Round 10: Add Traefik routing to monitoring services

- Added Traefik labels and routing to prometheus, grafana, loki, cadvisor - Fixed Grafana ROOT_URL to use domain-based URL (https://grafana.${DOMAIN}) - Added uptime-kuma bypass rule in Authelia (needs initial setup) - Updated all services to use traefik-network - Synced domain from kelin-hass to kelin-casa across all configs - Fixed missing tls=true label on uptime-kuma - Note: Loki is API-only service (no web UI, accessed via Grafana)
2026-01-14 23:08:37 -05:00
parent 258e8eec94
commit adb894d35e
15 changed files with 1342 additions and 229 deletions
--- a/docker-compose/core.yml
+++ b/docker-compose/core.yml
@@ -3,6 +3,12 @@
 # Deploy this stack FIRST before any other services
 # Place in /opt/stacks/core/docker-compose.yml

+# Service Access URLs:
+# - DuckDNS: No web UI (updates IP automatically)
+# - Traefik: https://traefik.${DOMAIN}
+# - Authelia: https://auth.${DOMAIN}
+# - Gluetun: No web UI (VPN client for other services)
+
 services:
  # DuckDNS - Dynamic DNS updater
  # Updates your public IP automatically for Let's Encrypt SSL
--- a/docker-compose/core/authelia/configuration.yml
+++ b/docker-compose/core/authelia/configuration.yml
@@ -1,6 +1,6 @@
 # Authelia Configuration
 # Copy to /opt/stacks/authelia/configuration.yml
-# IMPORTANT: Replace 'kelin-hass.duckdns.org' with your actual DuckDNS domain
+# IMPORTANT: Replace 'kelin-casa.duckdns.org' with your actual DuckDNS domain

 server:
  host: 0.0.0.0
@@ -13,10 +13,10 @@ theme: dark

 jwt_secret: ${AUTHELIA_JWT_SECRET}

-default_redirection_url: https://auth.kelin-hass.duckdns.org
+default_redirection_url: https://auth.kelin-casa.duckdns.org

 totp:
-  issuer: kelin-hass.duckdns.org
+  issuer: kelin-casa.duckdns.org
  period: 30
  skew: 1

@@ -36,34 +36,38 @@ access_control:
  
  rules:
    # Bypass Authelia for Jellyfin (allow app access)
-    - domain: jellyfin.kelin-hass.duckdns.org
+    - domain: jellyfin.kelin-casa.duckdns.org
      policy: bypass
    
    # Bypass for Plex (allow app access)
-    - domain: plex.kelin-hass.duckdns.org
+    - domain: plex.kelin-casa.duckdns.org
      policy: bypass
    
    # Bypass for Home Assistant (has its own auth)
-    - domain: ha.kelin-hass.duckdns.org
+    - domain: ha.kelin-casa.duckdns.org
+      policy: bypass
+    
+    # Bypass for Uptime Kuma (has its own auth + needs initial setup)
+    - domain: status.kelin-casa.duckdns.org
      policy: bypass
    
    # Protected: All other services require authentication
-    - domain: "*.kelin-hass.duckdns.org"
+    - domain: "*.kelin-casa.duckdns.org"
      policy: one_factor
    
    # Two-factor for admin services (optional)
    # - domain:
-    #     - "admin.kelin-hass.duckdns.org"
-    #     - "portainer.kelin-hass.duckdns.org"
+    #     - "admin.kelin-casa.duckdns.org"
+    #     - "portainer.kelin-casa.duckdns.org"
    #   policy: two_factor

 session:
  name: authelia_session
  secret: ${AUTHELIA_SESSION_SECRET}
-  expiration: 1h
-  inactivity: 5m
+  expiration: 24h      # Session expires after 24 hours
+  inactivity: 24h      # Session expires after 24 hours of inactivity
  remember_me_duration: 1M
-  domain: kelin-hass.duckdns.org
+  domain: kelin-casa.duckdns.org

 regulation:
  max_retries: 3
--- a/docker-compose/dashboards.yml
+++ b/docker-compose/dashboards.yml
@@ -2,6 +2,10 @@
 # Homepage and Homarr for homelab dashboards
 # Place in /opt/stacks/dashboards/docker-compose.yml

+# Service Access URLs:
+# - Homepage: https://home.${DOMAIN}
+# - Homarr: https://homarr.${DOMAIN}
+
 services:
  # Homepage - Application dashboard (AI-configurable via YAML)
  # Access at: https://home.${DOMAIN}
--- a/docker-compose/homeassistant.yml
+++ b/docker-compose/homeassistant.yml
@@ -2,6 +2,13 @@
 # Home automation platform and related tools
 # Place in /opt/stacks/homeassistant/docker-compose.yml

+# Service Access URLs:
+# - Home Assistant: https://ha.${DOMAIN} (configure via Traefik file provider - uses host network)
+# - ESPHome: https://esphome.${DOMAIN}
+# - Node-RED: https://nodered.${DOMAIN}
+# - Mosquitto MQTT: mqtt://server-ip:1883 (no web UI)
+# - Zigbee2MQTT: https://zigbee2mqtt.${DOMAIN} (requires USB adapter)
+
 services:
  # Home Assistant - Home automation platform
  # Access at: https://ha.${DOMAIN}
@@ -12,7 +19,7 @@ services:
    restart: unless-stopped
    network_mode: host  # Required for device discovery
    volumes:
-      - ./$(basename $file .yml)/config:/config
+      - ./homeassistant/config:/config
      - /etc/localtime:/etc/localtime:ro
    environment:
      - TZ=${TZ}
@@ -33,7 +40,7 @@ services:
      - homelab-network
      - traefik-network
    volumes:
-      - ./$(basename $file .yml)/config:/config
+      - ./esphome/config:/config
      - /etc/localtime:/etc/localtime:ro
    environment:
      - TZ=${TZ}
@@ -133,38 +140,43 @@ services:
      - "1883:1883"  # MQTT
      - "9001:9001"  # Websockets
    volumes:
-      - ./$(basename $file .yml)/config:/mosquitto/config
-      - /opt/stacks/mosquitto/data:/mosquitto/data
-      - /opt/stacks/mosquitto/log:/mosquitto/log
+      - ./mosquitto/config:/mosquitto/config
+      - ./mosquitto/data:/mosquitto/data
+      - ./mosquitto/log:/mosquitto/log
    labels:
      - "homelab.category=iot"
      - "homelab.description=MQTT message broker"

-  # Zigbee2MQTT - Zigbee to MQTT bridge (Home Assistant addon alternative)
+  # Zigbee2MQTT - Zigbee to MQTT bridge (DISABLED - requires USB adapter)
  # Access at: https://zigbee2mqtt.${DOMAIN}
-  zigbee2mqtt:
-    image: koenkk/zigbee2mqtt:latest
-    container_name: zigbee2mqtt
-    restart: unless-stopped
-    networks:
-      - homelab-network
-      - traefik-network
-    volumes:
-      - /opt/stacks/zigbee2mqtt/data:/app/data
-      - /run/udev:/run/udev:ro
-    devices:
-      - /dev/ttyACM0:/dev/ttyACM0  # Zigbee adapter - adjust as needed
-    environment:
-      - TZ=${TZ}
-    labels:
-      - "homelab.category=iot"
-      - "homelab.description=Zigbee to MQTT bridge"
-      - "traefik.enable=true"
-      - "traefik.http.routers.zigbee2mqtt.rule=Host(`zigbee2mqtt.${DOMAIN}`)"
-      - "traefik.http.routers.zigbee2mqtt.entrypoints=websecure"
-      - "traefik.http.routers.zigbee2mqtt.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.zigbee2mqtt.middlewares=authelia@docker"
-      - "traefik.http.services.zigbee2mqtt.loadbalancer.server.port=8080"
+  # NOTE: Requires USB Zigbee adapter (e.g., ConBee II, Sonoff ZBDongle)
+  # Uncomment after connecting adapter
+  # zigbee2mqtt:
+  #   image: koenkk/zigbee2mqtt:1.35.1
+  #   container_name: zigbee2mqtt
+  #   restart: unless-stopped
+  #   networks:
+  #     - homelab-network
+  #     - traefik-network
+  #   volumes:
+  #     - ./zigbee2mqtt/data:/app/data
+  #     - /run/udev:/run/udev:ro
+  #   # Uncomment and adjust device path after connecting USB adapter:
+  #   # devices:
+  #   #   - /dev/ttyACM0:/dev/ttyACM0  # Adjust based on your adapter
+  #   # Common paths: /dev/ttyACM0, /dev/ttyUSB0, /dev/serial/by-id/...
+  #   # Run 'ls -l /dev/serial/by-id/' to find your adapter
+  #   environment:
+  #     - TZ=${TZ}
+  #   labels:
+  #     - "homelab.category=iot"
+  #     - "homelab.description=Zigbee to MQTT bridge"
+  #     - "traefik.enable=true"
+  #     - "traefik.http.routers.zigbee2mqtt.rule=Host(`zigbee2mqtt.${DOMAIN}`)"
+  #     - "traefik.http.routers.zigbee2mqtt.entrypoints=websecure"
+  #     - "traefik.http.routers.zigbee2mqtt.tls.certresolver=letsencrypt"
+  #     - "traefik.http.routers.zigbee2mqtt.middlewares=authelia@docker"
+  #     - "traefik.http.services.zigbee2mqtt.loadbalancer.server.port=8080"

 networks:
  homelab-network:
--- a/docker-compose/infrastructure.yml
+++ b/docker-compose/infrastructure.yml
@@ -4,6 +4,14 @@
 # NOTE: Traefik, Authelia, DuckDNS, and Gluetun have their own separate stacks
 # See /opt/stacks/traefik/, /opt/stacks/authelia/, etc.

+# Service Access URLs:
+# - Dockge: https://dockge.${DOMAIN}
+# - Portainer: https://portainer.${DOMAIN}
+# - Pi-hole: https://pihole.${DOMAIN}
+# - Dozzle: https://dozzle.${DOMAIN}
+# - Glances: https://glances.${DOMAIN}
+# - Netdata: https://netdata.${DOMAIN}
+
 services:
  # Dockge - Docker Compose Stack Manager (PRIMARY - preferred over Portainer)
  # Access at: https://dockge.${DOMAIN}
@@ -22,6 +30,7 @@ services:
      - /opt/dockge/data:/app/data
    environment:
      - DOCKGE_STACKS_DIR=/opt/stacks
+      - DOCKGE_ENABLE_CONSOLE=true
    labels:
      - "homelab.category=infrastructure"
      - "homelab.description=Docker Compose stack manager (PRIMARY)"
@@ -63,6 +72,7 @@ services:
      - "traefik.http.routers.pihole.rule=Host(`pihole.${DOMAIN}`)"
      - "traefik.http.routers.pihole.entrypoints=websecure"
      - "traefik.http.routers.pihole.tls=true"
+      - "traefik.http.routers.pihole.tls.certresolver=letsencrypt"
      - "traefik.http.routers.pihole.middlewares=authelia@docker"
      - "traefik.http.services.pihole.loadbalancer.server.port=80"

--- a/docker-compose/media-management.yml
+++ b/docker-compose/media-management.yml
@@ -2,11 +2,23 @@
 # Content automation and library management (*arr apps, transcoders, etc.)
 # Place in /opt/stacks/media-management/docker-compose.yml

