From f95275d5c06e394a55606bc572c24750859c1f4a Mon Sep 17 00:00:00 2001 From: kelin Date: Thu, 15 Jan 2026 00:53:53 -0500 Subject: [PATCH] Refactor: Create downloaders stack for VPN-routed services - Created new downloaders stack with Gluetun + qBittorrent unified - Moved Gluetun from core stack to downloaders stack - Moved qBittorrent from media-management to downloaders stack - Uses network_mode: service:gluetun for better maintainability - Eliminates cross-stack container ID dependencies - Both services now start/stop together as a logical unit --- docker-compose/core.yml | 42 ------------------ docker-compose/downloaders.yml | 67 +++++++++++++++++++++++++++++ docker-compose/media-management.yml | 17 -------- 3 files changed, 67 insertions(+), 59 deletions(-) create mode 100644 docker-compose/downloaders.yml diff --git a/docker-compose/core.yml b/docker-compose/core.yml index f6db9e8..c799630 100644 --- a/docker-compose/core.yml +++ b/docker-compose/core.yml @@ -7,7 +7,6 @@ # - DuckDNS: No web UI (updates IP automatically) # - Traefik: https://traefik.${DOMAIN} # - Authelia: https://auth.${DOMAIN} -# - Gluetun: No web UI (VPN client for other services) services: # DuckDNS - Dynamic DNS updater 
@@ -100,45 +99,6 @@ services: depends_on: - traefik - # Gluetun - VPN client (Surfshark WireGuard) - # Routes download clients through VPN for security - gluetun: - image: qmcgaw/gluetun:latest - container_name: gluetun - restart: unless-stopped - cap_add: - - NET_ADMIN - devices: - - /dev/net/tun:/dev/net/tun - networks: - - homelab-network - - traefik-network - ports: - - "8888:8888/tcp" # HTTP proxy - - "8388:8388/tcp" # Shadowsocks - - "8388:8388/udp" # Shadowsocks - - "8081:8080" # qBittorrent web UI - - "6881:6881" # qBittorrent - - "6881:6881/udp" # qBittorrent - volumes: - - ./gluetun:/gluetun - environment: - - VPN_SERVICE_PROVIDER=surfshark - - VPN_TYPE=openvpn - - OPENVPN_USER=${SURFSHARK_USERNAME} - - OPENVPN_PASSWORD=${SURFSHARK_PASSWORD} - - SERVER_COUNTRIES=${VPN_SERVER_COUNTRIES:-Netherlands} - - TZ=${TZ} - labels: - - "homelab.category=infrastructure" - - "homelab.description=VPN client for secure downloads" - - "traefik.enable=true" - - "traefik.http.routers.qbittorrent.rule=Host(`qbit.${DOMAIN}`)" - - "traefik.http.routers.qbittorrent.entrypoints=websecure" - - "traefik.http.routers.qbittorrent.tls=true" - - "traefik.http.routers.qbittorrent.middlewares=authelia@docker" - - "traefik.http.services.qbittorrent.loadbalancer.server.port=8080" - volumes: authelia-data: driver: local @@ -146,5 +106,3 @@ volumes: networks: traefik-network: external: true - homelab-network: - external: true diff --git a/docker-compose/downloaders.yml b/docker-compose/downloaders.yml new file mode 100644 index 0000000..3f6766d --- /dev/null +++ b/docker-compose/downloaders.yml 
@@ -0,0 +1,67 @@
+version: "3.9"
+
+services:
+ # VPN client for routing download client traffic through Surfshark
+ gluetun:
+ image: qmcgaw/gluetun:latest
+ container_name: gluetun
+ hostname: gluetun
+ cap_add:
+ - NET_ADMIN
+ devices:
+ - /dev/net/tun:/dev/net/tun
+ ports:
+ - "8081:8080" # qBittorrent WebUI
+ - "6881:6881" # qBittorrent torrent port
+ - "6881:6881/udp"
+ - "8888:8888/tcp" # HTTP proxy
+ - "8388:8388/tcp" # Shadowsocks
+ - "8388:8388/udp"
+ volumes:
+ - ${STACK_DIR}/gluetun:/gluetun
+ environment:
+ - VPN_SERVICE_PROVIDER=surfshark
+ - VPN_TYPE=openvpn
+ - OPENVPN_USER=${SURFSHARK_USER}
+ - OPENVPN_PASSWORD=${SURFSHARK_PASSWORD}
+ - SERVER_COUNTRIES=${VPN_COUNTRY:-Netherlands}
+ - FIREWALL_VPN_INPUT_PORTS=6881
+ - TZ=${TZ}
+ - UPDATER_PERIOD=24h
+ networks:
+ - homelab-network
+ - traefik-network
+ labels:
+ - "traefik.enable=true"
+ # qBittorrent routing through Gluetun
+ - "traefik.http.routers.qbittorrent.rule=Host(`qbit.${DOMAIN}`)"
+ - "traefik.http.routers.qbittorrent.entrypoints=websecure"
+ - "traefik.http.routers.qbittorrent.tls=true"
+ - "traefik.http.routers.qbittorrent.tls.certresolver=letsencrypt"
+ - "traefik.http.routers.qbittorrent.middlewares=authelia@docker"
+ - "traefik.http.services.qbittorrent.loadbalancer.server.port=8080"
+ restart: unless-stopped
+
+ # Torrent client
+ qbittorrent:
+ image: lscr.io/linuxserver/qbittorrent:latest
+ container_name: qbittorrent
+ hostname: qbittorrent
+ network_mode: "service:gluetun" # Route through VPN
+ environment:
+ - PUID=${PUID}
+ - PGID=${PGID}
+ - TZ=${TZ}
+ - WEBUI_PORT=8080
+ volumes:
+ - ${STACK_DIR}/qbittorrent/config:/config
+ - ${MEDIA_DIR}/downloads:/downloads
+ depends_on:
+ - gluetun
+ restart: unless-stopped
+
+networks:
+ homelab-network:
+ external: true
+ traefik-network:
+ external: true
diff --git a/docker-compose/media-management.yml b/docker-compose/media-management.yml
index b497e06..5d45604 100644
--- a/docker-compose/media-management.yml
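Review bot: The `- "8081:8080"` entry under gluetun's `ports:` publishes the qBittorrent WebUI on every host interface, so it can be reached without passing the `authelia@docker` middleware that the Traefik labels on the same service apply; only qBittorrent's own login would stand in front of it. Traefik already reaches port 8080 over `traefik-network`, so the mapping can be deleted, or bound to loopback as `- "127.0.0.1:8081:8080"` if direct local access is still wanted. The `8888` and `8388` mappings are published too, although no proxy setting is visible in `environment:`; if the HTTP proxy and Shadowsocks are unused they should be dropped, since enabling them later would open a path into the VPN tunnel to anything that can reach the host. The variables were also renamed to `${SURFSHARK_USER}` and `${VPN_COUNTRY}`, and `PUID`, `PGID` and `TZ` lost their `:-` defaults, so an existing `.env` will expand to empty values unless it is updated; a header comment listing the required variables would make that visible. Both images still track `:latest`, and pinning a version tag or digest is worth doing for gluetun in particular because it runs with `NET_ADMIN` and `/dev/net/tun`.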
+++ b/docker-compose/media-management.yml @@ -15,23 +15,6 @@ # - Unmanic: https://unmanic.${DOMAIN} services: - # qBittorrent - Torrent client - # Access at: https://qbit.${DOMAIN} - # Routes through Gluetun VPN in core stack - qbittorrent: - image: lscr.io/linuxserver/qbittorrent:latest - container_name: qbittorrent - restart: unless-stopped - network_mode: "container:gluetun" # Routes through VPN (gluetun container in core stack) - volumes: - - ./qbittorrent/config:/config - - /mnt/downloads:/downloads - environment: - - PUID=${PUID:-1000} - - PGID=${PGID:-1000} - - TZ=${TZ:-America/New_York} - - WEBUI_PORT=8080 - # Sonarr - TV show automation # Access at: https://sonarr.yourdomain.duckdns.org sonarr: