feat: standardize Traefik/Sablier labels across all stacks

- Add consistent # TRAEFIK CONFIGURATION headers to all services
- Standardize label structure with service metadata, router config, and Sablier settings
- Update dockerproxy and sablier-service with Docker API requirements documentation
- Fix YAML validation issues in productivity stack
- Ensure all stacks have uniform labeling for easy management

Resolves Docker API connectivity issues for Sablier lazy loading

docker-compose/core/docker-compose.yml

@@ -106,6 +106,12 @@ services:
 
   # Sablier - Lazy loading service for Docker containers
   # Controls startup/shutdown of lazy-loaded services, must always run
+  # REQUIREMENTS FOR DOCKER API ACCESS:
+  # 1. Docker daemon must be configured to listen on TCP port 2375
+  # 2. DOCKER_HOST environment variable must point to accessible Docker API endpoint
+  # 3. Firewall must allow TCP connections to Docker API port (default 2375)
+  # 4. For production, consider using TLS for Docker API communication
+  # 5. Ensure dockerproxy service is running and accessible
   sablier-service:
     image: sablierapp/sablier:latest
     container_name: sablier-service
@@ -114,7 +120,7 @@ services:
       - traefik-network
     environment:
       - SABLIER_PROVIDER=docker
-      - SABLIER_DOCKER_API_VERSION=1.53
+      - SABLIER_DOCKER_API_VERSION=1.51
       - SABLIER_DOCKER_NETWORK=traefik-network
       - SABLIER_LOG_LEVEL=debug
       - DOCKER_HOST=tcp://192.168.4.11:2375

docker-compose/dockge/docker-compose.yml

@@ -41,15 +41,20 @@ services:
       - DOCKGE_STACKS_DIR=/opt/stacks
       - DOCKGE_ENABLE_CONSOLE=true
     labels:
+      # TRAEFIK CONFIGURATION
+      # ==========================================
+      # Service metadata
       - "homelab.category=infrastructure"
       - "homelab.description=Docker Compose stack manager (PRIMARY)"
+      # Traefik reverse proxy (comment/uncomment to disable/enable)
+      # If Traefik is on a remote server: these labels are NOT USED; 
+      #   configure external yml files in /traefik/dynamic folder instead.
       - "traefik.enable=true"
       - "traefik.http.routers.dockge.rule=Host(`dockge.${DOMAIN}`)"
       - "traefik.http.routers.dockge.entrypoints=websecure"
-      - "traefik.http.routers.dockge.tls=true"
+      - "traefik.http.routers.dockge.tls.certresolver=letsencrypt"
       - "traefik.http.routers.dockge.middlewares=authelia@docker"
       - "traefik.http.services.dockge.loadbalancer.server.port=5001"
-      - "x-dockge.url=https://dockge.${DOMAIN}"
 
 networks:
   homelab-network:

docker-compose/infrastructure/docker-compose.yml

@@ -21,6 +21,11 @@
 services:
   dockerproxy:
     # Docker socket proxy for security - provides safe Docker API access, must always run
+    # REQUIREMENTS FOR SABLIER INTEGRATION:
+    # 1. Docker daemon must be configured to listen on TCP port 2375 (not just unix socket)
+    # 2. Firewall must allow access to port 2375 from Sablier service
+    # 3. Docker daemon config should include: "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
+    # 4. For security, consider restricting access to specific IP ranges or using TLS
     image: tecnativa/docker-socket-proxy:latest
     container_name: dockerproxy
     privileged: true
@@ -78,16 +83,20 @@ services:
     cap_add:
       - NET_ADMIN
     labels:
+      # TRAEFIK CONFIGURATION
+      # ==========================================
+      # Service metadata
       - "homelab.category=infrastructure"
       - "homelab.description=Network-wide ad blocking and DNS"
+      # Traefik reverse proxy (comment/uncomment to disable/enable)
+      # If Traefik is on a remote server: these labels are NOT USED; 
+      #   configure external yml files in /traefik/dynamic folder instead.
       - "traefik.enable=true"
       - "traefik.http.routers.pihole.rule=Host(`pihole.${DOMAIN}`)"
       - "traefik.http.routers.pihole.entrypoints=websecure"
-      - "traefik.http.routers.pihole.tls=true"
       - "traefik.http.routers.pihole.tls.certresolver=letsencrypt"
       - "traefik.http.routers.pihole.middlewares=authelia@docker"
       - "traefik.http.services.pihole.loadbalancer.server.port=80"
-      - "x-dockge.url=https://pihole.${DOMAIN}"
 
   # Watchtower - Automatic container updates
   # Monitors and updates Docker containers to latest versions

docker-compose/media/docker-compose.yml

@@ -55,23 +55,21 @@ services:
     # Uncomment for hardware transcoding
     # devices:
     #   - /dev/dri:/dev/dri
+    # TRAEFIK CONFIGURATION
     labels:
-      # TRAEFIK & SABLIER CONFIGURATION
-      # ==========================================
       # Service metadata
+      - "com.centurylinklabs.watchtower.enable=true"
       - "homelab.category=media"
       - "homelab.description=Open-source media streaming server"
-      # Traefik reverse proxy (comment/uncomment to disable/enable)
-      # If Traefik is on a remote server: these labels are NOT USED; 
-      #   configure external yml files in /traefik/dynamic folder instead.
       - "traefik.enable=true"
+      # Router configuration
       - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.${DOMAIN}`)"
       - "traefik.http.routers.jellyfin.entrypoints=websecure"
       - "traefik.http.routers.jellyfin.tls=true"
       - "traefik.http.routers.jellyfin.tls.certresolver=letsencrypt"
-      # - "traefik.http.routers.jellyfin.middlewares=authelia@docker"  # Disabled for app access
+      # Service configuration
       - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
-      # Sablier lazy loading (enabled by default - comment out to disable)
+      # Sablier configuration
       - "sablier.enable=true"
       - "sablier.group=${SERVER_HOSTNAME:-debian}-jellyfin"
       - "sablier.start-on-demand=true"
@@ -106,22 +104,21 @@ services:
       - PGID=${PGID:-1000}
       - TZ=${TZ:-America/New_York}
       - DOCKER_MODS=linuxserver/mods:universal-calibre
+    # TRAEFIK CONFIGURATION
     labels:
-      # TRAEFIK & SABLIER CONFIGURATION
-      # ==========================================
       # Service metadata
+      - "com.centurylinklabs.watchtower.enable=true"
       - "homelab.category=media"
       - "homelab.description=Ebook reader and library management"
-      # Traefik reverse proxy (comment/uncomment to disable/enable)
-      # If Traefik is on a remote server: these labels are NOT USED; 
-      #   configure external yml files in /traefik/dynamic folder instead.
       - "traefik.enable=true"
+      # Router configuration
       - "traefik.http.routers.calibre.rule=Host(`calibre.${DOMAIN}`)"
       - "traefik.http.routers.calibre.entrypoints=websecure"
       - "traefik.http.routers.calibre.tls.certresolver=letsencrypt"
       - "traefik.http.routers.calibre.middlewares=authelia@docker"
+      # Service configuration
       - "traefik.http.services.calibre.loadbalancer.server.port=8083"
-      # Sablier lazy loading (disabled by default - uncomment to enable)
+      # Sablier configuration (disabled by default)
       # - "sablier.enable=true"
       # - "sablier.group=${SERVER_HOSTNAME:-debian}-calibre-web"
       # - "sablier.start-on-demand=true"

docker-compose/productivity/docker-compose.yml

@@ -77,7 +77,6 @@ services:
       - "sablier.start-on-demand=true"
 