+# Service Access URLs:
+# - Sonarr: https://sonarr.${DOMAIN}
+# - Radarr: https://radarr.${DOMAIN}
+# - Prowlarr: https://prowlarr.${DOMAIN}
+# - Readarr: https://readarr.${DOMAIN}
+# - Lidarr: https://lidarr.${DOMAIN}
+# - LazyLibrarian: https://lazylibrarian.${DOMAIN}
+# - Mylar3: https://mylar.${DOMAIN}
+# - Jellyseerr: https://jellyseerr.${DOMAIN}
+# - Tdarr: https://tdarr.${DOMAIN}
+# - Unmanic: https://unmanic.${DOMAIN}
+
 services:
  # Sonarr - TV show automation
  # Access at: https://sonarr.yourdomain.duckdns.org
  sonarr:
-    image: lscr.io/linuxserver/sonarr:4.0.0
+    image: linuxserver/sonarr:4.0.0
    container_name: sonarr
    restart: unless-stopped
    networks:
@@ -16,26 +28,25 @@ services:
    volumes:
      - ./sonarr/config:/config
      - /mnt/media:/media
-      - /mnt/downloads:/downloads  # Large downloads on separate drive
+      - /mnt/downloads:/downloads # Large downloads on separate drive
    environment:
      - PUID=${PUID:-1000}
      - PGID=${PGID:-1000}
      - TZ=${TZ:-America/New_York}
    labels:
-      - "homelab.category=media"
-      - "homelab.description=TV show management and automation"
+      - homelab.category=media
+      - homelab.description=TV show management and automation
      # Traefik labels with Authelia
-      - "traefik.enable=true"
-      - "traefik.http.routers.sonarr.rule=Host(`sonarr.${DOMAIN}`)"
-      - "traefik.http.routers.sonarr.entrypoints=websecure"
-      - "traefik.http.routers.sonarr.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.sonarr.middlewares=authelia@docker"
-      - "traefik.http.services.sonarr.loadbalancer.server.port=8989"
-
+      - traefik.enable=true
+      - traefik.http.routers.sonarr.rule=Host(`sonarr.${DOMAIN}`)
+      - traefik.http.routers.sonarr.entrypoints=websecure
+      - traefik.http.routers.sonarr.tls.certresolver=letsencrypt
+      - traefik.http.routers.sonarr.middlewares=authelia@docker
+      - traefik.http.services.sonarr.loadbalancer.server.port=8989
  # Radarr - Movie automation
  # Access at: https://radarr.yourdomain.duckdns.org
  radarr:
-    image: lscr.io/linuxserver/radarr:5.2.6
+    image: linuxserver/radarr:5.2.6
    container_name: radarr
    restart: unless-stopped
    networks:
@@ -45,26 +56,25 @@ services:
    volumes:
      - ./radarr/config:/config
      - /mnt/media:/media
-      - /mnt/downloads:/downloads  # Large downloads on separate drive
+      - /mnt/downloads:/downloads # Large downloads on separate drive
    environment:
      - PUID=${PUID:-1000}
      - PGID=${PGID:-1000}
      - TZ=${TZ:-America/New_York}
    labels:
-      - "homelab.category=media"
-      - "homelab.description=Movie management and automation"
+      - homelab.category=media
+      - homelab.description=Movie management and automation
      # Traefik labels with Authelia
-      - "traefik.enable=true"
-      - "traefik.http.routers.radarr.rule=Host(`radarr.${DOMAIN}`)"
-      - "traefik.http.routers.radarr.entrypoints=websecure"
-      - "traefik.http.routers.radarr.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.radarr.middlewares=authelia@docker"
-      - "traefik.http.services.radarr.loadbalancer.server.port=7878"
-
+      - traefik.enable=true
+      - traefik.http.routers.radarr.rule=Host(`radarr.${DOMAIN}`)
+      - traefik.http.routers.radarr.entrypoints=websecure
+      - traefik.http.routers.radarr.tls.certresolver=letsencrypt
+      - traefik.http.routers.radarr.middlewares=authelia@docker
+      - traefik.http.services.radarr.loadbalancer.server.port=7878
  # Prowlarr - Indexer manager
  # Access at: https://prowlarr.yourdomain.duckdns.org
  prowlarr:
-    image: lscr.io/linuxserver/prowlarr:1.11.4
+    image: linuxserver/prowlarr:1.11.4
    container_name: prowlarr
    restart: unless-stopped
    networks:
@@ -78,20 +88,19 @@ services:
      - PGID=${PGID:-1000}
      - TZ=${TZ:-America/New_York}
    labels:
-      - "homelab.category=media"
-      - "homelab.description=Indexer manager for Sonarr/Radarr"
+      - homelab.category=media
+      - homelab.description=Indexer manager for Sonarr/Radarr
      # Traefik labels with Authelia
-      - "traefik.enable=true"
-      - "traefik.http.routers.prowlarr.rule=Host(`prowlarr.${DOMAIN}`)"
-      - "traefik.http.routers.prowlarr.entrypoints=websecure"
-      - "traefik.http.routers.prowlarr.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.prowlarr.middlewares=authelia@docker"
-      - "traefik.http.services.prowlarr.loadbalancer.server.port=9696"
-
+      - traefik.enable=true
+      - traefik.http.routers.prowlarr.rule=Host(`prowlarr.${DOMAIN}`)
+      - traefik.http.routers.prowlarr.entrypoints=websecure
+      - traefik.http.routers.prowlarr.tls.certresolver=letsencrypt
+      - traefik.http.routers.prowlarr.middlewares=authelia@docker
+      - traefik.http.services.prowlarr.loadbalancer.server.port=9696
  # Readarr - Ebook and audiobook management
  # Access at: https://readarr.${DOMAIN}
  readarr:
-    image: lscr.io/linuxserver/readarr:develop
+    image: linuxserver/readarr:0.4.19-nightly
    container_name: readarr
    restart: unless-stopped
    networks:
@@ -99,7 +108,7 @@ services:
      - homelab-network
      - traefik-network
    volumes:
-      - ./$(basename $file .yml)/config:/config
+      - ./readarr/config:/config
      - /mnt/media/books:/books
      - /mnt/downloads:/downloads
    environment:
@@ -107,19 +116,18 @@ services:
      - PGID=${PGID:-1000}
      - TZ=${TZ}
    labels:
-      - "homelab.category=media"
-      - "homelab.description=Ebook and audiobook management"
-      - "traefik.enable=true"
-      - "traefik.http.routers.readarr.rule=Host(`readarr.${DOMAIN}`)"
-      - "traefik.http.routers.readarr.entrypoints=websecure"
-      - "traefik.http.routers.readarr.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.readarr.middlewares=authelia@docker"
-      - "traefik.http.services.readarr.loadbalancer.server.port=8787"
-
+      - homelab.category=media
+      - homelab.description=Ebook and audiobook management
+      - traefik.enable=true
+      - traefik.http.routers.readarr.rule=Host(`readarr.${DOMAIN}`)
+      - traefik.http.routers.readarr.entrypoints=websecure
+      - traefik.http.routers.readarr.tls.certresolver=letsencrypt
+      - traefik.http.routers.readarr.middlewares=authelia@docker
+      - traefik.http.services.readarr.loadbalancer.server.port=8787
  # Lidarr - Music collection manager
  # Access at: https://lidarr.${DOMAIN}
  lidarr:
-    image: lscr.io/linuxserver/lidarr:latest
+    image: linuxserver/lidarr:2.0.7
    container_name: lidarr
    restart: unless-stopped
    networks:
@@ -127,7 +135,7 @@ services:
      - homelab-network
      - traefik-network
    volumes:
-      - ./$(basename $file .yml)/config:/config
+      - ./lidarr/config:/config
      - /mnt/media/music:/music
      - /mnt/downloads:/downloads
    environment:
@@ -135,19 +143,18 @@ services:
      - PGID=${PGID:-1000}
      - TZ=${TZ}
    labels:
-      - "homelab.category=media"
-      - "homelab.description=Music collection manager"
-      - "traefik.enable=true"
-      - "traefik.http.routers.lidarr.rule=Host(`lidarr.${DOMAIN}`)"
-      - "traefik.http.routers.lidarr.entrypoints=websecure"
-      - "traefik.http.routers.lidarr.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.lidarr.middlewares=authelia@docker"
-      - "traefik.http.services.lidarr.loadbalancer.server.port=8686"
-
+      - homelab.category=media
+      - homelab.description=Music collection manager
+      - traefik.enable=true
+      - traefik.http.routers.lidarr.rule=Host(`lidarr.${DOMAIN}`)
+      - traefik.http.routers.lidarr.entrypoints=websecure
+      - traefik.http.routers.lidarr.tls.certresolver=letsencrypt
+      - traefik.http.routers.lidarr.middlewares=authelia@docker
+      - traefik.http.services.lidarr.loadbalancer.server.port=8686
  # Lazy Librarian - Book manager
  # Access at: https://lazylibrarian.${DOMAIN}
  lazylibrarian:
-    image: lscr.io/linuxserver/lazylibrarian:latest
+    image: linuxserver/lazylibrarian:latest
    container_name: lazylibrarian
    restart: unless-stopped
    networks:
@@ -155,7 +162,7 @@ services:
      - homelab-network
      - traefik-network
    volumes:
-      - ./$(basename $file .yml)/config:/config
+      - ./lazylibrarian/config:/config
      - /mnt/media/books:/books
      - /mnt/downloads:/downloads
    environment:
@@ -164,19 +171,18 @@ services:
      - TZ=${TZ}
      - DOCKER_MODS=linuxserver/mods:lazylibrarian-ffmpeg
