAIN}`)"
+      - 'traefik.http.routers.homarr.rule=Host(`homarr.${DOMAIN}`)"
-      - "traefik.http.routers.homarr.entrypoints=websecure"
+      - 'traefik.http.routers.homarr.entrypoints=websecure"
-      - "traefik.http.routers.homarr.tls=true"
+      - 'traefik.http.routers.homarr.tls=true"
-      - "traefik.http.routers.homarr.middlewares=authelia@docker"
+      - 'traefik.http.routers.homarr.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.homarr.loadbalancer.server.port=7575"
+      - 'traefik.http.services.homarr.loadbalancer.server.port=7575"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-homarr"
--- a/docker-compose/dockge/docker-compose.yml
+++ b/docker-compose/dockge/docker-compose.yml
@@ -37,18 +37,18 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=infrastructure"
+      - 'homelab.category=infrastructure"
-      - "homelab.description=Docker Compose stack manager (PRIMARY)"
+      - 'homelab.description=Docker Compose stack manager (PRIMARY)"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.dockge.rule=Host(`dockge.${DOMAIN}`)"
+      - 'traefik.http.routers.dockge.rule=Host(`dockge.${DOMAIN}`)"
-      - "traefik.http.routers.dockge.entrypoints=websecure"
+      - 'traefik.http.routers.dockge.entrypoints=websecure"
-      - "traefik.http.routers.dockge.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.dockge.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.dockge.middlewares=authelia@docker"
+      - 'traefik.http.routers.dockge.middlewares=authelia@docker"
-      - "traefik.http.services.dockge.loadbalancer.server.port=5001"
+      - 'traefik.http.services.dockge.loadbalancer.server.port=5001"
 networks:
  homelab-network:
--- a/docker-compose/homeassistant/docker-compose.yml
+++ b/docker-compose/homeassistant/docker-compose.yml
@@ -28,8 +28,8 @@ services:
      - TZ=America/New_York
    privileged: true
    labels:
-      - "homelab.category=iot"
+      - 'homelab.category=iot"
-      - "homelab.description=Home automation platform"
+      - 'homelab.description=Home automation platform"
      # Note: network_mode: host means Traefik can't proxy this directly
      # Use Traefik's file provider or external host routing
@@ -63,18 +63,18 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=iot"
+      - 'homelab.category=iot"
-      - "homelab.description=ESP8266/ESP32 firmware manager"
+      - 'homelab.description=ESP8266/ESP32 firmware manager"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.esphome.rule=Host(`esphome.${DOMAIN}`)"
+      - 'traefik.http.routers.esphome.rule=Host(`esphome.${DOMAIN}`)"
-      - "traefik.http.routers.esphome.entrypoints=websecure"
+      - 'traefik.http.routers.esphome.entrypoints=websecure"
-      - "traefik.http.routers.esphome.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.esphome.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.esphome.middlewares=authelia@docker"
+      - 'traefik.http.routers.esphome.middlewares=authelia@docker"
-      - "traefik.http.services.esphome.loadbalancer.server.port=6052"
+      - 'traefik.http.services.esphome.loadbalancer.server.port=6052"
  # TasmoAdmin - Tasmota device manager
  tasmoadmin:
@@ -94,18 +94,18 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=iot"
+      - 'homelab.category=iot"
-      - "homelab.description=Tasmota device management"
+      - 'homelab.description=Tasmota device management"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.tasmoadmin.rule=Host(`tasmoadmin.${DOMAIN}`)"
+      - 'traefik.http.routers.tasmoadmin.rule=Host(`tasmoadmin.${DOMAIN}`)"
-      - "traefik.http.routers.tasmoadmin.entrypoints=websecure"
+      - 'traefik.http.routers.tasmoadmin.entrypoints=websecure"
-      - "traefik.http.routers.tasmoadmin.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.tasmoadmin.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.tasmoadmin.middlewares=authelia@docker"
+      - 'traefik.http.routers.tasmoadmin.middlewares=authelia@docker"
-      - "traefik.http.services.tasmoadmin.loadbalancer.server.port=80"
+      - 'traefik.http.services.tasmoadmin.loadbalancer.server.port=80"
  # MotionEye - Video surveillance
  motioneye:
@@ -126,18 +126,18 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=iot"
+      - 'homelab.category=iot"
-      - "homelab.description=Video surveillance system"
+      - 'homelab.description=Video surveillance system"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.motioneye.rule=Host(`motioneye.${DOMAIN}`)"
+      - 'traefik.http.routers.motioneye.rule=Host(`motioneye.${DOMAIN}`)"
-      - "traefik.http.routers.motioneye.entrypoints=websecure"
+      - 'traefik.http.routers.motioneye.entrypoints=websecure"
-      - "traefik.http.routers.motioneye.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.motioneye.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.motioneye.middlewares=authelia@docker"
+      - 'traefik.http.routers.motioneye.middlewares=authelia@docker"
-      - "traefik.http.services.motioneye.loadbalancer.server.port=8765"
+      - 'traefik.http.services.motioneye.loadbalancer.server.port=8765"
  # Node-RED - Flow-based automation (Home Assistant addon alternative)
  nodered:
@@ -166,18 +166,18 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=iot"
+      - 'homelab.category=iot"
-      - "homelab.description=Flow-based automation programming"
+      - 'homelab.description=Flow-based automation programming"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.nodered.rule=Host(`nodered.${DOMAIN}`)"
+      - 'traefik.http.routers.nodered.rule=Host(`nodered.${DOMAIN}`)"
-      - "traefik.http.routers.nodered.entrypoints=websecure"
+      - 'traefik.http.routers.nodered.entrypoints=websecure"
-      - "traefik.http.routers.nodered.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.nodered.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.nodered.middlewares=authelia@docker"
+      - 'traefik.http.routers.nodered.middlewares=authelia@docker"
-      - "traefik.http.services.nodered.loadbalancer.server.port=1880"
+      - 'traefik.http.services.nodered.loadbalancer.server.port=1880"
  # Mosquitto - MQTT broker (Home Assistant addon alternative)
  # Used by: Home Assistant, ESPHome, Tasmota devices
@@ -195,8 +195,8 @@ services:
      - ./mosquitto/data:/mosquitto/data
      - ./mosquitto/log:/mosquitto/log
    labels:
-      - "homelab.category=iot"
+      - 'homelab.category=iot"
-      - "homelab.description=MQTT message broker"
+      - 'homelab.description=MQTT message broker"
  # Zigbee2MQTT - Zigbee to MQTT bridge (DISABLED - requires USB adapter)
  # NOTE: Requires USB Zigbee adapter (e.g., ConBee II, Sonoff ZBDongle)
@@ -219,14 +219,14 @@ services:
  #   environment:
  #     - TZ=America/New_York
  #   labels:
-  #     - "homelab.category=iot"
+  #     - 'homelab.category=iot"
-  #     - "homelab.description=Zigbee to MQTT bridge"
+  #     - 'homelab.description=Zigbee to MQTT bridge"
-  #     - "traefik.enable=true"
+  #     - 'traefik.enable=true"
-  #     - "traefik.http.routers.zigbee2mqtt.rule=Host(`zigbee2mqtt.${DOMAIN}`)"
+  #     - 'traefik.http.routers.zigbee2mqtt.rule=Host(`zigbee2mqtt.${DOMAIN}`)"
-  #     - "traefik.http.routers.zigbee2mqtt.entrypoints=websecure"
+  #     - 'traefik.http.routers.zigbee2mqtt.entrypoints=websecure"
-  #     - "traefik.http.routers.zigbee2mqtt.tls.certresolver=letsencrypt"
+  #     - 'traefik.http.routers.zigbee2mqtt.tls.certresolver=letsencrypt"
-  #     - "traefik.http.routers.zigbee2mqtt.middlewares=authelia@docker"
+  #     - 'traefik.http.routers.zigbee2mqtt.middlewares=authelia@docker"
-  #     - "traefik.http.services.zigbee2mqtt.loadbalancer.server.port=8080"
+  #     - 'traefik.http.services.zigbee2mqtt.loadbalancer.server.port=8080"
 networks:
  homelab-network:
--- a/docker-compose/infrastructure/docker-compose.yml
+++ b/docker-compose/infrastructure/docker-compose.yml
@@ -73,20 +73,20 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=infrastructure"
+      - 'homelab.category=infrastructure"
-      - "homelab.description=Network-wide ad blocking and DNS"
+      - 'homelab.description=Network-wide ad blocking and DNS"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # IMPORTANT: On REMOTE SERVERS (where Traefik runs elsewhere):
      #   - COMMENT OUT all traefik.* labels below (don't delete them)
      #   - Routes are configured via external YAML files on the core server
      #   - This prevents conflicts between Docker labels and file provider
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.pihole.rule=Host(`pihole.${DOMAIN}`)"
+      - 'traefik.http.routers.pihole.rule=Host(`pihole.${DOMAIN}`)"
-      - "traefik.http.routers.pihole.entrypoints=websecure"
+      - 'traefik.http.routers.pihole.entrypoints=websecure"
-      - "traefik.http.routers.pihole.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.pihole.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.pihole.middlewares=authelia@docker"
+      - 'traefik.http.routers.pihole.middlewares=authelia@docker"
-      - "traefik.http.services.pihole.loadbalancer.server.port=80"
+      - 'traefik.http.services.pihole.loadbalancer.server.port=80"
  # Watchtower - Automatic container updates
  watchtower:
@@ -105,8 +105,8 @@ services:
      - WATCHTOWER_NOTIFICATIONS=shoutrrr
      - WATCHTOWER_NOTIFICATION_URL=${WATCHTOWER_NOTIFICATION_URL}
    labels:
-      - "homelab.category=infrastructure"
+      - 'homelab.category=infrastructure"
-      - "homelab.description=Automatic Docker container updates"
+      - 'homelab.description=Automatic Docker container updates"
  # Dozzle - Real-time Docker log viewer
  # Uses Sablier lazy loading - starts on-demand, stops after 5min inactivity
@@ -144,17 +144,17 @@ services:
      # TRAEFIK CONFIGURATION
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=infrastructure"
+      - 'homelab.category=infrastructure"
-      - "homelab.description=Real-time Docker log viewer"
+      - 'homelab.description=Real-time Docker log viewer"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
      # Router configuration
-      - "traefik.http.routers.dozzle.rule=Host(`dozzle.jasper.${DOMAIN}`)"
+      - 'traefik.http.routers.dozzle.rule=Host(`dozzle.jasper.${DOMAIN}`)"
-      - "traefik.http.routers.dozzle.entrypoints=websecure"
+      - 'traefik.http.routers.dozzle.entrypoints=websecure"
-      - "traefik.http.routers.dozzle.tls=true"
+      - 'traefik.http.routers.dozzle.tls=true"
-      - "traefik.http.routers.dozzle.middlewares=authelia@docker"
+      - 'traefik.http.routers.dozzle.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.dozzle.loadbalancer.server.port=8085"
+      - 'traefik.http.services.dozzle.loadbalancer.server.port=8085"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-dozzle"
@@ -196,17 +196,17 @@ services:
      # TRAEFIK CONFIGURATION
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=infrastructure"
+      - 'homelab.category=infrastructure"
-      - "homelab.description=System and Docker monitoring"
+      - 'homelab.description=System and Docker monitoring"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
      # Router configuration
-      - "traefik.http.routers.glances.rule=Host(`glances.jasper.${DOMAIN}`)"
+      - 'traefik.http.routers.glances.rule=Host(`glances.jasper.${DOMAIN}`)"
-      - "traefik.http.routers.glances.entrypoints=websecure"
+      - 'traefik.http.routers.glances.entrypoints=websecure"
-      - "traefik.http.routers.glances.tls=true"
+      - 'traefik.http.routers.glances.tls=true"
-      - "traefik.http.routers.glances.middlewares=authelia@docker"
+      - 'traefik.http.routers.glances.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.glances.loadbalancer.server.port=61208"
+      - 'traefik.http.services.glances.loadbalancer.server.port=61208"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-glances"
@@ -252,17 +252,17 @@ services:
      # TRAEFIK CONFIGURATION
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=infrastructure"
+      - 'homelab.category=infrastructure"
-      - "homelab.description=VS Code in browser"
+      - 'homelab.description=VS Code in browser"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
      # Router configuration
-      - "traefik.http.routers.code-server.rule=Host(`code.${DOMAIN}`)"
+      - 'traefik.http.routers.code-server.rule=Host(`code.${DOMAIN}`)"
-      - "traefik.http.routers.code-server.entrypoints=websecure"
+      - 'traefik.http.routers.code-server.entrypoints=websecure"
-      - "traefik.http.routers.code-server.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.code-server.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.code-server.middlewares=authelia@docker"
+      - 'traefik.http.routers.code-server.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.code-server.loadbalancer.server.port=8443"
+      - 'traefik.http.services.code-server.loadbalancer.server.port=8443"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-code-server"
--- a/docker-compose/media-management/docker-compose.yml
+++ b/docker-compose/media-management/docker-compose.yml
@@ -33,19 +33,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=media"
+      - 'homelab.category=media"
-      - "homelab.description=TV show management and automation"
+      - 'homelab.description=TV show management and automation"
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.sonarr.rule=Host(`sonarr.${DOMAIN}`)"
+      - 'traefik.http.routers.sonarr.rule=Host(`sonarr.${DOMAIN}`)"
-      - "traefik.http.routers.sonarr.entrypoints=websecure"
+      - 'traefik.http.routers.sonarr.entrypoints=websecure"
-      - "traefik.http.routers.sonarr.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.sonarr.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.sonarr.middlewares=authelia@docker"
+      - 'traefik.http.routers.sonarr.middlewares=authelia@docker"
-      - "traefik.http.services.sonarr.loadbalancer.server.port=8989"
+      - 'traefik.http.services.sonarr.loadbalancer.server.port=8989"
      - "sablier.enable=true"
      - "sablier.group=jasper-arr"
      - "sablier.start-on-demand=true"
@@ -78,19 +78,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=media"
+      - 'homelab.category=media"
-      - "homelab.description=Movie management and automation"
+      - 'homelab.description=Movie management and automation"
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.radarr.rule=Host(`radarr.${DOMAIN}`)"
+      - 'traefik.http.routers.radarr.rule=Host(`radarr.${DOMAIN}`)"
-      - "traefik.http.routers.radarr.entrypoints=websecure"
+      - 'traefik.http.routers.radarr.entrypoints=websecure"
-      - "traefik.http.routers.radarr.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.radarr.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.radarr.middlewares=authelia@docker"
+      - 'traefik.http.routers.radarr.middlewares=authelia@docker"
-      - "traefik.http.services.radarr.loadbalancer.server.port=7878"
+      - 'traefik.http.services.radarr.loadbalancer.server.port=7878"
      - "sablier.enable=true"
      - "sablier.group=jasper-arr"
      - "sablier.start-on-demand=true"
@@ -122,19 +122,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=media"
+      - 'homelab.category=media"
-      - "homelab.description=Indexer manager for Sonarr/Radarr"
+      - 'homelab.description=Indexer manager for Sonarr/Radarr"
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.prowlarr.rule=Host(`prowlarr.${DOMAIN}`)"
+      - 'traefik.http.routers.prowlarr.rule=Host(`prowlarr.${DOMAIN}`)"
-      - "traefik.http.routers.prowlarr.entrypoints=websecure"
+      - 'traefik.http.routers.prowlarr.entrypoints=websecure"
-      - "traefik.http.routers.prowlarr.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.prowlarr.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.prowlarr.middlewares=authelia@docker"
+      - 'traefik.http.routers.prowlarr.middlewares=authelia@docker"
-      - "traefik.http.services.prowlarr.loadbalancer.server.port=9696"
+      - 'traefik.http.services.prowlarr.loadbalancer.server.port=9696"
      - "sablier.enable=true"
      - "sablier.group=jasper-arr"
      - "sablier.start-on-demand=true"
@@ -161,19 +161,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=media"
+      - 'homelab.category=media"
-      - "homelab.description=Ebook and audiobook management"
+      - 'homelab.description=Ebook and audiobook management"
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.readarr.rule=Host(`readarr.${DOMAIN}`)"
+      - 'traefik.http.routers.readarr.rule=Host(`readarr.${DOMAIN}`)"
-      - "traefik.http.routers.readarr.entrypoints=websecure"
+      - 'traefik.http.routers.readarr.entrypoints=websecure"
-      - "traefik.http.routers.readarr.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.readarr.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.readarr.middlewares=authelia@docker"
+      - 'traefik.http.routers.readarr.middlewares=authelia@docker"
-      - "traefik.http.services.readarr.loadbalancer.server.port=8787"
+      - 'traefik.http.services.readarr.loadbalancer.server.port=8787"
      - "sablier.enable=true"
      - "sablier.group=jasper-arr"
      - "sablier.start-on-demand=true"
@@ -200,19 +200,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=media"
+      - 'homelab.category=media"
-      - "homelab.description=Music collection manager"
+      - 'homelab.description=Music collection manager"
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.lidarr.rule=Host(`lidarr.${DOMAIN}`)"
+      - 'traefik.http.routers.lidarr.rule=Host(`lidarr.${DOMAIN}`)"
-      - "traefik.http.routers.lidarr.entrypoints=websecure"
+      - 'traefik.http.routers.lidarr.entrypoints=websecure"
-      - "traefik.http.routers.lidarr.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.lidarr.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.lidarr.middlewares=authelia@docker"
+      - 'traefik.http.routers.lidarr.middlewares=authelia@docker"
-      - "traefik.http.services.lidarr.loadbalancer.server.port=8686"
+      - 'traefik.http.services.lidarr.loadbalancer.server.port=8686"
      - "sablier.enable=true"
      - "sablier.group=jasper-arr"
      - "sablier.start-on-demand=true"
@@ -240,19 +240,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=media"
+      - 'homelab.category=media"
-      - "homelab.description=Book download automation"
+      - 'homelab.description=Book download automation"
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.lazylibrarian.rule=Host(`lazylibrarian.${DOMAIN}`)"
+      - 'traefik.http.routers.lazylibrarian.rule=Host(`lazylibrarian.${DOMAIN}`)"
-      - "traefik.http.routers.lazylibrarian.entrypoints=websecure"
+      - 'traefik.http.routers.lazylibrarian.entrypoints=websecure"
-      - "traefik.http.routers.lazylibrarian.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.lazylibrarian.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.lazylibrarian.middlewares=authelia@docker"
+      - 'traefik.http.routers.lazylibrarian.middlewares=authelia@docker"
-      - "traefik.http.services.lazylibrarian.loadbalancer.server.port=5299"
+      - 'traefik.http.services.lazylibrarian.loadbalancer.server.port=5299"
      - "sablier.enable=true"
      - "sablier.group=jasper-arr"
      - "sablier.start-on-demand=true"
@@ -279,19 +279,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=media"
+      - 'homelab.category=media"
-      - "homelab.description=Comic book collection manager"
+      - 'homelab.description=Comic book collection manager"
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.mylar.rule=Host(`mylar.${DOMAIN}`)"
+      - 'traefik.http.routers.mylar.rule=Host(`mylar.${DOMAIN}`)"
