Implement Dockge structure with Traefik, Authelia, DuckDNS, and Gluetun VPN

- Update AI copilot instructions for /opt/stacks structure and automated config management
- Replace Nginx Proxy Manager with Traefik (file-based configuration for AI)
- Add Authelia for SSO with bypass rules for Jellyfin/Plex apps
- Add DuckDNS for dynamic DNS with Let's Encrypt integration
- Add Gluetun VPN with Surfshark (WireGuard) for secure downloads
- Update all services to use /opt/stacks paths instead of local directories
- Add Traefik labels to all services for automatic routing
- Configure qBittorrent to route through Gluetun VPN
- Update .env.example with all new required variables
- Create configuration templates for Traefik and Authelia
- Add comprehensive Dockge deployment guide

Co-authored-by: kelinfoxy <67766943+kelinfoxy@users.noreply.github.com>

config-templates/authelia/configuration.yml

@@ -0,0 +1,93 @@
+# Authelia Configuration
+# Copy to /opt/stacks/authelia/configuration.yml
+
+server:
+  host: 0.0.0.0
+  port: 9091
+
+log:
+  level: info
+
+theme: dark
+
+jwt_secret: ${AUTHELIA_JWT_SECRET}
+
+default_redirection_url: https://auth.${DOMAIN}
+
+totp:
+  issuer: ${DOMAIN}
+  period: 30
+  skew: 1
+
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+    password:
+      algorithm: argon2id
+      iterations: 1
+      key_length: 32
+      salt_length: 16
+      memory: 1024
+      parallelism: 8
+
+access_control:
+  default_policy: deny
+  
+  rules:
+    # Bypass Authelia for Jellyfin (allow app access)
+    - domain: jellyfin.${DOMAIN}
+      policy: bypass
+    
+    # Bypass for Plex (allow app access)
+    - domain: plex.${DOMAIN}
+      policy: bypass
+    
+    # Bypass for Home Assistant (has its own auth)
+    - domain: ha.${DOMAIN}
+      policy: bypass
+    
+    # Protected: All other services require authentication
+    - domain: "*.${DOMAIN}"
+      policy: one_factor
+    
+    # Two-factor for admin services (optional)
+    # - domain:
+    #     - "admin.${DOMAIN}"
+    #     - "portainer.${DOMAIN}"
+    #   policy: two_factor
+
+session:
+  name: authelia_session
+  secret: ${AUTHELIA_SESSION_SECRET}
+  expiration: 1h
+  inactivity: 5m
+  remember_me_duration: 1M
+  domain: ${DOMAIN}
+
+regulation:
+  max_retries: 3
+  find_time: 2m
+  ban_time: 5m
+
+storage:
+  encryption_key: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
+  local:
+    path: /config/db.sqlite3
+
+notifier:
+  # File-based notifications (for testing)
+  filesystem:
+    filename: /config/notification.txt
+  
+  # SMTP notifications (recommended for production)
+  # smtp:
+  #   host: smtp.gmail.com
+  #   port: 587
+  #   username: ${SMTP_USERNAME}
+  #   password: ${AUTHELIA_NOTIFIER_SMTP_PASSWORD}
+  #   sender: authelia@${DOMAIN}
+  #   identifier: localhost
+  #   subject: "[Authelia] {title}"
+  #   startup_check_address: test@authelia.com
+  #   disable_require_tls: false
+  #   disable_html_emails: false

config-templates/authelia/users_database.yml

@@ -0,0 +1,20 @@
+# Authelia Users Database
+# Copy to /opt/stacks/authelia/users_database.yml
+# Generate password hashes with: docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword'
+
+users:
+  admin:
+    displayname: "Admin User"
+    password: "$argon2id$v=19$m=65536,t=3,p=4$CHANGEME"  # Replace with your hashed password
+    email: admin@example.com
+    groups:
+      - admins
+      - users
+  
+  # Example: Additional user
+  # user1:
+  #   displayname: "User One"
+  #   password: "$argon2id$v=19$m=65536,t=3,p=4$CHANGEME"
+  #   email: user1@example.com
+  #   groups:
+  #     - users

config-templates/traefik/dynamic/routes.yml

@@ -0,0 +1,31 @@
+# Traefik Dynamic Configuration
+# Copy to /opt/stacks/traefik/dynamic/routes.yml
+# Add custom routes here that aren't defined via Docker labels
+
+http:
+  routers:
+    # Example custom route
+    # custom-service:
+    #   rule: "Host(`custom.example.com`)"
+    #   entryPoints:
+    #     - websecure
+    #   middlewares:
+    #     - authelia@docker
+    #   tls:
+    #     certResolver: letsencrypt
+    #   service: custom-service
+  
+  services:
+    # Example custom service
+    # custom-service:
+    #   loadBalancer:
+    #     servers:
+    #       - url: "http://192.168.1.100:8080"
+  
+  middlewares:
+    # Additional middlewares can be defined here
+    # Example: Rate limiting
+    # rate-limit:
+    #   rateLimit:
+    #     average: 100
+    #     burst: 50

config-templates/traefik/traefik.yml

@@ -0,0 +1,58 @@
+# Traefik Static Configuration
+# Copy to /opt/stacks/traefik/traefik.yml
+
+global:
+  checkNewVersion: true
+  sendAnonymousUsage: false
+
+api:
+  dashboard: true
+  insecure: false  # Dashboard accessible via Traefik route with Authelia
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: letsencrypt
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: ${ACME_EMAIL}
+      storage: /acme.json
+      # Use HTTP challenge (port 80 must be accessible)
+      httpChallenge:
+        entryPoint: web
+      # Or use DNS challenge (requires API token):
+      # dnsChallenge:
+      #   provider: duckdns
+      #   resolvers:
+      #     - "1.1.1.1:53"
+      #     - "8.8.8.8:53"
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false  # Only expose services with traefik.enable=true
+    network: traefik-network
+  
+  file:
+    directory: /dynamic
+    watch: true
+
+log:
+  level: INFO  # DEBUG, INFO, WARN, ERROR
+  filePath: /var/log/traefik/traefik.log
+
+accessLog:
+  filePath: /var/log/traefik/access.log
+  bufferingSize: 100