    labels:
-      - "homelab.category=media"
-      - "homelab.description=Book download automation"
-      - "traefik.enable=true"
-      - "traefik.http.routers.lazylibrarian.rule=Host(`lazylibrarian.${DOMAIN}`)"
-      - "traefik.http.routers.lazylibrarian.entrypoints=websecure"
-      - "traefik.http.routers.lazylibrarian.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.lazylibrarian.middlewares=authelia@docker"
-      - "traefik.http.services.lazylibrarian.loadbalancer.server.port=5299"
-
+      - homelab.category=media
+      - homelab.description=Book download automation
+      - traefik.enable=true
+      - traefik.http.routers.lazylibrarian.rule=Host(`lazylibrarian.${DOMAIN}`)
+      - traefik.http.routers.lazylibrarian.entrypoints=websecure
+      - traefik.http.routers.lazylibrarian.tls.certresolver=letsencrypt
+      - traefik.http.routers.lazylibrarian.middlewares=authelia@docker
+      - traefik.http.services.lazylibrarian.loadbalancer.server.port=5299
  # Mylar3 - Comic book manager
  # Access at: https://mylar.${DOMAIN}
  mylar3:
-    image: lscr.io/linuxserver/mylar3:latest
+    image: linuxserver/mylar3:latest
    container_name: mylar3
    restart: unless-stopped
    networks:
@@ -184,7 +190,7 @@ services:
      - homelab-network
      - traefik-network
    volumes:
-      - /opt/stacks/mylar3/config:/config
+      - ./mylar3/config:/config
      - /mnt/media/comics:/comics
      - /mnt/downloads:/downloads
    environment:
@@ -192,15 +198,14 @@ services:
      - PGID=${PGID:-1000}
      - TZ=${TZ}
    labels:
-      - "homelab.category=media"
-      - "homelab.description=Comic book collection manager"
-      - "traefik.enable=true"
-      - "traefik.http.routers.mylar.rule=Host(`mylar.${DOMAIN}`)"
-      - "traefik.http.routers.mylar.entrypoints=websecure"
-      - "traefik.http.routers.mylar.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.mylar.middlewares=authelia@docker"
-      - "traefik.http.services.mylar.loadbalancer.server.port=8090"
-
+      - homelab.category=media
+      - homelab.description=Comic book collection manager
+      - traefik.enable=true
+      - traefik.http.routers.mylar.rule=Host(`mylar.${DOMAIN}`)
+      - traefik.http.routers.mylar.entrypoints=websecure
+      - traefik.http.routers.mylar.tls.certresolver=letsencrypt
+      - traefik.http.routers.mylar.middlewares=authelia@docker
+      - traefik.http.services.mylar.loadbalancer.server.port=8090
  # Jellyseerr - Request management for Jellyfin/Plex
  # Access at: https://jellyseerr.${DOMAIN}
  jellyseerr:
@@ -212,24 +217,23 @@ services:
      - homelab-network
      - traefik-network
    volumes:
-      - ./$(basename $file .yml)/config:/app/config
+      - ./jellyseerr/config:/app/config
    environment:
      - LOG_LEVEL=info
      - TZ=${TZ}
    labels:
-      - "homelab.category=media"
-      - "homelab.description=Media request management"
-      - "traefik.enable=true"
-      - "traefik.http.routers.jellyseerr.rule=Host(`jellyseerr.${DOMAIN}`)"
-      - "traefik.http.routers.jellyseerr.entrypoints=websecure"
-      - "traefik.http.routers.jellyseerr.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.jellyseerr.middlewares=authelia@docker"
-      - "traefik.http.services.jellyseerr.loadbalancer.server.port=5055"
-
+      - homelab.category=media
+      - homelab.description=Media request management
+      - traefik.enable=true
+      - traefik.http.routers.jellyseerr.rule=Host(`jellyseerr.${DOMAIN}`)
+      - traefik.http.routers.jellyseerr.entrypoints=websecure
+      - traefik.http.routers.jellyseerr.tls.certresolver=letsencrypt
+      - traefik.http.routers.jellyseerr.middlewares=authelia@docker
+      - traefik.http.services.jellyseerr.loadbalancer.server.port=5055
  # FlareSolverr - Cloudflare bypass for Prowlarr
  # No web UI - used by Prowlarr
  flaresolverr:
-    image: ghcr.io/flaresolverr/flaresolverr:latest
+    image: flaresolverr/flaresolverr:latest
    container_name: flaresolverr
    restart: unless-stopped
    networks:
@@ -238,9 +242,8 @@ services:
      - LOG_LEVEL=info
      - TZ=${TZ}
    labels:
-      - "homelab.category=media"
-      - "homelab.description=Cloudflare bypass for indexers"
-
+      - homelab.category=media
+      - homelab.description=Cloudflare bypass for indexers
  # Tdarr Server - Distributed transcoding server
  # Access at: https://tdarr.${DOMAIN}
  tdarr-server:
@@ -252,13 +255,13 @@ services:
      - homelab-network
      - traefik-network
    ports:
-      - "8266:8266"  # Server port
+      - 8266:8266 # Server port
    volumes:
-      - /opt/stacks/tdarr/server:/app/server
-      - ./$(basename $file .yml)/configs:/app/configs
-      - /opt/stacks/tdarr/logs:/app/logs
+      - ./tdarr/server:/app/server
+      - ./tdarr/configs:/app/configs
+      - ./tdarr/logs:/app/logs
      - /mnt/media:/media
-      - /mnt/tdarr-transcode:/temp  # Transcode cache on separate drive
+      - /mnt/tdarr-transcode:/temp # Transcode cache on separate drive
    environment:
      - PUID=${PUID:-1000}
      - PGID=${PGID:-1000}
@@ -267,15 +270,14 @@ services:
      - serverPort=8266
      - webUIPort=8265
    labels:
-      - "homelab.category=media"
-      - "homelab.description=Distributed transcoding server"
-      - "traefik.enable=true"
-      - "traefik.http.routers.tdarr.rule=Host(`tdarr.${DOMAIN}`)"
-      - "traefik.http.routers.tdarr.entrypoints=websecure"
-      - "traefik.http.routers.tdarr.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.tdarr.middlewares=authelia@docker"
-      - "traefik.http.services.tdarr.loadbalancer.server.port=8265"
-
+      - homelab.category=media
+      - homelab.description=Distributed transcoding server
+      - traefik.enable=true
+      - traefik.http.routers.tdarr.rule=Host(`tdarr.${DOMAIN}`)
+      - traefik.http.routers.tdarr.entrypoints=websecure
+      - traefik.http.routers.tdarr.tls.certresolver=letsencrypt
+      - traefik.http.routers.tdarr.middlewares=authelia@docker
+      - traefik.http.services.tdarr.loadbalancer.server.port=8265
  # Tdarr Node - Transcoding worker
  # No web UI - controlled by server
  tdarr-node:
@@ -285,8 +287,8 @@ services:
    networks:
      - media-network
    volumes:
-      - ./$(basename $file .yml)/configs:/app/configs
-      - /opt/stacks/tdarr/logs:/app/logs
+      - ./tdarr/configs:/app/configs
+      - ./tdarr/logs:/app/logs
      - /mnt/media:/media
      - /mnt/tdarr-transcode:/temp
    environment:
@@ -299,9 +301,8 @@ services:
      - serverIP=tdarr-server
      - serverPort=8266
    labels:
-      - "homelab.category=media"
-      - "homelab.description=Tdarr transcoding worker node"
-
+      - homelab.category=media
+      - homelab.description=Tdarr transcoding worker node
  # Unmanic - Another transcoding option
  # Access at: https://unmanic.${DOMAIN}
  unmanic:
@@ -313,23 +314,22 @@ services:
      - homelab-network
      - traefik-network
    volumes:
-      - ./$(basename $file .yml)/config:/config
+      - ./unmanic/config:/config
      - /mnt/media:/library
-      - /mnt/unmanic-cache:/tmp/unmanic  # Transcode cache on separate drive
+      - /mnt/unmanic-cache:/tmp/unmanic # Transcode cache on separate drive
    environment:
      - PUID=${PUID:-1000}
      - PGID=${PGID:-1000}
      - TZ=${TZ}
    labels:
-      - "homelab.category=media"
-      - "homelab.description=Library optimization and transcoding"
-      - "traefik.enable=true"
-      - "traefik.http.routers.unmanic.rule=Host(`unmanic.${DOMAIN}`)"
-      - "traefik.http.routers.unmanic.entrypoints=websecure"
-      - "traefik.http.routers.unmanic.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.unmanic.middlewares=authelia@docker"
-      - "traefik.http.services.unmanic.loadbalancer.server.port=8888"
-
+      - homelab.category=media
+      - homelab.description=Library optimization and transcoding
+      - traefik.enable=true
+      - traefik.http.routers.unmanic.rule=Host(`unmanic.${DOMAIN}`)
+      - traefik.http.routers.unmanic.entrypoints=websecure
+      - traefik.http.routers.unmanic.tls.certresolver=letsencrypt
+      - traefik.http.routers.unmanic.middlewares=authelia@docker
+      - traefik.http.services.unmanic.loadbalancer.server.port=8888
 networks:
  media-network:
    external: true
--- a/docker-compose/media.yml
+++ b/docker-compose/media.yml
@@ -3,6 +3,11 @@
 # Place in /opt/stacks/media/docker-compose.yml
 # NOTE: qBittorrent is configured to use Gluetun VPN (see gluetun.yml)

+# Service Access URLs:
+# - Jellyfin: https://jellyfin.${DOMAIN} (no SSO - app access)
+# - Plex: https://plex.${DOMAIN} (no SSO - app access)
+# - qBittorrent: https://qbit.${DOMAIN} (routed through Gluetun VPN)
+
 services:
  # Jellyfin - Open-source media streaming server
  # Access at: https://jellyfin.yourdomain.duckdns.org
@@ -33,6 +38,7 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.${DOMAIN}`)"
      - "traefik.http.routers.jellyfin.entrypoints=websecure"
+      - "traefik.http.routers.jellyfin.tls=true"
      - "traefik.http.routers.jellyfin.tls.certresolver=letsencrypt"
      - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"

--- a/docker-compose/monitoring.yml
+++ b/docker-compose/monitoring.yml
@@ -1,5 +1,16 @@
 # Monitoring and Observability Services
 # Services for monitoring your homelab infrastructure
+# Place in /opt/stacks/monitoring/docker-compose.yml
+
+# Service Access URLs:
+# - Prometheus: http://server-ip:9090 (or configure Traefik)
+# - Grafana: http://server-ip:3000 (or configure Traefik)
+# - Uptime Kuma: https://status.${DOMAIN}
+# - Node Exporter: http://server-ip:9100/metrics
+# - cAdvisor: http://server-ip:8082
+# - Loki: http://server-ip:3100
+# NOTE: Prometheus, Grafana, Loki use ports because they need to be accessible to other services
+#       Add Traefik labels if you want https://prometheus.${DOMAIN} access

