- Add CORE_SERVER_IP variable for remote server configuration
- Implement setup_multi_server_tls() function for shared CA management
- Change TLS failure handling from exit-on-error to warning-based approach
- Add TLS_ISSUES_SUMMARY for end-of-deployment remediation guidance
- Update documentation for automated TLS setup process
- Add comprehensive AI assistant instructions for project management
This allows deployments to complete successfully even with TLS issues,
providing clear remediation steps instead of failing the entire setup.
- Generate shared CA during core deployment for consistent trust across servers
- Modify setup_docker_tls() to use shared CA instead of per-server CAs
- Update share_certs_with_core() to copy shared CA from core server
- Re-enable TLS verification (DOCKER_TLS_VERIFY=1) in Sablier
- Fix Sablier certificate mounting for proper TLS connection
- Add docker-tls/ to .gitignore to prevent certificate leaks
- Update documentation for shared CA approach
- Add Sablier middleware to all 32 services across stacks
- Update vaultwarden port from 80 to 8091 to avoid conflicts
- Add tdarr-server and unmanic services with lazy loading
- Optimize health checks (wget for some services, dozzle built-in)
- Update Traefik routers and service definitions
- Update port documentation
All services now support on-demand startup via Sablier middleware.
- Change MediaWiki from port 8084 to 8086 to resolve conflict with TasmoAdmin
- Update Traefik loadbalancer port for MediaWiki
- Add MediaWiki to ports-in-use.md documentation
- TasmoAdmin now uses port 8084, MediaWiki uses port 8086
- Resolve port conflicts: TasmoAdmin (8084), Form.io (3002), Gitea (3010)
- Add missing Authelia SSO and Sablier lazy loading to utilities stack
- Standardize Form.io labels to match TRAEFIK CONFIGURATION guidelines
- Reorganize ports-in-use.md with stack-based table and proper column order
- Remove Dokuwiki deployment from ez-homelab.sh (already in productivity stack)
- Update service restart policies for lazy loading compatibility
- Changed all Sablier groups to ${SERVER_HOSTNAME}-arr for coordinated lazy loading
- Moved x-dockge URLs to top-level section with urls list format
- Added both HTTPS and localhost URLs for service discovery
- Updated guidelines and instructions to reflect new x-dockge format
- Reorganize Sablier middlewares in alphabetical order with authelia first
- Add service definitions comment to external-host-production.yml
- Update docker-guidelines.md with comprehensive Traefik configuration:
* Emphasize authelia SSO and sablier lazy loading as defaults
* Add detailed remote server configuration instructions
* Include complete TRAEFIK CONFIGURATION examples in service creation/modification guidelines
* Expand remote server setup with YAML file examples
* Update planning phase with Traefik considerations
* Enhance documentation phase with HTTPS URLs and routing notes
- Remove redundant .yml files from main docker-compose folder
- Update deploy script to use folder-based structure for all stacks
- Update documentation to reflect new folder-based organization
- Standardize all stacks to use docker-compose.yml in individual folders
This eliminates confusion between file-based and folder-based structures,
making the repository more maintainable and consistent.
- Updated all documentation references from AI-Homelab to EZ-Homelab
- Changed repository URLs and directory paths
- Updated wiki content and navigation
- Maintained AI assistance functionality while emphasizing ease of use
- Updated copilot instructions and agent guidelines
- Document safe stack removal process with proper cleanup steps
- Explain consequences of just deleting folders without stopping containers
- Add restoration instructions for accidentally removed stacks
- Include warnings about data loss and dependency checking
- Explain Let's Encrypt + DuckDNS integration
- Document staging vs production certificate servers
- Add troubleshooting guide for certificate issues
- Include best practices and validation commands
- Cover wildcard certificates and DNS challenge process
- Include commented staging caServer in config template
- Add troubleshooting section for test environment certificate conflicts
- Document rate limit avoidance strategies for development/testing
- Remove explicit DNS resolvers from dnsChallenge to fix propagation check failures
- Add note about resolvers causing issues with DuckDNS TXT record resolution
- Preserve knowledge from certificate debugging session
- Added Traefik labels and routing to prometheus, grafana, loki, cadvisor
- Fixed Grafana ROOT_URL to use domain-based URL (https://grafana.${DOMAIN})
- Added uptime-kuma bypass rule in Authelia (needs initial setup)
- Updated all services to use traefik-network
- Synced domain from kelin-hass to kelin-casa across all configs
- Fixed missing tls=true label on uptime-kuma
- Note: Loki is API-only service (no web UI, accessed via Grafana)
Fixes:
- docker-compose/infrastructure.yml:
- Uncommented Watchtower service
- Updated image from 1.7.1 to latest
- Changed DOCKER_API_VERSION from 1.44 to 1.52 (current Docker version)
- Added default empty value for WATCHTOWER_NOTIFICATION_URL