   nextcloud-db:
-    restart: unless-stopped
     image: mariadb:10.11
     container_name: nextcloud-db
     restart: no
@@ -176,7 +175,6 @@ services:
       - "sablier.start-on-demand=true"
 
   wordpress-db:
-    restart: unless-stopped
     image: mariadb:10.11
     container_name: wordpress-db
     restart: no
@@ -249,7 +247,6 @@ services:
       - "sablier.start-on-demand=true"
 
   gitea-db:
-    restart: unless-stopped
     image: postgres:14-alpine
     container_name: gitea-db
     restart: no
@@ -351,7 +348,6 @@ services:
       - "sablier.start-on-demand=true"
 
   bookstack-db:
-    restart: unless-stopped
     image: mariadb:10.11
     container_name: bookstack-db
     restart: no
@@ -411,7 +407,6 @@ services:
       - "sablier.start-on-demand=true"
 
   mediawiki-db:
-    restart: unless-stopped
     image: mariadb:10.11
     container_name: mediawiki-db
     restart: no
@@ -456,14 +451,20 @@ services:
     #   - NVIDIA_VISIBLE_DEVICES=all
     #   - NVIDIA_DRIVER_CAPABILITIES=compute,utility
     labels:
-      - homelab.category=productivity
+      # TRAEFIK CONFIGURATION
-      - homelab.description=Jupyter Lab for data science and ML
+      # ==========================================
-      - traefik.enable=true
+      # Service metadata
-      - traefik.http.routers.jupyter.rule=Host(`jupyter.${DOMAIN}`)
+      - "homelab.category=productivity"
-      - traefik.http.routers.jupyter.entrypoints=websecure
+      - "homelab.description=Jupyter Lab for data science and ML"
-      - traefik.http.routers.jupyter.tls.certresolver=letsencrypt
+      # Traefik reverse proxy (comment/uncomment to disable/enable)
-      - traefik.http.routers.jupyter.middlewares=authelia@docker
+      # If Traefik is on a remote server: these labels are NOT USED; 
-      - traefik.http.services.jupyter.loadbalancer.server.port=8888
+      #   configure external yml files in /traefik/dynamic folder instead.
+      - "traefik.enable=true"
+      - "traefik.http.routers.jupyter.rule=Host(`jupyter.${DOMAIN}`)"
+      - "traefik.http.routers.jupyter.entrypoints=websecure"
+      - "traefik.http.routers.jupyter.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.jupyter.middlewares=authelia@docker"
+      - "traefik.http.services.jupyter.loadbalancer.server.port=8888"
 
 volumes:
   nextcloud-db-data:

docker-compose/vpn/docker-compose.yml

@@ -41,15 +41,24 @@ services:
       - OPENVPN_PASSWORD=${SURFSHARK_PASSWORD}
       - SERVER_COUNTRIES=${VPN_SERVER_COUNTRIES:-Netherlands}
       - TZ=${TZ}
+    # TRAEFIK CONFIGURATION
     labels:
+      # Service metadata
+      - "com.centurylinklabs.watchtower.enable=true"
       - "homelab.category=downloaders"
       - "homelab.description=VPN client for secure downloads"
       - "traefik.enable=true"
+      # Router configuration
       - "traefik.http.routers.qbittorrent.rule=Host(`qbit.${DOMAIN}`)"
       - "traefik.http.routers.qbittorrent.entrypoints=websecure"
       - "traefik.http.routers.qbittorrent.tls=true"
       - "traefik.http.routers.qbittorrent.middlewares=authelia@docker"
-      - "traefik.http.services.qbittorrent.loadbalancer.server.port=8080"
+      # Service configuration
+      - "traefik.http.services.qbittorrent.loadbalancer.server.port=8081"
+      # Sablier configuration
+      - "sablier.enable=true"
+      - "sablier.group=qbittorrent"
+      - "sablier.sessionDuration=1h"
 
   # qBittorrent - Torrent client
   # Routes through Gluetun VPN