- Include commented staging caServer in config template
- Add troubleshooting section for test environment certificate conflicts
- Document rate limit avoidance strategies for development/testing
- Remove explicit DNS resolvers from dnsChallenge to fix propagation check failures
- Add note about resolvers causing issues with DuckDNS TXT record resolution
- Preserve knowledge from certificate debugging session
- Added Traefik labels and routing to prometheus, grafana, loki, cadvisor
- Fixed Grafana ROOT_URL to use domain-based URL (https://grafana.${DOMAIN})
- Added uptime-kuma bypass rule in Authelia (needs initial setup)
- Updated all services to use traefik-network
- Synced domain from kelin-hass to kelin-casa across all configs
- Fixed missing tls=true label on uptime-kuma
- Note: Loki is API-only service (no web UI, accessed via Grafana)
Fixes:
- docker-compose/infrastructure.yml:
- Uncommented Watchtower service
- Updated image from 1.7.1 to latest
- Changed DOCKER_API_VERSION from 1.44 to 1.52 (current Docker version)
- Added default empty value for WATCHTOWER_NOTIFICATION_URL
- scripts/deploy-homelab.sh:
- Removed "temporarily disabled" note
- Added Watchtower to infrastructure stack list
- docs/services-overview.md:
- Updated infrastructure stack count from 7 to 8
- Added Watchtower to service list
Watchtower now runs successfully with scheduled updates at 4 AM daily
Changes:
- scripts/setup-homelab.sh: Remove interactive deployment prompt
- Users must now run deploy script manually
- Simplifies both scripts (no sudo workarounds needed)
- Clearer two-step process: setup then deploy
- Documentation updates:
- README.md: Updated step 3-4 with manual deployment
- docs/getting-started.md: Removed step 6 (log out), clarified steps
- docs/manual-setup.md: Added sudo to deploy command
- docs/troubleshooting/COMMON-ISSUES.md: Added sudo to all deploy commands
Rationale:
- Automatic deployment via 'su -' cannot work with sudo requirement
- Manual two-step process is clearer and more reliable
- Setup focuses on configuration, deploy focuses on services
- Updated Getting Started Checklist with clone repo as first step
- Clarified deployment script description
- Added VS Code SSH tip in Simple Setup
- Enhanced VS Code integration section
- Added Debloat/custom service section with AI agent guidance
- README.md: Updated Traefik feature to mention wildcard certificates via DNS challenge
- README.md: Added wildcard cert note to deployment script section
- getting-started.md: Explicitly mention wildcard certificate generation in deploy step
All documentation now clearly states the project uses wildcard SSL certificates with DNS challenge.
- getting-started.md: Moved checklist before Simple Setup, removed Round 4 section
- authelia-customization.md: Updated Authentik reference to alternatives stack
- services-overview.md: Added clickable links to all stack compose files
- setup-homelab.sh: Added prompt to run deployment script after setup (defaults to yes)
- traefik.yml: Changed default to DNS challenge for wildcard certificates (DuckDNS)
All documentation now reflects wildcard certificate usage with DNS challenge.
- README.md: Fixed .env step order, updated to 60+ services
- getting-started.md: Service count updates, credential clarifications, moved Manual Setup to separate file
- manual-setup.md: Created comprehensive manual setup guide
- authelia-customization.md: Moved Authelia customization from services-overview
- services-overview.md: Added clickable links to service docs, removed disabled section and Quick Deployment
- quick-reference.md: Linked to scripts/README.md instead of duplicating content
- Removed services-reference.md as requested
Changes:
- Updated infrastructure.yaml section (6 active services)
- Moved Portainer and Authentik to alternatives.yaml section
- Added note about Watchtower being disabled (Docker API issue)
- Clarified which services are deployed by default vs available
- Corrected stack organization to match actual deployment
Critical fix for argon2 password hash preservation:
- Root cause: Bash variable expansion of $ characters in argon2id hashes
- Solution: Write hash directly from Docker output to file, bypass bash variables entirely
- setup-homelab.sh: Stream Docker output directly to /tmp/authelia_password_hash.tmp
- deploy-homelab.sh: Read hash file in Python to avoid any bash expansion
- Result: Password hash correctly preserved with full $argon2id$v=19$m=... format
Other changes:
- Added DOCKER_API_VERSION=1.44 env var for watchtower (API compatibility)