- scripts/deploy-homelab.sh:
- Removed "temporarily disabled" note
- Added Watchtower to infrastructure stack list
- docs/services-overview.md:
- Updated infrastructure stack count from 7 to 8
- Added Watchtower to service list
Watchtower now runs successfully with scheduled updates at 4 AM daily
Changes:
- scripts/setup-homelab.sh: Remove interactive deployment prompt
- Users must now run deploy script manually
- Simplifies both scripts (no sudo workarounds needed)
- Clearer two-step process: setup then deploy
- Documentation updates:
- README.md: Updated step 3-4 with manual deployment
- docs/getting-started.md: Removed step 6 (log out), clarified steps
- docs/manual-setup.md: Added sudo to deploy command
- docs/troubleshooting/COMMON-ISSUES.md: Added sudo to all deploy commands
Rationale:
- Automatic deployment via 'su -' cannot work with sudo requirement
- Manual two-step process is clearer and more reliable
- Setup focuses on configuration, deploy focuses on services
- Updated Getting Started Checklist with clone repo as first step
- Clarified deployment script description
- Added VS Code SSH tip in Simple Setup
- Enhanced VS Code integration section
- Added Debloat/custom service section with AI agent guidance
- README.md: Updated Traefik feature to mention wildcard certificates via DNS challenge
- README.md: Added wildcard cert note to deployment script section
- getting-started.md: Explicitly mention wildcard certificate generation in deploy step
All documentation now clearly states the project uses wildcard SSL certificates with DNS challenge.
- getting-started.md: Moved checklist before Simple Setup, removed Round 4 section
- authelia-customization.md: Updated Authentik reference to alternatives stack
- services-overview.md: Added clickable links to all stack compose files
- setup-homelab.sh: Added prompt to run deployment script after setup (defaults to yes)
- traefik.yml: Changed default to DNS challenge for wildcard certificates (DuckDNS)
All documentation now reflects wildcard certificate usage with DNS challenge.
- README.md: Fixed .env step order, updated to 60+ services
- getting-started.md: Service count updates, credential clarifications, moved Manual Setup to separate file
- manual-setup.md: Created comprehensive manual setup guide
- authelia-customization.md: Moved Authelia customization from services-overview
- services-overview.md: Added clickable links to service docs, removed disabled section and Quick Deployment
- quick-reference.md: Linked to scripts/README.md instead of duplicating content
- Removed services-reference.md as requested
Changes:
- Updated infrastructure.yaml section (6 active services)
- Moved Portainer and Authentik to alternatives.yaml section
- Added note about Watchtower being disabled (Docker API issue)
- Clarified which services are deployed by default vs available
- Corrected stack organization to match actual deployment
Critical fix for argon2 password hash preservation:
- Root cause: Bash variable expansion of $ characters in argon2id hashes
- Solution: Write hash directly from Docker output to file, bypass bash variables entirely
- setup-homelab.sh: Stream Docker output directly to /tmp/authelia_password_hash.tmp
- deploy-homelab.sh: Read hash file in Python to avoid any bash expansion
- Result: Password hash correctly preserved with full $argon2id$v=19$m=... format
Other changes:
- Added DOCKER_API_VERSION=1.44 env var for watchtower (API compatibility)
- Watchtower still has issues with Docker 29.1.4 - keeping version pinned for investigation
Tested on Debian 12 with Docker 29.1.4:
✅ All 11 critical containers healthy
✅ Authelia authentication working correctly
✅ Password hash preserved through entire deployment workflow
⚠️ Watchtower restart loop (non-critical, under investigation)
- Fix password file ownership (user can now read without sudo)
- Add dashboards stack to automated deployment (Step 5/6)
- Add SSL certificate notes to deploy script output
- Clarify .env file location in documentation (stays in repo folder)
- Update README and getting-started.md with accurate deployment steps
- Add Watchtower notification URL documentation
- Improve user feedback with admin credentials and dashboard URLs
- Remove dashboards from 'Next Steps' since it's now automated
User experience improvements:
- Password file readable by user immediately
- Homepage and Homarr deployed automatically
- Clear guidance on .env file management
- Better SSL certificate expectations
- Added compose files for core, infrastructure, and dashboards stacks
- Added Traefik, Authelia, and DuckDNS configuration files
- Added dockge.managed and dockge.url labels to all services
- Updated Watchtower to latest version with DOCKER_API_VERSION=1.44
- Created comprehensive SSL certificate troubleshooting guide for DuckDNS issues
- Add wildcard certificate configuration to Traefik docs
- Document DuckDNS DNS challenge limitations
- Add SSL troubleshooting commands to quick reference
- Update getting-started with certificate verification steps
- Emphasize single wildcard cert vs individual certs best practice
Documentation now reflects production wildcard certificate setup.