-      - "traefik.http.routers.mylar.entrypoints=websecure"
+      - 'traefik.http.routers.mylar.entrypoints=websecure"
-      - "traefik.http.routers.mylar.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.mylar.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.mylar.middlewares=authelia@docker"
+      - 'traefik.http.routers.mylar.middlewares=authelia@docker"
-      - "traefik.http.services.mylar.loadbalancer.server.port=8090"
+      - 'traefik.http.services.mylar.loadbalancer.server.port=8090"
      - "sablier.enable=true"
      - "sablier.group=jasper-arr"
      - "sablier.start-on-demand=true"
@@ -321,19 +321,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=media"
+      - 'homelab.category=media"
-      - "homelab.description=Media request management"
+      - 'homelab.description=Media request management"
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.jellyseerr.rule=Host(`jellyseerr.${DOMAIN}`)"
+      - 'traefik.http.routers.jellyseerr.rule=Host(`jellyseerr.${DOMAIN}`)"
-      - "traefik.http.routers.jellyseerr.entrypoints=websecure"
+      - 'traefik.http.routers.jellyseerr.entrypoints=websecure"
-      - "traefik.http.routers.jellyseerr.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.jellyseerr.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.jellyseerr.middlewares=authelia@docker"
+      - 'traefik.http.routers.jellyseerr.middlewares=authelia@docker"
-      - "traefik.http.services.jellyseerr.loadbalancer.server.port=5055"
+      - 'traefik.http.services.jellyseerr.loadbalancer.server.port=5055"
      - "sablier.enable=true"
      - "sablier.group=jasper-arr"
      - "sablier.start-on-demand=true"
--- a/docker-compose/media/docker-compose.yml
+++ b/docker-compose/media/docker-compose.yml
@@ -50,17 +50,17 @@ services:
    labels:
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=media"
+      - 'homelab.category=media"
-      - "homelab.description=Open-source media streaming server"
+      - 'homelab.description=Open-source media streaming server"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
      # Router configuration
-      - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.${DOMAIN}`)"
+      - 'traefik.http.routers.jellyfin.rule=Host(`jellyfin.${DOMAIN}`)"
-      - "traefik.http.routers.jellyfin.entrypoints=websecure"
+      - 'traefik.http.routers.jellyfin.entrypoints=websecure"
-      - "traefik.http.routers.jellyfin.tls=true"
+      - 'traefik.http.routers.jellyfin.tls=true"
-      - "traefik.http.routers.jellyfin.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.jellyfin.tls.certresolver=letsencrypt"
      # Service configuration
-      - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
+      - 'traefik.http.services.jellyfin.loadbalancer.server.port=8096"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-jellyfin"
@@ -98,17 +98,17 @@ services:
    labels:
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=media"
+      - 'homelab.category=media"
-      - "homelab.description=Ebook reader and library management"
+      - 'homelab.description=Ebook reader and library management"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
      # Router configuration
-      - "traefik.http.routers.calibre.rule=Host(`calibre.${DOMAIN}`)"
+      - 'traefik.http.routers.calibre.rule=Host(`calibre.${DOMAIN}`)"
-      - "traefik.http.routers.calibre.entrypoints=websecure"
+      - 'traefik.http.routers.calibre.entrypoints=websecure"
-      - "traefik.http.routers.calibre.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.calibre.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.calibre.middlewares=authelia@docker"
+      - 'traefik.http.routers.calibre.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.calibre.loadbalancer.server.port=8083"
+      - 'traefik.http.services.calibre.loadbalancer.server.port=8083"
      # Sablier configuration (disabled by default)
      - "sablier.enable=true"
      - "sablier.group=jasper-calibre-web"
--- a/docker-compose/monitoring/docker-compose.yml
+++ b/docker-compose/monitoring/docker-compose.yml
@@ -38,19 +38,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=monitoring"
+      - 'homelab.category=monitoring"
-      - "homelab.description=Metrics collection and time-series database"
+      - 'homelab.description=Metrics collection and time-series database"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.prometheus.rule=Host(`prometheus.${DOMAIN}`)"
+      - 'traefik.http.routers.prometheus.rule=Host(`prometheus.${DOMAIN}`)"
-      - "traefik.http.routers.prometheus.entrypoints=websecure"
+      - 'traefik.http.routers.prometheus.entrypoints=websecure"
-      - "traefik.http.routers.prometheus.tls=true"
+      - 'traefik.http.routers.prometheus.tls=true"
-      - "traefik.http.routers.prometheus.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.prometheus.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.prometheus.middlewares=authelia@docker"
+      - 'traefik.http.routers.prometheus.middlewares=authelia@docker"
-      - "traefik.http.services.prometheus.loadbalancer.server.port=9090"
+      - 'traefik.http.services.prometheus.loadbalancer.server.port=9090"
  # Grafana - Metrics visualization
  # Default credentials: admin / admin (change on first login)
@@ -87,19 +87,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=monitoring"
+      - 'homelab.category=monitoring"
-      - "homelab.description=Metrics visualization and dashboards"
+      - 'homelab.description=Metrics visualization and dashboards"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.grafana.rule=Host(`grafana.${DOMAIN}`)"
+      - 'traefik.http.routers.grafana.rule=Host(`grafana.${DOMAIN}`)"
-      - "traefik.http.routers.grafana.entrypoints=websecure"
+      - 'traefik.http.routers.grafana.entrypoints=websecure"
-      - "traefik.http.routers.grafana.tls=true"
+      - 'traefik.http.routers.grafana.tls=true"
-      - "traefik.http.routers.grafana.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.grafana.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.grafana.middlewares=authelia@docker"
+      - 'traefik.http.routers.grafana.middlewares=authelia@docker"
-      - "traefik.http.services.grafana.loadbalancer.server.port=3000"
+      - 'traefik.http.services.grafana.loadbalancer.server.port=3000"
  # Node Exporter - Host metrics exporter
  # Metrics at: http://192.168.4.4:9100/metrics
@@ -121,8 +121,8 @@ services:
      - '--path.sysfs=/host/sys'
      - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
    labels:
-      - "homelab.category=monitoring"
+      - 'homelab.category=monitoring"
-      - "homelab.description=Hardware and OS metrics exporter"
+      - 'homelab.description=Hardware and OS metrics exporter"
  # cAdvisor - Container metrics exporter
  # Access at: http://192.168.4.4:8082
@@ -148,19 +148,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=monitoring"
+      - 'homelab.category=monitoring"
-      - "homelab.description=Container metrics and performance monitoring"
+      - 'homelab.description=Container metrics and performance monitoring"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.cadvisor.rule=Host(`cadvisor.${DOMAIN}`)"
+      - 'traefik.http.routers.cadvisor.rule=Host(`cadvisor.${DOMAIN}`)"
-      - "traefik.http.routers.cadvisor.entrypoints=websecure"
+      - 'traefik.http.routers.cadvisor.entrypoints=websecure"
-      - "traefik.http.routers.cadvisor.tls=true"
+      - 'traefik.http.routers.cadvisor.tls=true"
-      - "traefik.http.routers.cadvisor.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.cadvisor.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.cadvisor.middlewares=authelia@docker"
+      - 'traefik.http.routers.cadvisor.middlewares=authelia@docker"
-      - "traefik.http.services.cadvisor.loadbalancer.server.port=8080"
+      - 'traefik.http.services.cadvisor.loadbalancer.server.port=8080"
  # Uptime Kuma - Uptime monitoring
  uptime-kuma:
@@ -188,19 +188,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=monitoring"
+      - 'homelab.category=monitoring"
-      - "homelab.description=Service uptime monitoring and alerts"
+      - 'homelab.description=Service uptime monitoring and alerts"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.uptime-kuma.rule=Host(`uptime-kuma.${DOMAIN}`)"
+      - 'traefik.http.routers.uptime-kuma.rule=Host(`uptime-kuma.${DOMAIN}`)"
-      - "traefik.http.routers.uptime-kuma.entrypoints=websecure"
+      - 'traefik.http.routers.uptime-kuma.entrypoints=websecure"
-      - "traefik.http.routers.uptime-kuma.tls=true"
+      - 'traefik.http.routers.uptime-kuma.tls=true"
-      - "traefik.http.routers.uptime-kuma.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.uptime-kuma.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.uptime-kuma.middlewares=authelia@docker"
+      - 'traefik.http.routers.uptime-kuma.middlewares=authelia@docker"
-      - "traefik.http.services.uptime-kuma.loadbalancer.server.port=3001"
+      - 'traefik.http.services.uptime-kuma.loadbalancer.server.port=3001"
  # Loki - Log aggregation
  # Access at: http://192.168.4.4:3100
@@ -230,19 +230,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=monitoring"
+      - 'homelab.category=monitoring"
-      - "homelab.description=Log aggregation system"
+      - 'homelab.description=Log aggregation system"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.loki.rule=Host(`loki.${DOMAIN}`)"
+      - 'traefik.http.routers.loki.rule=Host(`loki.${DOMAIN}`)"
-      - "traefik.http.routers.loki.entrypoints=websecure"
+      - 'traefik.http.routers.loki.entrypoints=websecure"
-      - "traefik.http.routers.loki.tls=true"
+      - 'traefik.http.routers.loki.tls=true"
-      - "traefik.http.routers.loki.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.loki.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.loki.middlewares=authelia@docker"
+      - 'traefik.http.routers.loki.middlewares=authelia@docker"
-      - "traefik.http.services.loki.loadbalancer.server.port=3100"
+      - 'traefik.http.services.loki.loadbalancer.server.port=3100"
  # Promtail - Log shipper for Loki
  # Ships Docker container logs to Loki
@@ -260,8 +260,8 @@ services:
    depends_on:
      - loki
    labels:
-      - "homelab.category=monitoring"
+      - 'homelab.category=monitoring"
-      - "homelab.description=Log collector for Loki"
+      - 'homelab.description=Log collector for Loki"
 volumes:
  prometheus-data:
--- a/docker-compose/productivity/docker-compose.yml
+++ b/docker-compose/productivity/docker-compose.yml
@@ -52,17 +52,17 @@ services:
      # TRAEFIK CONFIGURATION
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=productivity"
+      - 'homelab.category=productivity"
-      - "homelab.description=File sync and collaboration"
+      - 'homelab.description=File sync and collaboration"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
      # Router configuration
-      - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.${DOMAIN}`)"
+      - 'traefik.http.routers.nextcloud.rule=Host(`nextcloud.${DOMAIN}`)"
-      - "traefik.http.routers.nextcloud.entrypoints=websecure"
+      - 'traefik.http.routers.nextcloud.entrypoints=websecure"
-      - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.nextcloud.middlewares=authelia@docker"
+      - 'traefik.http.routers.nextcloud.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.nextcloud.loadbalancer.server.port=8089"
+      - 'traefik.http.services.nextcloud.loadbalancer.server.port=8089"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-nextcloud"
@@ -83,8 +83,8 @@ services:
      - MYSQL_PASSWORD=${NEXTCLOUD_DB_PASSWORD}
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    labels:
-      - "homelab.category=productivity"
+      - 'homelab.category=productivity"
-      - "homelab.description=Nextcloud database"
+      - 'homelab.description=Nextcloud database"
  # Mealie - Recipe manager
  mealie:
@@ -108,17 +108,17 @@ services:
      # TRAEFIK CONFIGURATION
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=productivity"
+      - 'homelab.category=productivity"
-      - "homelab.description=Recipe manager and meal planner"
+      - 'homelab.description=Recipe manager and meal planner"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
      # Router configuration
-      - "traefik.http.routers.mealie.rule=Host(`mealie.${DOMAIN}`)"
+      - 'traefik.http.routers.mealie.rule=Host(`mealie.${DOMAIN}`)"
-      - "traefik.http.routers.mealie.entrypoints=websecure"
+      - 'traefik.http.routers.mealie.entrypoints=websecure"
-      - "traefik.http.routers.mealie.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.mealie.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.mealie.middlewares=authelia@docker"
+      - 'traefik.http.routers.mealie.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.mealie.loadbalancer.server.port=9000"
+      - 'traefik.http.services.mealie.loadbalancer.server.port=9000"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-mealie"
@@ -153,17 +153,17 @@ services:
      # TRAEFIK CONFIGURATION
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=productivity"
+      - 'homelab.category=productivity"
-      - "homelab.description=Blog and website platform"
+      - 'homelab.description=Blog and website platform"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
      # Router configuration
-      - "traefik.http.routers.wordpress.rule=Host(`wordpress.${DOMAIN}`)"
+      - 'traefik.http.routers.wordpress.rule=Host(`wordpress.${DOMAIN}`)"
-      - "traefik.http.routers.wordpress.entrypoints=websecure"
+      - 'traefik.http.routers.wordpress.entrypoints=websecure"
-      - "traefik.http.routers.wordpress.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.wordpress.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.wordpress.middlewares=authelia@docker"
+      - 'traefik.http.routers.wordpress.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.wordpress.loadbalancer.server.port=8088"
+      - 'traefik.http.services.wordpress.loadbalancer.server.port=8088"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-wordpress"
@@ -183,8 +183,8 @@ services:
      - MYSQL_USER=wordpress
      - MYSQL_PASSWORD=${WORDPRESS_DB_PASSWORD}
    labels:
-      - "homelab.category=productivity"
+      - 'homelab.category=productivity"
-      - "homelab.description=WordPress database"
+      - 'homelab.description=WordPress database"
  # Gitea - Self-hosted Git service
  gitea:
@@ -229,17 +229,17 @@ services:
      # TRAEFIK CONFIGURATION
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=productivity"
+      - 'homelab.category=productivity"
-      - "homelab.description=Self-hosted Git service"
+      - 'homelab.description=Self-hosted Git service"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
      # Router configuration
-      - "traefik.http.routers.gitea.rule=Host(`gitea.${DOMAIN}`)"
+      - 'traefik.http.routers.gitea.rule=Host(`gitea.${DOMAIN}`)"
-      - "traefik.http.routers.gitea.entrypoints=websecure"
+      - 'traefik.http.routers.gitea.entrypoints=websecure"
-      - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.gitea.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.gitea.middlewares=authelia@docker"
+      - 'traefik.http.routers.gitea.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.gitea.loadbalancer.server.port=3010"
+      - 'traefik.http.services.gitea.loadbalancer.server.port=3010"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-gitea"
@@ -258,8 +258,8 @@ services:
      - POSTGRES_PASSWORD=${GITEA_DB_PASSWORD}
      - POSTGRES_DB=gitea
    labels:
-      - "homelab.category=productivity"
+      - 'homelab.category=productivity"
-      - "homelab.description=Gitea database"
+      - 'homelab.description=Gitea database"
  # Jupyter Lab - Interactive computing notebooks
@@ -292,18 +292,18 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=productivity"
+      - 'homelab.category=productivity"
-      - "homelab.description=Jupyter Lab for data science and ML"
+      - 'homelab.description=Jupyter Lab for data science and ML"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.jupyter.rule=Host(`jupyter.${DOMAIN}`)"
+      - 'traefik.http.routers.jupyter.rule=Host(`jupyter.${DOMAIN}`)"
-      - "traefik.http.routers.jupyter.entrypoints=websecure"
+      - 'traefik.http.routers.jupyter.entrypoints=websecure"
-      - "traefik.http.routers.jupyter.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.jupyter.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.jupyter.middlewares=authelia@docker"
+      - 'traefik.http.routers.jupyter.middlewares=authelia@docker"
-      - "traefik.http.services.jupyter.loadbalancer.server.port=8890"
+      - 'traefik.http.services.jupyter.loadbalancer.server.port=8890"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-jupyter"
--- a/docker-compose/transcoders/docker-compose.yml
+++ b/docker-compose/transcoders/docker-compose.yml
@@ -33,19 +33,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=media"
+      - 'homelab.category=media"
-      - "homelab.description=Distributed transcoding server"
+      - 'homelab.description=Distributed transcoding server"
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.tdarr.rule=Host(`tdarr.${DOMAIN}`)"
+      - 'traefik.http.routers.tdarr.rule=Host(`tdarr.${DOMAIN}`)"
-      - "traefik.http.routers.tdarr.entrypoints=websecure"
+      - 'traefik.http.routers.tdarr.entrypoints=websecure"
-      - "traefik.http.routers.tdarr.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.tdarr.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.tdarr.middlewares=authelia@docker"
+      - 'traefik.http.routers.tdarr.middlewares=authelia@docker"
-      - "traefik.http.services.tdarr.loadbalancer.server.port=8265"
+      - 'traefik.http.services.tdarr.loadbalancer.server.port=8265"
      - "sablier.enable=true"
      - "sablier.group=jasper-tdarr"
      - "sablier.start-on-demand=true"
@@ -101,19 +101,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=media"
+      - 'homelab.category=media"
-      - "homelab.description=Library optimization and transcoding"
+      - 'homelab.description=Library optimization and transcoding"
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
-      - "traefik.http.routers.unmanic.rule=Host(`unmanic.${DOMAIN}`)"
+      - 'traefik.http.routers.unmanic.rule=Host(`unmanic.${DOMAIN}`)"
-      - "traefik.http.routers.unmanic.entrypoints=websecure"
+      - 'traefik.http.routers.unmanic.entrypoints=websecure"
-      - "traefik.http.routers.unmanic.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.unmanic.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.unmanic.middlewares=authelia@docker"
+      - 'traefik.http.routers.unmanic.middlewares=authelia@docker"
-      - "traefik.http.services.unmanic.loadbalancer.server.port=8889"
+      - 'traefik.http.services.unmanic.loadbalancer.server.port=8889"
      - "sablier.enable=true"
      - "sablier.group=jasper-unmanic"
      - "sablier.start-on-demand=true"
--- a/docker-compose/utilities/docker-compose.yml
+++ b/docker-compose/utilities/docker-compose.yml
@@ -36,17 +36,17 @@ services:
      # TRAEFIK CONFIGURATION
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=utilities"
+      - 'homelab.category=utilities"
-      - "homelab.description=Backup management with restic"
+      - 'homelab.description=Backup management with restic"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
      # Router configuration
-      - "traefik.http.routers.backrest.rule=Host(`backrest.${DOMAIN}`)"
+      - 'traefik.http.routers.backrest.rule=Host(`backrest.${DOMAIN}`)"