 services:
  # Prometheus - Metrics collection and storage
@@ -11,6 +22,7 @@ services:
    networks:
      - monitoring-network
      - homelab-network
+      - traefik-network
    ports:
      - "9090:9090"
    volumes:
@@ -27,6 +39,13 @@ services:
    labels:
      - "homelab.category=monitoring"
      - "homelab.description=Metrics collection and time-series database"
+      - "traefik.enable=true"
+      - "traefik.http.routers.prometheus.rule=Host(`prometheus.${DOMAIN}`)"
+      - "traefik.http.routers.prometheus.entrypoints=websecure"
+      - "traefik.http.routers.prometheus.tls=true"
+      - "traefik.http.routers.prometheus.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.prometheus.middlewares=authelia@docker"
+      - "traefik.http.services.prometheus.loadbalancer.server.port=9090"

  # Grafana - Metrics visualization
  # Access at: http://server-ip:3000
@@ -38,6 +57,7 @@ services:
    networks:
      - monitoring-network
      - homelab-network
+      - traefik-network
    ports:
      - "3000:3000"
    volumes:
@@ -46,7 +66,7 @@ services:
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD:-admin}
      - GF_USERS_ALLOW_SIGN_UP=false
-      - GF_SERVER_ROOT_URL=http://${SERVER_IP}:3000
+      - GF_SERVER_ROOT_URL=https://grafana.${DOMAIN}
      - GF_INSTALL_PLUGINS=grafana-clock-panel,grafana-simple-json-datasource,grafana-piechart-panel
    user: "${PUID:-1000}:${PGID:-1000}"
    depends_on:
@@ -54,6 +74,13 @@ services:
    labels:
      - "homelab.category=monitoring"
      - "homelab.description=Metrics visualization and dashboards"
+      - "traefik.enable=true"
+      - "traefik.http.routers.grafana.rule=Host(`grafana.${DOMAIN}`)"
+      - "traefik.http.routers.grafana.entrypoints=websecure"
+      - "traefik.http.routers.grafana.tls=true"
+      - "traefik.http.routers.grafana.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.grafana.middlewares=authelia@docker"
+      - "traefik.http.services.grafana.loadbalancer.server.port=3000"

  # Node Exporter - Host metrics exporter
  # Metrics at: http://server-ip:9100/metrics
@@ -86,6 +113,8 @@ services:
    restart: unless-stopped
    networks:
      - monitoring-network
+      - homelab-network
+      - traefik-network
    ports:
      - "8082:8080"
    volumes:
@@ -100,6 +129,13 @@ services:
    labels:
      - "homelab.category=monitoring"
      - "homelab.description=Container metrics and performance monitoring"
+      - "traefik.enable=true"
+      - "traefik.http.routers.cadvisor.rule=Host(`cadvisor.${DOMAIN}`)"
+      - "traefik.http.routers.cadvisor.entrypoints=websecure"
+      - "traefik.http.routers.cadvisor.tls=true"
+      - "traefik.http.routers.cadvisor.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.cadvisor.middlewares=authelia@docker"
+      - "traefik.http.services.cadvisor.loadbalancer.server.port=8080"

  # Uptime Kuma - Uptime monitoring
  # Access at: https://status.${DOMAIN}
@@ -120,6 +156,7 @@ services:
      - "traefik.enable=true"
      - "traefik.http.routers.uptime-kuma.rule=Host(`status.${DOMAIN}`)"
      - "traefik.http.routers.uptime-kuma.entrypoints=websecure"
+      - "traefik.http.routers.uptime-kuma.tls=true"
      - "traefik.http.routers.uptime-kuma.tls.certresolver=letsencrypt"
      - "traefik.http.routers.uptime-kuma.middlewares=authelia@docker"
      - "traefik.http.services.uptime-kuma.loadbalancer.server.port=3001"
@@ -132,6 +169,8 @@ services:
    restart: unless-stopped
    networks:
      - monitoring-network
+      - homelab-network
+      - traefik-network
    ports:
      - "3100:3100"
    volumes:
@@ -142,6 +181,13 @@ services:
    labels:
      - "homelab.category=monitoring"
      - "homelab.description=Log aggregation system"
+      - "traefik.enable=true"
+      - "traefik.http.routers.loki.rule=Host(`loki.${DOMAIN}`)"
+      - "traefik.http.routers.loki.entrypoints=websecure"
+      - "traefik.http.routers.loki.tls=true"
+      - "traefik.http.routers.loki.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.loki.middlewares=authelia@docker"
+      - "traefik.http.services.loki.loadbalancer.server.port=3100"

  # Promtail - Log shipper for Loki
  # Ships Docker container logs to Loki
--- a/docker-compose/productivity.yml
+++ b/docker-compose/productivity.yml
@@ -1,11 +1,20 @@
 # Productivity and Content Management Services
 # Place in /opt/stacks/productivity/docker-compose.yml

+# Service Access URLs:
+# - Nextcloud: https://nextcloud.${DOMAIN}
+# - Mealie: https://mealie.${DOMAIN}
+# - WordPress: https://blog.${DOMAIN}
+# - Gitea: https://git.${DOMAIN}
+# - DokuWiki: https://wiki.${DOMAIN}
+# - BookStack: https://docs.${DOMAIN}
+# - MediaWiki: https://mediawiki.${DOMAIN}
+
 services:
  # Nextcloud - File sync and collaboration
  # Access at: https://nextcloud.${DOMAIN}
  nextcloud:
-    image: nextcloud:latest
+    image: nextcloud:28
    container_name: nextcloud
    restart: unless-stopped
    networks:
@@ -13,7 +22,7 @@ services:
      - traefik-network
      - nextcloud-network
    volumes:
-      - /opt/stacks/nextcloud/html:/var/www/html
+      - ./nextcloud/html:/var/www/html
      - /mnt/nextcloud-data:/var/www/html/data  # Large data on separate drive
    environment:
      - MYSQL_HOST=nextcloud-db
@@ -22,9 +31,10 @@ services:
      - MYSQL_PASSWORD=${NEXTCLOUD_DB_PASSWORD}
      - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER:-admin}
      - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
-      - NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN}
+      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.${DOMAIN}
      - TRUSTED_PROXIES=172.18.0.0/16
      - OVERWRITEPROTOCOL=https
+      - OVERWRITEHOST=nextcloud.${DOMAIN}
    depends_on:
      - nextcloud-db
    labels:
@@ -65,7 +75,7 @@ services:
      - homelab-network
      - traefik-network
    volumes:
-      - /opt/stacks/mealie/data:/app/data
+      - ./mealie/data:/app/data
    environment:
      - PUID=${PUID:-1000}
      - PGID=${PGID:-1000}
@@ -93,7 +103,7 @@ services:
      - traefik-network
      - wordpress-network
    volumes:
-      - /opt/stacks/wordpress/html:/var/www/html
+      - ./wordpress/html:/var/www/html
    environment:
      - WORDPRESS_DB_HOST=wordpress-db
      - WORDPRESS_DB_USER=wordpress
@@ -105,7 +115,7 @@ services:
      - "homelab.category=productivity"
      - "homelab.description=Blog and website platform"
      - "traefik.enable=true"
-      - "traefik.http.routers.wordpress.rule=Host(`blog.${DOMAIN}`)"
+      - "traefik.http.routers.wordpress.rule=Host(`wordpress.${DOMAIN}`)"
      - "traefik.http.routers.wordpress.entrypoints=websecure"
      - "traefik.http.routers.wordpress.tls.certresolver=letsencrypt"
      - "traefik.http.services.wordpress.loadbalancer.server.port=80"
@@ -139,7 +149,7 @@ services:
      - traefik-network
      - gitea-network
    volumes:
-      - /opt/stacks/gitea/data:/data
+      - ./gitea/data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
@@ -156,7 +166,7 @@ services:
      - "homelab.category=productivity"
      - "homelab.description=Self-hosted Git service"
      - "traefik.enable=true"
-      - "traefik.http.routers.gitea.rule=Host(`git.${DOMAIN}`)"
+      - "traefik.http.routers.gitea.rule=Host(`gitea.${DOMAIN}`)"
      - "traefik.http.routers.gitea.entrypoints=websecure"
      - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
      - "traefik.http.routers.gitea.middlewares=authelia@docker"
@@ -188,7 +198,7 @@ services:
      - homelab-network
      - traefik-network
    volumes:
-      - ./$(basename $file .yml)/config:/config
+      - ./dokuwiki/config:/config
    environment:
      - PUID=${PUID:-1000}
      - PGID=${PGID:-1000}
@@ -197,7 +207,7 @@ services:
      - "homelab.category=productivity"
      - "homelab.description=File-based wiki"
      - "traefik.enable=true"
-      - "traefik.http.routers.dokuwiki.rule=Host(`wiki.${DOMAIN}`)"
+      - "traefik.http.routers.dokuwiki.rule=Host(`dokuwiki.${DOMAIN}`)"
      - "traefik.http.routers.dokuwiki.entrypoints=websecure"
      - "traefik.http.routers.dokuwiki.tls.certresolver=letsencrypt"
      - "traefik.http.routers.dokuwiki.middlewares=authelia@docker"
@@ -214,23 +224,24 @@ services:
      - traefik-network
      - bookstack-network
    volumes:
-      - ./$(basename $file .yml)/config:/config
+      - ./bookstack/config:/config
    environment:
      - PUID=${PUID:-1000}
      - PGID=${PGID:-1000}
-      - APP_URL=https://docs.${DOMAIN}
+      - APP_URL=https://bookstack.${DOMAIN}
      - DB_HOST=bookstack-db
      - DB_PORT=3306
      - DB_DATABASE=bookstack
      - DB_USERNAME=bookstack
      - DB_PASSWORD=${BOOKSTACK_DB_PASSWORD}
+      - APP_KEY=base64:NsYD8+8MAvtBhK8xw9p8pxQDy4x8aOQi/78M3CsseAw=
    depends_on:
      - bookstack-db
    labels:
      - "homelab.category=productivity"
      - "homelab.description=Documentation and wiki platform"
      - "traefik.enable=true"
-      - "traefik.http.routers.bookstack.rule=Host(`docs.${DOMAIN}`)"
+      - "traefik.http.routers.bookstack.rule=Host(`bookstack.${DOMAIN}`)"
      - "traefik.http.routers.bookstack.entrypoints=websecure"
      - "traefik.http.routers.bookstack.tls.certresolver=letsencrypt"
      - "traefik.http.routers.bookstack.middlewares=authelia@docker"
@@ -264,8 +275,8 @@ services:
      - traefik-network
      - mediawiki-network
    volumes:
-      - /opt/stacks/mediawiki/images:/var/www/html/images
-      - /opt/stacks/mediawiki/LocalSettings.php:/var/www/html/LocalSettings.php
+      - ./mediawiki/images:/var/www/html/images
+      - ./mediawiki/LocalSettings.php:/var/www/html/LocalSettings.php
    environment:
      - MEDIAWIKI_DB_HOST=mediawiki-db
      - MEDIAWIKI_DB_NAME=mediawiki
--- a/docker-compose/utilities.yml
+++ b/docker-compose/utilities.yml
@@ -1,6 +1,12 @@
 # Backup and Utility Services
 # Place in /opt/stacks/utilities/docker-compose.yml