- Watchtower still has issues with Docker 29.1.4 - keeping version pinned for investigation
Tested on Debian 12 with Docker 29.1.4:
✅ All 11 critical containers healthy
✅ Authelia authentication working correctly
✅ Password hash preserved through entire deployment workflow
⚠️ Watchtower restart loop (non-critical, under investigation)
- Fix password file ownership (user can now read without sudo)
- Add dashboards stack to automated deployment (Step 5/6)
- Add SSL certificate notes to deploy script output
- Clarify .env file location in documentation (stays in repo folder)
- Update README and getting-started.md with accurate deployment steps
- Add Watchtower notification URL documentation
- Improve user feedback with admin credentials and dashboard URLs
- Remove dashboards from 'Next Steps' since it's now automated
User experience improvements:
- Password file readable by user immediately
- Homepage and Homarr deployed automatically
- Clear guidance on .env file management
- Better SSL certificate expectations
- Added compose files for core, infrastructure, and dashboards stacks
- Added Traefik, Authelia, and DuckDNS configuration files
- Added dockge.managed and dockge.url labels to all services
- Updated Watchtower to latest version with DOCKER_API_VERSION=1.44
- Created comprehensive SSL certificate troubleshooting guide for DuckDNS issues
- Add wildcard certificate configuration to Traefik docs
- Document DuckDNS DNS challenge limitations
- Add SSL troubleshooting commands to quick reference
- Update getting-started with certificate verification steps
- Emphasize single wildcard cert vs individual certs best practice
Documentation now reflects production wildcard certificate setup.
- Refactored README.md, getting-started.md, quick-reference.md
- Enhanced setup-homelab.sh with 9-step automated process
- Created services-overview.md with all stacks
- Added comprehensive documentation for 57 services in docs/service-docs/
- All services include: overview, configuration, resources, educational content
- Coverage: Core, Infrastructure, Dashboards, Media, Media-Extended, Home Assistant, Productivity, Utilities, Monitoring, Development stacks
- Educational focus with links to tutorials, videos, and guides
- Remove Authelia middleware from Vaultwarden
- Add comment explaining SSO bypass for app compatibility
- Update services-reference.md to show SSO disabled (✗)
Vaultwarden requires direct access for browser extensions and mobile apps to function properly, similar to Jellyfin and Plex.
Co-authored-by: kelinfoxy <67766943+kelinfoxy@users.noreply.github.com>
- Add Vaultwarden (Bitwarden) password manager to utilities.yml
- Self-hosted password manager with web UI
- SMTP configuration for email notifications
- Admin token for management
- Access at bitwarden.${DOMAIN}
- Protected by Authelia SSO
- Create automated first-run setup script (scripts/setup-homelab.sh)
- Installs Docker Engine and Compose V2
- Configures user groups (sudo, docker)
- Enables SSH for remote management
- Detects NVIDIA GPU and provides manual driver installation instructions
- Creates directory structure and Docker networks
- Comprehensive instructions for post-setup deployment
- Remove redundant compose files (now in core.yml)
- Deleted authelia.yml, duckdns.yml, gluetun.yml, traefik.yml
- All services consolidated into unified core.yml stack
- Eliminates confusion and duplication
- Update disk space requirements across documentation
- Changed from "100GB+ system, 1TB+ media" to:
- "120GB+ system drive (NVMe or SSD highly recommended)"
- "2TB+ for media & additional disks for services like Nextcloud"
- Updated in README.md and getting-started.md
- Add preference for LinuxServer.io images
- Updated copilot-instructions.md
- LinuxServer images support PUID/PGID for proper file permissions
- Preference noted in consistency guidelines
- Update core stack documentation
- Emphasize unified core.yml deployment
- Add both deployment methods (cd to directory vs full path)
- Update getting-started.md with correct deployment steps
- Note removal of separate stack files
- Add Bitwarden environment variables to .env.example
- BITWARDEN_ADMIN_TOKEN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED
- SMTP configuration for email notifications
- Generation instructions included
- Update services-reference.md
- Add Vaultwarden to utilities section (now 7 services)
- Update service count and access URLs
All documentation now consistent with unified core stack approach and includes all requested features.
Co-authored-by: kelinfoxy <67766943+kelinfoxy@users.noreply.github.com>
- Add Authentik service stack to infrastructure.yml
- Includes Authentik server, worker, PostgreSQL database, and Redis
- Alternative SSO with web UI for user management
- Access at authentik.${DOMAIN}
- Protected by Authelia SSO (comment out to use standalone)
- Fix Uptime Kuma duplicate listing
- Remove from utilities.yml
- Keep only in monitoring.yml where it belongs
- Add Traefik labels and SSO protection to monitoring instance
- Enable SSO on Jellyseerr by default
- Changed from bypass to protected (security-first approach)
- Users can comment out SSO if needed for public access
- Update SSO toggling documentation
- Emphasize commenting out (not removing) middleware line
- Add docker command examples for running from outside stack folder
- Show both "cd to directory" and "full path" methods
- Add examples for starting and stopping services multiple ways
- Enhance security-first methodology
- Update copilot instructions to default SSO to enabled
- Only Plex and Jellyfin bypass SSO by default
- All other services start secured, expose gradually
- Emphasize commenting (not removing) for easier re-enable
- Update services-reference.md
- Add Authentik to infrastructure section (12 services)
- Move Uptime Kuma to monitoring section (8 services)
- Remove from utilities (now 6 services)
- Update Jellyseerr SSO status from ✗ to ✓
- Improve Authentik documentation with deployment guidance
- Add Authentik environment variables to .env.example
- AUTHENTIK_SECRET_KEY, DB credentials
- Generation instructions included
All changes align with security-first principle: start secure, expose services only when ready for deployment.
Co-authored-by: kelinfoxy <67766943+kelinfoxy@users.noreply.github.com>
- Create core.yml combining DuckDNS, Traefik, Authelia, and Gluetun into single stack
- Simplifies initial deployment (deploy all core services with one command)
- All core services in /opt/stacks/core/ directory
- Reduces complexity for first-time setup
- Add Authelia SSO protection to Homepage and Homarr dashboards
- Prevents exposing service list before authentication
- Both dashboards now require sign-in to access
- Redesign services-reference.md with compact tree-view table
- Reduced from ~460 lines to ~150 lines while keeping all info
- Single comprehensive table with tree structure
- Shows: Stack, Services, SSO status, Storage paths, Access URLs
- Fits on 1-2 screen heights as requested
- Add comprehensive "Toggling SSO On/Off" section
- Quick guide to enable/disable Authelia middleware
- Use cases for development vs production
- AI can automatically toggle SSO when asked
- Add "Authelia Customization" section with:
- Branding and appearance options
- User management via YAML files
- Access control rules examples
- 2FA/TOTP configuration
- Session management settings
- Email notification setup
- Explanation of no web UI (by design, perfect for AI)
- Alternatives with web UI (Authentik, Keycloak)
- Update .github/copilot-instructions.md
- Add core stack explanation
- Update file organization to show core stack structure
- Add SSO toggling instructions
- Update docs/getting-started.md
- Simplify Step 7 to deploy single core stack
- Remove separate steps for DuckDNS, Traefik, Authelia
- Add verification and troubleshooting for core deployment
- Update subsequent steps to Step 8, 9, 10
Co-authored-by: kelinfoxy <67766943+kelinfoxy@users.noreply.github.com>
- Add Dockge to infrastructure (primary over Portainer)
- Create dashboards.yml with Homepage and Homarr (AI-configurable)
- Create homeassistant.yml with HA, ESPHome, TasmoAdmin, Node-RED, Mosquitto, Zigbee2MQTT, MotionEye
- Create media-extended.yml with Readarr, Lidarr, Lazy Librarian, Mylar3, Calibre-Web, Jellyseerr, FlareSolverr, Tdarr, Unmanic
- Create productivity.yml with Nextcloud, Mealie, WordPress, Gitea, DokuWiki, BookStack, MediaWiki (all with databases)
- Create utilities.yml with Backrest, Duplicati, Uptime Kuma, Code Server, Form.io, Authelia Redis
- Add Homepage configuration templates (services.yaml, docker.yaml, settings.yaml, widgets.yaml)
- All services include container names for Docker integration
- Widgets configured for services that support them (Sonarr, Radarr, Plex, Jellyfin, etc.)
- Organized by category with proper layouts
- Create docs/proxying-external-hosts.md - comprehensive guide for proxying Raspberry Pi and other external hosts via Traefik
- Update .env.example with all new service credentials and Homepage API keys
- Update infrastructure.yml to prioritize Dockge, add Dozzle, Glances, Docker Proxy
- All services configured with /opt/stacks paths, Traefik labels, and appropriate Authelia middleware
Co-authored-by: kelinfoxy <67766943+kelinfoxy@users.noreply.github.com>