-      - "traefik.http.routers.backrest.entrypoints=websecure"
+      - 'traefik.http.routers.backrest.entrypoints=websecure"
-      - "traefik.http.routers.backrest.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.backrest.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.backrest.middlewares=authelia@docker"
+      - 'traefik.http.routers.backrest.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.backrest.loadbalancer.server.port=9898"
+      - 'traefik.http.services.backrest.loadbalancer.server.port=9898"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-backrest"
@@ -81,17 +81,17 @@ services:
      # TRAEFIK CONFIGURATION
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=utilities"
+      - 'homelab.category=utilities"
-      - "homelab.description=Backup software with encryption"
+      - 'homelab.description=Backup software with encryption"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
      # Router configuration
-      - "traefik.http.routers.duplicati.rule=Host(`duplicati.${DOMAIN}`)"
+      - 'traefik.http.routers.duplicati.rule=Host(`duplicati.${DOMAIN}`)"
-      - "traefik.http.routers.duplicati.entrypoints=websecure"
+      - 'traefik.http.routers.duplicati.entrypoints=websecure"
-      - "traefik.http.routers.duplicati.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.duplicati.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.duplicati.middlewares=authelia@docker"
+      - 'traefik.http.routers.duplicati.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.duplicati.loadbalancer.server.port=8200"
+      - 'traefik.http.services.duplicati.loadbalancer.server.port=8200"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-duplicati"
@@ -125,17 +125,17 @@ services:
      # ==========================================
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=utilities"
+      - 'homelab.category=utilities"
-      - "homelab.description=Form builder platform"
+      - 'homelab.description=Form builder platform"
      # Traefik labels
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
      # Router configuration
-      - "traefik.http.routers.formio.rule=Host(`forms.${DOMAIN}`)"
+      - 'traefik.http.routers.formio.rule=Host(`forms.${DOMAIN}`)"
-      - "traefik.http.routers.formio.entrypoints=websecure"
+      - 'traefik.http.routers.formio.entrypoints=websecure"
-      - "traefik.http.routers.formio.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.formio.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.formio.middlewares=authelia@docker"
+      - 'traefik.http.routers.formio.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.formio.loadbalancer.server.port=3001"
+      - 'traefik.http.services.formio.loadbalancer.server.port=3001"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-formio"
@@ -148,8 +148,8 @@ services:
    networks:
      - homelab-network
    labels:
-      - "homelab.category=utilities"
+      - 'homelab.category=utilities"
-      - "homelab.description=Form.io database"
+      - 'homelab.description=Form.io database"
  # Bitwarden (Vaultwarden) - Password manager
  # Note: SSO disabled for browser extension and mobile app compatibility
@@ -187,19 +187,19 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=utilities"
+      - 'homelab.category=utilities"
-      - "homelab.description=Self-hosted password manager (Bitwarden)"
+      - 'homelab.description=Self-hosted password manager (Bitwarden)"
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.http.routers.vaultwarden.rule=Host(`vault.${DOMAIN}`)"
+      - 'traefik.http.routers.vaultwarden.rule=Host(`vault.${DOMAIN}`)"
-      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
+      - 'traefik.http.routers.vaultwarden.entrypoints=websecure"
-      - "traefik.http.routers.vaultwarden.tls=true"
+      - 'traefik.http.routers.vaultwarden.tls=true"
-      - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
      # SSO disabled for browser extension and mobile app compatibility
-      # - "traefik.http.routers.vaultwarden.middlewares=authelia@docker"
+      # - 'traefik.http.routers.vaultwarden.middlewares=authelia@docker"
-      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
+      - 'traefik.http.services.vaultwarden.loadbalancer.server.port=80"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-vaultwarden"
--- a/docker-compose/vpn/docker-compose.yml
+++ b/docker-compose/vpn/docker-compose.yml
@@ -38,17 +38,17 @@ services:
    labels:
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=downloaders"
+      - 'homelab.category=downloaders"
-      - "homelab.description=VPN client for secure downloads"
+      - 'homelab.description=VPN client for secure downloads"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
      # Router configuration
-      - "traefik.http.routers.qbittorrent.rule=Host(`qbit.${DOMAIN}`)"
+      - 'traefik.http.routers.qbittorrent.rule=Host(`qbit.${DOMAIN}`)"
-      - "traefik.http.routers.qbittorrent.entrypoints=websecure"
+      - 'traefik.http.routers.qbittorrent.entrypoints=websecure"
-      - "traefik.http.routers.qbittorrent.tls=true"
+      - 'traefik.http.routers.qbittorrent.tls=true"
-      - "traefik.http.routers.qbittorrent.middlewares=authelia@docker"
+      - 'traefik.http.routers.qbittorrent.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.qbittorrent.loadbalancer.server.port=8081"
+      - 'traefik.http.services.qbittorrent.loadbalancer.server.port=8081"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-qbittorrent"
--- a/docker-compose/wikis/docker-compose.yml
+++ b/docker-compose/wikis/docker-compose.yml
@@ -26,17 +26,17 @@ services:
      # TRAEFIK CONFIGURATION
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=productivity"
+      - 'homelab.category=productivity"
-      - "homelab.description=File-based wiki"
+      - 'homelab.description=File-based wiki"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
      # Router configuration
-      - "traefik.http.routers.dokuwiki.rule=Host(`dokuwiki.${DOMAIN}`)"
+      - 'traefik.http.routers.dokuwiki.rule=Host(`dokuwiki.${DOMAIN}`)"
-      - "traefik.http.routers.dokuwiki.entrypoints=websecure"
+      - 'traefik.http.routers.dokuwiki.entrypoints=websecure"
-      - "traefik.http.routers.dokuwiki.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.dokuwiki.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.dokuwiki.middlewares=authelia@docker"
+      - 'traefik.http.routers.dokuwiki.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.dokuwiki.loadbalancer.server.port=8087"
+      - 'traefik.http.services.dokuwiki.loadbalancer.server.port=8087"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-dokuwiki"
@@ -77,17 +77,17 @@ services:
      # TRAEFIK CONFIGURATION
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=productivity"
+      - 'homelab.category=productivity"
-      - "homelab.description=Documentation and wiki platform"
+      - 'homelab.description=Documentation and wiki platform"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
      # Router configuration
-      - "traefik.http.routers.bookstack.rule=Host(`bookstack.${DOMAIN}`)"
+      - 'traefik.http.routers.bookstack.rule=Host(`bookstack.${DOMAIN}`)"
-      - "traefik.http.routers.bookstack.entrypoints=websecure"
+      - 'traefik.http.routers.bookstack.entrypoints=websecure"
-      - "traefik.http.routers.bookstack.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.bookstack.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.bookstack.middlewares=authelia@docker"
+      - 'traefik.http.routers.bookstack.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.bookstack.loadbalancer.server.port=6875"
+      - 'traefik.http.services.bookstack.loadbalancer.server.port=6875"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-bookstack"
@@ -107,8 +107,8 @@ services:
      - MYSQL_USER=bookstack
      - MYSQL_PASSWORD=${BOOKSTACK_DB_PASSWORD}
    labels:
-      - "homelab.category=productivity"
+      - 'homelab.category=productivity"
-      - "homelab.description=BookStack database"
+      - 'homelab.description=BookStack database"
  # MediaWiki - Wiki platform
  mediawiki:
@@ -140,17 +140,17 @@ services:
      # TRAEFIK CONFIGURATION
      # Service metadata
      - "com.centurylinklabs.watchtower.enable=true"
-      - "homelab.category=productivity"
+      - 'homelab.category=productivity"
-      - "homelab.description=MediaWiki platform"
+      - 'homelab.description=MediaWiki platform"
-      - "traefik.enable=true"
+      - 'traefik.enable=true"
-      - "traefik.docker.network=traefik-network"
+      - 'traefik.docker.network=traefik-network"
      # Router configuration
-      - "traefik.http.routers.mediawiki.rule=Host(`mediawiki.${DOMAIN}`)"
+      - 'traefik.http.routers.mediawiki.rule=Host(`mediawiki.${DOMAIN}`)"
-      - "traefik.http.routers.mediawiki.entrypoints=websecure"
+      - 'traefik.http.routers.mediawiki.entrypoints=websecure"
-      - "traefik.http.routers.mediawiki.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.mediawiki.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.mediawiki.middlewares=authelia@docker"
+      - 'traefik.http.routers.mediawiki.middlewares=authelia@docker"
      # Service configuration
-      - "traefik.http.services.mediawiki.loadbalancer.server.port=8086"
+      - 'traefik.http.services.mediawiki.loadbalancer.server.port=8086"
      # Sablier configuration
      - "sablier.enable=true"
      - "sablier.group=jasper-mediawiki"
@@ -170,8 +170,8 @@ services:
      - MYSQL_USER=mediawiki
      - MYSQL_PASSWORD=${MEDIAWIKI_DB_PASSWORD}
    labels:
-      - "homelab.category=productivity"
+      - 'homelab.category=productivity"
-      - "homelab.description=MediaWiki database"
+      - 'homelab.description=MediaWiki database"
 volumes:
  bookstack-db-data:
--- a/get-docker.sh
+++ b/get-docker.sh
@@ -0,0 +1,764 @@
 #!/bin/sh
 set -e
 # Docker Engine for Linux installation script.
 #
 # This script is intended as a convenient way to configure docker's package
 # repositories and to install Docker Engine, This script is not recommended
 # for production environments. Before running this script, make yourself familiar
 # with potential risks and limitations, and refer to the installation manual
 # at https://docs.docker.com/engine/install/ for alternative installation methods.
 #
 # The script:
 #
 # - Requires `root` or `sudo` privileges to run.
 # - Attempts to detect your Linux distribution and version and configure your
 #   package management system for you.
 # - Doesn't allow you to customize most installation parameters.
 # - Installs dependencies and recommendations without asking for confirmation.
 # - Installs the latest stable release (by default) of Docker CLI, Docker Engine,
 #   Docker Buildx, Docker Compose, containerd, and runc. When using this script
 #   to provision a machine, this may result in unexpected major version upgrades
 #   of these packages. Always test upgrades in a test environment before
 #   deploying to your production systems.
 # - Isn't designed to upgrade an existing Docker installation. When using the
 #   script to update an existing installation, dependencies may not be updated
 #   to the expected version, resulting in outdated versions.
 #
 # Source code is available at https://github.com/docker/docker-install/
 #
 # Usage
 # ==============================================================================
 #
 # To install the latest stable versions of Docker CLI, Docker Engine, and their
 # dependencies:
 #
 # 1. download the script
 #
 #   $ curl -fsSL https://get.docker.com -o install-docker.sh
 #
 # 2. verify the script's content
 #
 #   $ cat install-docker.sh
 #
 # 3. run the script with --dry-run to verify the steps it executes
 #
 #   $ sh install-docker.sh --dry-run
 #
 # 4. run the script either as root, or using sudo to perform the installation.
 #
 #   $ sudo sh install-docker.sh
 #
 # Command-line options
 # ==============================================================================
 #
 # --version <VERSION>
 # Use the --version option to install a specific version, for example:
 #
 #   $ sudo sh install-docker.sh --version 23.0
 #
 # --channel <stable|test>
 #
 # Use the --channel option to install from an alternative installation channel.
 # The following example installs the latest versions from the "test" channel,
 # which includes pre-releases (alpha, beta, rc):
 #
 #   $ sudo sh install-docker.sh --channel test
 #
 # Alternatively, use the script at https://test.docker.com, which uses the test
 # channel as default.
 #
 # --mirror <Aliyun|AzureChinaCloud>
 #
 # Use the --mirror option to install from a mirror supported by this script.
 # Available mirrors are "Aliyun" (https://mirrors.aliyun.com/docker-ce), and
 # "AzureChinaCloud" (https://mirror.azure.cn/docker-ce), for example:
 #
 #   $ sudo sh install-docker.sh --mirror AzureChinaCloud
 #
 # --setup-repo
 #
 # Use the --setup-repo option to configure Docker's package repositories without
 # installing Docker packages. This is useful when you want to add the repository
 # but install packages separately:
 #
 #   $ sudo sh install-docker.sh --setup-repo
 #
 # Automatic Service Start
 #
 # By default, this script automatically starts the Docker daemon and enables the docker
 # service after installation if systemd is used as init.
 #
 # If you prefer to start the service manually, use the --no-autostart option:
 #
 #   $ sudo sh install-docker.sh --no-autostart
 #
 # Note: Starting the service requires appropriate privileges to manage system services.
 #
 # ==============================================================================
 # Git commit from https://github.com/docker/docker-install when
 # the script was uploaded (Should only be modified by upload job):
 SCRIPT_COMMIT_SHA="f381ee68b32e515bb4dc034b339266aff1fbc460"
 # strip "v" prefix if present
 VERSION="${VERSION#v}"
 # The channel to install from:
 #   * stable
 #   * test
 DEFAULT_CHANNEL_VALUE="stable"
 if [ -z "$CHANNEL" ]; then
 	CHANNEL=$DEFAULT_CHANNEL_VALUE
 fi
 DEFAULT_DOWNLOAD_URL="https://download.docker.com"
 if [ -z "$DOWNLOAD_URL" ]; then
 	DOWNLOAD_URL=$DEFAULT_DOWNLOAD_URL
 fi
 DEFAULT_REPO_FILE="docker-ce.repo"
 if [ -z "$REPO_FILE" ]; then
 	REPO_FILE="$DEFAULT_REPO_FILE"
 	# Automatically default to a staging repo fora
 	# a staging download url (download-stage.docker.com)
 	case "$DOWNLOAD_URL" in
 		*-stage*) REPO_FILE="docker-ce-staging.repo";;
 	esac
 fi
 mirror=''
 DRY_RUN=${DRY_RUN:-}
 REPO_ONLY=${REPO_ONLY:-0}
 NO_AUTOSTART=${NO_AUTOSTART:-0}
 while [ $# -gt 0 ]; do
 	case "$1" in
 		--channel)
 			CHANNEL="$2"
 			shift
 			;;
 		--dry-run)
 			DRY_RUN=1
 			;;
 		--mirror)
 			mirror="$2"
 			shift
 			;;
 		--version)
 			VERSION="${2#v}"
 			shift
 			;;
 		--setup-repo)
 			REPO_ONLY=1
 			shift
 			;;
 		--no-autostart)
 			NO_AUTOSTART=1
 			;;
 		--*)
 			echo "Illegal option $1"
 			;;
 	esac
 	shift $(( $# > 0 ? 1 : 0 ))
 done
 case "$mirror" in
 	Aliyun)
 		DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce"
 		;;
 	AzureChinaCloud)
 		DOWNLOAD_URL="https://mirror.azure.cn/docker-ce"
 		;;
 	"")
 		;;
 	*)
 		>&2 echo "unknown mirror '$mirror': use either 'Aliyun', or 'AzureChinaCloud'."
 		exit 1
 		;;
 esac
 case "$CHANNEL" in
 	stable|test)
 		;;
 	*)
 		>&2 echo "unknown CHANNEL '$CHANNEL': use either stable or test."
 		exit 1
 		;;
 esac
 command_exists() {
 	command -v "$@" > /dev/null 2>&1
 }
 # version_gte checks if the version specified in $VERSION is at least the given
 # SemVer (Maj.Minor[.Patch]), or CalVer (YY.MM) version.It returns 0 (success)
 # if $VERSION is either unset (=latest) or newer or equal than the specified
 # version, or returns 1 (fail) otherwise.
 #
 # examples:
 #
 # VERSION=23.0
 # version_gte 23.0  // 0 (success)
 # version_gte 20.10 // 0 (success)
 # version_gte 19.03 // 0 (success)
 # version_gte 26.1  // 1 (fail)
 version_gte() {
 	if [ -z "$VERSION" ]; then
 			return 0
 	fi
 	version_compare "$VERSION" "$1"
 }
 # version_compare compares two version strings (either SemVer (Major.Minor.Path),
 # or CalVer (YY.MM) version strings. It returns 0 (success) if version A is newer
 # or equal than version B, or 1 (fail) otherwise. Patch releases and pre-release
 # (-alpha/-beta) are not taken into account
 #
 # examples:
 #
 # version_compare 23.0.0 20.10 // 0 (success)
 # version_compare 23.0 20.10   // 0 (success)
 # version_compare 20.10 19.03  // 0 (success)
 # version_compare 20.10 20.10  // 0 (success)
 # version_compare 19.03 20.10  // 1 (fail)
 version_compare() (
 	set +x
 	yy_a="$(echo "$1" | cut -d'.' -f1)"
 	yy_b="$(echo "$2" | cut -d'.' -f1)"
 	if [ "$yy_a" -lt "$yy_b" ]; then
 		return 1
 	fi
 	if [ "$yy_a" -gt "$yy_b" ]; then
 		return 0
 	fi
 	mm_a="$(echo "$1" | cut -d'.' -f2)"
 	mm_b="$(echo "$2" | cut -d'.' -f2)"
 	# trim leading zeros to accommodate CalVer
 	mm_a="${mm_a#0}"
 	mm_b="${mm_b#0}"
 	if [ "${mm_a:-0}" -lt "${mm_b:-0}" ]; then
 		return 1
 	fi
 	return 0
 )
 is_dry_run() {
 	if [ -z "$DRY_RUN" ]; then
 		return 1
 	else
 		return 0
 	fi
 }
 is_wsl() {
 	case "$(uname -r)" in
 	*microsoft* ) true ;; # WSL 2
 	*Microsoft* ) true ;; # WSL 1
 	* ) false;;
 	esac
 }
 is_darwin() {
 	case "$(uname -s)" in
 	*darwin* ) true ;;
 	*Darwin* ) true ;;
 	* ) false;;
 	esac
 }
 deprecation_notice() {
 	distro=$1
 	distro_version=$2
 	echo
 	printf "\033[91;1mDEPRECATION WARNING\033[0m\n"
 	printf "    This Linux distribution (\033[1m%s %s\033[0m) reached end-of-life and is no longer supported by this script.\n" "$distro" "$distro_version"
 	echo   "    No updates or security fixes will be released for this distribution, and users are recommended"
 	echo   "    to upgrade to a currently maintained version of $distro."
 	echo
 	printf   "Press \033[1mCtrl+C\033[0m now to abort this script, or wait for the installation to continue."
 	echo
 	sleep 10
 }
 get_distribution() {
 	lsb_dist=""
 	# Every system that we officially support has /etc/os-release
 	if [ -r /etc/os-release ]; then
 		lsb_dist="$(. /etc/os-release && echo "$ID")"
 	fi
 	# Returning an empty string here should be alright since the
 	# case statements don't act unless you provide an actual value
 	echo "$lsb_dist"
 }
 start_docker_daemon() {
 	# Use systemctl if available (for systemd-based systems)
 	if command_exists systemctl; then
 		is_dry_run || >&2 echo "Using systemd to manage Docker service"
 		if (
 			is_dry_run || set -x
 			$sh_c systemctl enable --now docker.service 2>/dev/null
 		); then
 			is_dry_run || echo "INFO: Docker daemon enabled and started" >&2
 		else
 			is_dry_run || echo "WARNING: unable to enable the docker service" >&2
 		fi
 	else
 		# No service management available (container environment)
 		if ! is_dry_run; then
 			>&2 echo "Note: Running in a container environment without service management"
 			>&2 echo "Docker daemon cannot be started automatically in this environment"
 			>&2 echo "The Docker packages have been installed successfully"
 		fi
 	fi
 	>&2 echo
 }
 echo_docker_as_nonroot() {
 	if is_dry_run; then
 		return
 	fi
 	if command_exists docker && [ -e /var/run/docker.sock ]; then
 		(
 			set -x
 			$sh_c 'docker version'
 		) || true
 	fi
 	# intentionally mixed spaces and tabs here -- tabs are stripped by "<<-EOF", spaces are kept in the output
 	echo
 	echo "================================================================================"
 	echo
 	if version_gte "20.10"; then
 		echo "To run Docker as a non-privileged user, consider setting up the"
 		echo "Docker daemon in rootless mode for your user:"
 		echo
 		echo "    dockerd-rootless-setuptool.sh install"
 		echo
 		echo "Visit https://docs.docker.com/go/rootless/ to learn about rootless mode."
 		echo
 	fi
 	echo
 	echo "To run the Docker daemon as a fully privileged service, but granting non-root"
 	echo "users access, refer to https://docs.docker.com/go/daemon-access/"
 	echo
 	echo "WARNING: Access to the remote API on a privileged Docker daemon is equivalent"
 	echo "         to root access on the host. Refer to the 'Docker daemon attack surface'"
 	echo "         documentation for details: https://docs.docker.com/go/attack-surface/"
 	echo
 	echo "================================================================================"
 	echo
 }
 # Check if this is a forked Linux distro
 check_forked() {
 	# Check for lsb_release command existence, it usually exists in forked distros
 	if command_exists lsb_release; then
 		# Check if the `-u` option is supported
 		set +e
 		lsb_release -a -u > /dev/null 2>&1
 		lsb_release_exit_code=$?
 		set -e
 		# Check if the command has exited successfully, it means we're in a forked distro
 		if [ "$lsb_release_exit_code" = "0" ]; then
 			# Print info about current distro
 			cat <<-EOF
 			You're using '$lsb_dist' version '$dist_version'.
 			EOF
 			# Get the upstream release info
 			lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]')
 			dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]')
 			# Print info about upstream distro
 			cat <<-EOF
 			Upstream release is '$lsb_dist' version '$dist_version'.
 			EOF
 		else
 			if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then
 				if [ "$lsb_dist" = "osmc" ]; then
 					# OSMC runs Raspbian
 					lsb_dist=raspbian
 				else
 					# We're Debian and don't even know it!
 					lsb_dist=debian
 				fi
 				dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
 				case "$dist_version" in
 					13|14|forky)
 						dist_version="trixie"
 					;;
 					12)
 						dist_version="bookworm"
 					;;
 					11)
 						dist_version="bullseye"
 					;;
 					10)
 						dist_version="buster"
 					;;
 					9)
 						dist_version="stretch"
 					;;
 					8)
 						dist_version="jessie"
 					;;
 				esac
 			fi
 		fi
 	fi
 }
 do_install() {
 	echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA"
 	if command_exists docker; then
 		cat >&2 <<-'EOF'
 			Warning: the "docker" command appears to already exist on this system.
 			If you already have Docker installed, this script can cause trouble, which is
 			why we're displaying this warning and provide the opportunity to cancel the
 			installation.
 			If you installed the current Docker package using this script and are using it
 			again to update Docker, you can ignore this message, but be aware that the
 			script resets any custom changes in the deb and rpm repo configuration
 			files to match the parameters passed to the script.
 			You may press Ctrl+C now to abort this script.
 		EOF
 		( set -x; sleep 20 )
 	fi
 	user="$(id -un 2>/dev/null || true)"
 	sh_c='sh -c'
 	if [ "$user" != 'root' ]; then
 		if command_exists sudo; then
 			sh_c='sudo -E sh -c'
 		elif command_exists su; then
 			sh_c='su -c'
 		else
 			cat >&2 <<-'EOF'
 			Error: this installer needs the ability to run commands as root.
 			We are unable to find either "sudo" or "su" available to make this happen.
 			EOF
 			exit 1
 		fi
 	fi
 	if is_dry_run; then
 		sh_c="echo"
 	fi
 	# perform some very rudimentary platform detection
 	lsb_dist=$( get_distribution )
 	lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')"
 	if is_wsl; then
 		echo
 		echo "WSL DETECTED: We recommend using Docker Desktop for Windows."
 		echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop/"
 		echo
 		cat >&2 <<-'EOF'
 			You may press Ctrl+C now to abort this script.
 		EOF
 		( set -x; sleep 20 )
 	fi
 	case "$lsb_dist" in
 		ubuntu)
 			if command_exists lsb_release; then
 				dist_version="$(lsb_release --codename | cut -f2)"
 			fi
 			if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then
 				dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")"
 			fi
 		;;
 		debian|raspbian)
 			dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
 			case "$dist_version" in
 				13)
 					dist_version="trixie"
 				;;
 				12)
 					dist_version="bookworm"
 				;;
 				11)
 					dist_version="bullseye"
 				;;
 				10)
 					dist_version="buster"
 				;;
 				9)
 					dist_version="stretch"
 				;;
 				8)
 					dist_version="jessie"
 				;;
 			esac
 		;;
 		centos|rhel)
 			if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
 				dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
 			fi
 		;;
 		*)
 			if command_exists lsb_release; then
 				dist_version="$(lsb_release --release | cut -f2)"
 			fi
 			if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
 				dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
 			fi
 		;;
 	esac
 	# Check if this is a forked Linux distro
 	check_forked
 	# Print deprecation warnings for distro versions that recently reached EOL,
 	# but may still be commonly used (especially LTS versions).
 	case "$lsb_dist.$dist_version" in
 		centos.8|centos.7|rhel.7)
 			deprecation_notice "$lsb_dist" "$dist_version"
 			;;
 		debian.buster|debian.stretch|debian.jessie)
 			deprecation_notice "$lsb_dist" "$dist_version"
 			;;
 		raspbian.buster|raspbian.stretch|raspbian.jessie)
 			deprecation_notice "$lsb_dist" "$dist_version"
 			;;
 		ubuntu.focal|ubuntu.bionic|ubuntu.xenial|ubuntu.trusty)
 			deprecation_notice "$lsb_dist" "$dist_version"
 			;;
 		ubuntu.oracular|ubuntu.mantic|ubuntu.lunar|ubuntu.kinetic|ubuntu.impish|ubuntu.hirsute|ubuntu.groovy|ubuntu.eoan|ubuntu.disco|ubuntu.cosmic)
 			deprecation_notice "$lsb_dist" "$dist_version"
 			;;
 		fedora.*)
 			if [ "$dist_version" -lt 41 ]; then
 				deprecation_notice "$lsb_dist" "$dist_version"
 			fi
 			;;
 	esac
 	# Run setup for each distro accordingly
 	case "$lsb_dist" in
 		ubuntu|debian|raspbian)
 			pre_reqs="ca-certificates curl"
 			apt_repo="deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL"
 			(
 				if ! is_dry_run; then
 					set -x
 				fi
 				$sh_c 'apt-get -qq update >/dev/null'
 				$sh_c "DEBIAN_FRONTEND=noninteractive apt-get -y -qq install $pre_reqs >/dev/null"
 				$sh_c 'install -m 0755 -d /etc/apt/keyrings'
 				$sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" -o /etc/apt/keyrings/docker.asc"
 				$sh_c "chmod a+r /etc/apt/keyrings/docker.asc"
 				$sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list"
 				$sh_c 'apt-get -qq update >/dev/null'
 			)
 			if [ "$REPO_ONLY" = "1" ]; then
 				exit 0
 			fi
 			pkg_version=""
 			if [ -n "$VERSION" ]; then
 				if is_dry_run; then
 					echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
 				else
 					# Will work for incomplete versions IE (17.12), but may not actually grab the "latest" if in the test channel
 					pkg_pattern="$(echo "$VERSION" | sed 's/-ce-/~ce~.*/g' | sed 's/-/.*/g')"
 					search_command="apt-cache madison docker-ce | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
 					pkg_version="$($sh_c "$search_command")"
 					echo "INFO: Searching repository for VERSION '$VERSION'"
 					echo "INFO: $search_command"
 					if [ -z "$pkg_version" ]; then
 						echo
 						echo "ERROR: '$VERSION' not found amongst apt-cache madison results"
 						echo
 						exit 1
 					fi
 					if version_gte "18.09"; then
 							search_command="apt-cache madison docker-ce-cli | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
 							echo "INFO: $search_command"
 							cli_pkg_version="=$($sh_c "$search_command")"
 					fi
 					pkg_version="=$pkg_version"
 				fi
 			fi
 			(
 				pkgs="docker-ce${pkg_version%=}"
 				if version_gte "18.09"; then
 						# older versions didn't ship the cli and containerd as separate packages
 						pkgs="$pkgs docker-ce-cli${cli_pkg_version%=} containerd.io"
 				fi
 				if version_gte "20.10"; then
 						pkgs="$pkgs docker-compose-plugin docker-ce-rootless-extras$pkg_version"
 				fi
 				if version_gte "23.0"; then
 						pkgs="$pkgs docker-buildx-plugin"
 				fi
 				if version_gte "28.2"; then
 						pkgs="$pkgs docker-model-plugin"
 				fi
 				if ! is_dry_run; then
 					set -x
 				fi
 				$sh_c "DEBIAN_FRONTEND=noninteractive apt-get -y -qq install $pkgs >/dev/null"
 			)
 			if [ "$NO_AUTOSTART" != "1" ]; then
 				start_docker_daemon
 			fi
 			echo_docker_as_nonroot
 			exit 0
 			;;
 		centos|fedora|rhel)
 			if [ "$(uname -m)" = "s390x" ]; then
 				echo "Effective v27.5, please consult RHEL distro statement for s390x support."
 				exit 1
 			fi
 			repo_file_url="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE"
 			(
 				if ! is_dry_run; then
 					set -x
 				fi
 				if command_exists dnf5; then
 					$sh_c "dnf -y -q --setopt=install_weak_deps=False install dnf-plugins-core"
 					$sh_c "dnf5 config-manager addrepo --overwrite --save-filename=docker-ce.repo --from-repofile='$repo_file_url'"
 					if [ "$CHANNEL" != "stable" ]; then
 						$sh_c "dnf5 config-manager setopt \"docker-ce-*.enabled=0\""
 						$sh_c "dnf5 config-manager setopt \"docker-ce-$CHANNEL.enabled=1\""
 					fi
 					$sh_c "dnf makecache"
 				elif command_exists dnf; then
 					$sh_c "dnf -y -q --setopt=install_weak_deps=False install dnf-plugins-core"
 					$sh_c "rm -f /etc/yum.repos.d/docker-ce.repo  /etc/yum.repos.d/docker-ce-staging.repo"
 					$sh_c "dnf config-manager --add-repo $repo_file_url"
 					if [ "$CHANNEL" != "stable" ]; then
 						$sh_c "dnf config-manager --set-disabled \"docker-ce-*\""
 						$sh_c "dnf config-manager --set-enabled \"docker-ce-$CHANNEL\""
 					fi
 					$sh_c "dnf makecache"
 				else
 					$sh_c "yum -y -q install yum-utils"
 					$sh_c "rm -f /etc/yum.repos.d/docker-ce.repo  /etc/yum.repos.d/docker-ce-staging.repo"
 					$sh_c "yum-config-manager --add-repo $repo_file_url"
 					if [ "$CHANNEL" != "stable" ]; then
 						$sh_c "yum-config-manager --disable \"docker-ce-*\""
 						$sh_c "yum-config-manager --enable \"docker-ce-$CHANNEL\""
 					fi
 					$sh_c "yum makecache"
 				fi
 			)
 			if [ "$REPO_ONLY" = "1" ]; then
 				exit 0
 			fi
 			pkg_version=""
 			if command_exists dnf; then
 				pkg_manager="dnf"
 				pkg_manager_flags="-y -q --best"
 			else
 				pkg_manager="yum"
 				pkg_manager_flags="-y -q"
 			fi
 			if [ -n "$VERSION" ]; then
 				if is_dry_run; then
 					echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
 				else
 					if [ "$lsb_dist" = "fedora" ]; then
 						pkg_suffix="fc$dist_version"
 					else
 						pkg_suffix="el"
 					fi
 					pkg_pattern="$(echo "$VERSION" | sed 's/-ce-/\\\\.ce.*/g' | sed 's/-/.*/g').*$pkg_suffix"
 					search_command="$pkg_manager list --showduplicates docker-ce | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
 					pkg_version="$($sh_c "$search_command")"
 					echo "INFO: Searching repository for VERSION '$VERSION'"
 					echo "INFO: $search_command"
 					if [ -z "$pkg_version" ]; then
 						echo
 						echo "ERROR: '$VERSION' not found amongst $pkg_manager list results"
 						echo
 						exit 1
 					fi
 					if version_gte "18.09"; then
 						# older versions don't support a cli package
 						search_command="$pkg_manager list --showduplicates docker-ce-cli | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
 						cli_pkg_version="$($sh_c "$search_command" | cut -d':' -f 2)"
 					fi
 					# Cut out the epoch and prefix with a '-'
 					pkg_version="-$(echo "$pkg_version" | cut -d':' -f 2)"
 				fi
 			fi
 			(
 				pkgs="docker-ce$pkg_version"
 				if version_gte "18.09"; then
 					# older versions didn't ship the cli and containerd as separate packages
 					if [ -n "$cli_pkg_version" ]; then
 						pkgs="$pkgs docker-ce-cli-$cli_pkg_version containerd.io"
 					else
 						pkgs="$pkgs docker-ce-cli containerd.io"
 					fi
 				fi
 				if version_gte "20.10"; then
 					pkgs="$pkgs docker-compose-plugin docker-ce-rootless-extras$pkg_version"
 				fi
 				if version_gte "23.0"; then
 						pkgs="$pkgs docker-buildx-plugin docker-model-plugin"
 				fi
 				if ! is_dry_run; then
 					set -x
 				fi
 				$sh_c "$pkg_manager $pkg_manager_flags install $pkgs"
 			)
 			if [ "$NO_AUTOSTART" != "1" ]; then
 				start_docker_daemon
 			fi
 			echo_docker_as_nonroot
 			exit 0
 			;;
 		sles)
 			echo "Effective v27.5, please consult SLES distro statement for s390x support."
 			exit 1
 			;;
 		*)
 			if [ -z "$lsb_dist" ]; then
 				if is_darwin; then
 					echo
 					echo "ERROR: Unsupported operating system 'macOS'"
 					echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
 					echo
 					exit 1
 				fi
 			fi
 			echo
 			echo "ERROR: Unsupported distribution '$lsb_dist'"
 			echo
 			exit 1
 			;;
 	esac
 	exit 1
 }
 # wrapped up in a function so that we have some protection against only getting
 # half the file during "curl | sh"
 do_install
--- a/scripts/ez-homelab.sh
+++ b/scripts/ez-homelab.sh
@@ -384,7 +384,7 @@ SERVER_IP=""
 CORE_SERVER_IP=""
 ADMIN_USER=""
 ADMIN_EMAIL=""
-ADMIN_PASSWORD=""
+AUTHELIA_ADMIN_PASSWORD=""
 DEPLOY_CORE=false
 DEPLOY_INFRASTRUCTURE=false
 DEPLOY_DASHBOARDS=false
@@ -694,9 +694,9 @@ save_env_file() {
        if [ -z "$ADMIN_EMAIL" ]; then
            ADMIN_EMAIL="${DEFAULT_EMAIL:-${ADMIN_USER}@${DOMAIN}}"
        fi
-        if [ -z "$ADMIN_PASSWORD" ]; then
+        if [ -z "$AUTHELIA_ADMIN_PASSWORD" ]; then
-            ADMIN_PASSWORD="${DEFAULT_PASSWORD:-changeme123}"
+            AUTHELIA_ADMIN_PASSWORD="${DEFAULT_PASSWORD}"
-            if [ "$ADMIN_PASSWORD" = "changeme123" ]; then
+            if [ "$AUTHELIA_ADMIN_PASSWORD" = "changeme123" ]; then
                log_info "Using default admin password (changeme123) - please change this after setup!"
            fi
        fi
@@ -727,16 +727,16 @@ save_env_file() {
            if ! docker images | grep -q authelia/authelia; then
                docker pull authelia/authelia:latest > /dev/null 2>&1
            fi
-            AUTHELIA_ADMIN_PASSWORD_HASH=$(docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password "$ADMIN_PASSWORD" 2>&1 | grep -o '\$argon2id.*')
+            AUTHELIA_ADMIN_PASSWORD_HASH=$(docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password "$AUTHELIA_ADMIN_PASSWORD")
            if [ -z "$AUTHELIA_ADMIN_PASSWORD_HASH" ]; then
-                log_error "Failed to generate Authelia password hash. Please check that ADMIN_PASSWORD is set."
+                log_error "Failed to generate Authelia password hash. Please check that AUTHELIA_ADMIN_PASSWORD is set."
                exit 1
            fi
        fi
        # Save password hash
-        sudo -u "$ACTUAL_USER" sed -i "s%# AUTHELIA_ADMIN_PASSWORD_HASH=.*%AUTHELIA_ADMIN_PASSWORD_HASH=\"$AUTHELIA_ADMIN_PASSWORD_HASH\"%" "$REPO_DIR/.env"
+        sudo -u "$ACTUAL_USER" sed -i "s%# AUTHELIA_ADMIN_PASSWORD_HASH=.*%AUTHELIA_ADMIN_PASSWORD_HASH=$AUTHELIA_ADMIN_PASSWORD_HASH%" "$REPO_DIR/.env"
-        sudo -u "$ACTUAL_USER" sed -i "s%AUTHELIA_ADMIN_PASSWORD_HASH=.*%AUTHELIA_ADMIN_PASSWORD_HASH=\"$AUTHELIA_ADMIN_PASSWORD_HASH\"%" "$REPO_DIR/.env"
+        sudo -u "$ACTUAL_USER" sed -i "s%AUTHELIA_ADMIN_PASSWORD_HASH=.*%AUTHELIA_ADMIN_PASSWORD_HASH=$AUTHELIA_ADMIN_PASSWORD_HASH%" "$REPO_DIR/.env"
    fi
    debug_log "Configuration saved to .env file"
--- a/scripts/install-prerequisites.sh
+++ b/scripts/install-prerequisites.sh
@@ -139,7 +139,7 @@ system_setup() {
            log_info "Docker service is already running"
        fi
    else
-        curl -fsSL https://get.docker.com | sh
+        curl -fsSL https://get.docker.com -o get-docker.sh && sudo sh get-docker.sh
        usermod -aG docker "$ACTUAL_USER"
        NEEDS_LOGOUT=true
    fi