+# Service Access URLs:
+# - Backrest: https://backrest.${DOMAIN}
+# - Duplicati: https://duplicati.${DOMAIN}
+# - Form.io: https://forms.${DOMAIN}
+# - Vaultwarden (Bitwarden): https://bitwarden.${DOMAIN}
+
 services:
  # Backrest - Backup solution for restic
  # Access at: https://backrest.${DOMAIN}
@@ -12,8 +18,8 @@ services:
      - homelab-network
      - traefik-network
    volumes:
-      - /opt/stacks/backrest/data:/data
-      - ./$(basename $file .yml)/config:/config
+      - ./backrest/data:/data
+      - ./backrest/config:/config
      - /opt/stacks:/opt/stacks:ro  # Backup source
      - /mnt:/mnt:ro  # Backup additional drives
      - backrest-cache:/cache
@@ -34,14 +40,14 @@ services:
  # Duplicati - Backup solution
  # Access at: https://duplicati.${DOMAIN}
  duplicati:
-    image: lscr.io/linuxserver/duplicati:latest
+    image: lscr.io/linuxserver/duplicati:2.0.7
    container_name: duplicati
    restart: unless-stopped
    networks:
      - homelab-network
      - traefik-network
    volumes:
-      - ./$(basename $file .yml)/config:/config
+      - ./duplicati/config:/config
      - /opt/stacks:/source/stacks:ro
      - /mnt:/source/mnt:ro
      - /mnt/backups:/backups
@@ -59,67 +65,68 @@ services:
      - "traefik.http.routers.duplicati.middlewares=authelia@docker"
      - "traefik.http.services.duplicati.loadbalancer.server.port=8200"

-  # Form.io - Form builder (if needed)
-  # Access at: https://forms.${DOMAIN}
-  formio:
-    image: formio/formio:latest
-    container_name: formio
-    restart: unless-stopped
-    networks:
-      - homelab-network
-      - traefik-network
-      - formio-network
-    environment:
-      - MONGO_URL=mongodb://formio-mongo:27017/formio
-      - JWT_SECRET=${FORMIO_JWT_SECRET}
-      - DB_SECRET=${FORMIO_DB_SECRET}
-    depends_on:
-      - formio-mongo
-    labels:
-      - "homelab.category=utilities"
-      - "homelab.description=Form builder platform"
-      - "traefik.enable=true"
-      - "traefik.http.routers.formio.rule=Host(`forms.${DOMAIN}`)"
-      - "traefik.http.routers.formio.entrypoints=websecure"
-      - "traefik.http.routers.formio.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.formio.middlewares=authelia@docker"
-      - "traefik.http.services.formio.loadbalancer.server.port=3000"
+  # Form.io - Form builder (DISABLED - image not available)
+  # Uncomment and configure if formio/formio image becomes available
+  # formio:
+  #   image: formio/formio:latest
+  #   container_name: formio
+  #   restart: unless-stopped
+  #   networks:
+  #     - homelab-network
+  #     - traefik-network
+  #     - formio-network
+  #   environment:
+  #     - MONGO_URL=mongodb://formio-mongo:27017/formio
+  #     - JWT_SECRET=${FORMIO_JWT_SECRET}
+  #     - DB_SECRET=${FORMIO_DB_SECRET}
+  #   depends_on:
+  #     - formio-mongo
+  #   labels:
+  #     - "homelab.category=utilities"
+  #     - "homelab.description=Form builder platform"
+  #     - "traefik.enable=true"
+  #     - "traefik.http.routers.formio.rule=Host(`forms.${DOMAIN}`)"
+  #     - "traefik.http.routers.formio.entrypoints=websecure"
+  #     - "traefik.http.routers.formio.tls.certresolver=letsencrypt"
+  #     - "traefik.http.routers.formio.middlewares=authelia@docker"
+  #     - "traefik.http.services.formio.loadbalancer.server.port=3000"

-  formio-mongo:
-    image: mongo:6
-    container_name: formio-mongo
-    restart: unless-stopped
-    networks:
-      - formio-network
-    volumes:
-      - formio-mongo-data:/data/db
-    labels:
-      - "homelab.category=utilities"
-      - "homelab.description=Form.io database"
+  # formio-mongo:
+  #   image: mongo:6.0
+  #   container_name: formio-mongo
+  #   restart: unless-stopped
+  #   networks:
+  #     - formio-network
+  #   volumes:
+  #     - formio-mongo-data:/data/db
+  #   labels:
+  #     - "homelab.category=utilities"
+  #     - "homelab.description=Form.io database"

  # Bitwarden (Vaultwarden) - Password manager
  # Access at: https://bitwarden.${DOMAIN}
  # Note: SSO disabled for browser extension and mobile app compatibility
  vaultwarden:
-    image: vaultwarden/server:latest
+    image: vaultwarden/server:1.30.1
    container_name: vaultwarden
    restart: unless-stopped
    networks:
      - homelab-network
      - traefik-network
    volumes:
-      - /opt/stacks/vaultwarden/data:/data
+      - ./vaultwarden/data:/data
    environment:
      - DOMAIN=https://bitwarden.${DOMAIN}
      - SIGNUPS_ALLOWED=${BITWARDEN_SIGNUPS_ALLOWED:-true}
      - INVITATIONS_ALLOWED=${BITWARDEN_INVITATIONS_ALLOWED:-true}
      - ADMIN_TOKEN=${BITWARDEN_ADMIN_TOKEN}
-      - SMTP_HOST=${SMTP_HOST}
-      - SMTP_FROM=${SMTP_FROM}
-      - SMTP_PORT=${SMTP_PORT:-587}
-      - SMTP_SECURITY=${SMTP_SECURITY:-starttls}
-      - SMTP_USERNAME=${SMTP_USERNAME}
-      - SMTP_PASSWORD=${SMTP_PASSWORD}
+      # SMTP disabled - uncomment and configure to enable email
+      # - SMTP_HOST=${SMTP_HOST}
+      # - SMTP_FROM=${SMTP_FROM}
+      # - SMTP_PORT=${SMTP_PORT:-587}
+      # - SMTP_SECURITY=${SMTP_SECURITY:-starttls}
+      # - SMTP_USERNAME=${SMTP_USERNAME}
+      # - SMTP_PASSWORD=${SMTP_PASSWORD}
    labels:
      - "homelab.category=utilities"
      - "homelab.description=Self-hosted password manager (Bitwarden)"
@@ -134,7 +141,7 @@ services:
  # Authelia Redis - Session storage for Authelia
  # No web UI - backend service
  authelia-redis:
-    image: redis:alpine
+    image: redis:7-alpine
    container_name: authelia-redis
    restart: unless-stopped
    networks: