Add script improvements documentation and update Arcane compose

- Add Script improvements.md documenting refactoring changes - Update Arcane docker-compose.yml configuration
Refactor: Major script reorganization and improvements
2026-02-11 21:10:38 -05:00 · 2026-02-11 20:41:18 -05:00 · 2026-02-11 14:56:03 -05:00 · 2026-02-11 00:16:13 -05:00 · 2026-02-10 21:19:39 -05:00 · 2026-02-10 21:16:45 -05:00
4643 changed files with 753021 additions and 15905 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,192 +1,207 @@
-# Environment Variables Template
+########################################################
-# Copy this file to .env and fill in your values
+####         EZ-Homelab .env template file          ####
 ####  EZ MODE: just run ez-homelab.sh               ####
 ########################################################
-# User and Group IDs for file permissions (get with: id -u and id -g) 
+########################################################
-PUID=1000
+#  ####           REQUIRED CONFIGURATION            ####
 # Required for file permissions (get with: id -u and id -g)
 TZ=America/New_York
 PUID=1000       
 PGID=1000
-TZ=America/New_York
+# This Server's IP and Hostname
 SERVER_IP=
 SERVER_HOSTNAME=
-SERVER_IP=192.168.1.100
+# Domain Configuration
-SERVER_HOSTNAME=debian  # used for Sablier group naming
+DUCKDNS_SUBDOMAINS=
-
+DUCKDNS_TOKEN=
 # Domain & DuckDNS Configuration
 DUCKDNS_SUBDOMAINS=yourdomain  # Without .duckdns.org
 DOMAIN=${DUCKDNS_SUBDOMAINS}.duckdns.org
 DUCKDNS_TOKEN=your-duckdns-token
-# Default credentials (used by multiple services for easier setup)
+# Default credentials (used by multiple services)
-DEFAULT_USER=admin
+# For better security: replace each ${DEFAULT_PASSWORD} with unique values
-DEFAULT_PASSWORD=changeme
+DEFAULT_USER=                              
-DEFAULT_EMAIL=admin@example.com
+DEFAULT_PASSWORD=
 DEFAULT_EMAIL=
-# DIRECTORY PATHS
+# FOLDER PATHS
 STACKS_DIR=/opt/stacks         # for Dockge 
 PROJECTS_DIR=${STACKS_DIR}     # for Arcane
 MEDIA_DIR=/mnt/media           # Large media files on separate drive
 DOWNLOAD_DIR=/mnt/downloads    # Downloads on separate drive
-USERDIR=/opt/stacks           # all docker-compose stacks
+# PROJECTDIR=~/projects         # User's projects folder
 MEDIADIR=/mnt/media           # Large media files on separate drive
 DOWNLOADDIR=/mnt/downloads    # Downloads on separate drive
 PROJECTDIR=~/projects         # User's projects folder
 #  ##########    END REQUIRED CONFIGURATION         ####
 ########################################################
-###################################################
+########################################################
-# ====  Everything above this line is required ====
+#  ####        OPTION 3: ADDITIONAL SERVER          ####
-###################################################
+CORE_SERVER_IP=
 CORE_SERVER_HOSTNAME=
 CORE_SERVER_USER=${DEFAULT_USER}
 CORE_SERVER_PASSWORD=${DEFAULT_PASSWORD}
 #  ####            END ADDITIONAL SERVER            ####
 ########################################################
-
+########################################################
-# Surfshark OpenVPN (RECOMMENDED - Default)
+#  ####             VPN CONFIGURATIONS              ####
-# Wireguard options are below and commented out
+SURFSHARK_USERNAME=
-SURFSHARK_USERNAME=your-surfshark-username
+SURFSHARK_PASSWORD=
 SURFSHARK_PASSWORD=your-surfshark-password
 VPN_SERVER_COUNTRIES=Netherlands  # Preferred VPN server location
 #  ####           END VPN CONFIGURATIONS            ####
 ########################################################
-# Optional: Email credentials for services that need SMTP
+########################################################
-SMTP_EMAIL_SERVER=smtp.gmail.com
+#  ####           EMAIL CONFIGURATIONS              ####
 SMTP_EMAIL_PASSWORD=
 SMTP_EMAIL_SERVER=smtp.gmail.com 
 SMTP_EMAIL_PORT=587
 SMTP_EMAIL_PASSWORD=your-email-app-password
 SMTP_EMAIL_FROM=${DEFAULT_EMAIL}
 SMTP_EMAIL_SECURITY=starttls
 ##################################################
 # ####   Individual Service Configurations    #### 
 # The default values should work as a starting point
 ##################################################
 # Let's Encrypt / ACME (for SSL certificates)
 ACME_EMAIL=${DEFAULT_EMAIL}
-ADMIN_EMAIL=${DEFAULT_EMAIL}  # Used for admin user account
+SMTP_USERNAME=${SMTP_EMAIL_FROM}
 SMTP_PASSWORD=${SMTP_EMAIL_PASSWORD}
 #  ####         END EMAIL CONFIGURATIONS            ####
 ########################################################
-# AUTHELIA SSO CONFIGURATION
+########################################################
-# The setup script will auto-generate these if not set
+#  ###########    DELETE AFTER DEPLOYMENT    ###########
 #  ####    Used by ez-homelab.sh & deploy scripts   ####
 #  ####       Unused by the actual containers       ####
-AUTHELIA_JWT_SECRET=generate-with-openssl-rand-hex-64
+# Public SSH key from the pc used to access the homelab
-AUTHELIA_SESSION_SECRET=generate-with-openssl-rand-hex-64
+# Will be added to the admin user's authorized_keys
-AUTHELIA_STORAGE_ENCRYPTION_KEY=generate-with-openssl-rand-hex-64
+# ####  DO NOT INCLUDE YOUR PRIVATE KEY  ####
 ADMIN_SSH_PUB_KEY=
-# ####  Authelia Admin Credentials  ####
+# Authelia Admin Credentials
 ADMIN_EMAIL=${DEFAULT_EMAIL}  
 AUTHELIA_ADMIN_USER=${DEFAULT_USER}
 AUTHELIA_ADMIN_EMAIL=${DEFAULT_EMAIL}
 AUTHELIA_ADMIN_PASSWORD=${DEFAULT_PASSWORD}
-# These will be auto-generated by EZ-Homelab.sh
+# Use this command to generate AUTHELIA_ADMIN_PASSWORD_HASH:
-# AUTHELIA_ADMIN_USER=${DEFAULT_USER}
+# docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password "YOUR_PASSWORD_HERE"
-# AUTHELIA_ADMIN_EMAIL=${DEFAULT_EMAIL}
+AUTHELIA_ADMIN_PASSWORD_HASH=
 # AUTHELIA_ADMIN_PASSWORD=${DEFAULT_PASSWORD}
-# SMTP for Authelia Notifications (OPTIONAL)
+# Use this command to generate each secret
-# If not configured, notifications are saved to file instead
+# openssl rand -hex 64
-# SMTP_USERNAME=${SMTP_EMAIL_FROM}
+AUTHELIA_JWT_SECRET=           
-# SMTP_PASSWORD=${SMTP_EMAIL_PASSWORD}
+AUTHELIA_SESSION_SECRET=
 AUTHELIA_STORAGE_ENCRYPTION_KEY=
-# ####   VPN OPTIONAL WIREGUARD CONFIGURATION (GLUETUN)  ####
+# Arcane secrets
-
+ARCANE_ENCRYPTION_KEY=
-# Surfshark WireGuard (OPTIONAL - Advanced users only)
+ARCANE_JWT_SECRET=
-# Get WireGuard details from Surfshark dashboard
+#  ##########    END DELETE AFTER DEPLOYMENT        ####
-# SURFSHARK_PRIVATE_KEY=your-wireguard-private-key
+########################################################
 # SURFSHARK_ADDRESSES=10.14.0.2/16
 # ####   ALTERNATIVE SERVICES (OPTIONAL)  ####
 # Deploy alternatives.yml stack if you want these
 # Authentik SSO (alternative to Authelia with web UI)
 # WARNING: Do not run both Authelia and Authentik at the same time
 # Generate secrets with: openssl rand -hex 50
 # AUTHENTIK_SECRET_KEY=your-authentik-secret-key-here-100-chars
 # AUTHENTIK_DB_USER=authentik
 # AUTHENTIK_DB_PASSWORD=changeme-authentik-db-password
 # AUTHENTIK_DB_NAME=authentik
 # PLEX_CLAIM=claim-xxxxxxxxxx       # Uncomment to user Plex instead of Jellyfin
-# ####  INFRASTRUCTURE SERVICES  ####
+########################################################
 #  #####################################################
 #  ####     Application Specific Configurations     ####
 #  #####################################################
-# Pi-hole
+#  #####################################################
-PIHOLE_PASSWORD=${DEFAULT_PASSWORD}
+#  ####                 Bitwarden                  #####
 #  #### SET TO FALSE AFTER CREATING USERS ####
-# Watchtower Notifications (optional)
+BITWARDEN_SIGNUPS_ALLOWED=true 
 #   If not set, Watchtower will still update containers but without notifications
 #   Supports various notification services via Shoutrrr URL format
 # WATCHTOWER_NOTIFICATION_URL=
 # #### Other Services  ####
 # qBittorrent
 QBITTORRENT_USER=admin
 QBITTORRENT_PASS=${DEFAULT_PASSWORD}
 # GRAFANA
 GRAFANA_ADMIN_PASSWORD=${DEFAULT_PASSWORD}
 # VS Code Server
 CODE_SERVER_PASSWORD=${DEFAULT_PASSWORD}
 CODE_SERVER_SUDO_PASSWORD=${DEFAULT_PASSWORD}
 # Jupyter Notebook
 JUPYTER_TOKEN=${DEFAULT_PASSWORD}
 # DATABASES - GENERAL
 POSTGRES_USER=${DEFAULT_USER}
 POSTGRES_PASSWORD=${DEFAULT_PASSWORD}
 POSTGRES_DB=homelab
 PGADMIN_EMAIL=${DEFAULT_EMAIL}
 PGADMIN_PASSWORD=${DEFAULT_PASSWORD}
 # Nextcloud
 NEXTCLOUD_ADMIN_USER=${DEFAULT_USER}
 NEXTCLOUD_ADMIN_PASSWORD=${DEFAULT_PASSWORD}
 NEXTCLOUD_DB_PASSWORD=${DEFAULT_PASSWORD}
 NEXTCLOUD_DB_ROOT_PASSWORD=${DEFAULT_PASSWORD}
 # Gitea
 GITEA_DB_PASSWORD=${DEFAULT_PASSWORD}
 # WordPress
 WORDPRESS_DB_PASSWORD=${DEFAULT_PASSWORD}
 WORDPRESS_DB_ROOT_PASSWORD=${DEFAULT_PASSWORD}
 # BookStack
 BOOKSTACK_DB_PASSWORD=${DEFAULT_PASSWORD}
 BOOKSTACK_DB_ROOT_PASSWORD=${DEFAULT_PASSWORD}
 # MediaWiki
 MEDIAWIKI_DB_PASSWORD=${DEFAULT_PASSWORD}
 MEDIAWIKI_DB_ROOT_PASSWORD=${DEFAULT_PASSWORD}
 # Bitwarden (Vaultwarden)
 BITWARDEN_ADMIN_TOKEN=${DEFAULT_PASSWORD}
 BITWARDEN_SIGNUPS_ALLOWED=true  # Set to false after creating accounts
 BITWARDEN_INVITATIONS_ALLOWED=true
 SMTP_HOST=${SMTP_EMAIL_SERVER}
 SMTP_FROM=${SMTP_EMAIL_FROM}
 SMTP_PORT=${SMTP_EMAIL_PORT}
 SMTP_SECURITY=${SMTP_EMAIL_SECURITY}
-# Form.io
+#  #####################################################
 #  ####                 Bookstack                  #####
 BOOKSTACK_DB_PASSWORD=${DEFAULT_PASSWORD}
 BOOKSTACK_DB_ROOT_PASSWORD=${DEFAULT_PASSWORD}
 #  #####################################################
 #  ####                 Code Server                #####
 CODE_SERVER_PASSWORD=${DEFAULT_PASSWORD}
 CODE_SERVER_SUDO_PASSWORD=${DEFAULT_PASSWORD}
 #  #####################################################
 #  ####                  Form.io                   #####
 FORMIO_JWT_SECRET=${DEFAULT_PASSWORD}
 FORMIO_DB_SECRET=${DEFAULT_PASSWORD}
-####################################
+#  #####################################################
-# HOMEPAGE DASHBOARD - API KEYS
+#  ####                   Gitea                    #####
 ####################################
-# HOMEPAGE_VAR_DOMAIN=${DOMAIN}
+GITEA_DB_PASSWORD=${DEFAULT_PASSWORD}
-# HOMEPAGE_VAR_SERVER_IP=${SERVER_IP}
+
-# HOMEPAGE_VAR_PORTAINER_KEY=your-portainer-api-key
+#  #####################################################
-# HOMEPAGE_VAR_PIHOLE_KEY=your-pihole-api-key
+#  ####                  Grafana                   #####
-# HOMEPAGE_VAR_PLEX_KEY=your-plex-token
+
-# HOMEPAGE_VAR_JELLYFIN_KEY=your-jellyfin-api-key
+GRAFANA_ADMIN_PASSWORD=${DEFAULT_PASSWORD}
-# HOMEPAGE_VAR_SONARR_KEY=your-sonarr-api-key
+
-# HOMEPAGE_VAR_RADARR_KEY=your-radarr-api-key
+#  #####################################################
-# HOMEPAGE_VAR_LIDARR_KEY=your-lidarr-api-key
+#  ####                 Homepage                   #####
-# HOMEPAGE_VAR_READARR_KEY=your-readarr-api-key
+
-# HOMEPAGE_VAR_PROWLARR_KEY=your-prowlarr-api-key
+# comma separated list NO SPACES!!!
-# HOMEPAGE_VAR_JELLYSEERR_KEY=your-jellyseerr-api-key
+HOMEPAGE_ALLOWED_HOSTS=homepage.${DOMAIN},${SERVER_IP}:3003
-# HOMEPAGE_VAR_QBITTORRENT_USER=${QBITTORRENT_USER}
+
-# HOMEPAGE_VAR_QBITTORRENT_PASS=${QBITTORRENT_PASS}
+#  #####################################################
-# HOMEPAGE_VAR_HA_KEY=your-home-assistant-long-lived-token
+#  ####                  Jupyter                   #####
-# HOMEPAGE_VAR_NEXTCLOUD_USER=${NEXTCLOUD_ADMIN_USER}
+
-# HOMEPAGE_VAR_NEXTCLOUD_PASS=${NEXTCLOUD_ADMIN_PASSWORD}
+JUPYTER_TOKEN=${DEFAULT_PASSWORD}
-# HOMEPAGE_VAR_GRAFANA_USER=admin
+
-# HOMEPAGE_VAR_GRAFANA_PASS=${GRAFANA_ADMIN_PASSWORD}
+#  #####################################################
-# HOMEPAGE_VAR_BOOKSTACK_KEY=your-bookstack-api-token
+#  ####                 MediaWiki                  #####
-# HOMEPAGE_VAR_UPTIMEKUMA_SLUG=your-uptime-kuma-slug
+
-# HOMEPAGE_VAR_OPENWEATHER_KEY=your-openweather-api-key
+MEDIAWIKI_DB_PASSWORD=${DEFAULT_PASSWORD}
-# HOMEPAGE_VAR_WEATHERAPI_KEY=your-weatherapi-key
+MEDIAWIKI_DB_ROOT_PASSWORD=${DEFAULT_PASSWORD}
-# HOMEPAGE_VAR_UNIFI_USER=your-unifi-username
+
-# HOMEPAGE_VAR_UNIFI_PASS=your-unifi-password
+#  #####################################################
 #  ####                 Nextcloud                  #####
 NEXTCLOUD_ADMIN_USER=${DEFAULT_USER}
 NEXTCLOUD_ADMIN_PASSWORD=${DEFAULT_PASSWORD}
 NEXTCLOUD_DB_PASSWORD=${DEFAULT_PASSWORD}
 NEXTCLOUD_DB_ROOT_PASSWORD=${DEFAULT_PASSWORD}
 NEXTCLOUD_DIR=./nextcloud/data
 #  #####################################################
 #  ####                  Pi-hole                   #####
 PIHOLE_PASSWORD=${DEFAULT_PASSWORD}
 #  #####################################################
 #  ####               qBittorrent                  #####
 QBITTORRENT_USER=admin
 QBITTORRENT_PASS=${DEFAULT_PASSWORD}
 #  #####################################################
 #  ####      SURFSHARK OPTIONAL CONFIGURATIONS      ####
 # Surfshark WireGuard (OPTIONAL - Advanced users only)
 # Get WireGuard details from Surfshark dashboard
 # SURFSHARK_PRIVATE_KEY=your-wireguard-private-key
 # SURFSHARK_ADDRESSES=10.14.0.2/16
 #  #####################################################
 #  ####                Watchtower                  #####
 # WATCHTOWER_NOTIFICATION_URL=
 #  #####################################################
 #  ####                 WordPress                  #####
 WORDPRESS_DB_PASSWORD=${DEFAULT_PASSWORD}
 WORDPRESS_DB_ROOT_PASSWORD=${DEFAULT_PASSWORD}
 TDARR_TRANSCODE_DIR=./tdarr/transcode_cache
 UNMANIC_TRANSCODE_DIR=./unmanic/cache
--- a/.gitignore
+++ b/.gitignore
@@ -36,6 +36,9 @@ tmp/
 temp/
 *.tmp
 # Test/debug files with hardcoded values
 markup.yml
 # Docker volumes (if locally mounted)
 volumes/
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
 [![Authelia](https://img.shields.io/badge/Authelia-4.38.0-113155)](https://www.authelia.com)
 [![GitHub release (latest by date)](https://img.shields.io/github/v/release/kelinfoxy/EZ-Homelab)](https://github.com/kelinfoxy/EZ-Homelab/releases/latest)
->Production-ready homelab infrastructure with automated SSL, SSO authentication, and VPN routing.  
+>Homelab infrastructure with automated SSL, SSO authentication, and VPN routing.  
 Deploy 50+ services through a file-based, AI-manageable architecture.  
 Plus Dockge for visual management of containers, and Homepage dashboard to easily access deployed services.  
@@ -31,6 +31,12 @@ cd EZ-Homelab
 ./scripts/ez-homelab.sh
 ```
 **Multi-Server Support:**
 - **Core Server**: Full deployment with ports 80/443 forwarded from router
 - **Remote Servers**: Infrastructure-only setup (option 3 in script)
 - Each server runs its own Traefik and Sablier for local container management
 - Core server Traefik routes to all servers via Docker TLS providers
 **What the script does:**
 - Installs Docker and required system packages
 - Guides you through configuration (domain, admin credentials, etc.)
@@ -44,41 +50,56 @@ cd EZ-Homelab
 ## 📚 Documentation
-For comprehensive documentation, see the [GitHub Wiki](https://github.com/kelinfoxy/EZ-Homelab/wiki):
+- **[Getting Started Guide](docs/getting-started.md)** - Step-by-step deployment and configuration
-
+- **[Automated Setup](docs/automated-setup.md)** - Guided installation with ez-homelab.sh script
- **[Getting Started Guide](https://github.com/kelinfoxy/EZ-Homelab/wiki/Getting-Started-Guide)** - Step-by-step deployment and configuration
+- **[Manual Setup](docs/manual-setup.md)** - Step-by-step manual installation
- **[Docker Guidelines](https://github.com/kelinfoxy/EZ-Homelab/wiki/Docker-Guidelines)** - Service management patterns and best practices
+- **[Docker Guidelines](docs/docker-guidelines.md)** - Service management patterns and best practices
- **[Quick Reference](https://github.com/kelinfoxy/EZ-Homelab/wiki/Quick-Reference)** - Command cheat sheet and troubleshooting
+- **[Services Reference](docs/services-overview.md)** - All 50+ available services
- **[Services Reference](https://github.com/kelinfoxy/EZ-Homelab/wiki/Services-Overview)** - All 70+ available services
+- **[Quick Reference](docs/quick-reference.md)** - Command cheat sheet and troubleshooting
- **[Proxying External Hosts](https://github.com/kelinfoxy/EZ-Homelab/wiki/Proxying-External-Hosts)** - Connect non-Docker services (Raspberry Pi, NAS, etc.)
+- **[Proxying External Hosts](docs/proxying-external-hosts.md)** - Connect non-Docker services (Raspberry Pi, NAS, etc.)
 - **[Multi-Server Setup](docs/Ondemand-Remote-Services.md)** - Deploy services across multiple servers
 ## 🚀 Quick Navigation
-**New to EZ-Homelab?** → [Getting Started Guide](https://github.com/kelinfoxy/EZ-Homelab/wiki/Getting-Started-Guide)
+**New to EZ-Homelab?** → [Getting Started Guide](docs/getting-started.md)
-**Need Help Deploying?** → [Automated Setup](https://github.com/kelinfoxy/EZ-Homelab/wiki/Getting-Started-Guide#automated-setup)
+**Need Help Deploying?** → [Automated Setup](docs/automated-setup.md)
-**Want to Add Services?** → [Service Creation Guide](https://github.com/kelinfoxy/EZ-Homelab/wiki/Docker-Guidelines#service-creation-guidelines)
+**Want to Add Services?** → [Service Creation Guide](docs/docker-guidelines.md)
-**Having Issues?** → [Troubleshooting](https://github.com/kelinfoxy/EZ-Homelab/wiki/Quick-Reference#troubleshooting)
+**Having Issues?** → [Troubleshooting](docs/quick-reference.md)
-**Managing Services?** → [Dockge Dashboard](https://dockge.yourdomain.duckdns.org)
+**Multi-Server Setup?** → [Remote Services Guide](docs/Ondemand-Remote-Services.md)
 **Managing Services?** → Dockge Dashboard at `https://dockge.yourdomain.duckdns.org`
 ### Service Documentation
-Individual service documentation is available in the [GitHub Wiki](https://github.com/kelinfoxy/EZ-Homelab/wiki):
+Individual service documentation is available in [docs/service-docs/](docs/service-docs/):
- [Authelia](https://github.com/kelinfoxy/EZ-Homelab/wiki/Authelia) - SSO authentication
+- [Authelia](docs/service-docs/authelia.md) - SSO authentication
- [Traefik](https://github.com/kelinfoxy/EZ-Homelab/wiki/Traefik) - Reverse proxy and SSL
+- [Traefik](docs/service-docs/traefik.md) - Reverse proxy and SSL
- [Dockge](https://github.com/kelinfoxy/EZ-Homelab/wiki/Dockge) - Stack management
+- [Sablier](docs/service-docs/sablier.md) - Lazy loading for on-demand containers
- [Homepage](https://github.com/kelinfoxy/EZ-Homelab/wiki/Homepage) - Service dashboard
+- [DuckDNS](docs/service-docs/duckdns.md) - Dynamic DNS
- And 50+ more services...
+- [Dockge](docs/service-docs/dockge.md) - Stack management
 - [Homepage](docs/service-docs/homepage.md) - Service dashboard
 - And 50+ more services in the docs/service-docs/ folder
 ## 🏗️ Architecture
-### Core Infrastructure
+### Core Infrastructure (Deploy on Main Server)
 - **Traefik** - Reverse proxy with automatic HTTPS termination
 - **Authelia** - Single sign-on (SSO) authentication
 - **DuckDNS** - Dynamic DNS with wildcard SSL certificates
- **Sablier** - Lazy loading service for on-demand containers
+- **Traefik** - Reverse proxy with automatic HTTPS termination and multi-server routing
 - **Authelia** - Single sign-on (SSO) authentication
 ### Per-Server Infrastructure (Deploy on Each Server)
 - **Traefik** - Local reverse proxy instance for container discovery
 - **Sablier** - Lazy loading service for on-demand local container startup
 ### Multi-Server Architecture
 - **Core Server**: Only server with ports 80/443 forwarded from router
 - **Remote Servers**: Connect to core via Docker TLS (port 2376)
 - **Unified Access**: All services accessible through core server's domain
 - **Automatic Routing**: Core Traefik discovers services on all servers
 - **Lazy Loading**: Each server's Sablier manages local containers only
 ### VPN Services
 - **Gluetun** - VPN client for secure downloads
@@ -94,11 +115,13 @@ Individual service documentation is available in the [GitHub Wiki](https://githu
 ### Key Features
 - **File-based configuration** - AI-manageable YAML files
 - **Multi-server support** - Scale across multiple machines with unified access
 - **Automated SSL** - Wildcard certificates via Let's Encrypt
 - **Automatic routing** - Traefik discovers services across all servers
 - **VPN routing** - Secure download clients through Gluetun
 - **Resource limits** - Prevent resource exhaustion
 - **SSO protection** - Authelia integration with bypass options
- **Lazy loading** - Sablier enables on-demand container startup
+- **Lazy loading** - Per-server Sablier enables on-demand container startup
 - **Automated backups** - Restic + Backrest for comprehensive data protection
 ## 🤖 AI Management
@@ -121,8 +144,8 @@ This homelab is designed to be managed by AI agents through VS Code with GitHub
 ## 🔧 Manual Setup
 If automated scripts fail, see:
- **[Manual Setup Guide](https://github.com/kelinfoxy/EZ-Homelab/wiki/Manual-Setup)** - Step-by-step manual installation
+- **[Manual Setup Guide](docs/manual-setup.md)** - Step-by-step manual installation
- **[Troubleshooting](https://github.com/kelinfoxy/EZ-Homelab/wiki/Troubleshooting)** - Common issues and solutions
+- **[Troubleshooting](docs/quick-reference.md)** - Common issues and solutions
 ## 🤝 Contributing
--- a/improvements.md
+++ b/improvements.md
@@ -0,0 +1,71 @@
 # Script Improvements
 # Latest test results
 ## **Option 1 Install Prerequesites**: 
    Works as intended, but want to run commands silently with custom output for success/error messages. Needs the visual layout update.
 ## **Option 2 Deploy Core Server**:
 ### **arcane deployment**: 
    Files copied, variables replaced, docker compose up failed. Manually started the stack without errors. 
    Otherwise it works as intended. 
    It has been manually updated to achieve a specific visual layout. 
    Use this as a reference for the visual layout I want throughout.
 ## **Option 3 Deploy Additional Server**: 
    * Missing function call to deploy arcane
    * Dockge and Infrastructure stack deployed successfully.
    * Other stacks seem to have been copied correctly.
    * Fails to copy ssh key to core server and gives no specific error, skipping ssh setup and everything else completes without error. Related to conflicting info in known_hosts. May have to rethink this logic.
    * It seems to also have verbose output on by default, that's not right.
    * It needs the visual layout update.
 ## Visual Layout
    * Based on Option 2 styling
    * All lines begin with `‖` or the corresponding corner, 90, or tee symbol 
    * Text uses the format `‖  some text` with 2 spaces between ‖ and the text
    * The visual layout of the select an option promts have been converted to a horizontal layout and the Option input integrated into the visual layout.
 ### **Requires the visual layout update**
    * When running the script without manually creating/editing .env the way it prompts for values 
    * When the script warns that Option 3 requires an existing core server
    * When the script prompts for ssh keys
    * Any other place the script prompts the user
 ## **homepage config files**: 
    * replace placeholders with vars. 
    * Remove sections for remote server services. 
    * For services that run on multiple servers use the format service.server_hostname.domain (dockge, glances, dozzle, backrest, & duplicati)
 ## Future Plans
 * Configure arcane using env for deployment, and hopefully after logging into arcane it will store the settings in the db, then I could comment out the env variables to re-enable webui configuration, restart the stack, and my default settings should persist but be modifiable in the webui. I hope it works that way, requires research and testing.
 * Figure out requirements and how to configure arcane on every server with the environment of each server. So that user can manage any server via arcane from the webui of any of the servers.
 * Develop a procedure for creating arcane templates from my copose files that will maintain the same functionality.
 * Create arcane registry file for all services, hosted from the repo. The goal is to make the templates near 1-click installs from arcane. The templates should use .env.global as default variables (such as: puid, pgid, server_ip, domain, and many more).
--- a/config-templates/authelia/users_database.yml
+++ b/config-templates/authelia/users_database.yml
@@ -1,20 +0,0 @@
 # Authelia Users Database
 # Copy to /opt/stacks/authelia/users_database.yml
 # Generate password hashes with: docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword'
 users:
  admin:
    displayname: "Admin User"
    password: "$argon2id$v=19$m=65536,t=3,p=4$CHANGEME"  # Replace with your hashed password
    email: admin@example.com
    groups:
      - admins
      - users
  # Example: Additional user
  # user1:
  #   displayname: "User One"
  #   password: "$argon2id$v=19$m=65536,t=3,p=4$CHANGEME"
  #   email: user1@example.com
  #   groups:
  #     - users
--- a/config-templates/dokuwiki/conf/.htaccess
+++ b/config-templates/dokuwiki/conf/.htaccess
@@ -1,8 +0,0 @@
 ## no access to the conf directory
 <IfModule mod_authz_core.c>
    Require all denied
 </IfModule>
 <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
 </IfModule>
--- a/config-templates/dokuwiki/conf/acl.auth.php
+++ b/config-templates/dokuwiki/conf/acl.auth.php
@@ -1,10 +0,0 @@
 # acl.auth.php
 # <?php exit()?>
 # Don't modify the lines above
 #
 # Access Control Lists
 #
 # Auto-generated by install script
 # Date: Tue, 20 Jan 2026 20:06:48 -0500
 *               @ALL          1
 *               @user         8
--- a/config-templates/dokuwiki/conf/acl.auth.php.dist
+++ b/config-templates/dokuwiki/conf/acl.auth.php.dist
@@ -1,21 +0,0 @@
 # acl.auth.php
 # <?php exit()?>
 # Don't modify the lines above
 #
 # Access Control Lists
 #
 # Editing this file by hand shouldn't be necessary. Use the ACL
 # Manager interface instead.
 #
 # If your auth backend allows special char like spaces in groups
 # or user names you need to urlencode them (only chars <128, leave
 # UTF-8 multibyte chars as is)
 #
 # none   0
 # read   1
 # edit   2
 # create 4
 # upload 8
 # delete 16
 *               @ALL        8
--- a/config-templates/dokuwiki/conf/acronyms.conf
+++ b/config-templates/dokuwiki/conf/acronyms.conf
@@ -1,62 +0,0 @@
 # Acronyms.
 ACL          Access Control List
 AFAICS       As far as I can see
 AFAIK        As far as I know
 AFAIR        As far as I remember
 API          Application Programming Interface
 ASAP         As soon as possible
 ASCII        American Standard Code for Information Interchange
 BTW          By the way
 CMS          Content Management System
 CSS          Cascading Style Sheets
 DNS          Domain Name System
 EOF          End of file
 EOL          End of line
 EOM          End of message
 EOT          End of text
 FAQ          Frequently Asked Questions
 FTP          File Transfer Protocol
 FOSS         Free & Open-Source Software
 FLOSS        Free/Libre and Open Source Software
 FUD          Fear, Uncertainty, and Doubt
 FYI          For your information
 GB           Gigabyte
 GHz          Gigahertz
 GPL          GNU General Public License
 GUI          Graphical User Interface
 HTML         HyperText Markup Language
 IANAL        I am not a lawyer (but)
 IE           Internet Explorer
 IIRC         If I remember correctly
 IMHO         In my humble opinion
 IMO          In my opinion
 IOW          In other words
 IRC          Internet Relay Chat
 IRL          In real life
 KISS         Keep it simple stupid
 LAN          Local Area Network
 LGPL         GNU Lesser General Public License
 LOL          Laughing out loud
 MathML       Mathematical Markup Language
 MB           Megabyte
 MHz          Megahertz
 MSIE         Microsoft Internet Explorer
 OMG          Oh my God
 OS           Operating System
 OSS          Open Source Software
 OTOH         On the other hand
 PITA         Pain in the Ass
 RFC          Request for Comments
 ROTFL        Rolling on the floor laughing
 RTFM         Read The Fine Manual
 spec         specification
 TIA          Thanks in advance
 TL;DR        Too long; didn't read
 TOC          Table of Contents
 URI          Uniform Resource Identifier
 URL          Uniform Resource Locator
 W3C          World Wide Web Consortium
 WTF?         What the f***
 WYSIWYG      What You See Is What You Get
 YMMV         Your mileage may vary
--- a/config-templates/dokuwiki/conf/dokuwiki.php
+++ b/config-templates/dokuwiki/conf/dokuwiki.php
@@ -1,187 +0,0 @@
 <?php
 /**
 * This is DokuWiki's Main Configuration file
 *
 * All the default values are kept here, you should not modify it but use
 * a local.php file instead to override the settings from here.
 *
 * This is a piece of PHP code so PHP syntax applies!
 *
 * For help with the configuration and a more detailed explanation of the various options
 * see https://www.dokuwiki.org/config
 */
 /* Basic Settings */
 $conf['title']       = 'DokuWiki';        //what to show in the title
 $conf['start']       = 'start';           //name of start page
 $conf['lang']        = 'en';              //your language
 $conf['template']    = 'dokuwiki';         //see lib/tpl directory
 $conf['tagline']     = '';                //tagline in header (if template supports it)
 $conf['sidebar']     = 'sidebar';         //name of sidebar in root namespace (if template supports it)
 $conf['license']     = 'cc-by-nc-sa';     //see conf/license.php
 $conf['savedir']     = './data';          //where to store all the files
 $conf['basedir']     = '';                //absolute dir from serveroot - blank for autodetection
 $conf['baseurl']     = '';                //URL to server including protocol - blank for autodetect
 $conf['cookiedir']   = '';                //path to use in cookies - blank for basedir
 $conf['dmode']       = 0755;              //set directory creation mode
 $conf['fmode']       = 0644;              //set file creation mode
 $conf['allowdebug']  = 0;                 //allow debug output, enable if needed 0|1
 /* Display Settings */
 $conf['recent']      = 20;                //how many entries to show in recent
 $conf['recent_days'] = 7;                 //How many days of recent changes to keep. (days)
 $conf['breadcrumbs'] = 10;                //how many recent visited pages to show
 $conf['youarehere']  = 0;                 //show "You are here" navigation? 0|1
 $conf['fullpath']    = 0;                 //show full path of the document or relative to datadir only? 0|1
 $conf['typography']  = 1;                 //smartquote conversion 0=off, 1=doublequotes, 2=all quotes
 $conf['dformat']     = '%Y/%m/%d %H:%M';  //dateformat accepted by PHPs strftime() function
 $conf['signature']   = ' --- //[[@MAIL@|@NAME@]] @DATE@//'; //signature see wiki page for details
 $conf['showuseras']  = 'loginname';       // 'loginname' users login name
                                          // 'username' users full name
                                          // 'email' e-mail address (will be obfuscated as per mailguard)
                                          // 'email_link' e-mail address as a mailto: link (obfuscated)
 $conf['toptoclevel'] = 1;                 //Level starting with and below to include in AutoTOC (max. 5)
 $conf['tocminheads'] = 3;                 //Minimum amount of headlines that determines if a TOC is built
 $conf['maxtoclevel'] = 3;                 //Up to which level include into AutoTOC (max. 5)
 $conf['maxseclevel'] = 3;                 //Up to which level create editable sections (max. 5)
 $conf['camelcase']   = 0;                 //Use CamelCase for linking? (I don't like it) 0|1
 $conf['deaccent']    = 1;                 //deaccented chars in pagenames (1) or romanize (2) or keep (0)?
 $conf['useheading']  = 0;                 //use the first heading in a page as its name
 $conf['sneaky_index']= 0;                 //check for namespace read permission in index view (0|1) (1 might cause unexpected behavior)
 $conf['hidepages']   = '';                //Regexp for pages to be skipped from RSS, Search and Recent Changes
 /* Authentication Settings */
 $conf['useacl']      = 0;                //Use Access Control Lists to restrict access?
 $conf['autopasswd']  = 1;                //autogenerate passwords and email them to user
 $conf['authtype']    = 'authplain';      //which authentication backend should be used
 $conf['passcrypt']   = 'bcrypt';           //Used crypt method (smd5,md5,sha1,ssha,crypt,mysql,my411,bcrypt)
 $conf['defaultgroup']= 'user';           //Default groups new Users are added to
 $conf['superuser']   = '!!not set!!';    //The admin can be user or @group or comma separated list user1,@group1,user2
 $conf['manager']     = '!!not set!!';    //The manager can be user or @group or comma separated list user1,@group1,user2
 $conf['profileconfirm'] = 1;             //Require current password to confirm changes to user profile
 $conf['rememberme'] = 1;                 //Enable/disable remember me on login
 $conf['disableactions'] = '';            //comma separated list of actions to disable
 $conf['auth_security_timeout'] = 900;    //time (seconds) auth data is considered valid, set to 0 to recheck on every page view
 $conf['securecookie'] = 1;               //never send HTTPS cookies via HTTP
 $conf['samesitecookie'] = 'Lax';         //SameSite attribute for cookies (Lax|Strict|None|Empty)
 $conf['remote']      = 0;                //Enable/disable remote interfaces
 $conf['remoteuser']  = '!!not set!!';    //user/groups that have access to remote interface (comma separated). leave empty to allow all users
 $conf['remotecors']  = '';               //enable Cross-Origin Resource Sharing (CORS) for the remote interfaces. Asterisk (*) to allow all origins. leave empty to deny.
 /* Antispam Features */
 $conf['usewordblock']= 1;                //block spam based on words? 0|1
 $conf['relnofollow'] = 1;                //use rel="ugc nofollow" for external links?
 $conf['indexdelay']  = 60*60*24*5;       //allow indexing after this time (seconds) default is 5 days
 $conf['mailguard']   = 'hex';            //obfuscate email addresses against spam harvesters?
                                         //valid entries are:
                                         //  'visible' - replace @ with [at], . with [dot] and - with [dash]
                                         //  'hex'     - use hex entities to encode the mail address
                                         //  'none'    - do not obfuscate addresses
 $conf['iexssprotect']= 1;                // check for JavaScript and HTML in uploaded files 0|1
 /* Editing Settings */
 $conf['usedraft']    = 1;                //automatically save a draft while editing (0|1)
 $conf['locktime']    = 15*60;            //maximum age for lockfiles (defaults to 15 minutes)
 $conf['cachetime']   = 60*60*24;         //maximum age for cachefile in seconds (defaults to a day)
 /* Link Settings */
 // Set target to use when creating links - leave empty for same window
 $conf['target']['wiki']      = '';
 $conf['target']['interwiki'] = '';
 $conf['target']['extern']    = '';
 $conf['target']['media']     = '';
 $conf['target']['windows']   = '';
 /* Media Settings */
 $conf['mediarevisions'] = 1;             //enable/disable media revisions
 $conf['refcheck']    = 1;                //check for references before deleting media files
 $conf['gdlib']       = 2;                //the GDlib version (0, 1 or 2) 2 tries to autodetect
 $conf['im_convert']  = '';               //path to ImageMagicks convert (will be used instead of GD)
 $conf['jpg_quality'] = '70';             //quality of compression when scaling jpg images (0-100)
 $conf['fetchsize']   = 0;                //maximum size (bytes) fetch.php may download from extern, disabled by default
 /* Notification Settings */
 $conf['subscribers'] = 0;                //enable change notice subscription support
 $conf['subscribe_time'] = 24*60*60;      //Time after which digests / lists are sent (in sec, default 1 day)
                                         //Should be smaller than the time specified in recent_days
 $conf['notify']      = '';               //send change info to this email (leave blank for nobody)
 $conf['registernotify'] = '';            //send info about newly registered users to this email (leave blank for nobody)
 $conf['mailfrom']    = '';               //use this email when sending mails
 $conf['mailreturnpath']    = '';         //use this email as returnpath for bounce mails
 $conf['mailprefix']  = '';               //use this as prefix of outgoing mails
 $conf['htmlmail']    = 1;                //send HTML multipart mails
 $conf['dontlog'] = 'debug';              //logging facilities that should be disabled
 $conf['logretain'] = 3;                  //how many days of logs to keep
 /* Syndication Settings */
 $conf['sitemap']     = 0;                //Create a Google sitemap? How often? In days.
 $conf['rss_type']    = 'rss1';           //type of RSS feed to provide, by default:
                                         //  'rss'  - RSS 0.91
                                         //  'rss1' - RSS 1.0
                                         //  'rss2' - RSS 2.0
                                         //  'atom' - Atom 0.3
                                         //  'atom1' - Atom 1.0
 $conf['rss_linkto'] = 'diff';            //what page RSS entries link to:
                                         //  'diff'    - page showing revision differences
                                         //  'page'    - the revised page itself
                                         //  'rev'     - page showing all revisions
                                         //  'current' - most recent revision of page
 $conf['rss_content'] = 'abstract';       //what to put in the items by default?
                                         //  'abstract' - plain text, first paragraph or so
                                         //  'diff'     - plain text unified diff wrapped in <pre> tags
                                         //  'htmldiff' - diff as HTML table
                                         //  'html'     - the full page rendered in XHTML
 $conf['rss_media']   = 'both';           //what should be listed?
                                         //  'both'     - page and media changes
                                         //  'pages'    - page changes only
                                         //  'media'    - media changes only
 $conf['rss_update'] = 5*60;              //Update the RSS feed every n seconds (defaults to 5 minutes)
 $conf['rss_show_summary'] = 1;           //Add revision summary to title? 0|1
 $conf['rss_show_deleted'] = 1;           //Show deleted items 0|1
 /* Advanced Settings */
 $conf['updatecheck'] = 1;                //automatically check for new releases?
 $conf['userewrite']  = 0;                //this makes nice URLs: 0: off 1: .htaccess 2: internal
 $conf['useslash']    = 0;                //use slash instead of colon? only when rewrite is on
 $conf['sepchar']     = '_';              //word separator character in page names; may be a
                                         //  letter, a digit, '_', '-', or '.'.
 $conf['canonical']   = 0;                //Should all URLs use full canonical http://... style?
 $conf['fnencode']    = 'url';            //encode filenames (url|safe|utf-8)
 $conf['autoplural']  = 0;                //try (non)plural form of nonexistent files?
 $conf['compression'] = 'gz';             //compress old revisions: (0: off) ('gz': gnuzip) ('bz2': bzip)
                                         //  bz2 generates smaller files, but needs more cpu-power
 $conf['gzip_output'] = 0;                //use gzip content encoding for the output xhtml (if allowed by browser)
 $conf['compress']    = 1;                //Strip whitespaces and comments from Styles and JavaScript? 1|0
 $conf['cssdatauri']  = 512;              //Maximum byte size of small images to embed into CSS, won't work on IE<8
 $conf['send404']     = 0;                //Send an HTTP 404 status for nonexistent pages?
 $conf['broken_iua']  = 0;                //Platform with broken ignore_user_abort (IIS+CGI) 0|1
 $conf['xsendfile']   = 0;                //Use X-Sendfile (1 = lighttpd, 2 = standard)
 $conf['renderer_xhtml'] = 'xhtml';       //renderer to use for main page generation
 $conf['readdircache'] = 0;               //time cache in second for the readdir operation, 0 to deactivate.
 $conf['search_nslimit'] = 0;             //limit the search to the current X namespaces
 $conf['search_fragment'] = 'exact';      //specify the default fragment search behavior
 /* Feature Flags */
 $conf['defer_js'] = 1;                   // Defer javascript to be executed after the page's HTML has been parsed. Setting will be removed in the next release.
 $conf['hidewarnings'] = 0;               // Hide warnings
 /* Network Settings */
 $conf['dnslookups'] = 1;                 //disable to disallow IP to hostname lookups
 $conf['jquerycdn']  = 0;                 //use a CDN for delivering jQuery?
 $conf['trustedproxies'] = array('::1', 'fe80::/10', '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16');
                                         // Trusted proxy servers from which to read the X-Forwarded-For header.
                                         // Each item in the array may be either an IPv4 or IPv6 address, or
                                         // an IPv4 or IPv6 CIDR range (e.g. 10.0.0.0/8).
 $conf['realip'] = false;                 // Enable reading the X-Real-IP header.  Default: false.
                                         // Only enable this if your server writes this header, otherwise it may be spoofed.
 // Proxy setup - if your Server needs a proxy to access the web set these
 $conf['proxy']['host']    = '';
 $conf['proxy']['port']    = '';
 $conf['proxy']['user']    = '';
 $conf['proxy']['pass']    = '';
 $conf['proxy']['ssl']     = 0;
 $conf['proxy']['except']  = '';
--- a/config-templates/dokuwiki/conf/entities.conf
+++ b/config-templates/dokuwiki/conf/entities.conf
@@ -1,22 +0,0 @@
 # Typography replacements
 #
 # Order does matter!
 #
 # You can use HTML entities here, but it is not recommended because it may break
 # non-HTML renderers. Use UTF-8 chars directly instead.
 <->     ↔
 ->      →
 <-      ←
 <=>     ⇔
 =>      ⇒
 <=      ⇐
 >>      »
 <<      «
 ---     —
 --      –
 (c)     ©
 (tm)    ™
 (r)     ®
 ...     …
--- a/config-templates/dokuwiki/conf/interwiki.conf
+++ b/config-templates/dokuwiki/conf/interwiki.conf
@@ -1,43 +0,0 @@
 # Each URL may contain one of these placeholders
 # {URL}  is replaced by the URL encoded representation of the wikiname
 #        this is the right thing to do in most cases
 # {NAME} this is replaced by the wikiname as given in the document
 #        only mandatory encoded is done, urlencoding if the link
 #        is an external URL, or encoding as a wikiname if it is an
 #        internal link (begins with a colon)
 # {SCHEME}
 # {HOST}
 # {PORT}
 # {PATH}
 # {QUERY} these placeholders will be replaced with the appropriate part
 #         of the link when parsed as a URL
 # If no placeholder is defined the urlencoded name is appended to the URL
 # To prevent losing your added InterWiki shortcuts after an upgrade,
 # you should add new ones to interwiki.local.conf
 wp        https://en.wikipedia.org/wiki/{NAME}
 wpfr      https://fr.wikipedia.org/wiki/{NAME}
 wpde      https://de.wikipedia.org/wiki/{NAME}
 wpes      https://es.wikipedia.org/wiki/{NAME}
 wppl      https://pl.wikipedia.org/wiki/{NAME}
 wpjp      https://ja.wikipedia.org/wiki/{NAME}
 wpru      https://ru.wikipedia.org/wiki/{NAME}
 wpmeta    https://meta.wikipedia.org/wiki/{NAME}
 doku      https://www.dokuwiki.org/
 rfc       https://tools.ietf.org/html/rfc
 man       http://man.cx/
 amazon    https://www.amazon.com/dp/{URL}?tag=splitbrain-20
 amazon.de https://www.amazon.de/dp/{URL}?tag=splitbrain-21
 amazon.uk https://www.amazon.co.uk/dp/{URL}
 paypal    https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&amp;business=
 phpfn     https://secure.php.net/{NAME}
 skype     skype:{NAME}
 google    https://www.google.com/search?q=
 google.de https://www.google.de/search?q=
 go        https://www.google.com/search?q={URL}&amp;btnI=lucky
 user      :user:{NAME}
 # To support VoIP/SIP/TEL links
 callto    callto://{NAME}
 tel       tel:{NAME}
--- a/config-templates/dokuwiki/conf/license.php
+++ b/config-templates/dokuwiki/conf/license.php
@@ -1,38 +0,0 @@
 <?php
 /**
 * This file defines multiple available licenses you can license your
 * wiki contents under. Do not change this file, but create a
 * license.local.php instead.
 */
 if(empty($LC)) $LC = empty($conf['lang']) ? 'en' : $conf['lang'];
 $license['cc-zero'] = array(
    'name' => 'CC0 1.0 Universal',
    'url'  => 'https://creativecommons.org/publicdomain/zero/1.0/deed.'.$LC,
 );
 $license['publicdomain'] = array(
    'name' => 'Public Domain',
    'url'  => 'https://creativecommons.org/licenses/publicdomain/deed.'.$LC,
 );
 $license['cc-by'] = array(
    'name' => 'CC Attribution 4.0 International',
    'url'  => 'https://creativecommons.org/licenses/by/4.0/deed.'.$LC,
 );
 $license['cc-by-sa'] = array(
    'name' => 'CC Attribution-Share Alike 4.0 International',
    'url'  => 'https://creativecommons.org/licenses/by-sa/4.0/deed.'.$LC,
 );
 $license['gnufdl'] = array(
    'name' => 'GNU Free Documentation License 1.3',
    'url'  => 'https://www.gnu.org/licenses/fdl-1.3.html',
 );
 $license['cc-by-nc'] = array(
    'name' => 'CC Attribution-Noncommercial 4.0 International',
    'url'  => 'https://creativecommons.org/licenses/by-nc/4.0/deed.'.$LC,
 );
 $license['cc-by-nc-sa'] = array(
    'name' => 'CC Attribution-Noncommercial-Share Alike 4.0 International',
    'url'  => 'https://creativecommons.org/licenses/by-nc-sa/4.0/deed.'.$LC,
 );
--- a/config-templates/dokuwiki/conf/local.php
+++ b/config-templates/dokuwiki/conf/local.php
@@ -1,13 +0,0 @@
 <?php
 /**
 * Dokuwiki's Main Configuration File - Local Settings
 * Auto-generated by install script
 * Date: Tue, 20 Jan 2026 20:06:48 -0500
 */
 $conf['title'] = 'AI-Homelab';
 $conf['lang'] = 'en';
 $conf['license'] = 'cc-by-sa';
 $conf['useacl'] = 1;
 $conf['superuser'] = '@admin';
 $conf['disableactions'] = 'register';
 $conf['savedir'] = '/app/www/public/data';
--- a/config-templates/dokuwiki/conf/local.php.dist
+++ b/config-templates/dokuwiki/conf/local.php.dist
@@ -1,16 +0,0 @@
 <?php
 /**
 * This is an example of how a local.php could look like.
 * Simply copy the options you want to change from dokuwiki.php
 * to this file and change them.
 *
 * When using the installer, a correct local.php file be generated for
 * you automatically.
 */
 //$conf['title']       = 'My Wiki';        //what to show in the title
 //$conf['useacl']      = 1;                //Use Access Control Lists to restrict access?
 //$conf['superuser']   = 'joe';
--- a/config-templates/dokuwiki/conf/manifest.json
+++ b/config-templates/dokuwiki/conf/manifest.json
@@ -1,3 +0,0 @@
 {
    "display": "standalone"
 }
--- a/config-templates/dokuwiki/conf/mediameta.php
+++ b/config-templates/dokuwiki/conf/mediameta.php
@@ -1,91 +0,0 @@
 <?php
 /**
 * This configures which metadata will be editable through
 * the media manager. Each field of the array is an array with the
 * following contents:
 *   fieldname - Where data will be saved (EXIF or IPTC field)
 *   label     - key to lookup in the $lang var, if not found printed as is
 *   htmltype  - 'text', 'textarea' or 'date'
 *   lookups   - array additional fields to look up the data (EXIF or IPTC fields)
 *
 * The fields are not ordered continuously to make inserting additional items
 * in between simpler.
 *
 * This is a PHP snippet, so PHP syntax applies.
 *
 * Note: $fields is not a global variable and will not be available to any
 *       other functions or templates later
 *
 * You may extend or overwrite this variable in an optional
 * conf/mediameta.local.php file
 *
 * For a list of available EXIF/IPTC fields refer to
 * http://www.dokuwiki.org/devel:templates:detail.php
 */
 $fields = array(
    10 => array('Iptc.Headline',
                'img_title',
                'text'),
    20 => array('',
                'img_date',
                'date',
                array('Date.EarliestTime')),
    30 => array('',
                'img_fname',
                'text',
                array('File.Name')),
    40 => array('Iptc.Caption',
                'img_caption',
                'textarea',
                array('Exif.UserComment',
                      'Exif.TIFFImageDescription',
                      'Exif.TIFFUserComment')),
    50 => array('Iptc.Byline',
                'img_artist',
                'text',
                array('Exif.TIFFArtist',
                      'Exif.Artist',
                      'Iptc.Credit')),
    60 => array('Iptc.CopyrightNotice',
                'img_copyr',
                'text',
                array('Exif.TIFFCopyright',
                      'Exif.Copyright')),
    70 => array('',
                'img_format',
                'text',
                array('File.Format')),
    80 => array('',
                'img_fsize',
                'text',
                array('File.NiceSize')),
    90 => array('',
                'img_width',
                'text',
                array('File.Width')),
    100 => array('',
                'img_height',
                'text',
                array('File.Height')),
    110 => array('',
                'img_camera',
                'text',
                array('Simple.Camera')),
    120 => array('Iptc.Keywords',
                'img_keywords',
                'text',
                array('Exif.Category')),
 );
--- a/config-templates/dokuwiki/conf/mime.conf
+++ b/config-templates/dokuwiki/conf/mime.conf
@@ -1,75 +0,0 @@
 # Allowed uploadable file extensions and mimetypes are defined here.
 # To extend this file it is recommended to create a mime.local.conf
 # file. Mimetypes that should be downloadable and not be opened in the
 # should be prefixed with a !
 jpg     image/jpeg
 jpeg    image/jpeg
 gif     image/gif
 png     image/png
 webp    image/webp
 ico     image/vnd.microsoft.icon
 mp3     audio/mpeg
 ogg     audio/ogg
 wav     audio/wav
 webm    video/webm
 ogv     video/ogg
 mp4     video/mp4
 vtt     text/vtt
 tgz     !application/octet-stream
 tar     !application/x-gtar
 gz      !application/octet-stream
 bz2     !application/octet-stream
 zip     !application/zip
 rar     !application/rar
 7z      !application/x-7z-compressed
 pdf     application/pdf
 ps      !application/postscript
 rpm     !application/octet-stream
 deb     !application/octet-stream
 doc     !application/msword
 xls     !application/msexcel
 ppt     !application/mspowerpoint
 rtf     !application/msword
 docx    !application/vnd.openxmlformats-officedocument.wordprocessingml.document
 xlsx    !application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
 pptx    !application/vnd.openxmlformats-officedocument.presentationml.presentation
 sxw     !application/soffice
 sxc     !application/soffice
 sxi     !application/soffice
 sxd     !application/soffice
 odc     !application/vnd.oasis.opendocument.chart
 odf     !application/vnd.oasis.opendocument.formula
 odg     !application/vnd.oasis.opendocument.graphics
 odi     !application/vnd.oasis.opendocument.image
 odp     !application/vnd.oasis.opendocument.presentation
 ods     !application/vnd.oasis.opendocument.spreadsheet
 odt     !application/vnd.oasis.opendocument.text
 svg     image/svg+xml
 # You should enable HTML and Text uploads only for restricted Wikis.
 # Spammers are known to upload spam pages through unprotected Wikis.
 # Note: Enabling HTML opens Cross Site Scripting vulnerabilities
 #       through JavaScript. Only enable this with trusted users. You
 #       need to disable the iexssprotect option additionally to
 #       adding the mime type here
 #html    text/html
 #htm     text/html
 #txt     text/plain
 #conf    text/plain
 #xml     text/xml
 #csv     text/csv
 # Also flash may be able to execute arbitrary scripts in the website's
 # context
 #swf     application/x-shockwave-flash
--- a/config-templates/dokuwiki/conf/mysql.conf.php.example
+++ b/config-templates/dokuwiki/conf/mysql.conf.php.example
@@ -1,253 +0,0 @@
 <?php
 /*
 * This is an example configuration for the mysql auth plugin.
 *
 * This SQL statements are optimized for following table structure.
 * If you use a different one you have to change them accordingly.
 * See comments of every statement for details.
 *
 * TABLE users
 *     uid   login   pass   firstname   lastname   email
 *
 * TABLE groups
 *     gid   name
 *
 * TABLE usergroup
 *     uid   gid
 *
 * To use this configuration you have to copy them to local.protected.php
 * or at least include this file in local.protected.php.
 */
 /* Options to configure database access. You need to set up this
 * options carefully, otherwise you won't be able to access you
 * database.
 */
 $conf['plugin']['authmysql']['server']   = '';
 $conf['plugin']['authmysql']['user']     = '';
 $conf['plugin']['authmysql']['password'] = '';
 $conf['plugin']['authmysql']['database'] = '';
 /* This option enables debug messages in the mysql plugin. It is
 * mostly useful for system admins.
 */
 $conf['plugin']['authmysql']['debug'] = 0;
 /* Normally password encryption is done by DokuWiki (recommended) but for
 * some reasons it might be useful to let the database do the encryption.
 * Set 'forwardClearPass' to '1' and the cleartext password is forwarded to
 * the database, otherwise the encrypted one.
 */
 $conf['plugin']['authmysql']['forwardClearPass'] = 0;
 /* Multiple table operations will be protected by locks. This array tells
 * the plugin which tables to lock. If you use any aliases for table names
 * these array must also contain these aliases. Any unnamed alias will cause
 * a warning during operation. See the example below.
 */
 $conf['plugin']['authmysql']['TablesToLock']= array("users", "users AS u","groups", "groups AS g", "usergroup", "usergroup AS ug");
 /***********************************************************************/
 /*       Basic SQL statements for user authentication (required)       */
 /***********************************************************************/
 /* This statement is used to grant or deny access to the wiki. The result
 * should be a table with exact one line containing at least the password
 * of the user. If the result table is empty or contains more than one
 * row, access will be denied.
 *
 * The plugin accesses the password as 'pass' so an alias might be necessary.
 *
 * Following patters will be replaced:
 *   %{user}    user name
 *   %{pass}    encrypted or clear text password (depends on 'encryptPass')
 *   %{dgroup}  default group name
 */
 $conf['plugin']['authmysql']['checkPass']   = "SELECT pass
                                               FROM usergroup AS ug
                                               JOIN users AS u ON u.uid=ug.uid
                                               JOIN groups AS g ON g.gid=ug.gid
                                               WHERE login='%{user}'
                                               AND name='%{dgroup}'";
 /* This statement should return a table with exact one row containing
 * information about one user. The field needed are:
 * 'pass'  containing the encrypted or clear text password
 * 'name'  the user's full name
 * 'mail'  the user's email address
 *
 * Keep in mind that Dokuwiki will access this information through the
 * names listed above so aliases might be necessary.
 *
 * Following patters will be replaced:
 *   %{user}    user name
 */
 $conf['plugin']['authmysql']['getUserInfo'] = "SELECT pass, CONCAT(firstname,' ',lastname) AS name, email AS mail
                                               FROM users
                                               WHERE login='%{user}'";
 /* This statement is used to get all groups a user is member of. The
 * result should be a table containing all groups the given user is
 * member of. The plugin accesses the group name as 'group' so an alias
 * might be necessary.
 *
 * Following patters will be replaced:
 *   %{user}    user name
 */
 $conf['plugin']['authmysql']['getGroups']   = "SELECT name as `group`
                                               FROM groups g, users u, usergroup ug
                                               WHERE u.uid = ug.uid
                                               AND g.gid = ug.gid
                                               AND u.login='%{user}'";
 /***********************************************************************/
 /*      Additional minimum SQL statements to use the user manager      */
 /***********************************************************************/
 /* This statement should return a table containing all user login names
 * that meet certain filter criteria. The filter expressions will be added
 * case dependent by the plugin. At the end a sort expression will be added.
 * Important is that this list contains no double entries for a user. Each
 * user name is only allowed once in the table.
 *
 * The login name will be accessed as 'user' to an alias might be necessary.
 * No patterns will be replaced in this statement but following patters
 * will be replaced in the filter expressions:
 *   %{user}    in FilterLogin  user's login name
 *   %{name}    in FilterName   user's full name
 *   %{email}   in FilterEmail  user's email address
 *   %{group}   in FilterGroup  group name
 */
 $conf['plugin']['authmysql']['getUsers']    = "SELECT DISTINCT login AS user
                                               FROM users AS u
                                               LEFT JOIN usergroup AS ug ON u.uid=ug.uid
                                               LEFT JOIN groups AS g ON ug.gid=g.gid";
 $conf['plugin']['authmysql']['FilterLogin'] = "login LIKE '%{user}'";
 $conf['plugin']['authmysql']['FilterName']  = "CONCAT(firstname,' ',lastname) LIKE '%{name}'";
 $conf['plugin']['authmysql']['FilterEmail'] = "email LIKE '%{email}'";
 $conf['plugin']['authmysql']['FilterGroup'] = "name LIKE '%{group}'";
 $conf['plugin']['authmysql']['SortOrder']   = "ORDER BY login";
 /***********************************************************************/
 /*   Additional SQL statements to add new users with the user manager  */
 /***********************************************************************/
 /* This statement should add a user to the database. Minimum information
 * to store are: login name, password, email address and full name.
 *
 * Following patterns will be replaced:
 *   %{user}    user's login name
 *   %{pass}    password (encrypted or clear text, depends on 'encryptPass')
 *   %{email}   email address
 *   %{name}    user's full name
 */
 $conf['plugin']['authmysql']['addUser']     = "INSERT INTO users
                                               (login, pass, email, firstname, lastname)
                                               VALUES ('%{user}', '%{pass}', '%{email}',
                                               SUBSTRING_INDEX('%{name}',' ', 1),
                                               SUBSTRING_INDEX('%{name}',' ', -1))";
 /* This statement should add a group to the database.
 * Following patterns will be replaced:
 *   %{group}   group name
 */
 $conf['plugin']['authmysql']['addGroup']    = "INSERT INTO groups (name)
                                               VALUES ('%{group}')";
 /* This statement should connect a user to a group (a user become member
 * of that group).
 * Following patterns will be replaced:
 *   %{user}    user's login name
 *   %{uid}     id of a user dataset
 *   %{group}   group name
 *   %{gid}     id of a group dataset
 */
 $conf['plugin']['authmysql']['addUserGroup']= "INSERT INTO usergroup (uid, gid)
                                               VALUES ('%{uid}', '%{gid}')";
 /* This statement should remove a group fom the database.
 * Following patterns will be replaced:
 *   %{group}   group name
 *   %{gid}     id of a group dataset
 */
 $conf['plugin']['authmysql']['delGroup']    = "DELETE FROM groups
                                               WHERE gid='%{gid}'";
 /* This statement should return the database index of a given user name.
 * The plugin will access the index with the name 'id' so an alias might be
 * necessary.
 * following patters will be replaced:
 *   %{user}    user name
 */
 $conf['plugin']['authmysql']['getUserID']   = "SELECT uid AS id
                                               FROM users
                                               WHERE login='%{user}'";
 /***********************************************************************/
 /*   Additional SQL statements to delete users with the user manager   */
 /***********************************************************************/
 /* This statement should remove a user fom the database.
 * Following patterns will be replaced:
 *   %{user}    user's login name
 *   %{uid}     id of a user dataset
 */
 $conf['plugin']['authmysql']['delUser']     = "DELETE FROM users
                                               WHERE uid='%{uid}'";
 /* This statement should remove all connections from a user to any group
 * (a user quits membership of all groups).
 * Following patterns will be replaced:
 *   %{uid}     id of a user dataset
 */
 $conf['plugin']['authmysql']['delUserRefs'] = "DELETE FROM usergroup
                                               WHERE uid='%{uid}'";
 /***********************************************************************/
 /*   Additional SQL statements to modify users with the user manager   */
 /***********************************************************************/
 /* This statements should modify a user entry in the database. The
 * statements UpdateLogin, UpdatePass, UpdateEmail and UpdateName will be
 * added to updateUser on demand. Only changed parameters will be used.
 *
 * Following patterns will be replaced:
 *   %{user}    user's login name
 *   %{pass}    password (encrypted or clear text, depends on 'encryptPass')
 *   %{email}   email address
 *   %{name}    user's full name
 *   %{uid}     user id that should be updated
 */
 $conf['plugin']['authmysql']['updateUser']  = "UPDATE users SET";
 $conf['plugin']['authmysql']['UpdateLogin'] = "login='%{user}'";
 $conf['plugin']['authmysql']['UpdatePass']  = "pass='%{pass}'";
 $conf['plugin']['authmysql']['UpdateEmail'] = "email='%{email}'";
 $conf['plugin']['authmysql']['UpdateName']  = "firstname=SUBSTRING_INDEX('%{name}',' ', 1),
                                               lastname=SUBSTRING_INDEX('%{name}',' ', -1)";
 $conf['plugin']['authmysql']['UpdateTarget']= "WHERE uid=%{uid}";
 /* This statement should remove a single connection from a user to a
 * group (a user quits membership of that group).
 *
 * Following patterns will be replaced:
 *   %{user}    user's login name
 *   %{uid}     id of a user dataset
 *   %{group}   group name
 *   %{gid}     id of a group dataset
 */
 $conf['plugin']['authmysql']['delUserGroup']= "DELETE FROM usergroup
                                               WHERE uid='%{uid}'
                                               AND gid='%{gid}'";
 /* This statement should return the database index of a given group name.
 * The plugin will access the index with the name 'id' so an alias might
 * be necessary.
 *
 * Following patters will be replaced:
 *   %{group}   group name
 */
 $conf['plugin']['authmysql']['getGroupID']  = "SELECT gid AS id
                                               FROM groups
                                               WHERE name='%{group}'";
--- a/config-templates/dokuwiki/conf/plugins.local.php
+++ b/config-templates/dokuwiki/conf/plugins.local.php
@@ -1,12 +0,0 @@
 <?php
 /*
 * Local plugin enable/disable settings
 *
 * Auto-generated by install script
 * Date: Tue, 20 Jan 2026 20:06:48 -0500
 */
 $plugins['authad']    = 0;
 $plugins['authldap']  = 0;
 $plugins['authmysql'] = 0;
 $plugins['authpgsql'] = 0;
--- a/config-templates/dokuwiki/conf/plugins.php
+++ b/config-templates/dokuwiki/conf/plugins.php
@@ -1,6 +0,0 @@
 <?php
 /**
 * This file configures the default states of available plugins. All settings in
 * the plugins.*.php files will override those here.
 */
 $plugins['testing'] = 0;
--- a/config-templates/dokuwiki/conf/plugins.required.php
+++ b/config-templates/dokuwiki/conf/plugins.required.php
@@ -1,12 +0,0 @@
 <?php
 /**
 * This file configures the enabled/disabled status of plugins, which are also protected
 * from changes by the extension manager. These settings will override any local settings.
 * It is not recommended to change this file, as it is overwritten on DokuWiki upgrades.
 */
 $plugins['acl']               = 1;
 $plugins['authplain']         = 1;
 $plugins['extension']         = 1;
 $plugins['config']            = 1;
 $plugins['usermanager']       = 1;
 $plugins['template:dokuwiki'] = 1; // not a plugin, but this should not be uninstalled either
--- a/config-templates/dokuwiki/conf/scheme.conf
+++ b/config-templates/dokuwiki/conf/scheme.conf
@@ -1,11 +0,0 @@
 #Add URL schemes you want to be recognized as links here
 http
 https
 telnet
 gopher
 wais
 ftp
 ed2k
 irc
 ldap
--- a/config-templates/dokuwiki/conf/smileys.conf
+++ b/config-templates/dokuwiki/conf/smileys.conf
@@ -1,28 +0,0 @@
 # Smileys configured here will be replaced by the
 # configured images in the smiley directory
 8-)         cool.svg
 8-O         eek.svg
 8-o         eek.svg
 :-(         sad.svg
 :-)         smile.svg
 =)          smile2.svg
 :-/         doubt.svg
 :-\         doubt2.svg
 :-?         confused.svg
 :-D         biggrin.svg
 :-P         razz.svg
 :-o         surprised.svg
 :-O         surprised.svg
 :-x         silenced.svg
 :-X         silenced.svg
 :-|         neutral.svg
 ;-)         wink.svg
 m(          facepalm.svg
 ^_^         fun.svg
 :?:         question.svg
 :!:         exclaim.svg
 LOL         lol.svg
 FIXME       fixme.svg
 DELETEME    deleteme.svg
--- a/config-templates/dokuwiki/conf/users.auth.php
+++ b/config-templates/dokuwiki/conf/users.auth.php
@@ -1,13 +0,0 @@
 # users.auth.php
 # <?php exit()?>
 # Don't modify the lines above
 #
 # Userfile
 #
 # Auto-generated by install script
 # Date: Tue, 20 Jan 2026 20:06:48 -0500
 #
 # Format:
 # login:passwordhash:Real Name:email:groups,comma,separated
 admin:$2y$10$dX5ryEUsFKXDRNl6DAk5Zem.1KtI8Q45.z0EQ6NLI7HXJjJyx4hqS:Admin:admin@example.com:admin,user
--- a/config-templates/dokuwiki/conf/users.auth.php.dist
+++ b/config-templates/dokuwiki/conf/users.auth.php.dist
@@ -1,10 +0,0 @@
 # users.auth.php
 # <?php exit()?>
 # Don't modify the lines above
 #
 # Userfile
 #
 # Format:
 #
 # login:passwordhash:Real Name:email:groups,comma,separated
--- a/config-templates/dokuwiki/conf/wordblock.conf
+++ b/config-templates/dokuwiki/conf/wordblock.conf
@@ -1,29 +0,0 @@
 # This blacklist is maintained by the DokuWiki community
 # patches welcome
 #
 https?:\/\/(\S*?)(-side-effects|top|pharm|pill|discount|discount-|deal|price|order|now|best|cheap|cheap-|online|buy|buy-|sale|sell)(\S*?)(cialis|viagra|prazolam|xanax|zanax|soma|vicodin|zenical|xenical|meridia|paxil|prozac|claritin|allegra|lexapro|wellbutrin|zoloft|retin|valium|levitra|phentermine)
 https?:\/\/(\S*?)(bi\s*sex|gay\s*sex|fetish|incest|penis|\brape\b)
 zoosex
 gang\s*bang
 facials
 ladyboy
 \btits\b
 bolea\.com
 52crystal
 baida\.org
 web-directory\.awardspace\.us
 korsan-team\.com
 BUDA TAMAMDIR
 wow-powerleveling-wow\.com
 wow gold
 wow-gold\.dinmo\.cn
 downgrade-vista\.com
 downgradetowindowsxp\.com
 elegantugg\.com
 classicedhardy\.com
 research-service\.com
 https?:\/\/(\S*?)(2-pay-secure|911essay|academia-research|anypapers|applicationessay|bestbuyessay|bestdissertation|bestessay|bestresume|besttermpaper|businessessay|college-paper|customessay|custom-made-paper|custom-writing|degree-?result|dissertationblog|dissertation-service|dissertations?expert|essaybank|essay-?blog|essaycapital|essaylogic|essaymill|essayontime|essaypaper|essays?land|essaytownsucks|essay-?writ|fastessays|freelancercareers|genuinecontent|genuineessay|genuinepaper|goessay|grandresume|killer-content|ma-dissertation|managementessay|masterpaper|mightystudent|needessay|researchedge|researchpaper-blog|resumecvservice|resumesexperts|resumesplanet|rushessay|samedayessay|superiorcontent|superiorpaper|superiorthesis|term-paper|termpaper-blog|term-paper-research|thesisblog|universalresearch|valwriting|vdwriters|wisetranslation|writersassembly|writers\.com\.ph|writers\.ph)
 flatsinmumbai\.co\.in
 https?:\/\/(\S*?)penny-?stock
 mattressreview\.biz
 (just|simply) (my|a) profile (site|webpage|page)
--- a/config-templates/dokuwiki/data/pages/architecture/backup.txt
+++ b/config-templates/dokuwiki/data/pages/architecture/backup.txt
@@ -1,293 +0,0 @@
 ====== Backup Strategy ======
 The AI-Homelab implements a comprehensive backup strategy designed for data protection, disaster recovery, and business continuity.
 ===== Backup Principles =====
 **3-2-1 Rule:**
  * **3 Copies**: Original + 2 backups
  * **2 Media Types**: Different storage technologies
  * **1 Offsite**: Geographic separation
 **Recovery Objectives:**
  * **RTO (Recovery Time Objective)**: Time to restore service
  * **RPO (Recovery Point Objective)**: Maximum data loss acceptable
  * **RTO Target**: < 4 hours for critical services
  * **RPO Target**: < 1 hour for critical data
 **Backup Types:**
  * **Full**: Complete system backup
  * **Incremental**: Changes since last backup
  * **Differential**: Changes since last full backup
  * **Snapshot**: Point-in-time copy
 ===== Backup Architecture =====
 **Primary Backup Solution (Backrest):**
 ```yaml
 services:
  backrest:
    image: ghcr.io/garethflowers/docker-backrest:latest
    volumes:
      - ./config/backrest:/config
      - /mnt/backups:/backups
      - /opt/stacks:/opt/stacks:ro
      - /mnt:/mnt:ro
    environment:
      - BACKREST_CONFIG=/config/config.yml
      - BACKREST_SCHEDULE=0 0 * * *
 ```
 **Alternative Solution (Duplicati):**
 ```yaml
 services:
  duplicati:
    image: lscr.io/linuxserver/duplicati:latest
    volumes:
      - duplicati-config:/config
      - duplicati-source:/source:ro
      - duplicati-backup:/backup
 ```
 ===== Backup Categories =====
 **Configuration Backups:**
  * **Source**: `/opt/stacks/*/`
  * **Frequency**: Daily
  * **Retention**: 30 days
  * **Type**: Incremental
  * **Critical**: Yes (service definitions)
 **User Data Backups:**
  * **Source**: `/mnt/media/`, `/mnt/nextcloud/`
  * **Frequency**: Daily
  * **Retention**: 90 days
  * **Type**: Incremental
  * **Critical**: Yes (user files)
 **Database Backups:**
  * **Source**: Named Docker volumes
  * **Frequency**: Hourly
  * **Retention**: 7 days
  * **Type**: Snapshot
  * **Critical**: Yes (application data)
 **SSL Certificate Backups:**
  * **Source**: `/opt/stacks/core/traefik/acme.json`
  * **Frequency**: After renewal
  * **Retention**: 1 year
  * **Type**: Full
  * **Critical**: Yes (HTTPS access)
 ===== Backup Configuration =====
 **Backrest Configuration:**
 ```yaml
 version: 1
 schedule: "0 2 * * *"  # Daily at 2 AM
 repositories:
  - path: "/backups/local"
    retention: "30d"
  - path: "/backups/remote"
    retention: "90d"
 backups:
  - name: "stacks-config"
    paths:
      - "/opt/stacks"
    exclude:
      - "*.log"
      - "*/cache/*"
  - name: "user-data"
    paths:
      - "/mnt/media"
      - "/mnt/nextcloud"
    exclude:
      - "*/temp/*"
      - "*/cache/*"
 ```
 **Duplicati Configuration:**
  * **Source**: Local directories
  * **Destination**: Local/network/cloud storage
  * **Encryption**: AES-256
  * **Compression**: ZIP
  * **Deduplication**: Block-level
 ===== Storage Destinations =====
 **Local Storage:**
  * **Path**: `/mnt/backups/`
  * **Type**: External HDD/SSD
  * **Encryption**: Filesystem level
  * **Access**: Direct mount
 **Network Storage:**
  * **Protocol**: NFS/SMB/CIFS
  * **Location**: NAS device
  * **Redundancy**: RAID protection
  * **Security**: VPN access
 **Cloud Storage:**
  * **Providers**: AWS S3, Backblaze B2, Google Cloud
  * **Encryption**: Client-side
  * **Cost**: Pay for storage used
  * **Access**: Internet connection
 **Offsite Storage:**
  * **Location**: Different geographic location
  * **Transport**: Encrypted drives
  * **Frequency**: Weekly rotation
  * **Security**: Physical security
 ===== Encryption & Security =====
 **Encryption Methods:**
  * **Symmetric**: AES-256-GCM
  * **Asymmetric**: RSA key pairs
  * **Key Management**: Secure key storage
  * **Key Rotation**: Regular key updates
 **Security Measures:**
  * **Access Control**: Restricted backup access
  * **Network Security**: VPN for remote backups
  * **Integrity Checks**: SHA-256 verification
  * **Audit Logging**: Backup operation logs
 ===== Automation & Scheduling =====
 **Cron Schedules:**
 ```bash
 # Daily backups at 2 AM
 0 2 * * * /usr/local/bin/backrest backup
 # Weekly full backup on Sunday
 0 3 * * 0 /usr/local/bin/backrest backup --full
 # Monthly archive
 0 4 1 * * /usr/local/bin/backrest archive
 ```
 **Monitoring:**
  * **Success/Failure**: Email notifications
  * **Size Tracking**: Storage usage monitoring
  * **Performance**: Backup duration tracking
  * **Health Checks**: Integrity verification
 ===== Recovery Procedures =====
 **File-Level Recovery:**
 ```bash
 # List snapshots
 restic snapshots
 # Restore specific file
 restic restore latest --target /tmp/restore --path /opt/stacks/config.yml
 # Restore to original location
 restic restore latest --target / --path /opt/stacks
 ```
 **Volume Recovery:**
 ```bash
 # Stop service
 docker compose down
 # Restore volume
 docker run --rm -v restored-volume:/data -v /backups:/backup busybox tar xzf /backup/volume.tar.gz -C /
 # Restart service
 docker compose up -d
 ```
 **System Recovery:**
  1. **Boot from installation media**
  2. **Restore base system**
  3. **Install Docker**
  4. **Restore configurations**
  5. **Restore user data**
  6. **Verify services**
 ===== Testing & Validation =====
 **Regular Testing:**
  * **Monthly**: File restoration tests
  * **Quarterly**: Volume recovery tests
  * **Annually**: Full system recovery
  * **After Changes**: Configuration updates
 **Validation Checks:**
 ```bash
 # Verify backup integrity
 restic check
 # List backup contents
 restic ls latest
 # Compare file counts
 find /original -type f | wc -l
 restic ls latest | wc -l
 ```
 **Performance Monitoring:**
  * **Backup Duration**: Track completion times
  * **Success Rate**: Monitor failure rates
  * **Storage Growth**: Track backup size trends
  * **Recovery Time**: Measure restoration speed
 ===== Disaster Recovery =====
 **Disaster Scenarios:**
  * **Hardware Failure**: Drive/server replacement
  * **Data Corruption**: File system damage
  * **Cyber Attack**: Ransomware recovery
  * **Site Disaster**: Complete site loss
 **Recovery Strategies:**
  * **Cold Standby**: Pre-configured backup server
  * **Cloud Recovery**: Infrastructure as Code
  * **Data Center**: Professional recovery services
  * **Insurance**: Cyber liability coverage
 **Business Continuity:**
  * **Critical Services**: < 1 hour RTO
  * **Important Services**: < 4 hours RTO
  * **Standard Services**: < 24 hours RTO
  * **Acceptable Data Loss**: < 1 hour RPO
 ===== Cost Optimization =====
 **Storage Costs:**
  * **Local**: Low initial cost, high maintenance
  * **Network**: Medium cost, shared resources
  * **Cloud**: Pay-as-you-go, scalable
  * **Offsite**: Security vs accessibility trade-off
 **Optimization Strategies:**
  * **Compression**: Reduce storage requirements
  * **Deduplication**: Eliminate redundant data
  * **Tiering**: Move old data to cheaper storage
  * **Retention Policies**: Delete unnecessary backups
 ===== Compliance & Auditing =====
 **Regulatory Requirements:**
  * **Data Retention**: Industry-specific rules
  * **Encryption Standards**: FIPS compliance
  * **Access Logging**: Audit trail requirements
  * **Testing Frequency**: Regulatory testing schedules
 **Audit Procedures:**
  * **Backup Logs**: Operation history
  * **Access Logs**: Who accessed backups
  * **Change Logs**: Configuration changes
  * **Test Results**: Recovery test documentation
 **Documentation:**
  * **Procedures**: Step-by-step recovery guides
  * **Contacts**: Emergency contact information
  * **Dependencies**: Required resources and access
  * **Testing**: Regular test schedules and results
 This backup strategy ensures your homelab data remains protected and recoverable in any scenario.
 **Next:** Explore [[services:start|Service Management]] or learn about [[development:start|Contributing]].
--- a/config-templates/dokuwiki/data/pages/architecture/networking.txt
+++ b/config-templates/dokuwiki/data/pages/architecture/networking.txt
@@ -1,329 +0,0 @@
 ====== Network Architecture ======
 The AI-Homelab uses a sophisticated network architecture designed for security, performance, and scalability.
 ===== Network Topology =====
 ```
 Internet
    ↓
 [Router/Firewall]
    ├── Port 80 (HTTP) → Traefik (Let's Encrypt)
    ├── Port 443 (HTTPS) → Traefik (SSL Termination)
    └── Port 22 (SSH) → Server (Management)
    ↓
 [DuckDNS] Dynamic DNS
    ↓
 [Traefik] Reverse Proxy
    ├── Authelia SSO Middleware
    ├── Service Routing
    └── SSL Termination
    ↓
 [Docker Networks]
    ├── traefik-network (Web Services)
    ├── homelab-network (Internal)
    ├── media-network (Media Services)
    └── service-specific networks
 ```
 ===== Docker Networks =====
 **traefik-network (Primary):**
  * **Purpose**: All web-accessible services
  * **Driver**: Bridge
  * **IP Range**: 172.20.0.0/16
  * **External Access**: Yes (via Traefik)
 **homelab-network (Internal):**
  * **Purpose**: Internal service communication
  * **Driver**: Bridge
  * **IP Range**: 172.21.0.0/16
  * **External Access**: No
 **media-network:**
  * **Purpose**: Media service isolation
  * **Driver**: Bridge
  * **IP Range**: 172.22.0.0/16
  * **External Access**: Via Traefik
 **dockerproxy-network:**
  * **Purpose**: Docker socket proxy
  * **Driver**: Bridge
  * **Security**: Restricted access
 ===== Traefik Routing =====
 **Entry Points:**
 ```yaml
 entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
 ```
 **Router Configuration:**
 ```yaml
 http:
  routers:
    service-router:
      rule: "Host(`service.yourdomain.duckdns.org`)"
      entryPoints:
        - websecure
      service: service-name
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
 ```
 **Service Discovery:**
 ```yaml
 http:
  services:
    service-name:
      loadBalancer:
        servers:
          - url: "http://container-name:port"
 ```
 ===== SSL/TLS Configuration =====
 **Certificate Resolver:**
 ```yaml
 certificatesResolvers:
  letsencrypt:
    acme:
      email: your-email@example.com
      storage: /acme.json
      dnsChallenge:
        provider: duckdns
        delayBeforeCheck: 30
 ```
 **Wildcard Certificate:**
  * **Domain**: `*.yourdomain.duckdns.org`
  * **Provider**: Let's Encrypt
  * **Challenge**: DNS-01 (DuckDNS)
  * **Validity**: 90 days
  * **Renewal**: Automatic
 **Security Headers:**
 ```yaml
 middlewares:
  security-headers:
    headers:
      stsSeconds: 31536000
      stsIncludeSubdomains: true
      stsPreload: true
      forceSTSHeader: true
      contentTypeNosniff: true
      browserXssFilter: true
      referrerPolicy: "strict-origin-when-cross-origin"
      permissionsPolicy: "geolocation=(), microphone=(), camera=()"
 ```
 ===== Authelia Integration =====
 **SSO Middleware:**
 ```yaml
 middlewares:
  authelia:
    forwardAuth:
      address: "http://authelia:9091/api/verify?rd=https://auth.yourdomain.duckdns.org/"
      trustForwardHeader: true
      authResponseHeaders:
        - "Remote-User"
        - "Remote-Groups"
        - "Remote-Name"
        - "Remote-Email"
 ```
 **Access Control Rules:**
 ```yaml
 access_control:
  default_policy: deny
  rules:
    - domain: "*.yourdomain.duckdns.org"
      policy: two_factor
    - domain: "jellyfin.yourdomain.duckdns.org"
      policy: bypass
    - domain: "plex.yourdomain.duckdns.org"
      policy: bypass
 ```
 ===== VPN Integration =====
 **Gluetun Network Mode:**
 ```yaml
 services:
  qbittorrent:
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
 ```
 **Port Mapping:**
 ```yaml
 gluetun:
  ports:
    - "8080:8080"  # qBittorrent Web UI
    - "6881:6881"  # Torrent port
    - "6881:6881/udp"
 ```
 **VPN Routing:**
  * **Provider**: Surfshark (configurable)
  * **Protocol**: WireGuard/OpenVPN
  * **Kill Switch**: Prevents IP leaks
  * **Port Forwarding**: Automatic
 ===== Firewall Configuration =====
 **UFW Rules (Automatic):**
 ```bash
 # Allow SSH
 sudo ufw allow ssh
 # Allow HTTP/HTTPS
 sudo ufw allow 80
 sudo ufw allow 443
 # Enable firewall
 sudo ufw enable
 # Default deny
 sudo ufw default deny incoming
 sudo ufw default allow outgoing
 ```
 **Docker Security:**
  * **No privileged containers**
  * **Non-root user execution**
  * **Minimal port exposure**
  * **Network isolation**
 ===== External Service Proxying =====
 **Traefik File Provider:**
 ```yaml
 http:
  routers:
    external-service:
      rule: "Host(`external.yourdomain.duckdns.org`)"
      service: external-service
      middlewares:
        - authelia@docker
  services:
    external-service:
      loadBalancer:
        servers:
          - url: "http://192.168.1.100:8123"
 ```
 **Use Cases:**
  * **Home Assistant** on Raspberry Pi
  * **NAS devices** (TrueNAS, Unraid)
  * **Network printers** and IoT devices
  * **Legacy applications**
 ===== DNS Configuration =====
 **DuckDNS Setup:**
  * **Update Interval**: Every 5 minutes
  * **API Token**: Stored in `.env`
  * **Domains**: yourdomain.duckdns.org
  * **Wildcard**: *.yourdomain.duckdns.org
 **Pi-hole Integration:**
  * **Upstream DNS**: Quad9, Cloudflare
  * **Ad Blocking**: Enabled
  * **Local DNS**: Service discovery
  * **DHCP**: Optional
 ===== Network Troubleshooting =====
 **Connectivity Issues:**
 ```bash
 # Check network connectivity
 ping -c 4 8.8.8.8
 # Test DNS resolution
 nslookup yourdomain.duckdns.org
 # Check port forwarding
 curl -I http://your-external-ip
 ```
 **Docker Network Issues:**
 ```bash
 # List networks
 docker network ls
 # Inspect network
 docker network inspect traefik-network
 # Check container connectivity
 docker exec container-name ping traefik
 ```
 **SSL Certificate Problems:**
 ```bash
 # Check certificate
 echo | openssl s_client -connect yourdomain.duckdns.org:443 -servername service.yourdomain.duckdns.org 2>/dev/null | openssl x509 -noout -subject -dates
 # View Traefik logs
 docker logs traefik | grep certificate
 ```
 **Authelia Issues:**
 ```bash
 # Check Authelia logs
 docker logs authelia
 # Test authentication
 curl -k https://auth.yourdomain.duckdns.org/api/state
 ```
 ===== Performance Optimization =====
 **Connection Pooling:**
  * **Keep-Alive**: Persistent connections
  * **Connection Reuse**: Reduce overhead
  * **Load Balancing**: Distribute traffic
 **Caching:**
  * **Browser Caching**: Static assets
  * **Reverse Proxy**: Dynamic content
  * **DNS Caching**: Pi-hole
 **Compression:**
  * **Gzip**: Text compression
  * **Brotli**: Advanced compression
  * **Media**: No compression (already compressed)
 ===== Monitoring =====
 **Network Monitoring:**
  * **Traefik Dashboard**: Routing metrics
  * **Authelia Logs**: Authentication events
  * **Pi-hole Stats**: DNS queries
  * **Uptime Kuma**: Service availability
 **Traffic Analysis:**
  * **Request Logs**: Access patterns
  * **Error Rates**: Service health
  * **Response Times**: Performance metrics
  * **Bandwidth Usage**: Network utilization
 This network architecture provides secure, efficient, and scalable connectivity for all homelab services.
 **Next:** Learn about [[architecture:security|Security Architecture]] or [[architecture:storage|Storage Strategy]].
--- a/config-templates/dokuwiki/data/pages/architecture/overview.txt
+++ b/config-templates/dokuwiki/data/pages/architecture/overview.txt
@@ -1,298 +0,0 @@
 ====== System Architecture ======
 The AI-Homelab is built on a production-ready, scalable architecture designed for reliability, security, and ease of management.
 ===== Core Principles =====
 **Infrastructure as Code:**
  * All services defined in Docker Compose files
  * Configuration managed through YAML files
  * Version control with Git
  * Reproducible deployments
 **Security First:**
  * SSO protection for admin interfaces
  * Automatic HTTPS with Let's Encrypt
  * VPN routing for downloads
  * Network isolation and segmentation
 **Scalability:**
  * Resource limits prevent exhaustion
  * Lazy loading reduces resource usage
  * Modular service architecture
  * Easy addition of new services
 **Observability:**
  * Comprehensive logging
  * Metrics collection
  * Health monitoring
  * Alerting capabilities
 ===== Network Architecture =====
 ```
 Internet
    ↓
 [Router] Port Forwarding (80, 443)
    ↓
 [DuckDNS] Dynamic DNS Updates
    ↓
 [Traefik] Reverse Proxy + SSL Termination
    ↓
 [Authelia] SSO Authentication
    ↓
 [Docker Services] Isolated Containers
 ```
 **Network Layers:**
 **External Access:**
  * **DuckDNS**: Dynamic DNS service
  * **Port Forwarding**: 80/443 to Traefik
  * **SSL Termination**: Wildcard certificate
 **Reverse Proxy:**
  * **Traefik**: Routes traffic to services
  * **Authelia**: SSO middleware
  * **Load Balancing**: Service discovery
 **Service Networks:**
  * **traefik-network**: All web services
  * **homelab-network**: Internal communication
  * **media-network**: Media services
  * **isolated networks**: Security segmentation
 ===== Service Architecture =====
 **Core Stack (Essential Infrastructure):**
  * **DuckDNS**: DNS updates every 5 minutes
  * **Traefik**: HTTP routing and SSL
  * **Authelia**: Authentication and authorization
  * **Gluetun**: VPN client for downloads
  * **Sablier**: Lazy loading service
 **Infrastructure Stack:**
  * **Dockge**: Primary management interface
  * **Pi-hole**: Network-wide DNS and ad blocking
  * **Dozzle**: Live Docker log viewer
  * **Glances**: System resource monitoring
 **Service Categories:**
 **Media Services:**
  * **Jellyfin/Plex**: Media servers with transcoding
  * **qBittorrent**: Torrent client (VPN routed)
  * **Sonarr/Radarr**: Download automation
  * **Prowlarr**: Indexer management
 **Productivity Services:**
  * **Nextcloud**: File synchronization
  * **Gitea**: Git service and CI/CD
  * **BookStack**: Documentation platform
  * **WordPress**: Blogging platform
 **Monitoring & Observability:**
  * **Grafana**: Dashboard and visualization
  * **Prometheus**: Metrics collection
  * **Uptime Kuma**: Status monitoring
  * **Loki**: Log aggregation
 ===== Storage Architecture =====
 **Configuration Storage:**
 ```
 /opt/stacks/
 ├── core/                    # Core infrastructure
 ├── infrastructure/          # Management tools
 ├── media/                   # Media services
 ├── productivity/            # Office tools
 └── monitoring/              # Observability
 ```
 **Data Storage Strategy:**
 **Small Data (< 50GB):**
  * **Location**: `/opt/stacks/stack-name/config/`
  * **Type**: Bind mounts
  * **Backup**: Included in configuration backups
 **Large Data (> 50GB):**
  * **Location**: `/mnt/media/`, `/mnt/downloads/`, `/mnt/backups/`
  * **Type**: External mounts
  * **Backup**: Separate backup strategies
 **Database Storage:**
  * **Type**: Named Docker volumes
  * **Location**: Docker managed
  * **Backup**: Volume snapshots
 ===== Security Architecture =====
 **Authentication & Authorization:**
 **Authelia SSO:**
  * **Protocol**: SAML, OpenID Connect
  * **Storage**: File-based user database
  * **2FA**: TOTP, WebAuthn support
  * **Policies**: Domain-based access control
 **Service Authentication:**
  * **Admin Services**: Authelia protected
  * **Media Services**: Bypass for app compatibility
  * **APIs**: Token-based authentication
 **Network Security:**
  * **Firewall**: UFW with minimal ports
  * **SSL/TLS**: End-to-end encryption
  * **VPN**: Download traffic protection
  * **Isolation**: Docker network segmentation
 ===== Deployment Architecture =====
 **Two-Phase Deployment:**
 **Phase 1: Setup**
 ```bash
 sudo ./scripts/setup-homelab.sh
 ```
  * System preparation
  * Docker installation
  * Authelia configuration
  * Infrastructure setup
 **Phase 2: Deployment**
 ```bash
 sudo ./scripts/deploy-homelab.sh
 ```
  * Core stack deployment
  * SSL certificate generation
  * Infrastructure services
  * Health verification
 **Service Deployment:**
  * **Dockge**: Web-based stack management
  * **Manual**: Docker Compose commands
  * **Automated**: CI/CD pipelines
 ===== Resource Management =====
 **Resource Limits:**
 ```yaml
 deploy:
  resources:
    limits:
      cpus: '2.0'
      memory: 4G
    reservations:
      cpus: '0.5'
      memory: 1G
 ```
 **Resource Allocation Strategy:**
  * **Core Services**: Minimal resources (0.1-0.5 CPU, 64MB-256MB RAM)
  * **Web Services**: Moderate resources (1-2 CPU, 1-4GB RAM)
  * **Media Services**: High resources (2-4 CPU, 4-8GB RAM)
  * **Background Services**: Variable based on workload
 **Lazy Loading:**
  * **Sablier**: On-demand service startup
  * **Resource Savings**: 50-80% reduction in idle usage
  * **Automatic Scaling**: Services start when accessed
 ===== Monitoring Architecture =====
 **Metrics Collection:**
  * **Prometheus**: Time-series metrics
  * **Node Exporter**: System metrics
  * **cAdvisor**: Container metrics
  * **Custom Exporters**: Service-specific metrics
 **Logging:**
  * **Dozzle**: Real-time log viewer
  * **Loki**: Log aggregation
  * **Promtail**: Log shipping
  * **Structured Logging**: JSON format
 **Alerting:**
  * **Uptime Kuma**: Service availability
  * **Grafana**: Threshold-based alerts
  * **Email/SMS**: Notification channels
 ===== Backup Architecture =====
 **Backup Strategy:**
  * **Backrest**: Primary backup solution (Restic)
  * **Duplicati**: Alternative encrypted backups
  * **Automated**: Scheduled backups
  * **Encrypted**: AES-256 encryption
 **Backup Types:**
  * **Configuration**: `/opt/stacks/` directories
  * **User Data**: Service volumes and mounts
  * **SSL Certificates**: `/opt/stacks/core/traefik/acme.json`
  * **Databases**: Volume snapshots
 **Recovery:**
  * **Point-in-time**: Versioned backups
  * **Bare metal**: Complete system recovery
  * **Service-level**: Individual service restoration
 ===== High Availability =====
 **Redundancy:**
  * **Load Balancing**: Traefik distributes traffic
  * **Health Checks**: Automatic service monitoring
  * **Failover**: Automatic service restart
  * **Backups**: Multiple backup locations
 **Scalability:**
  * **Horizontal**: Multiple service instances
  * **Vertical**: Resource scaling
  * **Storage**: Distributed storage options
  * **Network**: High-bandwidth connections
 ===== Development Architecture =====
 **AI Integration:**
  * **GitHub Copilot**: Intelligent assistance
  * **Copilot Instructions**: Context-aware guidance
  * **Automated Configuration**: AI-generated compose files
  * **Documentation**: AI-maintained wiki
 **Version Control:**
  * **Git**: Source code management
  * **Branches**: Feature development
  * **Tags**: Release versioning
  * **CI/CD**: Automated testing and deployment
 ===== Performance Optimization =====
 **Caching:**
  * **Browser Caching**: Static asset optimization
  * **Database Caching**: Query result caching
  * **CDN**: Content delivery networks
  * **Reverse Proxy**: Traefik caching
 **Optimization Techniques:**
  * **Compression**: Gzip/Brotli compression
  * **Minification**: Asset optimization
  * **Lazy Loading**: On-demand resource loading
  * **Connection Pooling**: Database optimization
 ===== Compliance & Governance =====
 **Security Standards:**
  * **SSL/TLS**: Industry standard encryption
  * **Access Control**: Least privilege principle
  * **Audit Logging**: Comprehensive activity logs
  * **Regular Updates**: Security patch management
 **Data Protection:**
  * **Encryption**: Data at rest and in transit
  * **Backup Encryption**: Secure offsite storage
  * **Privacy**: Minimal data collection
  * **Retention**: Configurable data lifecycle
 This architecture provides a solid foundation for a production-ready homelab that can scale with your needs while maintaining security and reliability.
 **Next:** Learn about [[architecture:networking|Network Architecture]] or explore [[services:start|Available Services]].
--- a/config-templates/dokuwiki/data/pages/architecture/security.txt
+++ b/config-templates/dokuwiki/data/pages/architecture/security.txt
@@ -1,299 +0,0 @@
 ====== Security Architecture ======
 The AI-Homelab implements a comprehensive security model based on defense in depth, zero trust principles, and industry best practices.
 ===== Security Principles =====
 **Defense in Depth:**
  * **Multiple Layers**: Network, application, and data security
  * **Fail-Safe Defaults**: Secure by default, explicit opt-out
  * **Least Privilege**: Minimal required permissions
  * **Continuous Monitoring**: Real-time threat detection
 **Zero Trust:**
  * **Never Trust**: Verify every access request
  * **Assume Breach**: Design for compromised systems
  * **Micro-Segmentation**: Isolate services and data
  * **Continuous Verification**: Ongoing authentication
 **Compliance:**
  * **Data Protection**: Encryption at rest and in transit
  * **Access Control**: Role-based and attribute-based access
  * **Audit Logging**: Comprehensive activity tracking
  * **Regular Updates**: Security patch management
 ===== Authentication & Authorization =====
 **Authelia SSO System:**
 **Architecture:**
  * **Protocol**: OpenID Connect, SAML 2.0
  * **Storage**: File-based user database
  * **Session Management**: Secure JWT tokens
  * **Multi-Factor**: TOTP, WebAuthn, Push notifications
 **User Management:**
 ```yaml
 users:
  admin:
    displayname: Administrator
    password: $argon2id$...
    email: admin@yourdomain.duckdns.org
    groups:
      - admins
      - dev
 ```
 **Access Policies:**
 ```yaml
 access_control:
  default_policy: deny
  rules:
    # Admin services require 2FA
    - domain: "*.yourdomain.duckdns.org"
      policy: two_factor
      subject:
        - "group:admins"
    # Media services bypass SSO
    - domain: "jellyfin.yourdomain.duckdns.org"
      policy: bypass
    # API access with tokens
    - domain: "*.yourdomain.duckdns.org"
      policy: one_factor
      resources:
        - "^/api/.*"
 ```
 **Session Security:**
  * **Expiration**: 8 hour sessions
  * **Inactivity Timeout**: 10 minute timeout
  * **Secure Cookies**: HttpOnly, Secure, SameSite
  * **CSRF Protection**: Token-based validation
 ===== SSL/TLS Encryption =====
 **Certificate Management:**
  * **Authority**: Let's Encrypt (trusted CA)
  * **Type**: Wildcard ECDSA certificate
  * **Domains**: *.yourdomain.duckdns.org
  * **Renewal**: Automatic (30 days before expiry)
 **SSL Configuration:**
 ```yaml
 tls:
  certificates:
    - certFile: /ssl/cert.pem
      keyFile: /ssl/private.key
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      sniStrict: true
 ```
 **Security Headers:**
 ```yaml
 headers:
  # Prevent clickjacking
  customResponseHeaders:
    X-Frame-Options: "SAMEORIGIN"
    X-Content-Type-Options: "nosniff"
    Referrer-Policy: "strict-origin-when-cross-origin"
    Permissions-Policy: "geolocation=(), microphone=(), camera=()"
  # HSTS (HTTP Strict Transport Security)
  stsSeconds: 31536000
  stsIncludeSubdomains: true
  stsPreload: true
 ```
 ===== Network Security =====
 **Firewall Configuration:**
  * **UFW**: Uncomplicated Firewall
  * **Default Policy**: Deny all incoming
  * **Allowed Ports**: 22 (SSH), 80 (HTTP), 443 (HTTPS)
  * **Docker Isolation**: Container network segmentation
 **Network Segmentation:**
  * **traefik-network**: Web-facing services
  * **homelab-network**: Internal services
  * **media-network**: Media services
  * **isolated-networks**: High-security services
 **VPN Protection:**
  * **Gluetun**: VPN client container
  * **Provider**: Surfshark (configurable)
  * **Protocol**: WireGuard (preferred)
  * **Kill Switch**: Prevents IP leaks
 ===== Container Security =====
 **Docker Security Best Practices:**
  * **Non-root Users**: PUID/PGID environment variables
  * **No Privileged Containers**: Minimal capabilities
  * **Read-only Filesystems**: Where possible
  * **Resource Limits**: CPU and memory constraints
 **Security Scanning:**
 ```yaml
 # Trivy vulnerability scanning
 docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  aquasec/trivy image your-image:latest
 # Container security audit
 docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  docker/docker-bench-security
 ```
 **Image Security:**
  * **Official Images**: LinuxServer.io preferred
  * **Version Pinning**: Specific version tags
  * **SBOM**: Software Bill of Materials
  * **Signature Verification**: Image signing
 ===== Data Protection =====
 **Encryption at Rest:**
  * **SSL Certificates**: Encrypted storage
  * **User Data**: Service-specific encryption
  * **Backups**: AES-256 encryption
  * **Secrets**: Environment variable protection
 **Encryption in Transit:**
  * **HTTPS**: End-to-end encryption
  * **API Communication**: TLS 1.2+
  * **Database Connections**: SSL/TLS
  * **VPN Tunneling**: WireGuard/OpenVPN
 **Data Classification:**
  * **Public**: No encryption required
  * **Internal**: TLS encryption
  * **Sensitive**: Additional encryption layers
  * **Critical**: Multi-layer encryption
 ===== Access Control =====
 **Role-Based Access Control (RBAC):**
 ```yaml
 # Authelia groups
 groups:
  admins:
    - admin
  users:
    - user1
    - user2
  media:
    - family
 ```
 **Service-Level Permissions:**
  * **Nextcloud**: User and group permissions
  * **Gitea**: Repository access control
  * **Grafana**: Dashboard permissions
  * **API Keys**: Scoped access tokens
 **Network Access Control:**
  * **IP Whitelisting**: Restrict by IP address
  * **Geo-blocking**: Country-based restrictions
  * **Rate Limiting**: Prevent brute force attacks
  * **Fail2Ban**: SSH protection
 ===== Monitoring & Auditing =====
 **Security Monitoring:**
  * **Authentication Logs**: Authelia events
  * **Access Logs**: Traefik requests
  * **System Logs**: Docker and system events
  * **Intrusion Detection**: Pattern matching
 **Audit Logging:**
 ```yaml
 # Loki log aggregation
 scrape_configs:
  - job_name: 'authelia'
    static_configs:
      - targets: ['authelia:9091']
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: localhost:3100
 ```
 **Alerting:**
  * **Failed Logins**: Brute force detection
  * **Certificate Expiry**: SSL renewal warnings
  * **Service Downtime**: Availability monitoring
  * **Security Events**: Suspicious activity
 ===== Threat Mitigation =====
 **Common Threats:**
  * **Brute Force**: Rate limiting, 2FA
  * **SQL Injection**: Parameterized queries
  * **XSS**: Content Security Policy
  * **CSRF**: Token validation
 **Incident Response:**
  1. **Detection**: Monitoring alerts
  2. **Assessment**: Determine impact
  3. **Containment**: Isolate affected systems
  4. **Recovery**: Restore from backups
  5. **Lessons Learned**: Update policies
 **Backup Security:**
  * **Encryption**: AES-256-GCM
  * **Integrity**: SHA-256 checksums
  * **Retention**: Configurable policies
  * **Testing**: Regular restoration tests
 ===== Compliance & Governance =====
 **Security Standards:**
  * **OWASP**: Web application security
  * **NIST**: Cybersecurity framework
  * **ISO 27001**: Information security
  * **GDPR**: Data protection
 **Regular Assessments:**
  * **Vulnerability Scanning**: Weekly
  * **Penetration Testing**: Monthly
  * **Security Audits**: Quarterly
  * **Compliance Reviews**: Annual
 **Documentation:**
  * **Security Policies**: Access and usage rules
  * **Incident Response**: Procedures and contacts
  * **Change Management**: Update procedures
  * **Training**: Security awareness
 ===== Advanced Security =====
 **Zero Trust Network Access (ZTNA):**
  * **Identity-Based**: User and device verification
  * **Context-Aware**: Risk-based access
  * **Micro-Segmentation**: Service isolation
  * **Continuous Monitoring**: Real-time assessment
 **Secrets Management:**
  * **Environment Variables**: Runtime secrets
  * **Docker Secrets**: Swarm mode secrets
  * **External Vaults**: HashiCorp Vault integration
  * **Key Rotation**: Automatic secret renewal
 **Intrusion Detection:**
  * **Network IDS**: Traffic analysis
  * **Host IDS**: System monitoring
  * **Log Analysis**: Pattern detection
  * **SIEM Integration**: Centralized logging
 This security architecture provides comprehensive protection for your homelab while maintaining usability and performance.
 **Next:** Learn about [[architecture:storage|Storage Strategy]] or [[architecture:backup|Backup Strategy]].
--- a/config-templates/dokuwiki/data/pages/architecture/storage.txt
+++ b/config-templates/dokuwiki/data/pages/architecture/storage.txt
@@ -1,291 +0,0 @@
 ====== Storage Architecture ======
 The AI-Homelab implements a comprehensive storage strategy designed for performance, reliability, and scalability.
 ===== Storage Principles =====
 **Data Classification:**
  * **Configuration**: Application settings and metadata
  * **User Data**: Files, documents, media
  * **System Data**: Logs, caches, temporary files
  * **Backup Data**: Archived copies and snapshots
 **Storage Tiers:**
  * **Hot**: Frequently accessed data (SSD)
  * **Warm**: Regularly accessed data (HDD)
  * **Cold**: Archive data (external storage)
  * **Offline**: Long-term retention (tape/offsite)
 **Performance Optimization:**
  * **Caching**: In-memory data acceleration
  * **Compression**: Storage space optimization
  * **Deduplication**: Eliminate redundant data
  * **Tiering**: Automatic data placement
 ===== Directory Structure =====
 **System Storage (/opt/stacks/):**
 ```
 /opt/stacks/
 ├── core/                    # Core infrastructure
 │   ├── traefik/            # Reverse proxy config
 │   ├── authelia/           # SSO configuration
 │   ├── duckdns/            # DNS updater
 │   └── gluetun/            # VPN client
 ├── infrastructure/         # Management tools
 ├── media/                  # Media services
 ├── productivity/           # Office applications
 ├── monitoring/             # Observability stack
 └── utilities/              # Helper services
 ```
 **Data Storage (/mnt/):**
 ```
 /mnt/
 ├── media/                  # Movies, TV, music
 │   ├── movies/
 │   ├── tv/
 │   └── music/
 ├── downloads/              # Torrent downloads
 │   ├── complete/
 │   └── incomplete/
 ├── backups/                # Backup archives
 ├── nextcloud/              # Cloud storage
 ├── git/                    # Git repositories
 └── surveillance/           # Camera footage
 ```
 ===== Docker Storage =====
 **Volume Types:**
 **Named Volumes (Managed):**
 ```yaml
 volumes:
  database-data:
    driver: local
 ```
  * **Pros**: Docker managed, portable, backup-friendly
  * **Cons**: Less direct access, filesystem overhead
  * **Use**: Databases, application data
 **Bind Mounts (Direct):**
 ```yaml
 volumes:
  - ./config:/config
  - /mnt/media:/media
 ```
  * **Pros**: Direct filesystem access, performance
  * **Cons**: Host-dependent, permission management
  * **Use**: Configuration, large media files
 **tmpfs (Memory):**
 ```yaml
 tmpfs:
  - /tmp/cache
 ```
  * **Pros**: High performance, automatic cleanup
  * **Cons**: Volatile, memory usage
  * **Use**: Caches, temporary files
 **Storage Drivers:**
  * **overlay2**: Modern union filesystem
  * **btrfs**: Advanced features (snapshots, compression)
  * **zfs**: Enterprise-grade (snapshots, deduplication)
 ===== Service Storage Patterns =====
 **Configuration Storage:**
 ```yaml
 services:
  service-name:
    volumes:
      - ./config/service-name:/config
      - service-data:/data
 ```
  * **Config**: Bind mount in stack directory
  * **Data**: Named volume for persistence
  * **Permissions**: PUID/PGID for access control
 **Media Storage:**
 ```yaml
 services:
  jellyfin:
    volumes:
      - ./config/jellyfin:/config
      - jellyfin-cache:/cache
      - /mnt/media:/media:ro
      - /mnt/transcode:/transcode
 ```
  * **Media**: Read-only external mount
  * **Transcode**: Temporary processing space
  * **Cache**: Named volume for performance
 **Database Storage:**
 ```yaml
 services:
  postgres:
    volumes:
      - postgres-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=homelab
      - POSTGRES_USER=homelab
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
 ```
  * **Data**: Named volume for persistence
  * **Backups**: Volume snapshots
  * **Performance**: Proper indexing
 ===== Backup Storage =====
 **Backrest (Primary):**
 ```yaml
 services:
  backrest:
    volumes:
      - ./config/backrest:/config
      - /mnt/backups:/backups
      - /opt/stacks:/opt/stacks:ro
      - /mnt:/mnt:ro
 ```
  * **Repository**: Local and remote storage
  * **Encryption**: AES-256-GCM
  * **Deduplication**: Space-efficient
  * **Snapshots**: Point-in-time recovery
 **Duplicati (Alternative):**
 ```yaml
 services:
  duplicati:
    volumes:
      - duplicati-config:/config
      - duplicati-source:/source:ro
      - duplicati-backup:/backup
 ```
  * **Frontend**: Web-based interface
  * **Destinations**: Multiple cloud providers
  * **Encryption**: Built-in encryption
  * **Scheduling**: Automated backups
 ===== Performance Optimization =====
 **Filesystem Choice:**
  * **ext4**: General purpose, reliable
  * **btrfs**: Snapshots, compression, RAID
  * **ZFS**: Advanced features, data integrity
  * **XFS**: High performance, large files
 **RAID Configuration:**
  * **RAID 1**: Mirroring (2 drives)
  * **RAID 5**: Striping with parity (3+ drives)
  * **RAID 10**: Mirroring + striping (4+ drives)
  * **RAID Z**: ZFS software RAID
 **Caching Strategies:**
  * **Page Cache**: OS-level caching
  * **Application Cache**: Service-specific caching
  * **CDN**: Content delivery networks
  * **Reverse Proxy**: Traefik caching
 ===== Monitoring & Maintenance =====
 **Storage Monitoring:**
 ```bash
 # Disk usage
 df -h
 # Docker storage
 docker system df
 # Volume usage
 docker volume ls
 docker volume inspect volume-name
 ```
 **Maintenance Tasks:**
  * **Cleanup**: Remove unused volumes and images
  * **Defragmentation**: Filesystem optimization
  * **SMART Monitoring**: Drive health checks
  * **Backup Verification**: Integrity testing
 **Health Checks:**
  * **Filesystem**: fsck, scrub operations
  * **RAID**: Array status monitoring
  * **SMART**: Drive error monitoring
  * **Backup**: Restoration testing
 ===== Capacity Planning =====
 **Storage Requirements:**
 | Service | Typical Size | Growth Rate |
 |---------|-------------|-------------|
 | Nextcloud | 100GB+ | High (user files) |
 | Jellyfin | 500GB+ | High (media library) |
 | Gitea | 10GB+ | Medium (repositories) |
 | Grafana | 5GB+ | Low (metrics) |
 | Backups | 2x data size | Variable |
 **Scaling Strategies:**
  * **Vertical**: Larger drives, more RAM
  * **Horizontal**: Multiple storage servers
  * **Cloud**: Hybrid cloud storage
  * **Archival**: Long-term retention solutions
 ===== Security Considerations =====
 **Encryption:**
  * **At Rest**: Filesystem encryption (LUKS)
  * **In Transit**: TLS encryption
  * **Backups**: Encrypted archives
  * **Keys**: Secure key management
 **Access Control:**
  * **Permissions**: Proper file permissions
  * **SELinux/AppArmor**: Mandatory access control
  * **Network**: Isolated storage networks
  * **Auditing**: Access logging
 **Data Protection:**
  * **RAID**: Redundancy protection
  * **Snapshots**: Point-in-time copies
  * **Backups**: Offsite copies
  * **Testing**: Regular recovery tests
 ===== Disaster Recovery =====
 **Recovery Strategies:**
  * **File-level**: Individual file restoration
  * **Volume-level**: Docker volume recovery
  * **System-level**: Complete system restore
  * **Bare-metal**: Full server recovery
 **Business Continuity:**
  * **RTO**: Recovery Time Objective
  * **RPO**: Recovery Point Objective
  * **Testing**: Regular DR exercises
  * **Documentation**: Recovery procedures
 **High Availability:**
  * **Replication**: Data mirroring
  * **Clustering**: Distributed storage
  * **Load Balancing**: Access distribution
  * **Failover**: Automatic switching
 ===== Migration Strategies =====
 **Storage Migration:**
  * **Live Migration**: Zero-downtime moves
  * **Offline Migration**: Scheduled maintenance
  * **Incremental**: Phased data movement
  * **Verification**: Data integrity checks
 **Technology Upgrades:**
  * **Filesystem**: ext4 to btrfs/ZFS
  * **RAID**: Hardware to software RAID
  * **Storage**: Local to network storage
  * **Cloud**: Hybrid cloud solutions
 This storage architecture provides reliable, performant, and scalable data management for your homelab.
 **Next:** Learn about [[architecture:backup|Backup Strategy]] or explore [[services:start|Service Management]].
--- a/config-templates/dokuwiki/data/pages/backup_recovery/start.txt
+++ b/config-templates/dokuwiki/data/pages/backup_recovery/start.txt
@@ -1,3 +0,0 @@
 ====== Backup & Recovery ======
 Coming soon...
--- a/config-templates/dokuwiki/data/pages/development/start.txt
+++ b/config-templates/dokuwiki/data/pages/development/start.txt
@@ -1,3 +0,0 @@
 ====== Development ======
 Coming soon...
--- a/config-templates/dokuwiki/data/pages/getting_started/access.txt
+++ b/config-templates/dokuwiki/data/pages/getting_started/access.txt
@@ -1,251 +0,0 @@
 ====== Access Services ======
 After deployment, access your homelab services through secure HTTPS URLs.
 ===== Service URLs =====
 All services are accessible at `https://service-name.yourdomain.duckdns.org`
 | Category | Service | URL | Authentication | Purpose |
 |----------|---------|-----|----------------|---------|
 | **Management** | Dockge | `https://dockge.yourdomain.duckdns.org` | Authelia SSO | Stack management |
 | **Management** | Homepage | `https://home.yourdomain.duckdns.org` | Authelia SSO | Service dashboard |
 | **Security** | Authelia | `https://auth.yourdomain.duckdns.org` | Direct login | SSO authentication |
 | **Infrastructure** | Traefik | `https://traefik.yourdomain.duckdns.org` | Authelia SSO | Reverse proxy dashboard |
 | **Infrastructure** | Pi-hole | `http://pihole.yourdomain.duckdns.org` | Authelia SSO | DNS & ad blocking |
 | **Infrastructure** | Dozzle | `https://dozzle.yourdomain.duckdns.org` | Authelia SSO | Log viewer |
 | **Infrastructure** | Glances | `https://glances.yourdomain.duckdns.org` | Authelia SSO | System monitoring |
 | **Media** | Jellyfin | `https://jellyfin.yourdomain.duckdns.org` | None (app access) | Media server |
 | **Media** | Plex | `https://plex.yourdomain.duckdns.org` | None (app access) | Media server |
 | **Media** | qBittorrent | `https://qbit.yourdomain.duckdns.org` | Authelia SSO | Torrent client |
 | **Media Mgmt** | Sonarr | `https://sonarr.yourdomain.duckdns.org` | Authelia SSO | TV automation |
 | **Media Mgmt** | Radarr | `https://radarr.yourdomain.duckdns.org` | Authelia SSO | Movie automation |
 | **Productivity** | Nextcloud | `https://nextcloud.yourdomain.duckdns.org` | Authelia SSO | File sync |
 | **Productivity** | Gitea | `https://git.yourdomain.duckdns.org` | Authelia SSO | Git service |
 | **Productivity** | BookStack | `https://docs.yourdomain.duckdns.org` | Authelia SSO | Documentation |
 | **Monitoring** | Grafana | `https://grafana.yourdomain.duckdns.org` | Authelia SSO | Dashboards |
 | **Monitoring** | Prometheus | `https://prometheus.yourdomain.duckdns.org` | Authelia SSO | Metrics |
 | **Monitoring** | Uptime Kuma | `https://status.yourdomain.duckdns.org` | Authelia SSO | Status monitoring |
 | **Home Auto** | Home Assistant | `https://ha.yourdomain.duckdns.org` | None (built-in auth) | Home automation |
 | **Utilities** | Backrest | `https://backrest.yourdomain.duckdns.org` | Authelia SSO | Backup management |
 | **Development** | Code Server | `https://code.yourdomain.duckdns.org` | Authelia SSO | VS Code in browser |
 ===== Authentication =====
 ==== Authelia SSO (Single Sign-On) ====
 **Protected Services:**
  * Most admin interfaces require Authelia login
  * One login grants access to all protected services
  * Supports 2FA (Two-Factor Authentication)
 **Login Process:**
  1. Visit any protected service URL
  2. Redirected to Authelia login page
  3. Enter username and password
  4. (Optional) Enter 2FA code
  5. Redirected back to original service
 **Default Credentials:**
  * Username: `admin` (or custom from setup)
  * Password: Secure password from setup
 ==== Service-Specific Authentication ====
 **No SSO (Direct Access):**
  * **Jellyfin/Plex**: Use service's built-in user management
  * **Home Assistant**: Built-in authentication system
  * **Nextcloud**: Can use Authelia or built-in auth
 **VPN-Protected Services:**
  * **qBittorrent**: Routes through Gluetun VPN
  * Access via web UI after Authelia login
 ===== Security Features =====
 ==== SSL/TLS Encryption ====
 **Wildcard Certificate:**
  * Covers all `*.yourdomain.duckdns.org` subdomains
  * Issued by Let's Encrypt (free)
  * Automatic renewal every 90 days
  * A+ SSL rating
 **Certificate Details:**
  * **Issuer**: Let's Encrypt Authority X3
  * **Algorithm**: ECDSA P-256
  * **Validity**: 90 days
  * **Renewal**: Automatic via Traefik
 ==== Firewall Protection ====
 **UFW Configuration:**
  * Only ports 80, 443, and 22 (SSH) open
  * All other ports blocked
  * Docker containers isolated
 **Network Security:**
  * Services behind reverse proxy
  * No direct container exposure
  * VPN routing for downloads
 ==== Access Control ====
 **Authelia Policies:**
  * **One Factor**: Username + password
  * **Two Factor**: Username + password + TOTP
  * **Bypass**: No authentication required
 **Default Policies:**
  * Admin services: Two-factor recommended
  * Media services: Bypass (app compatibility)
  * Public services: Bypass when appropriate
 ===== First-Time Access =====
 ==== Configure Authelia ====
 1. **Access Authelia:**
   * URL: `https://auth.yourdomain.duckdns.org`
   * Login with admin credentials
 2. **Enable 2FA:**
   * Go to **Settings** → **One-Time Password**
   * Scan QR code with authenticator app
   * Enter verification code
 3. **Configure Access Rules:**
   * Edit `/opt/stacks/core/authelia/configuration.yml`
   * Modify access policies as needed
 ==== Set Up Homepage Dashboard ====
 1. **Access Homepage:**
   * URL: `https://home.yourdomain.duckdns.org`
 2. **Initial Configuration:**
   * Click settings icon (gear)
   * Add deployed services
   * Configure widgets
 3. **API Integration:**
   * Add API keys for enhanced widgets
   * Configure service integrations
 ==== Test Service Access ====
 **Verification Checklist:**
  * [ ] Authelia login works
  * [ ] Homepage loads correctly
  * [ ] Dockge accessible
  * [ ] SSL certificates valid
  * [ ] No mixed content warnings
 ===== Troubleshooting Access =====
 ==== SSL Certificate Issues ====
 **"Not Secure" warnings:**
  * Wait 2-5 minutes after deployment
  * Check DNS propagation: `nslookup yourdomain.duckdns.org`
  * Verify ports 80/443 forwarded
  * Check Traefik logs: `docker logs traefik`
 **Certificate errors:**
 ```bash
 # Check certificate status
 echo | openssl s_client -connect yourdomain.duckdns.org:443 -servername dockge.yourdomain.duckdns.org 2>/dev/null | openssl x509 -noout -subject -dates
 ```
 ==== Authentication Problems ====
 **Can't log in to Authelia:**
  * Verify username/password
  * Check 2FA setup
  * Clear browser cache
  * Check Authelia logs: `docker logs authelia`
 **Redirect loops:**
  * Check Traefik configuration
  * Verify middleware labels
  * Restart Traefik: `docker restart traefik`
 ==== Service Not Accessible ====
 **404 errors:**
  * Service not deployed
  * Traefik route not configured
  * Wrong subdomain
 **Connection refused:**
  * Service not running
  * Port mapping issues
  * Network connectivity problems
 ==== DNS Issues ====
 **Domain not resolving:**
  * Check DuckDNS configuration
  * Verify token in `.env`
  * Wait for DNS propagation
 **Local network access:**
  * Use internal IP for local access
  * Configure local DNS overrides
 ===== Advanced Access =====
 ==== External Service Proxying ====
 **Proxy non-Docker services:**
  * Raspberry Pi Home Assistant
  * NAS devices
  * Other network services
 **Configuration:**
  * Add routes to `/opt/stacks/core/traefik/dynamic/external.yml`
  * Include Authelia middleware
  * Test connectivity
 ==== VPN Access ====
 **Remote Access:**
  * Configure VPN server (OpenVPN/WireGuard)
  * Route traffic through VPN
  * Access local services remotely
 ==== API Access ====
 **Service APIs:**
  * Most services expose REST APIs
  * Use API keys for authentication
  * Configure in Homepage widgets
 ===== Mobile Access =====
 **Mobile Apps:**
  * **Jellyfin/Plex**: Dedicated mobile apps
  * **Nextcloud**: Mobile sync client
  * **Home Assistant**: Mobile companion app
  * **Bitwarden**: Password manager
 **Browser Access:**
  * All services work in mobile browsers
  * Responsive design for most interfaces
  * Authelia SSO works on mobile
 ===== Performance Optimization =====
 **Loading Speed:**
  * Enable HTTP/2 in Traefik
  * Use CDN for static assets
  * Optimize service configurations
 **Resource Usage:**
  * Monitor with Glances
  * Set appropriate resource limits
  * Use lazy loading for unused services
 Ready to access your services? Start with the [[getting_started:security|Security Setup]] guide.
 **Need help?** Check [[troubleshooting:networking|Network Troubleshooting]] or visit [[https://github.com/kelinfoxy/AI-Homelab/discussions|GitHub Discussions]].
--- a/config-templates/dokuwiki/data/pages/getting_started/deployment.txt
+++ b/config-templates/dokuwiki/data/pages/getting_started/deployment.txt
@@ -1,284 +0,0 @@
 ====== Deployment ======
 After setup, deploy your homelab services using Dockge or manual commands.
 ===== Using Dockge (Recommended) =====
 **Access Dockge:**
  * URL: `https://dockge.yourdomain.duckdns.org`
  * Username: `admin` (or your custom username)
  * Password: Your secure password from setup
 **Deploy Services:**
  1. Click **"Add Stack"** button
  2. Choose **"From Docker Compose"**
  3. Select a compose file from the repository
  4. Click **"Deploy"**
  5. Monitor deployment in the **"Logs"** tab
 **Available Stacks:**
  * `media.yml` - Media services (Jellyfin, qBittorrent)
  * `media-management.yml` - Download automation (Sonarr, Radarr)
  * `productivity.yml` - Office tools (Nextcloud, Gitea)
  * `monitoring.yml` - Observability (Grafana, Prometheus)
  * `homeassistant.yml` - Home automation
  * `utilities.yml` - Backup and utilities
 ===== Manual Deployment =====
 **Deploy Individual Stacks:**
 ```bash
 # Navigate to repository
 cd ~/AI-Homelab
 # Deploy media services
 docker compose -f docker-compose/media.yml up -d
 # Deploy productivity stack
 docker compose -f docker-compose/productivity.yml up -d
 # Deploy monitoring
 docker compose -f docker-compose/monitoring.yml up -d
 ```
 **Check Deployment Status:**
 ```bash
 # View all running containers
 docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
 # Check specific stack
 docker compose -f docker-compose/media.yml ps
 # View logs
 docker compose -f docker-compose/media.yml logs -f
 ```
 ===== Service Access =====
 After deployment, services are available at:
 | Category | Service | URL | Notes |
 |----------|---------|-----|-------|
 | **Media** | Jellyfin | `https://jellyfin.yourdomain.duckdns.org` | No SSO (app access) |
 | **Media** | qBittorrent | `https://qbit.yourdomain.duckdns.org` | VPN protected |
 | **Productivity** | Nextcloud | `https://nextcloud.yourdomain.duckdns.org` | File sync |
 | **Productivity** | Gitea | `https://git.yourdomain.duckdns.org` | Git service |
 | **Monitoring** | Grafana | `https://grafana.yourdomain.duckdns.org` | Dashboards |
 | **Development** | Code Server | `https://code.yourdomain.duckdns.org` | VS Code in browser |
 ===== Post-Deployment Configuration =====
 ==== Configure Homepage Dashboard ====
 1. Visit `https://home.yourdomain.duckdns.org`
 2. Click settings (gear icon)
 3. Add services to dashboard
 4. Configure widgets with API keys
 **Example Widgets:**
  * System monitoring (CPU, RAM, disk)
  * Service status checks
  * Weather information
  * Calendar integration
 ==== Set Up Backups ====
 1. Deploy Backrest service
 2. Configure backup schedules
 3. Set up encryption
 4. Test backup restoration
 ==== Configure Monitoring ====
 1. Deploy Grafana and Prometheus
 2. Import dashboards
 3. Set up alerts
 4. Configure data sources
 ===== Deployment Order =====
 **Recommended Deployment Sequence:**
 1. **Core** (deployed automatically)
   - DuckDNS, Traefik, Authelia, Gluetun
 2. **Infrastructure** (deployed automatically)
   - Dockge, Pi-hole, Dozzle, Glances
 3. **Dashboards** (deployed automatically)
   - Homepage, Homarr
 4. **Media Services**
   - Jellyfin or Plex
   - qBittorrent (VPN routing)
   - Sonarr, Radarr, Prowlarr
 5. **Productivity**
   - Nextcloud, Gitea, BookStack
 6. **Monitoring**
   - Grafana, Prometheus, Uptime Kuma
 7. **Home Automation**
   - Home Assistant, Node-RED
 ===== Resource Management =====
 **Monitor Resource Usage:**
 ```bash
 # Check container resources
 docker stats
 # View system resources
 docker run --rm -v /proc:/host/proc:ro --net=host codenvy/glances
 # Check disk space
 df -h /opt/stacks/
 ```
 **Resource Limits Applied:**
  * CPU limits prevent resource exhaustion
  * Memory limits protect system stability
  * Automatic cleanup of unused resources
 ===== Troubleshooting Deployment =====
 ==== Service Won't Start ====
 **Check Logs:**
 ```bash
 # View service logs
 docker compose -f docker-compose/stack.yml logs service-name
 # Follow logs in real-time
 docker compose -f docker-compose/stack.yml logs -f service-name
 ```
 **Common Issues:**
  * Port conflicts
  * Missing environment variables
  * Network connectivity problems
  * Insufficient resources
 ==== SSL Certificate Issues ====
 **Check Certificate Status:**
 ```bash
 # View Traefik logs
 docker logs traefik | grep certificate
 # Check certificate file
 ls -la /opt/stacks/core/traefik/acme.json
 ```
 **Certificate Problems:**
  * DNS propagation delay (wait 5-10 minutes)
  * DuckDNS token incorrect
  * Ports 80/443 not forwarded
  * Rate limiting (Let's Encrypt limits)
 ==== Network Issues ====
 **Verify Networks:**
 ```bash
 # List Docker networks
 docker network ls
 # Inspect traefik-network
 docker network inspect traefik-network
 ```
 **Network Troubleshooting:**
  * Services not on correct network
  * Firewall blocking traffic
  * DNS resolution problems
 ==== Permission Issues ====
 **Check File Permissions:**
 ```bash
 # Check stack directory permissions
 ls -la /opt/stacks/stack-name/
 # Check Docker socket permissions
 ls -la /var/run/docker.sock
 ```
 **Fix Permissions:**
 ```bash
 # Set correct ownership
 sudo chown -R $USER:$USER /opt/stacks/stack-name/
 # Add user to docker group
 sudo usermod -aG docker $USER
 ```
 ===== Scaling and Customization =====
 ==== Add Custom Services ====
 1. Create new compose file
 2. Add Traefik labels for routing
 3. Include Authelia middleware
 4. Deploy via Dockge
 ==== Modify Existing Services ====
 1. Edit compose file
 2. Update environment variables
 3. Redeploy service
 4. Test functionality
 ==== Remove Services ====
 ```bash
 # Stop and remove service
 docker compose -f docker-compose/stack.yml down
 # Remove with volumes
 docker compose -f docker-compose/stack.yml down -v
 # Clean up unused resources
 docker system prune
 ```
 ===== Performance Optimization =====
 **Hardware Acceleration:**
  * Enable NVIDIA GPU for transcoding
  * Use SSD storage for databases
  * Configure appropriate CPU/memory limits
 **Network Optimization:**
  * Use wired connections when possible
  * Configure QoS for media streaming
  * Optimize DNS resolution
 **Service Optimization:**
  * Enable lazy loading for unused services
  * Configure appropriate resource limits
  * Use efficient Docker images
 ===== Backup and Recovery =====
 **Regular Backups:**
  * Configuration files in `/opt/stacks/`
  * SSL certificates in `/opt/stacks/core/traefik/`
  * User data in service volumes
 **Recovery Process:**
  * Restore configuration files
  * Redeploy services
  * Restore user data from backups
 **Disaster Recovery:**
  * Keep backup scripts ready
  * Document recovery procedures
  * Test restoration regularly
 Ready to deploy? Use Dockge to start deploying services!
 **Need help?** See [[troubleshooting:services|Service Troubleshooting]] or check [[reference:commands|Command Reference]].
--- a/config-templates/dokuwiki/data/pages/getting_started/prerequisites.txt
+++ b/config-templates/dokuwiki/data/pages/getting_started/prerequisites.txt
@@ -1,201 +0,0 @@
 ====== Prerequisites ======
 Before deploying your AI-Homelab, ensure your system meets these requirements.
 ===== System Requirements =====
 **Minimum Hardware:**
  * **CPU**: 2-core processor (4+ cores recommended)
  * **RAM**: 4GB minimum (8GB+ recommended)
  * **Storage**: 50GB free space (SSD preferred)
  * **Network**: Stable internet connection
 **Recommended Hardware:**
  * **CPU**: 4+ core processor with virtualization support
  * **RAM**: 16GB+ for full stack deployment
  * **Storage**: 500GB+ SSD for media and backups
  * **GPU**: NVIDIA GPU (optional, for hardware transcoding)
 ===== Operating System =====
 **Supported Systems:**
  * **Ubuntu 20.04+** (recommended)
  * **Debian 11+**
  * **Ubuntu Server**
  * **Raspberry Pi OS** (64-bit, for lightweight deployments)
 **Fresh Installation Recommended:**
  * Start with a clean OS install
  * Avoid pre-installed Docker versions
  * Use LTS (Long Term Support) releases
 ===== Network Requirements =====
 **Domain & DNS:**
  * **DuckDNS account**: [[https://duckdns.org|Create free account]]
  * **Domain**: Choose your subdomain (e.g., `yourname.duckdns.org`)
  * **Token**: Get your DuckDNS token from account settings
 **Port Forwarding:**
  * **Port 80**: Required for Let's Encrypt HTTP challenge
  * **Port 443**: Required for HTTPS traffic
  * **Router**: Configure port forwarding to your server
 **Network Access:**
  * **Outbound**: Full internet access for updates and services
  * **Inbound**: Ports 80/443 forwarded from router
  * **Local**: Access to router admin panel (for port forwarding)
 ===== Software Prerequisites =====
 **Required Software:**
  * **Git**: Version control system
  * **curl/wget**: Download utilities
  * **SSH server**: Remote access (usually pre-installed)
 **Optional but Recommended:**
  * **VS Code**: With GitHub Copilot extension
  * **Docker Desktop**: For local testing (Windows/Mac)
  * **NVIDIA drivers**: If using GPU acceleration
 ===== Account Setup =====
 **Required Accounts:**
  * **DuckDNS**: Free dynamic DNS service
    * Visit [[https://duckdns.org]]
    * Create account and subdomain
    * Copy your token for configuration
 **Optional Accounts (for specific services):**
  * **Surfshark VPN**: For secure downloads
  * **GitHub**: For repository access and Copilot
  * **Cloud storage**: For offsite backups
 ===== Security Considerations =====
 **Firewall Setup:**
  * UFW (Uncomplicated Firewall) will be configured automatically
  * Only necessary ports will be opened
  * SSH access restricted to key-based authentication
 **SSL Certificates:**
  * Let's Encrypt provides free certificates
  * Wildcard certificate covers all subdomains
  * Automatic renewal every 90 days
 **Access Control:**
  * Authelia provides SSO (Single Sign-On)
  * 2FA (Two-Factor Authentication) recommended
  * Granular access control per service
 ===== Pre-Installation Checklist =====
 **Hardware Check:**
  * [ ] Server meets minimum requirements
  * [ ] Sufficient storage space available
  * [ ] Stable power supply
  * [ ] Backup power (UPS) recommended
 **Network Check:**
  * [ ] Internet connection stable
  * [ ] Router supports port forwarding
  * [ ] Ports 80/443 available and forwarded
  * [ ] Local IP address known and static
 **Account Setup:**
  * [ ] DuckDNS account created
  * [ ] Domain chosen and configured
  * [ ] DuckDNS token obtained
  * [ ] Optional: VPN credentials prepared
 **Software Preparation:**
  * [ ] SSH access to server established
  * [ ] VS Code installed (optional)
  * [ ] GitHub Copilot configured (optional)
 ===== Environment Variables =====
 Create a `.env` file with these variables:
 ```
 # Domain Configuration
 DOMAIN=yourdomain.duckdns.org
 DUCKDNS_TOKEN=your-duckdns-token
 # Optional: VPN Configuration
 SURFSHARK_USERNAME=your-vpn-username
 SURFSHARK_PASSWORD=your-vpn-password
 # Authelia (auto-generated by setup script)
 AUTHELIA_JWT_SECRET=64-char-random-string
 AUTHELIA_SESSION_SECRET=64-char-random-string
 AUTHELIA_STORAGE_ENCRYPTION_KEY=64-char-random-string
 # User Configuration
 PUID=1000
 PGID=1000
 TZ=America/New_York
 ```
 **Note:** Authelia secrets are auto-generated by the setup script. Leave them with default values initially.
 ===== Testing Your Setup =====
 **Network Connectivity:**
 ```bash
 # Test internet connection
 ping -c 4 8.8.8.8
 # Test DNS resolution
 nslookup duckdns.org
 # Test port forwarding (from external network)
 curl -I http://your-external-ip
 ```
 **System Resources:**
 ```bash
 # Check available space
 df -h /
 # Check memory
 free -h
 # Check CPU cores
 nproc
 ```
 **SSH Access:**
 ```bash
 # Test SSH connection
 ssh user@your-server-ip
 # Test sudo access
 sudo whoami
 ```
 ===== Troubleshooting Prerequisites =====
 **"Permission denied" errors:**
  * Ensure you have sudo access
  * Check if user is in sudo group
  * Try running commands with `sudo`
 **Network connectivity issues:**
  * Verify internet connection
  * Check firewall settings
  * Test DNS resolution
 **Port forwarding problems:**
  * Access router admin panel
  * Verify ports 80/443 are forwarded
  * Check if ISP blocks these ports
 **DuckDNS issues:**
  * Verify token is correct
  * Check domain is available
  * Test DNS updates manually
 Ready to proceed? Continue to [[getting_started:setup|Automated Setup]].
 **Need Help?** Check the [[troubleshooting:start|Troubleshooting Guide]] or visit [[https://github.com/kelinfoxy/AI-Homelab/discussions|GitHub Discussions]].
--- a/config-templates/dokuwiki/data/pages/getting_started/security.txt
+++ b/config-templates/dokuwiki/data/pages/getting_started/security.txt
@@ -1,245 +0,0 @@
 ====== Security Setup ======
 Secure your homelab with proper authentication, encryption, and access controls.
 ===== Two-Factor Authentication =====
 **Enable 2FA for Authelia:**
 1. **Access Authelia:**
   * URL: `https://auth.yourdomain.duckdns.org`
   * Login with admin credentials
 2. **Configure TOTP:**
   * Go to **Settings** → **One-Time Password**
   * Install authenticator app (Google Authenticator, Authy, etc.)
   * Scan QR code or enter secret manually
   * Enter verification code to enable
 3. **Backup Codes:**
   * Generate backup codes for recovery
   * Store securely (encrypted password manager)
   * Use only for emergency access
 **2FA Best Practices:**
  * Use hardware security keys when possible
  * Enable biometric authentication on mobile
  * Regularly rotate backup codes
  * Test recovery process
 ===== Access Control Policies =====
 **Authelia Configuration:**
  * Location: `/opt/stacks/core/authelia/configuration.yml`
 **Default Policies:**
 ```yaml
 access_control:
  default_policy: deny
  rules:
    # Admin services - require 2FA
    - domain: "*.yourdomain.duckdns.org"
      policy: two_factor
    # Media services - bypass SSO (app compatibility)
    - domain: jellyfin.yourdomain.duckdns.org
      policy: bypass
    - domain: plex.yourdomain.duckdns.org
      policy: bypass
    # Home Assistant - bypass (built-in auth)
    - domain: ha.yourdomain.duckdns.org
      policy: bypass
 ```
 **Policy Types:**
  * **deny**: Block all access
  * **one_factor**: Username + password only
  * **two_factor**: Username + password + 2FA
  * **bypass**: No authentication required
 ===== SSL/TLS Security =====
 **Certificate Management:**
  * **Issuer**: Let's Encrypt (trusted CA)
  * **Type**: Wildcard certificate (*.yourdomain.duckdns.org)
  * **Algorithm**: ECDSA P-256 with SHA-256
  * **Validity**: 90 days with automatic renewal
 **Security Headers:**
  * **HSTS**: HTTP Strict Transport Security
  * **CSP**: Content Security Policy
  * **X-Frame-Options**: Clickjacking protection
  * **X-Content-Type-Options**: MIME sniffing prevention
 **Traefik Security:**
 ```yaml
 # In traefik.yml
 http:
  middlewares:
    security-headers:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        customResponseHeaders:
          X-Frame-Options: "SAMEORIGIN"
          X-Content-Type-Options: "nosniff"
          Referrer-Policy: "strict-origin-when-cross-origin"
          Permissions-Policy: "geolocation=(), microphone=(), camera=()"
 ```
 ===== Firewall Configuration =====
 **UFW Rules (automatically configured):**
 ```bash
 # Allow SSH
 sudo ufw allow ssh
 # Allow HTTP/HTTPS
 sudo ufw allow 80
 sudo ufw allow 443
 # Enable firewall
 sudo ufw enable
 ```
 **Docker Security:**
  * Containers run as non-root users
  * No privileged containers
  * Minimal exposed ports
  * Network isolation
 ===== Password Security =====
 **Strong Password Requirements:**
  * Minimum 12 characters
  * Mix of uppercase, lowercase, numbers, symbols
  * No dictionary words or common patterns
  * Unique per service
 **Password Manager Integration:**
  * Use Bitwarden/Vaultwarden for password storage
  * Enable auto-fill for services
  * Regular password rotation
  * Emergency access setup
 ===== VPN and Network Security =====
 **Download Protection:**
  * qBittorrent routes through Gluetun VPN
  * All torrent traffic encrypted
  * No IP leaks during downloads
 **Network Segmentation:**
  * Services isolated in Docker networks
  * Database access restricted
  * External services proxied through Traefik
 ===== Backup Security =====
 **Encrypted Backups:**
  * Use Backrest with encryption
  * Store encryption keys securely
  * Offsite backup storage
  * Regular integrity checks
 **Backup Verification:**
 ```bash
 # Test backup restoration
 restic restore latest --target /tmp/restore-test
 restic check
 ```
 ===== Service-Specific Security =====
 **Nextcloud Security:**
  * Enable brute force protection
  * Configure trusted domains
  * Set up file encryption
  * Regular security scans
 **Gitea Security:**
  * Disable public registration
  * Enable SSH key authentication
  * Configure access tokens
  * Regular repository backups
 **Database Security:**
  * Strong database passwords
  * Network isolation
  * Regular updates
  * Query logging
 ===== Monitoring and Alerts =====
 **Security Monitoring:**
  * Enable fail2ban for SSH protection
  * Monitor authentication attempts
  * Set up intrusion detection
  * Log analysis with Loki/Promtail
 **Alert Configuration:**
  * Failed login notifications
  * Certificate expiration warnings
  * Service downtime alerts
  * Security vulnerability notifications
 ===== Incident Response =====
 **Security Breach Response:**
  1. **Isolate**: Disconnect affected systems
  2. **Assess**: Determine scope of breach
  3. **Contain**: Change all passwords
  4. **Recover**: Restore from clean backups
  5. **Learn**: Update security policies
 **Emergency Access:**
  * Keep backup authentication methods
  * Document recovery procedures
  * Test incident response plans
  * Regular security audits
 ===== Advanced Security =====
 **Certificate Pinning:**
  * Pin Let's Encrypt intermediate certificates
  * Monitor certificate transparency logs
  * Automated certificate validation
 **Zero Trust Architecture:**
  * Every access request verified
  * Minimal privilege access
  * Continuous authentication
  * Network micro-segmentation
 **Compliance Considerations:**
  * Data encryption at rest and in transit
  * Access logging and monitoring
  * Regular security assessments
  * Privacy-preserving configurations
 ===== Security Checklist =====
 **Initial Setup:**
  * [ ] 2FA enabled for all admin accounts
  * [ ] Strong, unique passwords everywhere
  * [ ] SSL certificates properly configured
  * [ ] Firewall rules verified
  * [ ] VPN configured for downloads
 **Ongoing Security:**
  * [ ] Regular password rotation
  * [ ] Security updates applied
  * [ ] Backup encryption verified
  * [ ] Access logs reviewed
  * [ ] Security scans performed
 **Emergency Preparedness:**
  * [ ] Backup authentication methods available
  * [ ] Incident response plan documented
  * [ ] Recovery procedures tested
  * [ ] Contact information current
 Your homelab is now secure! Continue to [[architecture:security|Security Architecture]] for detailed technical information.
 **Need help?** Check [[troubleshooting:ssl|SSL Troubleshooting]] or visit [[https://github.com/kelinfoxy/AI-Homelab/discussions|GitHub Discussions]].
--- a/config-templates/dokuwiki/data/pages/getting_started/setup.txt
+++ b/config-templates/dokuwiki/data/pages/getting_started/setup.txt
@@ -1,234 +0,0 @@
 ====== Automated Setup ======
 The AI-Homelab uses two automated scripts for deployment. This is the recommended approach for most users.
 ===== Quick Setup Commands =====
 ```bash
 # 1. Clone the repository
 git clone https://github.com/kelinfoxy/AI-Homelab.git
 cd AI-Homelab
 # 2. Configure environment
 cp .env.example .env
 nano .env  # Edit with your domain and tokens
 # 3. Run setup script
 sudo ./scripts/setup-homelab.sh
 # 4. Run deployment script
 sudo ./scripts/deploy-homelab.sh
 ```
 That's it! Your homelab will be ready in 10-15 minutes.
 ===== Detailed Setup Process =====
 ==== Step 1: Clone Repository ====
 ```bash
 # Clone to your home directory
 cd ~
 git clone https://github.com/kelinfoxy/AI-Homelab.git
 cd AI-Homelab
 ```
 **What this provides:**
  * Complete homelab configuration
  * Docker compose files for all services
  * Automated deployment scripts
  * Configuration templates
  * Documentation and guides
 ==== Step 2: Configure Environment ====
 ```bash
 # Copy example configuration
 cp .env.example .env
 # Edit with your settings
 nano .env
 ```
 **Required variables:**
 ```
 DOMAIN=yourdomain.duckdns.org
 DUCKDNS_TOKEN=your-duckdns-token
 ACME_EMAIL=your-email@example.com
 ```
 **Optional variables:**
 ```
 SURFSHARK_USERNAME=your-vpn-username
 SURFSHARK_PASSWORD=your-vpn-password
 TZ=America/New_York
 PUID=1000
 PGID=1000
 ```
 ==== Step 3: Run Setup Script ====
 ```bash
 # Execute with sudo privileges
 sudo ./scripts/setup-homelab.sh
 ```
 **What the setup script does:**
 **System Preparation:**
  * Updates system packages
  * Installs required dependencies (git, curl, etc.)
  * Installs Docker Engine + Compose V2
  * Configures user permissions
  * Sets up UFW firewall
  * Enables SSH server
 **Authelia Configuration:**
  * Generates cryptographic secrets (JWT, session, encryption keys)
  * Prompts for admin username (default: admin)
  * Prompts for secure password with confirmation
  * Generates argon2id password hash
  * Creates user database
 **Infrastructure Setup:**
  * Creates `/opt/stacks/` directory structure
  * Sets up Docker networks (traefik-network, homelab-network, etc.)
  * Detects NVIDIA GPU and offers driver installation
 **Security Features:**
  * Idempotent (safe to re-run)
  * Comprehensive error handling
  * Timeout protection for operations
  * Clear troubleshooting messages
 ==== Step 4: Run Deployment Script ====
 ```bash
 # Deploy all services
 sudo ./scripts/deploy-homelab.sh
 ```
 **What the deployment script does:**
 **Prerequisites Check:**
  * Validates environment configuration
  * Verifies Docker installation
  * Checks network connectivity
 **Core Stack Deployment:**
  * Deploys DuckDNS, Traefik, Authelia, Gluetun
  * Obtains wildcard SSL certificate (*.yourdomain.duckdns.org)
  * Configures reverse proxy routing
 **Infrastructure Deployment:**
  * Deploys Dockge, Pi-hole, monitoring tools
  * Sets up dashboards (Homepage, Homarr)
  * Configures service discovery
 **Health Checks:**
  * Waits for services to become healthy
  * Validates SSL certificate generation
  * Opens Dockge in browser
 ===== Post-Setup Configuration =====
 ==== Access Your Services ====
 After deployment, access services at:
 | Service | URL | Status |
 |---------|-----|--------|
 | **Dockge** | `https://dockge.yourdomain.duckdns.org` | ✅ Primary management |
 | **Homepage** | `https://home.yourdomain.duckdns.org` | ✅ Service dashboard |
 | **Authelia** | `https://auth.yourdomain.duckdns.org` | ✅ SSO login |
 | **Traefik** | `https://traefik.yourdomain.duckdns.org` | ✅ Proxy dashboard |
 **Default Credentials:**
  * Username: `admin` (or your custom username)
  * Password: The secure password you created
 ==== Configure Two-Factor Authentication ====
 1. Visit `https://auth.yourdomain.duckdns.org`
 2. Log in with your admin credentials
 3. Go to Settings → One-Time Password
 4. Scan QR code with authenticator app
 5. Enter verification code to enable 2FA
 ==== Customize Homepage Dashboard ====
 1. Visit `https://home.yourdomain.duckdns.org`
 2. Click the settings icon (gear)
 3. Configure services and widgets
 4. Add API keys for enhanced widgets
 ===== Troubleshooting Setup =====
 ==== Common Issues ====
 **"Permission denied" when running scripts:**
 ```bash
 # Ensure you're using sudo
 sudo ./scripts/setup-homelab.sh
 # Check if scripts are executable
 ls -la scripts/
 chmod +x scripts/*.sh
 ```
 **Docker installation fails:**
 ```bash
 # Remove conflicting packages
 sudo apt remove docker docker-engine docker.io containerd runc
 # Re-run setup script
 sudo ./scripts/setup-homelab.sh
 ```
 **SSL certificate generation fails:**
  * Check DuckDNS token is correct in `.env`
  * Verify ports 80/443 are forwarded
  * Wait 2-5 minutes for DNS propagation
  * Check Traefik logs: `docker logs traefik`
 **Services not accessible:**
  * Verify domain resolves: `nslookup yourdomain.duckdns.org`
  * Check firewall: `sudo ufw status`
  * View service logs: `docker compose -f /opt/stacks/core/docker-compose.yml logs`
 ==== NVIDIA GPU Setup ====
 If you have an NVIDIA GPU and want hardware acceleration:
 ```bash
 # During setup script, answer 'y' when prompted
 # Or install manually after setup:
 # Add NVIDIA package repository
 distribution=$(. /etc/os-release;echo $ID$VERSION_ID)
 curl -s -L https://nvidia.github.io/nvidia-docker/gpgkey | sudo apt-key add -
 curl -s -L https://nvidia.github.io/nvidia-docker/$distribution/nvidia-docker.list | sudo tee /etc/apt/sources.list.d/nvidia-docker.list
 # Install NVIDIA Docker
 sudo apt-get update && sudo apt-get install -y nvidia-docker2
 sudo systemctl restart docker
 # Test GPU access
 docker run --rm --gpus all nvidia/cuda:12.0.0-base-ubuntu22.04 nvidia-smi
 ```
 ==== Manual Setup Alternative ====
 If automated scripts fail, see [[getting_started:manual|Manual Setup Guide]] for step-by-step instructions.
 ===== Next Steps =====
 1. **Explore Services**: Use Dockge to deploy additional services
 2. **Configure Backups**: Set up Backrest for automated backups
 3. **Add Monitoring**: Deploy Grafana/Prometheus for observability
 4. **Customize**: Modify services to fit your needs
 5. **Contribute**: Help improve the project
 **Ready to deploy?** Run the setup script and enjoy your new homelab!
 **Need help?** Check [[troubleshooting:deployment|Deployment Troubleshooting]] or ask in [[https://github.com/kelinfoxy/AI-Homelab/discussions|GitHub Discussions]].
--- a/config-templates/dokuwiki/data/pages/getting_started/start.txt
+++ b/config-templates/dokuwiki/data/pages/getting_started/start.txt
@@ -1,126 +0,0 @@
 ====== Getting Started ======
 Welcome to your AI-powered homelab! This guide will walk you through setting up your production-ready infrastructure with Dockge, Traefik, Authelia, and 70+ services.
 ===== Quick Start Checklist =====
 **Prerequisites:**
  * [ ] Fresh Debian/Ubuntu server (or existing system)
  * [ ] Root/sudo access
  * [ ] Internet connection
  * [ ] VS Code with GitHub Copilot (recommended)
 **Setup Process:**
  * [ ] Clone repository: `git clone https://github.com/kelinfoxy/AI-Homelab.git`
  * [ ] Configure `.env` file with your domain and tokens
  * [ ] Run setup script: `sudo ./scripts/setup-homelab.sh`
  * [ ] Run deployment script: `sudo ./scripts/deploy-homelab.sh`
  * [ ] Access Dockge at `https://dockge.yourdomain.duckdns.org`
 **Post-Setup:**
  * [ ] Set up 2FA with Authelia
  * [ ] Configure Homepage dashboard
  * [ ] Deploy additional services as needed
  * [ ] Set up backups with Backrest
 ===== What You Get =====
 Your homelab includes:
 **Core Infrastructure (Deployed First):**
  * **DuckDNS**: Dynamic DNS with Let's Encrypt wildcard SSL certificates
  * **Traefik**: Reverse proxy with automatic HTTPS termination
  * **Authelia**: SSO authentication protecting all services
  * **Gluetun**: VPN client for secure downloads
  * **Sablier**: Lazy loading service for resource management
 **Management Tools:**
  * **Dockge**: Web-based Docker stack manager (PRIMARY interface)
  * **Pi-hole**: Network-wide ad blocking and DNS
  * **Dozzle**: Live Docker log viewer
  * **Glances**: System monitoring dashboard
 **Dashboards:**
  * **Homepage**: AI-configured service dashboard
  * **Homarr**: Modern alternative dashboard
 **70+ Available Services:**
  * Media: Plex, Jellyfin, Sonarr, Radarr, qBittorrent
  * Productivity: Nextcloud, Gitea, BookStack, WordPress
  * Home Automation: Home Assistant, Node-RED, Zigbee2MQTT
  * Monitoring: Grafana, Prometheus, Uptime Kuma
  * Development: VS Code Server, GitLab, Jupyter
  * And many more...
 ===== Architecture Overview =====
 ```
 Internet → DuckDNS → Traefik → Authelia → Services
                    ↓
              Wildcard SSL (*.yourdomain.duckdns.org)
 ```
 **Key Features:**
  * **File-based configuration**: AI-manageable YAML files
  * **Automatic HTTPS**: Let's Encrypt wildcard certificates
  * **SSO protection**: Authelia secures admin interfaces
  * **VPN routing**: Downloads protected through Gluetun
  * **Resource management**: Automatic container limits
  * **Lazy loading**: Services start on-demand
 ===== Access Your Services =====
 After deployment, access services at:
 | Service | URL | Purpose |
 |---------|-----|---------|
 | **Dockge** | `https://dockge.yourdomain.duckdns.org` | Stack management |
 | **Homepage** | `https://home.yourdomain.duckdns.org` | Service dashboard |
 | **Authelia** | `https://auth.yourdomain.duckdns.org` | SSO login |
 | **Traefik** | `https://traefik.yourdomain.duckdns.org` | Reverse proxy dashboard |
 | **Pi-hole** | `http://pihole.yourdomain.duckdns.org` | DNS admin |
 | **Dozzle** | `https://dozzle.yourdomain.duckdns.org` | Log viewer |
 **Default Credentials:**
  * Username: `admin` (or custom username from setup)
  * Password: Secure password created during setup
 ===== Next Steps =====
 1. **Complete Security Setup**
   * Configure 2FA in Authelia
   * Review service access policies
   * Set up backup encryption
 2. **Deploy Core Services**
   * Use Dockge to deploy media services
   * Configure Homepage widgets
   * Set up monitoring dashboards
 3. **Customize Your Stack**
   * Add external service proxying
   * Configure backup schedules
   * Set up development environment
 4. **Learn Advanced Features**
   * Use AI Copilot for management
   * Explore service customization
   * Contribute to the project
 ===== Getting Help =====
 **Documentation:**
  * [[architecture:overview|Architecture Guide]]
  * [[services:start|Service Reference]]
  * [[troubleshooting:start|Troubleshooting]]
  * [[reference:start|Quick Reference]]
 **Community:**
  * [[https://github.com/kelinfoxy/AI-Homelab/issues|GitHub Issues]]
  * [[https://github.com/kelinfoxy/AI-Homelab/discussions|Discussions]]
 **AI Assistance:**
  * Use GitHub Copilot in VS Code
  * Reference the [[development:copilot|Copilot Instructions]]
 Ready to get started? Continue to [[getting_started:prerequisites|Prerequisites]] or jump straight to [[getting_started:setup|Automated Setup]].
--- a/config-templates/dokuwiki/data/pages/services/core/authelia.txt
+++ b/config-templates/dokuwiki/data/pages/services/core/authelia.txt
@@ -1,420 +0,0 @@
 ====== Authelia ======
 Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) capabilities to secure access to your homelab services.
 ===== Overview =====
 **Purpose:** SSO authentication server
 **URL:** `https://auth.yourdomain.duckdns.org`
 **Authentication:** Direct login (username/password + 2FA)
 **Deployment:** Automatic (core stack)
 **Storage:** File-based user database
 ===== Key Features =====
 **Authentication Methods:**
  * **Username/Password**: Secure credential verification
  * **TOTP (Time-based One-Time Password)**: RFC 6238 compliant
  * **WebAuthn**: Hardware security key support
  * **Push Notifications**: Mobile authentication
 **Authorization:**
  * **Domain-based policies**: Per-service access control
  * **Group membership**: Role-based permissions
  * **Bypass rules**: Direct access for media services
  * **Session management**: Secure token handling
 **Security:**
  * **Argon2id hashing**: Memory-hard password hashing
  * **JWT tokens**: Secure session management
  * **CSRF protection**: Cross-site request forgery prevention
  * **Brute force protection**: Rate limiting and account lockout
 **Integration:**
  * **Traefik middleware**: Reverse proxy authentication
  * **LDAP support**: External user directory integration
  * **SAML/OIDC**: Enterprise federation protocols
  * **API access**: RESTful authentication API
 ===== Configuration =====
 **Main Configuration (configuration.yml):**
 ```yaml
 ---
 # Authelia configuration
 host: 0.0.0.0
 port: 9091
 log:
  level: info
  format: json
 jwt_secret: ${AUTHELIA_JWT_SECRET}
 session:
  name: authelia_session
  secret: ${AUTHELIA_SESSION_SECRET}
  expiration: 3600  # 1 hour
  inactivity: 300   # 5 minutes
  domain: yourdomain.duckdns.org
 storage:
  encryption_key: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
  local:
    path: /config/db.sqlite3
 access_control:
  default_policy: deny
  rules:
    # Admin services require 2FA
    - domain: "*.yourdomain.duckdns.org"
      policy: two_factor
      subject:
        - "group:admins"
    # Media services bypass SSO
    - domain: "jellyfin.yourdomain.duckdns.org"
      policy: bypass
    - domain: "plex.yourdomain.duckdns.org"
      policy: bypass
 api:
  disable_bearer_token: false
 authentication_backend:
  file:
    path: /config/users_database.yml
 notifier:
  filesystem:
    filename: /config/notification.txt
 ```
 **User Database (users_database.yml):**
 ```yaml
 ---
 users:
  admin:
    displayname: Administrator
    password: $argon2id$...
    email: admin@yourdomain.duckdns.org
    groups:
      - admins
      - dev
 ```
 ===== Docker Compose =====
 ```yaml
 services:
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    networks:
      - traefik-network
    volumes:
      - ./authelia/configuration.yml:/config/configuration.yml:ro
      - ./authelia/users_database.yml:/config/users_database.yml
      - ./authelia/db.sqlite3:/config/db.sqlite3
      - ./authelia/notification.txt:/config/notification.txt
    environment:
      - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
      - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
      - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)"
      - "traefik.http.routers.authelia.entrypoints=websecure"
      - "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
      # No Authelia middleware for itself
      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
    depends_on:
      - authelia-redis  # If using Redis
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 256M
        reservations:
          cpus: '0.1'
          memory: 64M
 ```
 ===== User Management =====
 **Adding Users:**
 ```yaml
 users:
  newuser:
    displayname: "New User"
    password: "$argon2id$..."  # Generate with authelia crypto hash generate argon2
    email: newuser@example.com
    groups:
      - users
 ```
 **Password Hashing:**
 ```bash
 # Generate Argon2id hash
 docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'mypassword'
 ```
 **Group Management:**
 ```yaml
 # Define groups
 groups:
  admins:
    - admin
  users:
    - user1
    - user2
  media:
    - family
 ```
 ===== Access Control Policies =====
 **Policy Types:**
  * **deny**: Block all access
  * **one_factor**: Username + password only
  * **two_factor**: Username + password + 2FA
  * **bypass**: No authentication required
 **Rule Structure:**
 ```yaml
 rules:
  - domain: "*.yourdomain.duckdns.org"
    policy: two_factor
    subject:
      - "user:admin"
      - "group:admins"
    resources:
      - "^/api/.*"  # API endpoints
 ```
 **Advanced Rules:**
 ```yaml
 # Time-based access
 - domain: "*.yourdomain.duckdns.org"
    policy: two_factor
    subject: "group:admins"
    rules:
      - operator: present
        operand: http_request.header.Authorization
 # IP-based restrictions
 - domain: "admin.yourdomain.duckdns.org"
    policy: deny
    networks:
      - "192.168.1.0/24"  # Allow only local network
 ```
 ===== Two-Factor Authentication =====
 **TOTP Setup:**
  1. Access Authelia dashboard
  2. Go to **Settings** → **One-Time Password**
  3. Install authenticator app (Google Authenticator, Authy, etc.)
  4. Scan QR code or enter secret manually
  5. Enter verification code to enable
 **WebAuthn (Hardware Keys):**
  * **Supported**: YubiKey, Google Titan, etc.
  * **Protocol**: FIDO2/WebAuthn
  * **Benefits**: Phishing-resistant, no shared secrets
 **Backup Codes:**
  * Generate one-time use codes
  * Store securely (encrypted password manager)
  * Use only for emergency access
 ===== Integration with Traefik =====
 **ForwardAuth Middleware:**
 ```yaml
 # In Traefik dynamic configuration
 middlewares:
  authelia:
    forwardAuth:
      address: "http://authelia:9091/api/verify?rd=https://auth.yourdomain.duckdns.org/"
      trustForwardHeader: true
      authResponseHeaders:
        - "Remote-User"
        - "Remote-Groups"
        - "Remote-Name"
        - "Remote-Email"
 ```
 **Service Protection:**
 ```yaml
 # Add to service labels
 labels:
  - "traefik.http.routers.service.middlewares=authelia@docker"
 ```
 **Bypass Configuration:**
 ```yaml
 # In Authelia configuration.yml
 access_control:
  rules:
    - domain: "jellyfin.yourdomain.duckdns.org"
      policy: bypass
    - domain: "plex.yourdomain.duckdns.org"
      policy: bypass
 ```
 ===== Session Management =====
 **Session Configuration:**
 ```yaml
 session:
  name: authelia_session
  secret: ${AUTHELIA_SESSION_SECRET}
  expiration: 3600  # 1 hour
  inactivity: 300   # 5 minutes
  domain: yourdomain.duckdns.org
  same_site: lax
  secure: true
  http_only: true
 ```
 **Session Security:**
  * **Secure cookies**: HTTPS only
  * **HttpOnly**: JavaScript protection
  * **SameSite**: CSRF protection
  * **Expiration**: Automatic logout
 ===== Monitoring & Logging =====
 **Log Configuration:**
 ```yaml
 log:
  level: info  # debug, info, warn, error
  format: json  # json or text
  file: /config/authelia.log
 ```
 **Monitoring Integration:**
  * **Prometheus metrics**: `/metrics` endpoint
  * **Health checks**: `/api/health` endpoint
  * **Log aggregation**: Loki integration
  * **Alerting**: Failed authentication notifications
 **Audit Logging:**
  * **Authentication events**: Login/logout tracking
  * **Authorization decisions**: Access control logging
  * **Security events**: Failed attempts, lockouts
  * **Compliance**: Audit trail for security reviews
 ===== Security Best Practices =====
 **Password Policies:**
  * **Complexity**: Minimum 12 characters, mixed case, numbers, symbols
  * **Expiration**: Regular rotation (90-180 days)
  * **History**: Prevent password reuse
  * **Lockout**: Account lockout after failed attempts
 **Session Security:**
  * **Short sessions**: 1 hour maximum
  * **Inactivity timeout**: 5-15 minutes
  * **Secure cookies**: All security flags enabled
  * **Token rotation**: Regular token refresh
 **Network Security:**
  * **HTTPS only**: No HTTP access
  * **HSTS**: HTTP Strict Transport Security
  * **CSP**: Content Security Policy
  * **Rate limiting**: Brute force protection
 ===== Troubleshooting =====
 **Login Issues:**
 ```bash
 # Check Authelia logs
 docker logs authelia
 # Verify configuration
 docker exec authelia authelia validate-config /config/configuration.yml
 # Test authentication API
 curl -k https://auth.yourdomain.duckdns.org/api/state
 ```
 **2FA Problems:**
  * Check system time synchronization
  * Verify TOTP secret/code
  * Clear browser cache
  * Try different authenticator app
 **Middleware Issues:**
 ```bash
 # Check Traefik logs
 docker logs traefik | grep authelia
 # Test middleware
 curl -H "Host: service.yourdomain.duckdns.org" http://localhost/
 ```
 **Configuration Errors:**
  * Validate YAML syntax
  * Check file permissions
  * Verify environment variables
  * Test configuration with `authelia validate-config`
 ===== Advanced Features =====
 **LDAP Integration:**
 ```yaml
 authentication_backend:
  ldap:
    url: ldap://127.0.0.1
    base_dn: dc=example,dc=com
    username_attribute: uid
    additional_users_dn: ou=users
    users_filter: (&({username_attribute}={input})(objectClass=person))
    groups_filter: (&(member={dn})(objectClass=groupOfNames))
    group_name_attribute: cn
    mail_attribute: mail
    display_name_attribute: displayName
 ```
 **SAML/OIDC Identity Providers:**
 ```yaml
 identity_providers:
  oidc:
    # OIDC configuration
  saml:
    # SAML configuration
 ```
 **Custom Themes:**
 ```yaml
 theme: dark  # light, dark, grey, auto
 ```
 **API Integration:**
  * **REST API**: Programmatic authentication
  * **Webhooks**: Event notifications
  * **SCIM**: User provisioning
  * **GraphQL**: Advanced queries
 ===== Backup & Recovery =====
 **Configuration Backup:**
  * **Files**: `configuration.yml`, `users_database.yml`
  * **Database**: `db.sqlite3`
  * **Secrets**: Environment variables
 **Password Recovery:**
  * **Backup codes**: One-time use recovery
  * **Admin reset**: Administrative password reset
  * **Self-service**: Password reset via email
 **Disaster Recovery:**
  * **Configuration restore**: YAML file recovery
  * **Database recovery**: SQLite backup restoration
  * **Secret rotation**: Emergency credential management
 Authelia provides enterprise-grade authentication and authorization for your homelab, ensuring secure access to all your services.
 **Next:** Learn about [[services:core:duckdns|DuckDNS]] or [[services:core:gluetun|Gluetun]].
--- a/config-templates/dokuwiki/data/pages/services/core/duckdns.txt
+++ b/config-templates/dokuwiki/data/pages/services/core/duckdns.txt
@@ -1,289 +0,0 @@
 ====== DuckDNS ======
 DuckDNS is a free dynamic DNS service that automatically updates your domain's IP address. In the AI-Homelab, DuckDNS provides the domain name that Traefik uses for SSL certificates and service routing.
 ===== Overview =====
 **Purpose:** Dynamic DNS service
 **URL:** https://duckdns.org (external service)
 **Authentication:** Token-based
 **Deployment:** Automatic (core stack)
 **Update Interval:** Every 5 minutes
 ===== Key Features =====
 **Dynamic DNS:**
  * **Free service**: No cost for basic usage
  * **Multiple domains**: Support for multiple subdomains
  * **API integration**: RESTful API for updates
  * **IPv4/IPv6**: Support for both IP versions
 **SSL Integration:**
  * **Wildcard certificates**: *.yourdomain.duckdns.org
  * **Let's Encrypt**: Automatic certificate generation
  * **DNS challenge**: Domain ownership verification
  * **Certificate renewal**: Automatic 90-day renewal
 **Reliability:**
  * **High uptime**: 99.9%+ availability
  * **Global CDN**: Fast DNS resolution worldwide
  * **Redundant servers**: Multiple DNS servers
  * **Monitoring**: Service status monitoring
 ===== Configuration =====
 **DuckDNS Account Setup:**
  1. Visit https://duckdns.org
  2. Create free account
  3. Choose domain name (your subdomain)
  4. Get API token from account settings
 **Environment Variables:**
 ```bash
 # Required
 DOMAIN=yourdomain.duckdns.org
 DUCKDNS_TOKEN=your-api-token
 # Optional
 DUCKDNS_SUBDOMAINS=subdomain1,subdomain2
 ```
 **Container Configuration:**
 ```yaml
 services:
  duckdns:
    image: lscr.io/linuxserver/duckdns:latest
    container_name: duckdns
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=${TZ}
      - SUBDOMAINS=${DUCKDNS_SUBDOMAINS:-yourdomain}
      - TOKEN=${DUCKDNS_TOKEN}
    deploy:
      resources:
        limits:
          cpus: '0.1'
          memory: 64M
        reservations:
          cpus: '0.01'
          memory: 16M
 ```
 ===== How It Works =====
 **DNS Update Process:**
  1. **IP Detection**: Container detects current public IP
  2. **API Call**: Sends update request to DuckDNS API
  3. **DNS Update**: DuckDNS updates DNS records
  4. **Propagation**: DNS changes propagate globally
  5. **Verification**: Container verifies update success
 **Update Frequency:**
  * **Interval**: Every 5 minutes
  * **Trigger**: Container startup + periodic updates
  * **Condition**: IP address change detected
  * **Logging**: Update success/failure logging
 **API Integration:**
 ```bash
 # Manual update (for testing)
 curl "https://www.duckdns.org/update?domains=yourdomain&token=your-token&ip="
 # Check current IP
 curl "https://www.duckdns.org/update?domains=yourdomain&token=your-token&verbose=1"
 ```
 ===== SSL Certificate Integration =====
 **Traefik Configuration:**
 ```yaml
 certificatesResolvers:
  letsencrypt:
    acme:
      email: your-email@example.com
      storage: /acme.json
      dnsChallenge:
        provider: duckdns
        delayBeforeCheck: 30
 ```
 **Certificate Generation:**
  * **Challenge Type**: DNS-01
  * **Record**: `_acme-challenge.yourdomain.duckdns.org`
  * **Value**: Generated by Let's Encrypt
  * **TTL**: 60 seconds (temporary)
 **Wildcard Certificate:**
  * **Domain**: `*.yourdomain.duckdns.org`
  * **Coverage**: All subdomains automatically
  * **Type**: ECDSA P-256
  * **Validity**: 90 days
  * **Renewal**: Automatic (30 days before expiry)
 ===== Monitoring & Troubleshooting =====
 **Container Logs:**
 ```bash
 # View DuckDNS logs
 docker logs duckdns
 # Follow logs in real-time
 docker logs -f duckdns
 ```
 **DNS Verification:**
 ```bash
 # Check DNS resolution
 nslookup yourdomain.duckdns.org
 # Check TXT record (during certificate generation)
 dig TXT _acme-challenge.yourdomain.duckdns.org
 # Verify IP address
 curl -s https://api.ipify.org
 ```
 **Common Issues:**
 **DNS Not Updating:**
 ```bash
 # Check token validity
 curl "https://www.duckdns.org/update?domains=yourdomain&token=wrong-token"
 # Verify internet connectivity
 ping -c 4 8.8.8.8
 # Check container status
 docker ps | grep duckdns
 ```
 **SSL Certificate Issues:**
  * **Rate Limiting**: Let's Encrypt limits (20 certificates/week)
  * **DNS Propagation**: Wait 5-10 minutes after DNS update
  * **Token Issues**: Verify DuckDNS token is correct
  * **Port Forwarding**: Ensure 80/443 are forwarded
 **Troubleshooting Steps:**
  1. **Check logs**: `docker logs duckdns`
  2. **Verify token**: Test API manually
  3. **Check IP**: Confirm current public IP
  4. **Test DNS**: Verify domain resolution
  5. **Restart container**: `docker restart duckdns`
 ===== Advanced Configuration =====
 **Multiple Subdomains:**
 ```bash
 # Environment variable
 DUCKDNS_SUBDOMAINS=sub1,sub2,sub3
 # Or in compose
 environment:
  - SUBDOMAINS=sub1,sub2,sub3
 ```
 **IPv6 Support:**
 ```bash
 # Enable IPv6 updates
 environment:
  - IPV6=1
 ```
 **Custom Update Interval:**
 ```bash
 # Modify container command
 command: sh -c "while true; do /app/duckdns.sh; sleep 300; done"
 # 300 seconds = 5 minutes (default)
 ```
 ===== Security Considerations =====
 **Token Security:**
  * **Storage**: Environment variables (not in code)
  * **Access**: Limited to DuckDNS container only
  * **Rotation**: Regular token renewal
  * **Monitoring**: API usage monitoring
 **DNS Security:**
  * **DNSSEC**: Not supported by DuckDNS
  * **Rate Limiting**: API call restrictions
  * **Monitoring**: DNS query logging
  * **Backup**: Secondary DNS provider consideration
 ===== Performance & Reliability =====
 **Update Efficiency:**
  * **Conditional Updates**: Only when IP changes
  * **Fast API**: Quick response times
  * **Error Handling**: Retry logic for failures
  * **Logging**: Comprehensive update logging
 **Global Distribution:**
  * **Anycast**: Multiple global DNS servers
  * **CDN**: Fast resolution worldwide
  * **Caching**: DNS record caching
  * **Redundancy**: Multiple server locations
 ===== Alternative DNS Providers =====
 **If DuckDNS is insufficient:**
 **Cloudflare:**
  * **Free tier**: 100,000 DNS queries/month
  * **API**: Full DNS management
  * **DNSSEC**: Supported
  * **Analytics**: Query statistics
 **No-IP:**
  * **Free tier**: 30-day renewal requirement
  * **Multiple hosts**: Up to 3 free domains
  * **Client software**: Windows/Mac/Linux clients
  * **Groups**: Domain grouping
 **Dynu:**
  * **Free tier**: 1 domain, 30-day renewal
  * **API**: RESTful API
  * **IPv6**: Supported
  * **Analytics**: Basic statistics
 ===== Migration Guide =====
 **Switching DNS Providers:**
  1. **Register**: Create account with new provider
  2. **Configure**: Set up domain and get API token
  3. **Update**: Modify environment variables
  4. **Test**: Verify DNS resolution
  5. **SSL**: Update Traefik certificate resolver
  6. **Cleanup**: Remove old DuckDNS container
 **Certificate Migration:**
  * **Backup**: Save acme.json file
  * **Update**: Change DNS provider in Traefik
  * **Renew**: Force certificate renewal
  * **Verify**: Test SSL certificate validity
 ===== Best Practices =====
 **Domain Management:**
  * **Choose wisely**: Select available, memorable domain
  * **Documentation**: Record domain and token securely
  * **Backup**: Include DNS settings in backup
  * **Monitoring**: Monitor domain expiration
 **SSL Management:**
  * **Wildcard**: Use for all subdomains
  * **Backup**: Regular acme.json backups
  * **Monitoring**: Certificate expiry alerts
  * **Testing**: Regular SSL validation
 **Reliability:**
  * **Redundancy**: Consider secondary DNS
  * **Monitoring**: DNS and SSL health checks
  * **Updates**: Keep container updated
  * **Logging**: Monitor update success
 DuckDNS provides the foundation for your homelab's domain name and SSL certificates, ensuring secure and reliable access to all your services.
 **Next:** Learn about [[services:core:gluetun|Gluetun]] or explore [[architecture:networking|Network Architecture]].
--- a/config-templates/dokuwiki/data/pages/services/core/gluetun.txt
+++ b/config-templates/dokuwiki/data/pages/services/core/gluetun.txt
@@ -1,404 +0,0 @@
 ====== Gluetun ======
 Gluetun is a VPN client container that routes download services through VPN providers like Surfshark, NordVPN, or Mullvad. It provides network-level VPN protection for torrent clients and other download services.
 ===== Overview =====
 **Purpose:** VPN client for download services
 **Supported VPNs:** Surfshark, NordVPN, Mullvad, ExpressVPN, ProtonVPN, and 20+ others
 **Network Mode:** Service-based routing
 **Deployment:** Core stack (always running)
 **Resource Usage:** Low (minimal CPU/memory)
 ===== Key Features =====
 **VPN Providers:**
  * **Surfshark**: Primary recommended provider
  * **WireGuard/OpenVPN**: Multiple protocol support
  * **Port Forwarding**: Automatic port forwarding
  * **Kill Switch**: Network isolation when VPN fails
 **Network Routing:**
  * **Service Mode**: `network_mode: "service:gluetun"`
  * **Port Mapping**: VPN ports mapped to host
  * **DNS**: VPN provider DNS servers
  * **Firewall**: Built-in firewall rules
 **Security Features:**
  * **IP Leak Protection**: Prevents IP exposure
  * **DNS Leak Protection**: VPN DNS enforcement
  * **Kill Switch**: Automatic connection blocking
  * **Protocol Selection**: WireGuard/OpenVPN choice
 ===== Configuration =====
 **Environment Variables:**
 ```bash
 # VPN Provider (Surfshark recommended)
 VPN_SERVICE_PROVIDER=surfshark
 VPN_TYPE=wireguard
 # Credentials
 VPN_USERNAME=your-username
 VPN_PASSWORD=your-password
 # Optional: Specific server/country
 SERVER_COUNTRIES=Netherlands
 SERVER_CITIES=Amsterdam
 # Optional: WireGuard specific
 WIREGUARD_PRIVATE_KEY=your-private-key
 WIREGUARD_ADDRESSES=10.0.0.0/8
 ```
 **Container Configuration:**
 ```yaml
 services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=${VPN_SERVICE_PROVIDER}
      - VPN_TYPE=${VPN_TYPE}
      - VPN_USERNAME=${VPN_USERNAME}
      - VPN_PASSWORD=${VPN_PASSWORD}
      - SERVER_COUNTRIES=${SERVER_COUNTRIES:-Netherlands}
    volumes:
      - ./gluetun/config:/config
    ports:
      - 8080:8080    # qBittorrent WebUI
      - 6881:6881    # qBittorrent TCP
      - 6881:6881/udp # qBittorrent UDP
    networks:
      - traefik-network
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 256M
        reservations:
          cpus: '0.1'
          memory: 64M
 ```
 ===== How VPN Routing Works =====
 **Service-Based Routing:**
 ```yaml
 # Download service configuration
 services:
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    network_mode: "service:gluetun"  # Routes through VPN
    depends_on:
      - gluetun
    volumes:
      - ./qbittorrent/config:/config
      - /mnt/downloads:/downloads
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=${TZ}
    # No ports exposed - accessed via Gluetun
 ```
 **Network Flow:**
  1. **Gluetun Container**: Establishes VPN connection
  2. **Service Mode**: Download service shares Gluetun's network stack
  3. **VPN Routing**: All traffic from download service goes through VPN
  4. **Port Mapping**: VPN ports mapped to Gluetun container ports
  5. **Access**: Services access download client via Gluetun's IP/port
 ===== VPN Provider Setup =====
 **Surfshark (Recommended):**
  1. **Sign up**: https://surfshark.com
  2. **Get credentials**: Username/password from account
  3. **WireGuard**: Generate private key (optional, faster)
  4. **Configure**: Use in environment variables
 **WireGuard Setup (Optional but Recommended):**
 ```bash
 # Generate private key
 wg genkey
 # Or use Surfshark app to get key
 # Account -> Manual Setup -> WireGuard
 ```
 **Other Providers:**
 ```yaml
 # NordVPN
 VPN_SERVICE_PROVIDER=nordvpn
 VPN_TYPE=openvpn
 # Mullvad
 VPN_SERVICE_PROVIDER=mullvad
 VPN_TYPE=wireguard
 # ExpressVPN
 VPN_SERVICE_PROVIDER=expressvpn
 VPN_TYPE=openvpn
 ```
 ===== Port Management =====
 **Port Forwarding:**
 ```yaml
 # Gluetun ports (map download service ports)
 ports:
  - 8080:8080      # WebUI
  - 6881:6881      # TCP torrent port
  - 6881:6881/udp  # UDP torrent port
  - 51413:51413    # Alternative torrent port
  - 51413:51413/udp
 ```
 **Dynamic Port Forwarding:**
  * **Automatic**: Some providers support automatic port forwarding
  * **Manual**: Configure specific ports in VPN provider
  * **Testing**: Verify port forwarding with online tools
 **Port Forwarding Check:**
 ```bash
 # Check if port is open
 curl -s "https://portchecker.co/check" --data "port=6881"
 # Or use online port checker
 # Visit: https://www.yougetsignal.com/tools/open-ports/
 ```
 ===== Monitoring & Troubleshooting =====
 **Container Logs:**
 ```bash
 # View Gluetun logs
 docker logs gluetun
 # Follow logs in real-time
 docker logs -f gluetun
 ```
 **VPN Status Check:**
 ```bash
 # Check VPN connection
 docker exec gluetun sh -c "curl -s ifconfig.me"
 # Verify VPN IP (should be different from your real IP)
 docker exec gluetun sh -c "curl -s https://api.ipify.org"
 ```
 **Kill Switch Testing:**
 ```bash
 # Test kill switch (disconnect VPN)
 docker exec gluetun sh -c "iptables -P OUTPUT DROP"
 # Restore (reconnect VPN)
 docker restart gluetun
 ```
 **Common Issues:**
 **VPN Connection Failed:**
 ```bash
 # Check credentials
 docker logs gluetun | grep -i "auth\|login\|password"
 # Verify server selection
 docker logs gluetun | grep -i "server\|country"
 # Test VPN provider status
 # Visit provider status page
 ```
 **DNS Leaks:**
 ```bash
 # Check DNS servers
 docker exec gluetun sh -c "cat /etc/resolv.conf"
 # Test DNS leak
 # Visit: https://www.dnsleaktest.com
 ```
 **Port Forwarding Issues:**
  * **Provider Support**: Not all VPNs support port forwarding
  * **Server Selection**: Choose servers that support port forwarding
  * **Configuration**: Enable port forwarding in VPN account
  * **Testing**: Use port checking tools
 **Troubleshooting Steps:**
  1. **Check logs**: `docker logs gluetun`
  2. **Verify credentials**: Test with VPN provider app
  3. **Test connection**: Manual VPN connection
  4. **Check ports**: Verify port forwarding
  5. **Restart**: `docker restart gluetun`
 ===== Security Considerations =====
 **Kill Switch Protection:**
  * **Automatic**: Blocks all traffic if VPN disconnects
  * **Testing**: Regularly test kill switch functionality
  * **Monitoring**: Monitor VPN connection status
  * **Alerts**: Set up notifications for VPN failures
 **IP Leak Prevention:**
  * **WebRTC**: Disable WebRTC in browsers
  * **IPv6**: Disable IPv6 if not needed
  * **DNS**: Use VPN DNS servers only
  * **Testing**: Regular leak testing
 **Credential Security:**
  * **Storage**: Environment variables (not in code)
  * **Access**: Limited to Gluetun container
  * **Rotation**: Regular password changes
  * **2FA**: Enable 2FA on VPN account
 ===== Performance Optimization =====
 **Protocol Selection:**
  * **WireGuard**: Faster, more secure (recommended)
  * **OpenVPN**: More compatible, slightly slower
  * **IKEv2**: Mobile-optimized
 **Server Selection:**
  * **Location**: Choose closest servers
  * **Load**: Select less crowded servers
  * **Features**: Port forwarding capable servers
  * **Testing**: Test different server locations
 **Resource Limits:**
 ```yaml
 deploy:
  resources:
    limits:
      cpus: '0.5'    # Low CPU usage
      memory: 256M   # Minimal memory
    reservations:
      cpus: '0.1'
      memory: 64M
 ```
 ===== Advanced Configuration =====
 **Custom VPN Configuration:**
 ```yaml
 # Custom OpenVPN config
 volumes:
  - ./gluetun/config:/config
  - ./custom-config:/custom
 environment:
  - VPN_TYPE=openvpn
  - OPENVPN_CUSTOM_CONFIG=/custom/my-config.ovpn
 ```
 **Multiple VPN Services:**
 ```yaml
 # Separate Gluetun instances for different services
 services:
  gluetun-us:
    # US-based VPN
    environment:
      - SERVER_COUNTRIES=United States
  gluetun-nl:
    # Netherlands-based VPN
    environment:
      - SERVER_COUNTRIES=Netherlands
 ```
 **Health Checks:**
 ```yaml
 healthcheck:
  test: ["CMD", "curl", "-f", "https://api.ipify.org"]
  interval: 30s
  timeout: 10s
  retries: 3
 ```
 ===== Integration with Download Services =====
 **qBittorrent Configuration:**
 ```yaml
 # In qbittorrent config
 # Network settings
 Connection Limits:
  Global max number of upload slots: 20
  Max number of upload slots per torrent: 5
 # BitTorrent settings
 Enable DHT: Yes
 Enable PeX: Yes
 Enable LSD: Yes
 # WebUI settings
 IP Address: 0.0.0.0
 Port: 8080
 ```
 **Transmission Configuration:**
 ```yaml
 # transmission-daemon settings.json
 {
  "rpc-port": 9091,
  "rpc-username": "admin",
  "rpc-password": "password",
  "rpc-whitelist-enabled": false,
  "download-dir": "/downloads",
  "incomplete-dir": "/downloads/incomplete"
 }
 ```
 ===== Backup & Recovery =====
 **Configuration Backup:**
 ```bash
 # Backup Gluetun config
 docker run --rm \
  -v gluetun-config:/config \
  -v $(pwd)/backup:/backup \
  busybox tar czf /backup/gluetun-config.tar.gz /config
 ```
 **VPN Credential Rotation:**
  1. **Generate new credentials** in VPN provider
  2. **Update environment variables** in .env
  3. **Restart Gluetun**: `docker restart gluetun`
  4. **Verify connection**: Check logs and IP
  5. **Test downloads**: Verify torrent functionality
 ===== Best Practices =====
 **VPN Selection:**
  * **Reliability**: Choose reputable providers
  * **Speed**: Test connection speeds
  * **Features**: Port forwarding, kill switch
  * **Privacy**: No-logs policy
  * **Cost**: Balance features vs price
 **Security:**
  * **Kill Switch**: Always enabled
  * **Regular Testing**: Monthly leak tests
  * **Updates**: Keep Gluetun updated
  * **Monitoring**: VPN status monitoring
 **Performance:**
  * **WireGuard**: Prefer over OpenVPN
  * **Server Location**: Closest available
  * **Load Balancing**: Distribute across servers
  * **Monitoring**: Track connection quality
 **Maintenance:**
  * **Credential Rotation**: Regular password changes
  * **Log Review**: Monitor connection logs
  * **Update Checks**: Keep VPN client updated
  * **Backup**: Regular configuration backups
 Gluetun provides essential VPN protection for download services, ensuring your torrenting and file sharing activities remain private and secure.
 **Next:** Learn about [[services:core:sablier|Sablier]] or explore [[architecture:security|Security Architecture]].
--- a/config-templates/dokuwiki/data/pages/services/core/sablier.txt
+++ b/config-templates/dokuwiki/data/pages/services/core/sablier.txt
@@ -1,401 +0,0 @@
 ====== Sablier ======
 Sablier is a lazy loading service that starts Docker containers on-demand when accessed, then automatically stops them after a period of inactivity. This saves system resources by keeping unused services stopped until needed.
 ===== Overview =====
 **Purpose:** On-demand container startup
 **Integration:** Traefik middleware
 **Resource Savings:** Significant CPU/memory reduction
 **Deployment:** Core stack (always running)
 **Configuration:** Label-based activation
 ===== Key Features =====
 **Lazy Loading:**
  * **On-Demand Startup**: Containers start when accessed
  * **Automatic Shutdown**: Stop after inactivity timeout
  * **Resource Efficiency**: Save CPU/memory when not used
  * **Transparent**: No user experience changes
 **Integration:**
  * **Traefik Middleware**: HTTP request triggering
  * **Label Configuration**: Simple Docker labels
  * **Group Management**: Related services as groups
  * **Health Checks**: Wait for service readiness
 **Performance:**
  * **Fast Startup**: Quick container initialization
  * **Timeout Control**: Configurable inactivity periods
  * **Queue Management**: Handle multiple concurrent requests
  * **Monitoring**: Startup/shutdown tracking
 ===== Configuration =====
 **Container Configuration:**
 ```yaml
 services:
  sablier:
    image: acouvreur/sablier:latest
    container_name: sablier
    restart: unless-stopped
    environment:
      - SABLIER_STRATEGY=docker-api
      - SABLIER_DOCKER_API_VERSION=1.41
      - SABLIER_DOCKER_NETWORK=traefik-network
      - SABLIER_TIMEOUT=5m
      - SABLIER_SESSION_DURATION=168h
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-network
    deploy:
      resources:
        limits:
          cpus: '0.2'
          memory: 128M
        reservations:
          cpus: '0.05'
          memory: 32M
 ```
 **Service Integration Labels:**
 ```yaml
 # Enable Sablier for a service
 labels:
  - "sablier.enable=true"
  - "sablier.group=my-service-group"
  - "sablier.start-on-demand=true"
  - "sablier.timeout=5m"  # Optional: per-service timeout
 ```
 ===== How Lazy Loading Works =====
 **Request Flow:**
  1. **HTTP Request**: User accesses service URL
  2. **Traefik Routing**: Request hits Traefik with Sablier middleware
  3. **Sablier Check**: Sablier checks if target service is running
  4. **Container Start**: If stopped, Sablier starts the container
  5. **Health Wait**: Waits for service to be ready
  6. **Request Forward**: Forwards request to running service
  7. **Timeout Reset**: Resets inactivity timer
 **Automatic Shutdown:**
  * **Inactivity Detection**: No requests for timeout period
  * **Graceful Shutdown**: Container stopped cleanly
  * **Resource Recovery**: CPU/memory freed up
  * **Restart Ready**: Ready for next access
 ===== Service Configuration =====
 **Basic Setup:**
 ```yaml
 services:
  my-service:
    image: my-service:latest
    labels:
      # Traefik labels (normal)
      - "traefik.enable=true"
      - "traefik.http.routers.my-service.rule=Host(`my-service.${DOMAIN}`)"
      - "traefik.http.routers.my-service.entrypoints=websecure"
      - "traefik.http.routers.my-service.tls.certresolver=letsencrypt"
      - "traefik.http.routers.my-service.middlewares=authelia@docker"
      # Sablier labels (lazy loading)
      - "sablier.enable=true"
      - "sablier.group=my-service"
      - "sablier.start-on-demand=true"
 ```
 **Advanced Configuration:**
 ```yaml
 labels:
  # Custom timeout (overrides global)
  - "sablier.timeout=10m"
  # Custom session duration
  - "sablier.session-duration=24h"
  # Group multiple services
  - "sablier.group=media-stack"
 ```
 ===== Timeout Management =====
 **Global Timeout:**
 ```yaml
 environment:
  - SABLIER_TIMEOUT=5m  # Default 5 minutes
 ```
 **Per-Service Timeout:**
 ```yaml
 labels:
  - "sablier.timeout=15m"  # Override for this service
 ```
 **Session Duration:**
 ```yaml
 environment:
  - SABLIER_SESSION_DURATION=168h  # 7 days default
 ```
 **Timeout Behavior:**
  * **Activity Reset**: Each request resets the timer
  * **Graceful Shutdown**: Clean container stop
  * **Resource Recovery**: Memory/CPU freed
  * **Quick Restart**: Fast startup on next access
 ===== Group Management =====
 **Service Groups:**
 ```yaml
 # Related services in same group
 services:
  sonarr:
    labels:
      - "sablier.group=media-management"
  radarr:
    labels:
      - "sablier.group=media-management"
  prowlarr:
    labels:
      - "sablier.group=media-management"
 ```
 **Group Benefits:**
  * **Coordinated Startup**: Start related services together
  * **Shared Timeout**: Group timeout applies to all
  * **Resource Management**: Better resource planning
  * **Dependency Handling**: Handle service dependencies
 ===== Monitoring & Troubleshooting =====
 **Sablier Logs:**
 ```bash
 # View Sablier logs
 docker logs sablier
 # Follow logs in real-time
 docker logs -f sablier
 ```
 **Startup Monitoring:**
 ```bash
 # Check service startup
 docker logs sablier | grep "Starting container"
 # Monitor shutdowns
 docker logs sablier | grep "Stopping container"
 ```
 **Debug Mode:**
 ```yaml
 environment:
  - SABLIER_LOG_LEVEL=debug
 ```
 **Common Issues:**
 **Service Not Starting:**
 ```bash
 # Check Sablier logs
 docker logs sablier | grep -i "error\|failed"
 # Verify Docker socket access
 docker exec sablier ls -la /var/run/docker.sock
 # Check network connectivity
 docker exec sablier ping -c 2 traefik
 ```
 **Timeout Issues:**
  * **Too Short**: Services stopping too quickly
  * **Too Long**: Resources not freed timely
  * **Per-Service**: Override global timeout
  * **Testing**: Monitor actual usage patterns
 **Middleware Issues:**
  * **Traefik Config**: Verify middleware order
  * **Label Format**: Check label syntax
  * **Network Access**: Ensure Sablier can reach Docker API
 **Troubleshooting Steps:**
  1. **Check logs**: `docker logs sablier`
  2. **Verify labels**: Check service configuration
  3. **Test startup**: Manual container start
  4. **Check network**: Verify Docker API access
  5. **Restart Sablier**: `docker restart sablier`
 ===== Performance Optimization =====
 **Resource Limits:**
 ```yaml
 deploy:
  resources:
    limits:
      cpus: '0.2'    # Low CPU usage
      memory: 128M   # Minimal memory
    reservations:
      cpus: '0.05'
      memory: 32M
 ```
 **Timeout Tuning:**
  * **Frequent Access**: Longer timeouts (15-30m)
  * **Infrequent Access**: Shorter timeouts (2-5m)
  * **Resource Intensive**: Consider manual management
  * **User Patterns**: Monitor and adjust based on usage
 **Startup Optimization:**
  * **Health Checks**: Fast health check endpoints
  * **Dependencies**: Minimize startup dependencies
  * **Caching**: Use persistent volumes for data
  * **Pre-warming**: Keep critical services running
 ===== Security Considerations =====
 **Docker Socket Access:**
  * **Read-Only**: Mount socket as read-only
  * **Limited Access**: Only Sablier container access
  * **Network Isolation**: Separate network for Sablier
  * **Monitoring**: Monitor Docker API usage
 **Service Security:**
  * **No Direct Access**: Services only accessible via Traefik
  * **Authentication**: Authelia protection maintained
  * **SSL**: HTTPS encryption preserved
  * **Timeout Security**: Automatic cleanup prevents exposure
 ===== Advanced Configuration =====
 **Custom Strategies:**
 ```yaml
 environment:
  - SABLIER_STRATEGY=docker-api  # Default
  # Alternative: kubernetes, swarm
 ```
 **Queue Management:**
 ```yaml
 environment:
  - SABLIER_QUEUE_SIZE=10  # Concurrent startups
  - SABLIER_QUEUE_TIMEOUT=30s  # Queue wait timeout
 ```
 **Health Check Configuration:**
 ```yaml
 environment:
  - SABLIER_HEALTH_CHECK=true
  - SABLIER_HEALTH_CHECK_TIMEOUT=30s
  - SABLIER_HEALTH_CHECK_INTERVAL=5s
 ```
 **Dynamic Configuration:**
 ```yaml
 # Via environment variables
 environment:
  - SABLIER_SERVICES=my-service:5m,other-service:10m
 ```
 ===== Integration Examples =====
 **Media Management Stack:**
 ```yaml
 services:
  sonarr:
    labels:
      - "sablier.enable=true"
      - "sablier.group=media-mgmt"
      - "sablier.timeout=15m"
  radarr:
    labels:
      - "sablier.enable=true"
      - "sablier.group=media-mgmt"
      - "sablier.timeout=15m"
  prowlarr:
    labels:
      - "sablier.enable=true"
      - "sablier.group=media-mgmt"
      - "sablier.timeout=10m"
 ```
 **Development Tools:**
 ```yaml
 services:
  code-server:
    labels:
      - "sablier.enable=true"
      - "sablier.group=dev-tools"
      - "sablier.timeout=2h"  # Longer for development
  jupyter:
    labels:
      - "sablier.enable=true"
      - "sablier.group=dev-tools"
      - "sablier.timeout=1h"
 ```
 ===== Best Practices =====
 **Service Selection:**
  * **Infrequently Used**: Perfect for rarely accessed services
  * **Resource Intensive**: Save resources on heavy services
  * **Development Tools**: Good for dev environments
  * **Always-On**: Keep critical services running
 **Timeout Configuration:**
  * **Monitor Usage**: Track actual access patterns
  * **Adjust Gradually**: Start conservative, adjust based on logs
  * **Per-Service**: Different timeouts for different services
  * **User Feedback**: Consider user experience
 **Resource Management:**
  * **Capacity Planning**: Calculate resource savings
  * **Monitoring**: Track startup/shutdown patterns
  * **Optimization**: Tune based on system resources
  * **Backup Plan**: Manual startup if needed
 **Maintenance:**
  * **Log Review**: Regular log analysis
  * **Performance Monitoring**: Track resource usage
  * **Configuration Updates**: Update timeouts as needed
  * **Documentation**: Document lazy-loaded services
 ===== Monitoring & Alerts =====
 **Log Analysis:**
 ```bash
 # Startup events
 docker logs sablier | grep "Starting"
 # Shutdown events
 docker logs sablier | grep "Stopping"
 # Errors
 docker logs sablier | grep -i "error"
 ```
 **Performance Metrics:**
  * **Startup Time**: Time to service readiness
  * **Resource Usage**: CPU/memory before/after
  * **Access Patterns**: Frequency of service access
  * **Timeout Effectiveness**: Actual vs configured timeouts
 **Health Monitoring:**
 ```yaml
 # Add health check
 healthcheck:
  test: ["CMD", "curl", "-f", "http://localhost:10000/health"]
  interval: 30s
  timeout: 10s
  retries: 3
 ```
 Sablier significantly reduces resource usage by keeping unused services stopped until needed, while maintaining a seamless user experience through automatic on-demand startup.
 **Next:** Explore [[architecture:storage|Storage Architecture]] or return to [[services:start|Services Overview]].
--- a/config-templates/dokuwiki/data/pages/services/core/traefik.txt
+++ b/config-templates/dokuwiki/data/pages/services/core/traefik.txt
@@ -1,366 +0,0 @@
 ====== Traefik ======
 Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. In the AI-Homelab, Traefik serves as the main entry point for all services, providing automatic HTTPS, load balancing, and routing.
 ===== Overview =====
 **Purpose:** HTTP reverse proxy and load balancer
 **URL:** `https://traefik.yourdomain.duckdns.org`
 **Authentication:** Authelia SSO
 **Deployment:** Automatic (core stack)
 **Configuration:** File-based (YAML)
 ===== Key Features =====
 **Automatic HTTPS:**
  * Let's Encrypt integration
  * Wildcard SSL certificates
  * Automatic renewal (90 days)
  * A+ SSL rating
 **Service Discovery:**
  * Docker label-based routing
  * Dynamic configuration reloading
  * Zero-downtime deployments
  * Health check integration
 **Load Balancing:**
  * Round-robin distribution
  * Weighted load balancing
  * Session stickiness
  * Circuit breaker protection
 **Security:**
  * HTTP security headers
  * Rate limiting
  * IP whitelisting
  * CORS protection
 ===== Configuration =====
 **Static Configuration (traefik.yml):**
 ```yaml
 global:
  checkNewVersion: false
  sendAnonymousUsage: false
 api:
  dashboard: true
  insecure: false
 entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
 providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: traefik-network
  file:
    directory: /dynamic
    watch: true
 certificatesResolvers:
  letsencrypt:
    acme:
      email: your-email@example.com
      storage: /acme.json
      dnsChallenge:
        provider: duckdns
        delayBeforeCheck: 30
 ```
 **Dynamic Configuration (external.yml):**
 ```yaml
 http:
  middlewares:
    authelia:
      forwardAuth:
        address: "http://authelia:9091/api/verify?rd=https://auth.yourdomain.duckdns.org/"
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Name"
          - "Remote-Email"
    security-headers:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        customResponseHeaders:
          X-Frame-Options: "SAMEORIGIN"
          X-Content-Type-Options: "nosniff"
          Referrer-Policy: "strict-origin-when-cross-origin"
          Permissions-Policy: "geolocation=(), microphone=(), camera=()"
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
 ```
 ===== Docker Compose =====
 ```yaml
 services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    networks:
      - traefik-network
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./dynamic:/dynamic:ro
      - ./acme.json:/acme.json
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.middlewares=authelia@docker"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 256M
        reservations:
          cpus: '0.1'
          memory: 64M
 ```
 ===== Service Routing =====
 **Standard Service Labels:**
 ```yaml
 labels:
  - "traefik.enable=true"
  - "traefik.http.routers.service.rule=Host(`service.${DOMAIN}`)"
  - "traefik.http.routers.service.entrypoints=websecure"
  - "traefik.http.routers.service.tls.certresolver=letsencrypt"
  - "traefik.http.routers.service.middlewares=authelia@docker"
  - "traefik.http.services.service.loadbalancer.server.port=8080"
 ```
 **Router Components:**
  * **Rule**: Host matching (e.g., `Host(`service.domain.org`)`)
  * **EntryPoint**: HTTP/HTTPS endpoint
  * **TLS**: Certificate resolver
  * **Middlewares**: Authentication, security headers
  * **Service**: Backend service definition
 **Advanced Routing:**
 ```yaml
 # Path-based routing
 - "traefik.http.routers.api.rule=Host(`api.${DOMAIN}`) && PathPrefix(`/v1`)"
 - "traefik.http.routers.web.rule=Host(`app.${DOMAIN}`)"
 # Header-based routing
 - "traefik.http.routers.mobile.rule=Host(`app.${DOMAIN}`) && Headers(`User-Agent`, `*Mobile*`)"
 # Priority routing
 - "traefik.http.routers.specific.rule=Host(`service.${DOMAIN}`) && Path(`/api`)"
 - "traefik.http.routers.specific.priority=100"
 ```
 ===== SSL Certificate Management =====
 **Certificate Generation:**
  * **Challenge**: DNS-01 (DuckDNS)
  * **Provider**: Let's Encrypt
  * **Type**: ECDSA P-256
  * **Validity**: 90 days
  * **Renewal**: Automatic (30 days before expiry)
 **Certificate Storage:**
  * **File**: `/opt/stacks/core/traefik/acme.json`
  * **Permissions**: 600 (owner read/write only)
  * **Backup**: Include in backup strategy
  * **Format**: JSON with encrypted private keys
 **Troubleshooting SSL:**
 ```bash
 # Check certificate status
 echo | openssl s_client -connect yourdomain.duckdns.org:443 -servername service.yourdomain.duckdns.org 2>/dev/null | openssl x509 -noout -subject -dates
 # View Traefik logs
 docker logs traefik | grep certificate
 # Check DNS TXT record
 dig TXT _acme-challenge.yourdomain.duckdns.org
 ```
 ===== Monitoring & Logging =====
 **Dashboard Access:**
  * URL: `https://traefik.yourdomain.duckdns.org`
  * Features: Real-time routing, health status, metrics
  * Authentication: Authelia SSO required
 **Log Configuration:**
 ```yaml
 log:
  level: INFO
  format: json
 accessLog:
  filePath: /var/log/traefik/access.log
  format: json
  filters:
    statusCodes: ["200-299", "400-499", "500-599"]
 ```
 **Metrics Integration:**
  * **Prometheus**: `/metrics` endpoint
  * **Health Checks**: Service health monitoring
  * **Performance**: Response time tracking
 ===== Security Features =====
 **Authentication Middleware:**
  * **Authelia Integration**: SSO for protected services
  * **Bypass Rules**: Direct access for media services
  * **Session Management**: Secure cookie handling
 **Rate Limiting:**
 ```yaml
 middlewares:
  rate-limit:
    rateLimit:
      burst: 100
      average: 50
 ```
 **IP Whitelisting:**
 ```yaml
 middlewares:
  ip-whitelist:
    ipWhiteList:
      sourceRange:
        - "192.168.1.0/24"
        - "10.0.0.0/8"
 ```
 ===== Performance Optimization =====
 **Caching:**
 ```yaml
 middlewares:
  cache:
    inFlightReq:
      amount: 64
 ```
 **Compression:**
  * **Gzip**: Automatic text compression
  * **Brotli**: Advanced compression (if supported)
 **Connection Pooling:**
  * **Keep-Alive**: Persistent connections
  * **Connection Reuse**: Reduced latency
  * **Timeout Management**: Connection limits
 ===== Troubleshooting =====
 **Service Not Accessible:**
 ```bash
 # Check if service is running
 docker ps | grep service-name
 # Verify Traefik labels
 docker inspect service-name | grep traefik
 # Check Traefik logs
 docker logs traefik | grep service-name
 ```
 **SSL Issues:**
  * Verify DuckDNS token
  * Check DNS propagation
  * Confirm port forwarding
  * Review certificate logs
 **Routing Problems:**
  * Validate router rules
  * Check middleware configuration
  * Test service connectivity
  * Review access logs
 **Performance Issues:**
  * Monitor resource usage
  * Check connection limits
  * Review middleware stack
  * Analyze access patterns
 ===== External Service Proxying =====
 **Proxying Non-Docker Services:**
 ```yaml
 # In dynamic/external.yml
 http:
  routers:
    external-service:
      rule: "Host(`external.yourdomain.duckdns.org`)"
      service: external-service
      middlewares:
        - authelia@docker
  services:
    external-service:
      loadBalancer:
        servers:
          - url: "http://192.168.1.100:8123"
 ```
 **Use Cases:**
  * Raspberry Pi Home Assistant
  * NAS devices
  * Legacy applications
  * Network printers
 ===== Best Practices =====
 **Configuration Management:**
  * Use version control for config files
  * Test changes in staging
  * Document custom routing rules
  * Regular backup of acme.json
 **Security:**
  * Keep Traefik updated
  * Monitor access logs
  * Use strong authentication
  * Regular security audits
 **Performance:**
  * Implement appropriate caching
  * Use connection pooling
  * Monitor resource usage
  * Optimize middleware stack
 **Monitoring:**
  * Set up alerts for failures
  * Monitor certificate expiry
  * Track performance metrics
  * Regular log analysis
 Traefik is the backbone of your homelab's networking infrastructure, providing secure, efficient, and reliable service routing.
 **Next:** Learn about [[services:core:authelia|Authelia]] or [[services:core:duckdns|DuckDNS]].
--- a/config-templates/dokuwiki/data/pages/services/infrastructure/code-server.txt
+++ b/config-templates/dokuwiki/data/pages/services/infrastructure/code-server.txt
@@ -1,428 +0,0 @@
 ====== Code Server ======
 Code Server is a web-based version of Visual Studio Code that runs in your browser, providing a full development environment accessible from anywhere. It includes all VS Code features, extensions, and integrates with your homelab development workflow.
 ===== Overview =====
 **Purpose:** Browser-based code editor
 **URL:** https://code.yourdomain.duckdns.org
 **Authentication:** Authelia SSO protected
 **Deployment:** Infrastructure stack
 **Interface:** Full VS Code web interface
 ===== Key Features =====
 **VS Code Features:**
  * **Full IDE**: Complete Visual Studio Code experience
  * **Extensions**: Access to VS Code marketplace
  * **Themes**: All VS Code themes and customization
  * **Git Integration**: Built-in Git version control
 **Web Access:**
  * **Browser-based**: Access from any device
  * **Responsive Design**: Works on desktop and mobile
  * **Persistent Sessions**: Maintain work sessions
  * **File Synchronization**: Sync across devices
 **Development Tools:**
  * **Terminal Integration**: Built-in terminal access
  * **Debugging**: Full debugging capabilities
  * **Extensions**: Python, Docker, GitHub Copilot
  * **Language Support**: 50+ programming languages
 ===== Configuration =====
 **Container Configuration:**
 ```yaml
 services:
  code-server:
    image: lscr.io/linuxserver/code-server:latest
    container_name: code-server
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=${TZ}
      - PASSWORD=${CODE_SERVER_PASSWORD}
      - SUDO_PASSWORD=${CODE_SERVER_PASSWORD}
      - PROXY_DOMAIN=${DOMAIN}
      - DEFAULT_WORKSPACE=/config/workspace
    volumes:
      - ./code-server/config:/config
      - /opt/stacks:/opt/stacks:ro
      - /home/kelin/AI-Homelab:/workspace
    networks:
      - traefik-network
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 1G
        reservations:
          cpus: '0.2'
          memory: 256M
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.code-server.rule=Host(`code.${DOMAIN}`)"
      - "traefik.http.routers.code-server.entrypoints=websecure"
      - "traefik.http.routers.code-server.tls.certresolver=letsencrypt"
      - "traefik.http.routers.code-server.middlewares=authelia@docker"
      - "traefik.http.services.code-server.loadbalancer.server.port=8443"
      - "x-dockge.url=https://code.${DOMAIN}"
 ```
 **Environment Variables:**
 ```bash
 # User permissions
 PUID=1000
 PGID=1000
 # Authentication
 PASSWORD=your-secure-password
 SUDO_PASSWORD=your-secure-password
 # Domain configuration
 PROXY_DOMAIN=yourdomain.duckdns.org
 # Default workspace
 DEFAULT_WORKSPACE=/config/workspace
 ```
 ===== Getting Started =====
 **Initial Access:**
  1. **Access URL**: Visit https://code.yourdomain.duckdns.org
  2. **Authelia Login**: Authenticate with SSO
  3. **Password Setup**: Enter container password
  4. **Workspace Setup**: Configure your workspace
 **Interface Overview:**
  * **Explorer**: File and folder navigation
  * **Editor**: Code editing with syntax highlighting
  * **Terminal**: Integrated command line access
  * **Extensions**: VS Code extension marketplace
  * **Settings**: Full VS Code configuration
 ===== Workspace Configuration =====
 **Directory Mounting:**
 ```yaml
 volumes:
  # AI-Homelab repository
  - /home/kelin/AI-Homelab:/workspace
  # Stack configurations
  - /opt/stacks:/opt/stacks:ro
  # User configuration
  - ./code-server/config:/config
 ```
 **Workspace Settings:**
 ```json
 // .vscode/settings.json in workspace
 {
  "python.defaultInterpreterPath": "/usr/bin/python3",
  "git.enableSmartCommit": true,
  "editor.formatOnSave": true,
  "terminal.integrated.shell.linux": "/bin/bash"
 }
 ```
 **Recommended Extensions:**
  * **GitHub Copilot**: AI-powered code completion
  * **Python**: Python language support
  * **Docker**: Container management
  * **GitLens**: Enhanced Git capabilities
  * **Remote SSH**: Remote development
 ===== Development Workflow =====
 **Homelab Development:**
  * **Stack Editing**: Edit docker-compose.yml files
  * **Configuration Management**: Modify service configurations
  * **Script Development**: Create automation scripts
  * **Documentation**: Edit wiki and documentation
 **AI Integration:**
  * **GitHub Copilot**: AI-powered code suggestions
  * **AI Toolkit**: Access to AI development tools
  * **Model Testing**: Test AI models and integrations
  * **Workflow Development**: Create AI agent workflows
 **Version Control:**
  * **Git Integration**: Full Git repository management
  * **Branch Management**: Create and manage branches
  * **Commit Management**: Stage, commit, and push changes
  * **Conflict Resolution**: Handle merge conflicts
 ===== Extensions & Customization =====
 **Essential Extensions:**
 ```json
 {
  "recommendations": [
    "ms-python.python",
    "ms-vscode.vscode-json",
    "ms-vscode-remote.remote-ssh",
    "GitHub.copilot",
    "ms-vscode.vscode-docker",
    "eamodio.gitlens",
    "ms-vscode.vscode-yaml",
    "redhat.vscode-yaml"
  ]
 }
 ```
 **Theme Configuration:**
 ```json
 // Dark theme with high contrast
 {
  "workbench.colorTheme": "Default Dark Modern",
  "editor.fontSize": 14,
  "editor.lineHeight": 1.6,
  "terminal.integrated.fontSize": 13
 }
 ```
 **Keybindings:**
 ```json
 // Custom keybindings
 [
  {
    "key": "ctrl+shift+t",
    "command": "workbench.action.terminal.new"
  },
  {
    "key": "ctrl+shift+g",
    "command": "gitlens.showCommitSearch"
  }
 ]
 ```
 ===== Terminal Integration =====
 **Terminal Configuration:**
 ```json
 {
  "terminal.integrated.shell.linux": "/bin/bash",
  "terminal.integrated.cwd": "/workspace",
  "terminal.integrated.env.linux": {
    "PATH": "/usr/local/bin:/usr/bin:/bin"
  }
 }
 ```
 **Docker Commands:**
 ```bash
 # Access from terminal
 docker ps
 docker logs container-name
 docker exec -it container-name /bin/bash
 ```
 **Development Commands:**
 ```bash
 # Python development
 python3 -m venv venv
 source venv/bin/activate
 pip install -r requirements.txt
 # Git operations
 git status
 git add .
 git commit -m "Update"
 git push origin main
 ```
 ===== Security Considerations =====
 **Access Control:**
  * **Authelia Protection**: SSO authentication required
  * **Password Protection**: Additional container password
  * **Network Isolation**: Container network restrictions
  * **File Permissions**: Proper user permission mapping
 **Data Protection:**
  * **Workspace Security**: Secure workspace access
  * **Git Credentials**: Secure Git authentication
  * **Extension Security**: Verify extension sources
  * **Session Security**: Secure web sessions
 ===== Performance Optimization =====
 **Resource Management:**
 ```yaml
 deploy:
  resources:
    limits:
      cpus: '1.0'
      memory: 1G
    reservations:
      cpus: '0.2'
      memory: 256M
 ```
 **Performance Tuning:**
  * **Extension Management**: Limit active extensions
  * **File Watching**: Configure file watcher limits
  * **Memory Usage**: Monitor memory consumption
  * **Caching**: Enable appropriate caching
 ===== Troubleshooting =====
 **Connection Issues:**
 ```bash
 # Check service status
 docker ps | grep code-server
 # View logs
 docker logs code-server
 # Test web access
 curl -k https://code.yourdomain.duckdns.org
 ```
 **Extension Problems:**
  * **Installation Failures**: Check network connectivity
  * **Compatibility Issues**: Verify VS Code version compatibility
  * **Permission Errors**: Check file permissions
  * **Cache Issues**: Clear extension cache
 **Workspace Issues:**
  * **File Access**: Verify volume mount permissions
  * **Git Problems**: Check Git configuration
  * **Python Issues**: Verify Python interpreter path
  * **Extension Sync**: Check settings synchronization
 **Performance Issues:**
  * **High CPU Usage**: Reduce active extensions
  * **Memory Problems**: Increase memory limits
  * **Slow Loading**: Clear browser cache
  * **Network Latency**: Check network performance
 **Troubleshooting Steps:**
  1. **Check logs**: `docker logs code-server`
  2. **Verify configuration**: Check environment variables
  3. **Test connectivity**: Access web interface
  4. **Clear cache**: Clear browser and extension cache
  5. **Restart service**: `docker restart code-server`
 ===== Integration with Homelab =====
 **Stack Management:**
  * **Compose Editing**: Edit docker-compose.yml files
  * **Configuration Management**: Modify service settings
  * **Script Development**: Create deployment scripts
  * **Documentation**: Update wiki and docs
 **AI Development:**
  * **Model Testing**: Test AI models in isolated environment
  * **Workflow Development**: Create AI agent workflows
  * **API Integration**: Develop API integrations
  * **Tool Development**: Build custom tools and extensions
 **Monitoring & Debugging:**
  * **Log Analysis**: Analyze service logs
  * **Performance Monitoring**: Monitor system performance
  * **Network Debugging**: Debug network connectivity
  * **Container Debugging**: Debug containerized applications
 ===== Best Practices =====
 **Workspace Organization:**
  * **Project Structure**: Maintain clean project structure
  * **Version Control**: Use Git for all projects
  * **Documentation**: Document code and configurations
  * **Backup**: Regular workspace backups
 **Development Workflow:**
  * **Branch Strategy**: Use feature branches
  * **Code Reviews**: Review code changes
  * **Testing**: Test changes before deployment
  * **Documentation**: Update documentation
 **Security:**
  * **Access Control**: Limit workspace access
  * **Credential Management**: Secure sensitive credentials
  * **Extension Verification**: Only trusted extensions
  * **Session Management**: Proper session handling
 **Performance:**
  * **Resource Limits**: Appropriate resource allocation
  * **Extension Management**: Keep extensions updated
  * **Cache Management**: Regular cache cleanup
  * **Optimization**: Optimize for your use case
 ===== Use Cases =====
 **Homelab Management:**
  * **Service Configuration**: Edit service configurations
  * **Script Development**: Create automation scripts
  * **Documentation**: Maintain project documentation
  * **Troubleshooting**: Debug homelab issues
 **Development Work:**
  * **Code Development**: Full-stack development
  * **API Development**: Build and test APIs
  * **Testing**: Unit and integration testing
  * **Debugging**: Application debugging
 **Remote Development:**
  * **Mobile Development**: Code on mobile devices
  * **Travel Access**: Access code while traveling
  * **Collaborative Work**: Share development environment
  * **Backup Access**: Access code from any location
 **Education & Learning:**
  * **Tutorial Following**: Follow coding tutorials
  * **Experimentation**: Test new technologies
  * **Documentation**: Create learning materials
  * **Project Development**: Build personal projects
 ===== Advanced Configuration =====
 **Custom Extensions:**
 ```json
 // Install custom extensions
 {
  "extensions": {
    "recommendations": [
      "ms-python.python",
      "GitHub.copilot"
    ]
  }
 }
 ```
 **Remote Development:**
 ```json
 // SSH configuration for remote development
 {
  "remote.SSH.configFile": "~/.ssh/config",
  "remote.SSH.remotePlatform": {
    "homelab-server": "linux"
  }
 }
 ```
 **Task Automation:**
 ```json
 // tasks.json for automation
 {
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Deploy Stack",
      "type": "shell",
      "command": "docker-compose",
      "args": ["up", "-d"],
      "group": "build"
    }
  ]
 }
 ```
 Code Server provides a full-featured development environment in your browser, perfectly integrated with your homelab workflow and AI development tools.
 **Next:** Learn about [[services:infrastructure:docker-proxy|Docker Proxy]] or explore [[getting_started:access|Access Guide]].
--- a/config-templates/dokuwiki/data/pages/services/infrastructure/docker-proxy.txt
+++ b/config-templates/dokuwiki/data/pages/services/infrastructure/docker-proxy.txt
@@ -1,384 +0,0 @@
 ====== Docker Proxy ======
 Docker Proxy provides secure remote access to the Docker daemon socket, enabling safe Docker API access from external tools and services. It acts as a secure proxy between Docker clients and the Docker daemon.
 ===== Overview =====
 **Purpose:** Secure Docker socket proxy
 **Deployment:** Infrastructure stack
 **Access Method:** TCP socket (no web UI)
 **Security:** TLS encryption and authentication
 **Integration:** External Docker tool access
 ===== Key Features =====
 **Secure Access:**
  * **TLS Encryption**: Encrypted Docker API communication
  * **Authentication**: Client certificate authentication
  * **Access Control**: Granular permission control
  * **Audit Logging**: Comprehensive access logging
 **Proxy Features:**
  * **Socket Proxy**: TCP proxy for Docker socket
  * **API Compatibility**: Full Docker API support
  * **Connection Pooling**: Efficient connection management
  * **Load Balancing**: Distribute requests across instances
 **Monitoring:**
  * **Request Logging**: Log all Docker API requests
  * **Performance Metrics**: Monitor proxy performance
  * **Health Checks**: Proxy health monitoring
  * **Error Tracking**: Track and report errors
 ===== Configuration =====
 **Container Configuration:**
 ```yaml
 services:
  docker-proxy:
    image: tecnativa/docker-socket-proxy:latest
    container_name: docker-proxy
    restart: unless-stopped
    environment:
      - CONTAINERS=1
      - SERVICES=1
      - TASKS=1
      - NODES=0
      - SWARM=0
      - NETWORKS=0
      - VOLUMES=0
      - IMAGES=0
      - EXEC=0
      - INFO=1
      - VERSION=1
      - PING=1
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - DISTRIBUTION=0
      - EVENTS=1
      - GRPC=0
      - LOGS=1
      - PLUGINS=0
      - POST=0
      - SECRETS=0
      - SESSION=0
      - SYSTEM=0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 2376:2376
    networks:
      - traefik-network
    deploy:
      resources:
        limits:
          cpus: '0.2'
          memory: 64M
        reservations:
          cpus: '0.01'
          memory: 16M
 ```
 **Permission Levels:**
 ```bash
 # Read-only access (recommended)
 CONTAINERS=1    # List containers
 SERVICES=1      # List services
 TASKS=1         # List tasks
 INFO=1          # System info
 VERSION=1       # Version info
 PING=1          # Health checks
 EVENTS=1        # Docker events
 LOGS=1          # Container logs
 # Write access (use carefully)
 IMAGES=1        # Pull/push images
 NETWORKS=1      # Network management
 VOLUMES=1       # Volume management
 EXEC=1          # Execute commands
 BUILD=1         # Build images
 POST=1          # Create resources
 ```
 ===== Security Configuration =====
 **TLS Setup:**
 ```yaml
 # Generate certificates
 openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=docker-proxy" \
  -keyout docker-proxy.key -out docker-proxy.crt
 # Mount certificates
 volumes:
  - ./certs/docker-proxy.crt:/certs/server.crt:ro
  - ./certs/docker-proxy.key:/certs/server.key:ro
 ```
 **Client Authentication:**
 ```bash
 # Client certificate authentication
 environment:
  - AUTH=1
  - CERTS_PATH=/certs
 volumes:
  - ./certs:/certs:ro
 ```
 **Access Control:**
  * **IP Whitelisting**: Restrict access by IP address
  * **Certificate Validation**: Require valid client certificates
  * **Permission Levels**: Granular API permission control
  * **Rate Limiting**: Prevent abuse and DoS attacks
 ===== Usage Examples =====
 **Docker Client Connection:**
 ```bash
 # Connect using TCP
 export DOCKER_HOST=tcp://localhost:2376
 docker ps
 # With TLS
 export DOCKER_HOST=tcp://localhost:2376
 export DOCKER_TLS_VERIFY=1
 export DOCKER_CERT_PATH=/path/to/certs
 docker ps
 ```
 **External Tool Integration:**
 ```python
 # Python Docker client
 import docker
 client = docker.DockerClient(base_url='tcp://localhost:2376')
 containers = client.containers.list()
 ```
 **CI/CD Integration:**
 ```yaml
 # GitHub Actions example
 - name: Connect to Docker
  run: |
    echo "DOCKER_HOST=tcp://docker-proxy:2376" >> $GITHUB_ENV
    docker ps
 ```
 **Monitoring Integration:**
 ```bash
 # Prometheus metrics
 curl http://localhost:2376/metrics
 # Health check
 curl http://localhost:2376/_ping
 ```
 ===== Monitoring & Troubleshooting =====
 **Proxy Logs:**
 ```bash
 # View proxy logs
 docker logs docker-proxy
 # Follow logs in real-time
 docker logs -f docker-proxy
 ```
 **Connection Testing:**
 ```bash
 # Test basic connectivity
 telnet localhost 2376
 # Test Docker API
 curl http://localhost:2376/_ping
 # Test with Docker client
 DOCKER_HOST=tcp://localhost:2376 docker version
 ```
 **Permission Issues:**
  * **Access Denied**: Check permission environment variables
  * **Certificate Errors**: Verify TLS certificate configuration
  * **Network Issues**: Check firewall and network connectivity
  * **Socket Access**: Verify Docker socket permissions
 **Performance Issues:**
  * **High Latency**: Check network configuration
  * **Connection Limits**: Monitor concurrent connections
  * **Resource Usage**: Check CPU/memory usage
  * **Rate Limiting**: Adjust rate limiting settings
 **Troubleshooting Steps:**
  1. **Check logs**: `docker logs docker-proxy`
  2. **Test connectivity**: Verify TCP connection
  3. **Validate permissions**: Check environment variables
  4. **Test Docker client**: Verify Docker API access
  5. **Restart service**: `docker restart docker-proxy`
 ===== Advanced Configuration =====
 **High Availability:**
 ```yaml
 # Multiple proxy instances
 services:
  docker-proxy-1:
    # Configuration for instance 1
  docker-proxy-2:
    # Configuration for instance 2
  load-balancer:
    # Load balancer configuration
 ```
 **Custom TLS Configuration:**
 ```yaml
 environment:
  - TLS_CERT=/certs/custom.crt
  - TLS_KEY=/certs/custom.key
  - TLS_CA=/certs/ca.crt
 ```
 **Rate Limiting:**
 ```yaml
 environment:
  - RATE_LIMIT=100  # Requests per minute
  - BURST_LIMIT=20  # Burst allowance
 ```
 **Audit Logging:**
 ```yaml
 environment:
  - LOG_LEVEL=debug
  - AUDIT_LOG=/logs/audit.log
 volumes:
  - ./logs:/logs
 ```
 ===== Security Best Practices =====
 **Access Control:**
  * **Principle of Least Privilege**: Grant minimal required permissions
  * **Network Segmentation**: Isolate proxy network access
  * **Certificate Management**: Regular certificate rotation
  * **Monitoring**: Continuous access monitoring
 **TLS Security:**
  * **Strong Ciphers**: Use modern TLS cipher suites
  * **Certificate Validation**: Enable client certificate validation
  * **Perfect Forward Secrecy**: Enable PFS cipher suites
  * **Regular Updates**: Keep TLS libraries updated
 **Operational Security:**
  * **Log Analysis**: Regular security log review
  * **Intrusion Detection**: Monitor for suspicious activity
  * **Backup Security**: Secure configuration backups
  * **Incident Response**: Have security incident procedures
 ===== Integration Patterns =====
 **CI/CD Pipelines:**
 ```yaml
 # Jenkins pipeline
 pipeline {
  agent any
  stages {
    stage('Build') {
      steps {
        script {
          docker.withServer('tcp://docker-proxy:2376') {
            docker.build('my-app')
          }
        }
      }
    }
  }
 }
 ```
 **Monitoring Integration:**
 ```yaml
 # Prometheus configuration
 scrape_configs:
  - job_name: 'docker-proxy'
    static_configs:
      - targets: ['docker-proxy:2376']
    metrics_path: '/metrics'
 ```
 **Backup Integration:**
 ```bash
 # Backup Docker configurations
 DOCKER_HOST=tcp://localhost:2376 docker system info > system-info.json
 DOCKER_HOST=tcp://localhost:2376 docker config ls > configs.json
 ```
 ===== Performance Optimization =====
 **Resource Management:**
 ```yaml
 deploy:
  resources:
    limits:
      cpus: '0.2'
      memory: 64M
    reservations:
      cpus: '0.01'
      memory: 16M
 ```
 **Connection Optimization:**
  * **Connection Pooling**: Reuse connections efficiently
  * **Timeout Configuration**: Appropriate request timeouts
  * **Concurrent Limits**: Control simultaneous connections
  * **Caching**: Cache frequently accessed data
 ===== Use Cases =====
 **Development Environments:**
  * **Remote Docker Access**: Access Docker from development machines
  * **CI/CD Integration**: Integrate with build pipelines
  * **Testing Environments**: Isolated testing environments
  * **Container Management**: Manage containers from external tools
 **Production Management:**
  * **Monitoring Tools**: Connect monitoring tools to Docker API
  * **Management Platforms**: Integrate with Docker management platforms
  * **Backup Solutions**: Connect backup tools to Docker
  * **Security Scanning**: Integrate security scanning tools
 **Homelab Management:**
  * **Portainer Integration**: Connect Portainer to Docker API
  * **External Tools**: Use Docker CLI from external machines
  * **Automation Scripts**: Run Docker automation scripts
  * **Monitoring Integration**: Connect monitoring stacks
 **Enterprise Integration:**
  * **Centralized Management**: Connect to enterprise Docker platforms
  * **Compliance Monitoring**: Meet compliance requirements
  * **Audit Trails**: Maintain Docker operation audit logs
  * **Security Integration**: Integrate with security platforms
 ===== Backup & Recovery =====
 **Configuration Backup:**
 ```bash
 # Backup proxy configuration
 docker run --rm \
  -v docker-proxy-config:/config \
  -v $(pwd)/backup:/backup \
  busybox tar czf /backup/docker-proxy-config.tar.gz /config
 ```
 **Certificate Management:**
  * **Certificate Backup**: Regular certificate backups
  * **Key Rotation**: Periodic key rotation procedures
  * **Certificate Monitoring**: Monitor certificate expiration
  * **Renewal Process**: Automated certificate renewal
 Docker Proxy provides secure, controlled access to the Docker daemon, enabling safe integration with external tools and services while maintaining security and audit capabilities.
 **Next:** Explore [[services:media:start|Media Services]] or return to [[services:start|Services Overview]].
--- a/config-templates/dokuwiki/data/pages/services/infrastructure/dockge.txt
+++ b/config-templates/dokuwiki/data/pages/services/infrastructure/dockge.txt
@@ -1,313 +0,0 @@
 ====== Dockge ======
 Dockge is the primary web-based interface for managing Docker stacks in your homelab. It provides a clean, intuitive way to deploy, monitor, and manage all your services through a web UI, making it the central hub for homelab management.
 ===== Overview =====
 **Purpose:** Docker stack management interface
 **URL:** https://dockge.yourdomain.duckdns.org
 **Authentication:** Authelia SSO protected
 **Deployment:** Infrastructure stack
 **Interface:** Modern web UI with drag-and-drop
 ===== Key Features =====
 **Stack Management:**
  * **Visual Interface**: Web-based stack management
  * **Compose File Editing**: Direct YAML editing
  * **One-Click Deploy**: Deploy stacks with single click
  * **Real-time Monitoring**: Live container status
 **Container Operations:**
  * **Start/Stop/Restart**: Individual container control
  * **Log Viewing**: Integrated log viewer
  * **Resource Monitoring**: CPU/memory usage
  * **Network Inspection**: Container networking info
 **File Management:**
  * **Directory Browser**: Navigate stack directories
  * **File Editor**: Edit configuration files
  * **Upload/Download**: File transfer capabilities
  * **Backup Integration**: Stack backup/restore
 ===== Configuration =====
 **Container Configuration:**
 ```yaml
 services:
  dockge:
    image: louislam/dockge:1
    container_name: dockge
    restart: unless-stopped
    environment:
      - DOCKGE_STACKS_DIR=/opt/stacks
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/stacks:/opt/stacks
      - ./dockge/data:/app/data
    ports:
      - 5001:5001
    networks:
      - traefik-network
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 256M
        reservations:
          cpus: '0.1'
          memory: 64M
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dockge.rule=Host(`dockge.${DOMAIN}`)"
      - "traefik.http.routers.dockge.entrypoints=websecure"
      - "traefik.http.routers.dockge.tls.certresolver=letsencrypt"
      - "traefik.http.routers.dockge.middlewares=authelia@docker"
      - "traefik.http.services.dockge.loadbalancer.server.port=5001"
      - "x-dockge.url=https://dockge.${DOMAIN}"
 ```
 **Directory Structure:**
 ```
 /opt/stacks/
 ├── core/                    # Core infrastructure
 ├── infrastructure/          # Management tools
 ├── media/                   # Media services
 ├── media-management/        # Download automation
 ├── dashboards/              # Dashboard services
 ├── homeassistant/           # Home automation
 ├── productivity/            # Office tools
 ├── monitoring/              # Observability
 ├── utilities/               # Backup/utilities
 └── development/             # Dev tools
 ```
 ===== Getting Started =====
 **Initial Access:**
  1. **Deploy Infrastructure Stack**: Run deploy script or manual deployment
  2. **Access URL**: Visit https://dockge.yourdomain.duckdns.org
  3. **Authelia Login**: Authenticate with your credentials
  4. **First Stack**: Create your first stack
 **Interface Overview:**
  * **Left Sidebar**: Stack categories and navigation
  * **Main Panel**: Stack list with status indicators
  * **Top Bar**: Search, settings, and actions
  * **Stack Cards**: Individual stack management
 ===== Stack Operations =====
 **Creating a New Stack:**
  1. **Click "Compose"**: Open compose file editor
  2. **Enter Stack Name**: Choose directory name
  3. **Paste YAML**: Copy docker-compose.yml content
  4. **Deploy**: Click deploy button
  5. **Monitor**: Watch deployment progress
 **Managing Existing Stacks:**
  * **Start/Stop**: Control stack lifecycle
  * **Update**: Pull new images and restart
  * **Edit**: Modify compose files
  * **Logs**: View container logs
  * **Terminal**: Access container shells
 **Stack Status Indicators:**
  * **🟢 Running**: All containers healthy
  * **🟡 Partial**: Some containers issues
  * **🔴 Stopped**: Stack not running
  * **🔵 Updating**: Stack being updated
 ===== File Management =====
 **Directory Navigation:**
  * **Browse Stacks**: Navigate /opt/stacks directory
  * **File Editor**: Edit YAML, config files
  * **Upload Files**: Drag-and-drop file uploads
  * **Download**: Download files from containers
 **Configuration Editing:**
  * **Syntax Highlighting**: YAML, JSON, text files
  * **Save Changes**: Auto-save or manual save
  * **Version Control**: Track file changes
  * **Backup**: Automatic file backups
 ===== Container Management =====
 **Individual Container Control:**
  * **Start/Stop/Restart**: Container lifecycle
  * **Logs**: Real-time log streaming
  * **Exec**: Run commands in containers
  * **Inspect**: View container details
 **Resource Monitoring:**
  * **CPU Usage**: Real-time CPU monitoring
  * **Memory Usage**: RAM consumption tracking
  * **Network I/O**: Traffic monitoring
  * **Disk Usage**: Storage utilization
 ===== Advanced Features =====
 **Environment Variables:**
 ```yaml
 # Global environment file
 # /opt/stacks/.env
 DOMAIN=yourdomain.duckdns.org
 PUID=1000
 PGID=1000
 TZ=America/New_York
 ```
 **Stack Dependencies:**
  * **Service Dependencies**: depends_on configuration
  * **Network Dependencies**: Shared networks
  * **Volume Dependencies**: Shared storage
  * **Health Checks**: Service readiness
 **Backup & Restore:**
  * **Stack Export**: Download compose files
  * **Configuration Backup**: Environment files
  * **Volume Backup**: Data persistence
  * **Full Restore**: Complete stack recovery
 ===== Integration with AI Assistant =====
 **AI-Powered Management:**
  * **Service Creation**: AI generates compose files
  * **Configuration Help**: AI assists with setup
  * **Troubleshooting**: AI analyzes logs and issues
  * **Documentation**: AI maintains service docs
 **Workflow Integration:**
  * **VS Code**: Direct file editing
  * **GitHub Copilot**: AI assistance for configurations
  * **Automated Deployments**: Script-based stack management
  * **Monitoring Integration**: Health check automation
 ===== Security Considerations =====
 **Access Control:**
  * **Authelia Protection**: SSO authentication required
  * **User Permissions**: Container user mapping (PUID/PGID)
  * **Docker Socket**: Read-only access to Docker API
  * **Network Isolation**: Container network segmentation
 **Data Protection:**
  * **Encrypted Connections**: HTTPS via Traefik
  * **Secure Storage**: Sensitive data in environment files
  * **Backup Security**: Encrypted backup storage
  * **Access Logging**: User action auditing
 ===== Performance Optimization =====
 **Resource Management:**
 ```yaml
 deploy:
  resources:
    limits:
      cpus: '0.5'
      memory: 256M
    reservations:
      cpus: '0.1'
      memory: 64M
 ```
 **Container Optimization:**
  * **Image Updates**: Regular security updates
  * **Log Rotation**: Prevent disk space issues
  * **Cache Management**: Docker layer caching
  * **Network Efficiency**: Optimized container networking
 ===== Troubleshooting =====
 **Common Issues:**
 **Cannot Connect to Docker:**
 ```bash
 # Check Docker socket permissions
 ls -la /var/run/docker.sock
 # Verify Docker is running
 docker ps
 # Check container logs
 docker logs dockge
 ```
 **Stack Deployment Fails:**
  * **YAML Syntax**: Validate compose file syntax
  * **Port Conflicts**: Check for port usage conflicts
  * **Network Issues**: Verify network connectivity
  * **Permission Errors**: Check file/directory permissions
 **Web Interface Issues:**
  * **Traefik Routing**: Verify Traefik configuration
  * **Authelia Access**: Check SSO authentication
  * **SSL Certificates**: Validate certificate status
  * **Browser Cache**: Clear browser cache
 **Troubleshooting Steps:**
  1. **Check logs**: `docker logs dockge`
  2. **Validate configuration**: Test compose file syntax
  3. **Network connectivity**: Verify Docker network access
  4. **Restart service**: `docker restart dockge`
  5. **Check dependencies**: Ensure required services running
 ===== Best Practices =====
 **Stack Organization:**
  * **Logical Grouping**: Group related services
  * **Naming Convention**: Consistent naming patterns
  * **Documentation**: Comment complex configurations
  * **Version Control**: Track configuration changes
 **Maintenance:**
  * **Regular Updates**: Keep images updated
  * **Backup Routine**: Regular configuration backups
  * **Log Monitoring**: Review logs for issues
  * **Performance Tuning**: Optimize resource usage
 **Security:**
  * **Access Control**: Limit user permissions
  * **Network Security**: Use secure networks
  * **Data Encryption**: Encrypt sensitive data
  * **Audit Logging**: Monitor access and changes
 **Workflow:**
  * **Testing**: Test changes in development first
  * **Documentation**: Document custom configurations
  * **Automation**: Use scripts for repetitive tasks
  * **Monitoring**: Monitor stack health continuously
 ===== Integration Examples =====
 **Adding a New Service:**
 ```yaml
 # 1. Create new stack directory
 # 2. Add docker-compose.yml
 # 3. Configure environment variables
 # 4. Deploy via Dockge UI
 # 5. Test service functionality
 ```
 **Service Updates:**
 ```yaml
 # 1. Edit compose file in Dockge
 # 2. Update image version
 # 3. Deploy changes
 # 4. Monitor startup logs
 # 5. Verify functionality
 ```
 **Backup Strategy:**
 ```yaml
 # 1. Export stack configurations
 # 2. Backup environment files
 # 3. Backup persistent volumes
 # 4. Store backups securely
 # 5. Test restore procedures
 ```
 Dockge serves as the central nervous system of your homelab, providing intuitive management of all your Docker services through a modern web interface.
 **Next:** Learn about [[services:infrastructure:pihole|Pi-hole]] or explore [[getting_started:deployment|Deployment Guide]].
--- a/config-templates/dokuwiki/data/pages/services/infrastructure/dozzle.txt
+++ b/config-templates/dokuwiki/data/pages/services/infrastructure/dozzle.txt
@@ -1,343 +0,0 @@
 ====== Dozzle ======
 Dozzle is a real-time log viewer for Docker containers, providing a web-based interface to monitor and search through container logs. It offers live log streaming, filtering capabilities, and multi-container log management.
 ===== Overview =====
 **Purpose:** Real-time Docker log viewer
 **URL:** https://dozzle.yourdomain.duckdns.org
 **Authentication:** Authelia SSO protected
 **Deployment:** Infrastructure stack
 **Interface:** Modern web UI with live updates
 ===== Key Features =====
 **Log Viewing:**
  * **Real-time Streaming**: Live log updates
  * **Multi-container**: View multiple containers simultaneously
  * **Search & Filter**: Advanced log filtering
  * **Color Coding**: Syntax highlighting for different log levels
 **Container Management:**
  * **Container List**: All running containers
  * **Status Indicators**: Container health status
  * **Quick Actions**: Start/stop/restart containers
  * **Resource Monitoring**: Basic CPU/memory stats
 **Search & Filtering:**
  * **Text Search**: Search within logs
  * **Regex Support**: Regular expression filtering
  * **Date Filtering**: Time-based log filtering
  * **Container Filtering**: Filter by specific containers
 ===== Configuration =====
 **Container Configuration:**
 ```yaml
 services:
  dozzle:
    image: amir20/dozzle:latest
    container_name: dozzle
    restart: unless-stopped
    environment:
      - DOZZLE_USERNAME=${DOZZLE_USERNAME:-admin}
      - DOZZLE_PASSWORD=${DOZZLE_PASSWORD}
      - DOZZLE_LEVEL=info
      - DOZZLE_TAILSIZE=100
      - DOZZLE_FILTER_CONTAINERS=${DOZZLE_FILTER_CONTAINERS}
      - DOZZLE_NO_ANALYTICS=true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-network
    deploy:
      resources:
        limits:
          cpus: '0.3'
          memory: 128M
        reservations:
          cpus: '0.05'
          memory: 32M
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dozzle.rule=Host(`dozzle.${DOMAIN}`)"
      - "traefik.http.routers.dozzle.entrypoints=websecure"
      - "traefik.http.routers.dozzle.tls.certresolver=letsencrypt"
      - "traefik.http.routers.dozzle.middlewares=authelia@docker"
      - "traefik.http.services.dozzle.loadbalancer.server.port=8080"
      - "x-dockge.url=https://dozzle.${DOMAIN}"
 ```
 **Environment Variables:**
 ```bash
 # Authentication (optional, Authelia handles SSO)
 DOZZLE_USERNAME=admin
 DOZZLE_PASSWORD=your-secure-password
 # Logging configuration
 DOZZLE_LEVEL=info  # debug, info, warn, error
 DOZZLE_TAILSIZE=100  # Lines to show initially
 # Container filtering (optional)
 DOZZLE_FILTER_CONTAINERS=container1,container2
 # Privacy
 DOZZLE_NO_ANALYTICS=true
 ```
 ===== Interface Overview =====
 **Main Dashboard:**
  * **Container List**: Left sidebar with all containers
  * **Log Viewer**: Main panel showing selected logs
  * **Search Bar**: Top search and filter controls
  * **Status Bar**: Connection and filter status
 **Container Selection:**
  * **Single Container**: Click to view individual logs
  * **Multiple Containers**: Hold Ctrl/Cmd to select multiple
  * **All Containers**: View logs from all containers
  * **Container Groups**: Filter by stack or service type
 **Log Display:**
  * **Live Updates**: Real-time log streaming
  * **Color Coding**: Different colors for log levels
  * **Timestamps**: Show log timestamps
  * **Line Numbers**: Reference specific log lines
 ===== Search & Filtering =====
 **Text Search:**
 ```bash
 # Basic search
 error warning
 # Case-sensitive search
 /Error|Warning/
 # Complex patterns
 "connection refused" OR "timeout"
 ```
 **Advanced Filtering:**
  * **Container Name**: Filter by specific containers
  * **Log Level**: Filter by severity (ERROR, WARN, INFO, DEBUG)
  * **Time Range**: Show logs from specific time periods
  * **Regex Patterns**: Use regular expressions for complex matching
 **Saved Filters:**
  * **Custom Filters**: Save frequently used search patterns
  * **Filter Presets**: Pre-configured filter combinations
  * **Quick Filters**: One-click common filters (errors only, etc.)
 ===== Container Management =====
 **Quick Actions:**
  * **Start/Stop**: Control container lifecycle
  * **Restart**: Restart individual containers
  * **Logs**: Jump to detailed logs
  * **Exec**: Open terminal in container
 **Container Information:**
  * **Status**: Running, stopped, paused
  * **Uptime**: How long container has been running
  * **Image**: Container image and version
  * **Ports**: Exposed ports and mappings
 **Resource Monitoring:**
  * **CPU Usage**: Real-time CPU percentage
  * **Memory Usage**: RAM consumption
  * **Network I/O**: Data transfer rates
  * **Disk I/O**: Storage read/write operations
 ===== Advanced Features =====
 **Log Analysis:**
  * **Pattern Recognition**: Identify common error patterns
  * **Anomaly Detection**: Flag unusual log patterns
  * **Trend Analysis**: Track log volume over time
  * **Alert Integration**: Send alerts for specific log patterns
 **Export & Sharing:**
  * **Log Export**: Download logs as text files
  * **Share Links**: Generate shareable log links
  * **API Access**: Programmatic log access
  * **Integration**: Connect with other monitoring tools
 **Customization:**
  * **Themes**: Light/dark mode switching
  * **Layout**: Customizable interface layout
  * **Shortcuts**: Keyboard shortcuts for common actions
  * **Notifications**: Browser notifications for events
 ===== Security Considerations =====
 **Access Control:**
  * **Authelia Protection**: SSO authentication required
  * **User Permissions**: Container access restrictions
  * **Log Privacy**: Sensitive data in logs
  * **Network Security**: Secure Docker socket access
 **Data Protection:**
  * **Log Encryption**: Secure log transmission
  * **Access Logging**: Audit log access
  * **Data Retention**: Log retention policies
  * **Privacy Controls**: Filter sensitive information
 ===== Performance Optimization =====
 **Resource Management:**
 ```yaml
 deploy:
  resources:
    limits:
      cpus: '0.3'
      memory: 128M
    reservations:
      cpus: '0.05'
      memory: 32M
 ```
 **Log Optimization:**
  * **Tail Size**: Limit initial log display
  * **Buffer Management**: Efficient log buffering
  * **Compression**: Log compression for storage
  * **Cleanup**: Automatic old log cleanup
 **Container Filtering:**
 ```yaml
 # Limit visible containers
 environment:
  - DOZZLE_FILTER_CONTAINERS=traefik,authelia,dockge
 ```
 ===== Troubleshooting =====
 **Connection Issues:**
 ```bash
 # Check Docker socket access
 ls -la /var/run/docker.sock
 # Verify Docker is running
 docker ps
 # Check container logs
 docker logs dozzle
 ```
 **Log Display Problems:**
  * **No Logs Showing**: Check container permissions
  * **Logs Not Updating**: Verify real-time connection
  * **Search Not Working**: Check search syntax
  * **Performance Issues**: Reduce number of containers
 **Authentication Issues:**
  * **Login Problems**: Verify credentials
  * **Authelia Integration**: Check SSO configuration
  * **Session Timeout**: Adjust session settings
  * **Permission Denied**: Check user permissions
 **Web Interface Issues:**
  * **Page Not Loading**: Check Traefik routing
  * **SSL Errors**: Verify certificate status
  * **JavaScript Errors**: Clear browser cache
  * **Mobile Issues**: Check responsive design
 **Troubleshooting Steps:**
  1. **Check logs**: `docker logs dozzle`
  2. **Test connectivity**: Verify Docker socket access
  3. **Validate configuration**: Check environment variables
  4. **Browser testing**: Test in different browsers
  5. **Restart service**: `docker restart dozzle`
 ===== Integration with Monitoring =====
 **Prometheus Integration:**
 ```yaml
 # Expose metrics for monitoring
 environment:
  - DOZZLE_ENABLE_METRICS=true
  - DOZZLE_METRICS_PORT=8081
 ```
 **Grafana Dashboards:**
  * **Log Volume**: Track log generation rates
  * **Error Rates**: Monitor error log frequency
  * **Container Health**: Track container status
  * **Performance Metrics**: CPU/memory usage trends
 **Alert Integration:**
  * **Error Alerts**: Alert on specific error patterns
  * **Container Alerts**: Notify on container failures
  * **Performance Alerts**: Alert on resource issues
  * **Log Volume Alerts**: Alert on unusual log activity
 ===== Best Practices =====
 **Log Management:**
  * **Regular Monitoring**: Daily log review routine
  * **Search Optimization**: Use efficient search patterns
  * **Filter Usage**: Create useful filter presets
  * **Export Strategy**: Regular log exports for analysis
 **Container Organization:**
  * **Naming Convention**: Consistent container naming
  * **Grouping**: Logical container grouping
  * **Tagging**: Use labels for better organization
  * **Documentation**: Document container purposes
 **Security:**
  * **Access Control**: Limit log access to authorized users
  * **Data Protection**: Be aware of sensitive data in logs
  * **Network Security**: Secure Docker socket access
  * **Audit Logging**: Track log access and searches
 **Performance:**
  * **Resource Limits**: Appropriate CPU/memory limits
  * **Container Filtering**: Limit visible containers
  * **Log Tail Size**: Optimize initial log display
  * **Caching**: Use browser caching for better performance
 ===== Use Cases =====
 **Development & Debugging:**
  * **Application Logs**: Monitor application behavior
  * **Error Tracking**: Quickly identify and fix errors
  * **Performance Monitoring**: Track application performance
  * **Integration Testing**: Verify service interactions
 **Production Monitoring:**
  * **Service Health**: Monitor service availability
  * **Error Detection**: Catch errors before they escalate
  * **User Issue Investigation**: Debug user-reported problems
  * **Security Monitoring**: Watch for suspicious activity
 **Maintenance & Troubleshooting:**
  * **Update Monitoring**: Watch for issues during updates
  * **Configuration Changes**: Monitor impact of changes
  * **Network Issues**: Debug connectivity problems
  * **Resource Problems**: Identify resource bottlenecks
 ===== Keyboard Shortcuts =====
 **Navigation:**
  * **Ctrl/Cmd + K**: Focus search bar
  * **Arrow Keys**: Navigate container list
  * **Enter**: Select container
  * **Esc**: Clear selection
 **Search:**
  * **Ctrl/Cmd + F**: Start search
  * **F3**: Find next occurrence
  * **Shift + F3**: Find previous occurrence
  * **Ctrl/Cmd + G**: Go to line
 **Actions:**
  * **Ctrl/Cmd + R**: Refresh logs
  * **Ctrl/Cmd + S**: Save current filter
  * **Ctrl/Cmd + E**: Export logs
  * **Ctrl/Cmd + T**: Open terminal
 Dozzle provides essential log monitoring capabilities with an intuitive interface, making it easy to track and troubleshoot your containerized services in real-time.
 **Next:** Learn about [[services:infrastructure:glances|Glances]] or explore [[architecture:monitoring|Monitoring Architecture]].
--- a/config-templates/dokuwiki/data/pages/services/infrastructure/glances.txt
+++ b/config-templates/dokuwiki/data/pages/services/infrastructure/glances.txt
@@ -1,394 +0,0 @@
 ====== Glances ======
 Glances is a cross-platform system monitoring tool that provides real-time information about your system's performance, resources, and running processes. It offers a web-based interface for monitoring system health and performance metrics.
 ===== Overview =====
 **Purpose:** System and container monitoring
 **URL:** https://glances.yourdomain.duckdns.org
 **Authentication:** Authelia SSO protected
 **Deployment:** Infrastructure stack
 **Interface:** Web-based monitoring dashboard
 ===== Key Features =====
 **System Monitoring:**
  * **CPU Usage**: Real-time CPU utilization
  * **Memory Usage**: RAM and swap monitoring
  * **Disk I/O**: Storage read/write operations
  * **Network I/O**: Network traffic monitoring
 **Container Monitoring:**
  * **Docker Stats**: Container resource usage
  * **Container Health**: Status and health checks
  * **Process Monitoring**: Running processes
  * **Service Status**: Application service monitoring
 **Performance Metrics:**
  * **Load Average**: System load over time
  * **Temperature**: CPU and system temperatures
  * **Fan Speed**: Cooling system monitoring
  * **Power Usage**: System power consumption
 ===== Configuration =====
 **Container Configuration:**
 ```yaml
 services:
  glances:
    image: nicolargo/glances:latest
    container_name: glances
    restart: unless-stopped
    pid: host
    environment:
      - GLANCES_OPT=-w
      - GLANCES_OPT_WEBserver=true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/os-release:/etc/os-release:ro
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
    networks:
      - traefik-network
    deploy:
      resources:
        limits:
          cpus: '0.3'
          memory: 128M
        reservations:
          cpus: '0.05'
          memory: 32M
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.glances.rule=Host(`glances.${DOMAIN}`)"
      - "traefik.http.routers.glances.entrypoints=websecure"
      - "traefik.http.routers.glances.tls.certresolver=letsencrypt"
      - "traefik.http.routers.glances.middlewares=authelia@docker"
      - "traefik.http.services.glances.loadbalancer.server.port=61208"
      - "x-dockge.url=https://glances.${DOMAIN}"
 ```
 **Command Line Options:**
 ```bash
 # Web server mode
 GLANCES_OPT=-w
 # Additional options
 GLANCES_OPT=-w --disable-webui-password --enable-process-extended
 # Custom refresh interval
 GLANCES_OPT=-w --time 5
 # Disable specific plugins
 GLANCES_OPT=-w --disable cpu --disable mem
 ```
 ===== Interface Overview =====
 **Main Dashboard:**
  * **System Overview**: CPU, memory, disk, network
  * **Container List**: Docker container statistics
  * **Process List**: Top running processes
  * **Alerts Panel**: System alerts and warnings
 **Navigation Tabs:**
  * **System**: Core system metrics
  * **Docker**: Container monitoring
  * **Processes**: Process management
  * **Alerts**: System alerts and thresholds
  * **Filesystem**: Disk usage and I/O
 **Real-time Updates:**
  * **Auto-refresh**: Configurable update intervals
  * **Live Charts**: Real-time performance graphs
  * **Color Coding**: Status-based color indicators
  * **Threshold Alerts**: Configurable warning levels
 ===== System Monitoring =====
 **CPU Monitoring:**
  * **Usage Percentage**: Overall CPU utilization
  * **Per-Core Usage**: Individual core monitoring
  * **Load Average**: 1, 5, 15-minute averages
  * **CPU Frequency**: Current clock speeds
 **Memory Monitoring:**
  * **RAM Usage**: Physical memory utilization
  * **Swap Usage**: Swap file/page file usage
  * **Memory Pressure**: System memory pressure
  * **Cache Statistics**: Buffer and cache usage
 **Disk Monitoring:**
  * **Usage Percentage**: Filesystem utilization
  * **I/O Operations**: Read/write operations per second
  * **Transfer Rates**: Data transfer speeds
  * **Disk Health**: S.M.A.R.T. status (if available)
 **Network Monitoring:**
  * **Interface Statistics**: Per-interface traffic
  * **Connection Count**: Active network connections
  * **Bandwidth Usage**: Upload/download rates
  * **Network Errors**: Packet loss and errors
 ===== Container Monitoring =====
 **Docker Integration:**
  * **Container List**: All running containers
  * **Resource Usage**: CPU, memory per container
  * **Network Stats**: Container network traffic
  * **Health Status**: Container health checks
 **Container Details:**
  * **Image Information**: Base image and version
  * **Port Mappings**: Exposed ports
  * **Volume Mounts**: Attached volumes
  * **Environment Variables**: Container configuration
 **Performance Metrics:**
  * **CPU Shares**: CPU allocation and usage
  * **Memory Limits**: Memory constraints and usage
  * **Network I/O**: Container network traffic
  * **Disk I/O**: Container storage operations
 ===== Process Monitoring =====
 **Process List:**
  * **Top Processes**: Most resource-intensive processes
  * **Process Tree**: Parent-child process relationships
  * **User Processes**: Per-user process listing
  * **System Processes**: Kernel and system processes
 **Process Details:**
  * **CPU Usage**: Per-process CPU consumption
  * **Memory Usage**: RAM and virtual memory
  * **I/O Operations**: Disk read/write activity
  * **Network Activity**: Network connections
 **Process Management:**
  * **Kill Process**: Terminate problematic processes
  * **Change Priority**: Adjust process nice levels
  * **Resource Limits**: Set process resource limits
  * **Process Groups**: Group related processes
 ===== Alert System =====
 **Threshold Configuration:**
 ```yaml
 # Alert thresholds (environment variables)
 GLANCES_OPT=-w --alert cpu>80,mem>90,disk>85
 ```
 **Alert Types:**
  * **CPU Alerts**: High CPU usage warnings
  * **Memory Alerts**: Memory pressure alerts
  * **Disk Alerts**: Storage space warnings
  * **Network Alerts**: Bandwidth threshold alerts
 **Alert Actions:**
  * **Visual Indicators**: Color-coded alerts
  * **Sound Alerts**: Audio notifications
  * **Email Notifications**: SMTP alerts
  * **Webhook Integration**: External alert systems
 ===== Advanced Configuration =====
 **Custom Plugins:**
 ```yaml
 # Enable additional plugins
 GLANCES_OPT=-w --enable-plugin sensors --enable-plugin gpu
 ```
 **Export Options:**
 ```yaml
 # Export to various formats
 GLANCES_OPT=-w --export csv --export-csv-file /data/stats.csv
 GLANCES_OPT=-w --export influxdb --export-influxdb-host localhost
 ```
 **Remote Monitoring:**
 ```yaml
 # Monitor remote systems
 GLANCES_OPT=-w --client localhost:61209
 ```
 **Configuration File:**
 ```yaml
 # glances.conf
 [main]
 refresh=2
 history_size=1200
 [cpu]
 user_careful=50
 user_warning=70
 user_critical=90
 ```
 ===== Security Considerations =====
 **Access Control:**
  * **Authelia Protection**: SSO authentication required
  * **Network Isolation**: Container network restrictions
  * **Read-only Access**: Limited system access
  * **Audit Logging**: Monitor access patterns
 **Data Protection:**
  * **Sensitive Data**: Avoid exposing sensitive information
  * **Encryption**: Secure data transmission
  * **Access Logging**: Track monitoring access
  * **Privacy Controls**: Limit exposed system information
 ===== Performance Optimization =====
 **Resource Management:**
 ```yaml
 deploy:
  resources:
    limits:
      cpus: '0.3'
      memory: 128M
    reservations:
      cpus: '0.05'
      memory: 32M
 ```
 **Monitoring Optimization:**
  * **Refresh Rate**: Balance between real-time and performance
  * **Data Retention**: Configure historical data limits
  * **Plugin Selection**: Enable only needed monitoring plugins
  * **Caching**: Use efficient data caching
 ===== Troubleshooting =====
 **Connection Issues:**
 ```bash
 # Check web interface
 curl -k https://glances.yourdomain.duckdns.org
 # Verify port accessibility
 netstat -tlnp | grep 61208
 # Check container logs
 docker logs glances
 ```
 **Monitoring Problems:**
  * **No Data Showing**: Check system permissions
  * **High Resource Usage**: Adjust refresh rates
  * **Missing Metrics**: Enable required plugins
  * **Inaccurate Data**: Verify system compatibility
 **Docker Integration Issues:**
  * **Socket Access**: Verify Docker socket permissions
  * **Container Detection**: Check Docker API access
  * **Permission Errors**: Adjust container privileges
  * **Network Issues**: Check container networking
 **Performance Issues:**
  * **High CPU Usage**: Reduce refresh frequency
  * **Memory Leaks**: Monitor memory consumption
  * **Disk I/O**: Optimize data storage
  * **Network Latency**: Check network performance
 **Troubleshooting Steps:**
  1. **Check logs**: `docker logs glances`
  2. **Verify configuration**: Test command line options
  3. **Test connectivity**: Check web interface access
  4. **Monitor resources**: Track system resource usage
  5. **Restart service**: `docker restart glances`
 ===== Integration with Monitoring Stack =====
 **Prometheus Integration:**
 ```yaml
 # Export metrics to Prometheus
 GLANCES_OPT=-w --export prometheus --export-prometheus-port 9091
 ```
 **Grafana Dashboards:**
  * **System Overview**: CPU, memory, disk, network
  * **Container Metrics**: Docker container statistics
  * **Process Monitoring**: Top processes and resource usage
  * **Historical Trends**: Performance over time
 **Alert Manager Integration:**
  * **Threshold Alerts**: Configurable alert rules
  * **Notification Channels**: Email, Slack, webhook alerts
  * **Escalation Policies**: Multi-level alert handling
  * **Silence Management**: Alert suppression rules
 ===== Best Practices =====
 **Monitoring Strategy:**
  * **Key Metrics**: Focus on critical system metrics
  * **Alert Thresholds**: Set appropriate warning levels
  * **Baseline Establishment**: Understand normal system behavior
  * **Trend Analysis**: Monitor performance trends
 **Alert Configuration:**
  * **Avoid Alert Fatigue**: Set meaningful thresholds
  * **Escalation Paths**: Define alert escalation procedures
  * **Maintenance Windows**: Suppress alerts during maintenance
  * **Testing**: Regularly test alert functionality
 **Performance:**
  * **Resource Limits**: Appropriate CPU/memory allocation
  * **Refresh Rates**: Balance real-time vs performance
  * **Data Retention**: Configure appropriate history
  * **Optimization**: Enable only needed features
 **Security:**
  * **Access Control**: Limit monitoring access
  * **Data Protection**: Secure monitoring data
  * **Network Security**: Secure monitoring traffic
  * **Compliance**: Meet monitoring compliance requirements
 ===== Use Cases =====
 **System Administration:**
  * **Performance Monitoring**: Track system health
  * **Capacity Planning**: Plan for resource upgrades
  * **Troubleshooting**: Diagnose system issues
  * **Maintenance Planning**: Schedule maintenance windows
 **Container Orchestration:**
  * **Resource Allocation**: Monitor container resources
  * **Health Checks**: Track container health
  * **Scaling Decisions**: Inform scaling decisions
  * **Optimization**: Optimize container performance
 **Development & Testing:**
  * **Application Monitoring**: Monitor application performance
  * **Resource Usage**: Track development environment usage
  * **Debugging**: Identify performance bottlenecks
  * **Testing**: Validate system performance
 **Production Monitoring:**
  * **SLA Monitoring**: Ensure service level agreements
  * **Incident Response**: Quick issue identification
  * **Root Cause Analysis**: Analyze system incidents
  * **Reporting**: Generate performance reports
 ===== Keyboard Shortcuts =====
 **Navigation:**
  * **Tab**: Switch between sections
  * **Arrow Keys**: Navigate lists and menus
  * **Enter**: Select item or open details
  * **Esc**: Close dialogs or return to main view
 **Actions:**
  * **R**: Refresh data
  * **S**: Sort current list
  * **F**: Filter/search
  * **H**: Show help
 **Views:**
  * **1-9**: Switch to specific tabs
  * **C**: Container view
  * **P**: Process view
  * **A**: Alerts view
 Glances provides comprehensive system and container monitoring with an intuitive web interface, essential for maintaining your homelab's health and performance.
 **Next:** Learn about [[services:infrastructure:watchtower|Watchtower]] or explore [[architecture:monitoring|Monitoring Architecture]].
--- a/config-templates/dokuwiki/data/pages/services/infrastructure/pihole.txt
+++ b/config-templates/dokuwiki/data/pages/services/infrastructure/pihole.txt
@@ -1,376 +0,0 @@
 ====== Pi-hole ======
 Pi-hole is a network-wide ad blocker that acts as a DNS sinkhole, blocking advertisements and tracking domains at the network level. It provides DNS-based ad blocking, DHCP server capabilities, and comprehensive network statistics.
 ===== Overview =====
 **Purpose:** Network-wide ad blocking and DNS
 **URL:** http://pihole.yourdomain.duckdns.org (HTTP only)
 **Authentication:** Authelia SSO protected
 **Deployment:** Infrastructure stack
 **Protocol:** DNS (port 53), DHCP (optional)
 ===== Key Features =====
 **Ad Blocking:**
  * **DNS Sinkhole**: Blocks ad/tracking domains
  * **Network Wide**: Protects all devices on network
  * **Custom Lists**: Support for custom blocklists
  * **Whitelist/Blacklist**: Fine-grained control
 **DNS Services:**
  * **Recursive DNS**: Full DNS resolution
  * **DNSSEC**: DNS security extensions
  * **Conditional Forwarding**: Local hostname resolution
  * **Rate Limiting**: Query rate limiting
 **DHCP Server:**
  * **IP Address Assignment**: Dynamic IP allocation
  * **Static Leases**: Reserved IP addresses
  * **Network Configuration**: Gateway and DNS settings
  * **Client Management**: Device tracking
 ===== Configuration =====
 **Container Configuration:**
 ```yaml
 services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    restart: unless-stopped
    environment:
      - TZ=${TZ}
      - WEBPASSWORD=${PIHOLE_PASSWORD}
      - PIHOLE_DNS_=1.1.1.1;1.0.0.1;8.8.8.8;8.8.4.4
      - DHCP_ACTIVE=false  # Set to true to enable DHCP
      - DHCP_START=192.168.1.100
      - DHCP_END=192.168.1.200
      - DHCP_ROUTER=192.168.1.1
      - DHCP_LEASETIME=24
    volumes:
      - ./pihole/etc-pihole:/etc/pihole
      - ./pihole/etc-dnsmasq.d:/etc/dnsmasq.d
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 8082:80/tcp  # Web interface
    networks:
      - traefik-network
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 256M
        reservations:
          cpus: '0.1'
          memory: 64M
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pihole.rule=Host(`pihole.${DOMAIN}`)"
      - "traefik.http.routers.pihole.entrypoints=websecure"
      - "traefik.http.routers.pihole.tls.certresolver=letsencrypt"
      - "traefik.http.routers.pihole.middlewares=authelia@docker"
      - "traefik.http.services.pihole.loadbalancer.server.port=80"
      - "x-dockge.url=http://pihole.${DOMAIN}"
    dns:
      - 127.0.0.1
      - 1.1.1.1
 ```
 **Environment Variables:**
 ```bash
 # Required
 PIHOLE_PASSWORD=your-secure-password
 # Optional DNS servers (comma-separated)
 PIHOLE_DNS_=1.1.1.1;1.0.0.1;8.8.8.8;8.8.4.4
 # DHCP Configuration (if enabled)
 DHCP_ACTIVE=true
 DHCP_START=192.168.1.100
 DHCP_END=192.168.1.200
 DHCP_ROUTER=192.168.1.1
 DHCP_LEASETIME=24
 ```
 ===== DNS Configuration =====
 **Upstream DNS Servers:**
  * **Cloudflare**: 1.1.1.1, 1.0.0.1 (default)
  * **Google**: 8.8.8.8, 8.8.4.4
  * **Quad9**: 9.9.9.9, 149.112.112.112
  * **OpenDNS**: 208.67.222.222, 208.67.220.220
 **DNS Settings:**
 ```bash
 # In Pi-hole admin interface
 # Settings > DNS
 # Enable DNSSEC for enhanced security
 # Configure conditional forwarding for local network
 ```
 **Client Configuration:**
  * **Router DNS**: Set router to use Pi-hole IP
  * **Device DNS**: Configure individual devices
  * **DHCP**: Enable DHCP server in Pi-hole
  * **IPv6**: Configure IPv6 DNS if needed
 ===== Ad Blocking Setup =====
 **Blocklists:**
  * **Default Lists**: Pre-configured ad/tracking lists
  * **Custom Lists**: Add your own blocklists
  * **Gravity Update**: Regular list updates
  * **Regex Filtering**: Advanced pattern matching
 **Whitelist/Blacklist:**
  * **Whitelist**: Allow specific domains
  * **Blacklist**: Block additional domains
  * **Regex**: Pattern-based filtering
  * **Client Groups**: Per-device rules
 **Group Management:**
 ```bash
 # Create client groups for different policies
 # Assign devices to groups
 # Apply different filtering rules per group
 ```
 ===== DHCP Server Configuration =====
 **DHCP Setup:**
 ```yaml
 environment:
  - DHCP_ACTIVE=true
  - DHCP_START=192.168.1.100
  - DHCP_END=192.168.1.200
  - DHCP_ROUTER=192.168.1.1
  - DHCP_LEASETIME=24
 ```
 **Static Leases:**
  * **MAC Address**: Device hardware address
  * **IP Address**: Reserved static IP
  * **Hostname**: Device name
  * **Description**: Device description
 **DHCP Options:**
  * **Domain Name**: Local domain suffix
  * **NTP Servers**: Time synchronization
  * **PXE Boot**: Network boot options
  * **Vendor Options**: Device-specific options
 ===== Monitoring & Statistics =====
 **Dashboard Overview:**
  * **Total Queries**: DNS query volume
  * **Blocked Domains**: Ad blocking statistics
  * **Top Clients**: Most active devices
  * **Top Domains**: Frequently queried domains
 **Query Log:**
  * **Real-time Monitoring**: Live query feed
  * **Filtering**: Search and filter queries
  * **Blocking Status**: See what's blocked/allowed
  * **Client Tracking**: Per-device statistics
 **Long-term Statistics:**
  * **Historical Data**: Query trends over time
  * **Blocking Efficiency**: Ad blocking performance
  * **Client Usage**: Device activity patterns
  * **Domain Analysis**: Popular domain tracking
 ===== Security Features =====
 **Access Control:**
  * **Web Interface**: Password protected
  * **Authelia Integration**: SSO authentication
  * **IP Restrictions**: Limit admin access
  * **Session Management**: Secure login sessions
 **DNS Security:**
  * **DNSSEC**: Domain signature validation
  * **Query Logging**: Audit trail of requests
  * **Rate Limiting**: Prevent DNS amplification
  * **Cache Poisoning**: Protection against attacks
 **Network Security:**
  * **Firewall Integration**: UFW/iptables rules
  * **Port Protection**: Restrict unnecessary ports
  * **Traffic Monitoring**: Network traffic analysis
  * **Intrusion Detection**: Suspicious activity alerts
 ===== Performance Optimization =====
 **DNS Performance:**
 ```yaml
 # Optimize DNS settings
 # Settings > DNS > Interface Settings
 # Enable cache optimization
 # Configure upstream server timeout
 ```
 **Resource Limits:**
 ```yaml
 deploy:
  resources:
    limits:
      cpus: '0.5'
      memory: 256M
    reservations:
      cpus: '0.1'
      memory: 64M
 ```
 **Caching:**
  * **DNS Cache**: Local query caching
  * **Blocklist Cache**: Efficient blocklist lookups
  * **Negative Cache**: Failed query caching
  * **TTL Management**: Cache expiration handling
 ===== Troubleshooting =====
 **DNS Resolution Issues:**
 ```bash
 # Check DNS resolution
 nslookup google.com 127.0.0.1
 # Test Pi-hole DNS
 dig @127.0.0.1 google.com
 # Check upstream connectivity
 dig @8.8.8.8 google.com
 ```
 **Ad Blocking Problems:**
  * **Test Blocking**: Visit ad-heavy sites
  * **Check Lists**: Verify blocklists are updating
  * **Whitelist Issues**: Check whitelist configuration
  * **Client Bypass**: Some apps bypass DNS
 **DHCP Issues:**
  * **IP Conflicts**: Check for IP address conflicts
  * **Lease Problems**: Clear DHCP leases
  * **Router Settings**: Verify router DHCP disabled
  * **Network Issues**: Check network connectivity
 **Web Interface Problems:**
  * **Login Issues**: Reset admin password
  * **SSL Problems**: Check certificate validity
  * **Authelia**: Verify SSO configuration
  * **Browser Cache**: Clear browser cache
 **Troubleshooting Steps:**
  1. **Check logs**: `docker logs pihole`
  2. **Test DNS**: Verify DNS resolution works
  3. **Check configuration**: Validate environment variables
  4. **Network connectivity**: Test upstream DNS
  5. **Restart service**: `docker restart pihole`
 ===== Advanced Configuration =====
 **Custom DNS Records:**
 ```bash
 # Add local DNS records
 # Settings > Local DNS > DNS Records
 # Add A, AAAA, CNAME, PTR records
 ```
 **Conditional Forwarding:**
 ```bash
 # Forward local queries to router
 # Settings > DNS > Advanced Settings
 # Enable conditional forwarding
 # Set router IP and local domain
 ```
 **Regex Blocking:**
 ```bash
 # Advanced blocking patterns
 # Settings > DNS > Group Management
 # Create regex filters for complex patterns
 ```
 **API Access:**
 ```bash
 # Enable API for external tools
 # Settings > API > Show API token
 # Use token for programmatic access
 ```
 ===== Integration with Other Services =====
 **Router Integration:**
  * **DNS Settings**: Configure router to use Pi-hole
  * **DHCP Disable**: Disable router DHCP if using Pi-hole
  * **Port Forwarding**: Forward port 53 to Pi-hole
  * **Static IP**: Give Pi-hole static IP address
 **Monitoring Integration:**
  * **Prometheus**: Export metrics for monitoring
  * **Grafana**: Create dashboards for Pi-hole stats
  * **Uptime Kuma**: Monitor Pi-hole availability
  * **Alerting**: Set up alerts for service issues
 **Backup Integration:**
  * **Configuration Backup**: Backup Pi-hole settings
  * **Blocklist Backup**: Save custom lists
  * **DHCP Backup**: Backup DHCP leases
  * **Automated Backups**: Schedule regular backups
 ===== Best Practices =====
 **DNS Configuration:**
  * **Multiple Upstream**: Use multiple DNS servers
  * **DNSSEC**: Enable DNS security
  * **Conditional Forwarding**: Enable for local network
  * **Rate Limiting**: Prevent abuse
 **Ad Blocking:**
  * **Regular Updates**: Keep blocklists current
  * **Custom Lists**: Add domain-specific blocks
  * **Whitelist Carefully**: Only whitelist necessary sites
  * **Test Blocking**: Verify blocking effectiveness
 **DHCP Management:**
  * **IP Planning**: Plan IP address ranges
  * **Static Leases**: Reserve IPs for servers
  * **Lease Time**: Appropriate lease durations
  * **Monitoring**: Track DHCP usage
 **Security:**
  * **Strong Password**: Secure admin password
  * **Access Control**: Limit admin access
  * **Updates**: Keep Pi-hole updated
  * **Monitoring**: Monitor for security issues
 **Maintenance:**
  * **Log Rotation**: Manage log file sizes
  * **Database Optimization**: Regular database maintenance
  * **Backup Routine**: Regular configuration backups
  * **Performance Monitoring**: Track resource usage
 ===== Common Use Cases =====
 **Home Network:**
  * **Ad Blocking**: Block ads on all devices
  * **Parental Controls**: Block inappropriate content
  * **Device Management**: Track and manage devices
  * **Network Monitoring**: Monitor network activity
 **Small Office:**
  * **Content Filtering**: Block productivity-draining sites
  * **Guest Network**: Separate guest DNS
  * **Device Control**: Manage corporate devices
  * **Reporting**: Generate usage reports
 **Development:**
  * **Local DNS**: Resolve development domains
  * **Testing**: Test ad blocking effectiveness
  * **Network Simulation**: Simulate network conditions
  * **Debugging**: Debug DNS-related issues
 Pi-hole provides essential network services with powerful ad blocking capabilities, serving as the DNS backbone of your homelab network.
 **Next:** Learn about [[services:infrastructure:dozzle|Dozzle]] or explore [[architecture:networking|Network Architecture]].
--- a/config-templates/dokuwiki/data/pages/services/infrastructure/start.txt
+++ b/config-templates/dokuwiki/data/pages/services/infrastructure/start.txt
@@ -1,59 +0,0 @@
 ====== Infrastructure Services ======
 This section covers management, monitoring, and development tools for your homelab infrastructure.
 ===== Available Services =====
 **Dockge** - Docker Compose Manager
  * Access: https://dockge.${DOMAIN}
  * Description: Web-based Docker Compose stack manager
  * Stack: infrastructure.yml
 **Pi-hole** - Network-wide ad blocker
  * Access: http://pihole.${DOMAIN} (or https via Traefik)
  * Description: DNS-based ad blocking and network monitoring
  * Stack: infrastructure.yml
 **Dozzle** - Real-time log viewer
  * Access: https://dozzle.${DOMAIN}
  * Description: Web interface for viewing Docker container logs
  * Stack: infrastructure.yml
 **Glances** - System monitoring
  * Access: https://glances.${DOMAIN}
  * Description: Cross-platform system monitoring tool
  * Stack: infrastructure.yml
 **Watchtower** - Automatic updates
  * Description: Automatically updates Docker containers
  * Stack: infrastructure.yml
 **Code Server** - VS Code in browser
  * Access: https://code.${DOMAIN}
  * Description: Run VS Code in your browser
  * Stack: infrastructure.yml
 **Docker Proxy** - Secure Docker access
  * Description: Provides secure access to Docker socket
  * Stack: infrastructure.yml
 ===== Quick Start =====
 1. Deploy the infrastructure stack:
   docker-compose -f infrastructure.yml up -d
 2. Access Dockge at https://dockge.${DOMAIN} to manage stacks
 3. Configure Pi-hole for network-wide ad blocking
 4. Use Dozzle to monitor container logs in real-time
 5. Set up Glances for system monitoring
 ===== Integration =====
 Infrastructure services integrate with:
  * **Traefik** - Automatic SSL and routing
  * **Authelia** - SSO authentication
  * **Docker** - Container management and monitoring
  * **System** - Hardware and OS monitoring
--- a/config-templates/dokuwiki/data/pages/services/infrastructure/watchtower.txt
+++ b/config-templates/dokuwiki/data/pages/services/infrastructure/watchtower.txt
@@ -1,404 +0,0 @@
 ====== Watchtower ======
 Watchtower is an automated container update service that monitors running Docker containers and automatically updates them when new images are available. It ensures your homelab services stay up-to-date with the latest security patches and features.
 ===== Overview =====
 **Purpose:** Automated container updates
 **Deployment:** Infrastructure stack (currently disabled)
 **Monitoring:** Passive background service
 **Update Strategy:** Rolling updates with health checks
 ===== Key Features =====
 **Automated Updates:**
  * **Image Monitoring**: Checks for new image versions
  * **Scheduled Updates**: Configurable update intervals
  * **Rolling Updates**: Updates containers one by one
  * **Health Checks**: Waits for container health before proceeding
 **Update Control:**
  * **Include/Exclude**: Control which containers to update
  * **Update Notifications**: Email/Slack notifications
  * **Rollback Support**: Revert to previous versions
  * **Dry Run Mode**: Test updates without applying
 **Safety Features:**
  * **Health Monitoring**: Ensures containers start successfully
  * **Timeout Control**: Prevents hanging updates
  * **Resource Limits**: Controls update resource usage
  * **Backup Integration**: Coordinates with backup services
 ===== Configuration =====
 **Container Configuration:**
 ```yaml
 services:
  watchtower:
    image: containrrr/watchtower:latest
    container_name: watchtower
    restart: unless-stopped
    environment:
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_POLL_INTERVAL=3600
      - WATCHTOWER_TIMEOUT=30s
      - WATCHTOWER_NOTIFICATIONS=shoutrrr
      - WATCHTOWER_NOTIFICATION_URL=discord://token@webhook
      - WATCHTOWER_INCLUDE_STOPPED=false
      - WATCHTOWER_REVIVE_STOPPED=false
      - WATCHTOWER_REMOVE_VOLUMES=false
      - WATCHTOWER_LABEL_ENABLE=true
      - WATCHTOWER_MONITOR_ONLY=false
      - WATCHTOWER_RUN_ONCE=false
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command: --interval 3600 --cleanup --label-enable
    deploy:
      resources:
        limits:
          cpus: '0.2'
          memory: 64M
        reservations:
          cpus: '0.01'
          memory: 16M
 ```
 **Environment Variables:**
 ```bash
 # Update interval (seconds)
 WATCHTOWER_POLL_INTERVAL=3600
 # Update timeout
 WATCHTOWER_TIMEOUT=30s
 # Cleanup old images
 WATCHTOWER_CLEANUP=true
 # Notification settings
 WATCHTOWER_NOTIFICATIONS=shoutrrr
 WATCHTOWER_NOTIFICATION_URL=discord://token@webhook
 # Container control
 WATCHTOWER_INCLUDE_STOPPED=false
 WATCHTOWER_REVIVE_STOPPED=false
 WATCHTOWER_REMOVE_VOLUMES=false
 # Label-based control
 WATCHTOWER_LABEL_ENABLE=true
 # Monitoring mode
 WATCHTOWER_MONITOR_ONLY=false
 # One-time run
 WATCHTOWER_RUN_ONCE=false
 ```
 ===== Update Process =====
 **Monitoring Phase:**
  1. **Image Check**: Queries Docker registry for new versions
  2. **Version Comparison**: Compares current vs latest versions
  3. **Update Decision**: Determines if update is needed
  4. **Schedule Planning**: Plans update timing
 **Update Execution:**
  1. **Container Stop**: Gracefully stops current container
  2. **Image Pull**: Downloads new image version
  3. **Container Start**: Starts container with new image
  4. **Health Check**: Verifies container health
  5. **Cleanup**: Removes old images (if enabled)
 **Post-Update:**
  * **Notification**: Sends update notifications
  * **Logging**: Records update details
  * **Monitoring**: Continues monitoring for next updates
  * **Error Handling**: Handles update failures
 ===== Container Selection =====
 **Label-Based Control:**
 ```yaml
 # Enable updates for specific containers
 labels:
  - "com.centurylinklabs.watchtower.enable=true"
 # Disable updates for specific containers
 labels:
  - "com.centurylinklabs.watchtower.enable=false"
 ```
 **Include/Exclude Patterns:**
 ```bash
 # Include only specific containers
 command: --include=traefik,authelia,dockge
 # Exclude specific containers
 command: --exclude=plex,jellyfin
 # Use regex patterns
 command: --include="^media-.*"
 ```
 **Scope Control:**
  * **All Containers**: Update all running containers
  * **Specific Services**: Update only selected services
  * **Stack-Based**: Update containers in specific stacks
  * **Label-Based**: Use Docker labels for control
 ===== Notification System =====
 **Supported Notifications:**
  * **Email**: SMTP email notifications
  * **Slack**: Slack channel notifications
  * **Discord**: Discord webhook notifications
  * **Gotify**: Gotify push notifications
  * **Telegram**: Telegram bot notifications
 **Notification Configuration:**
 ```yaml
 environment:
  - WATCHTOWER_NOTIFICATIONS=shoutrrr
  - WATCHTOWER_NOTIFICATION_URL=slack://token@channel
  # Or for Discord
  - WATCHTOWER_NOTIFICATION_URL=discord://token@webhook
  # Or for email
  - WATCHTOWER_NOTIFICATION_URL=smtp://user:pass@host:port
 ```
 **Notification Content:**
  * **Update Started**: Container update beginning
  * **Update Completed**: Successful update confirmation
  * **Update Failed**: Error details and troubleshooting
  * **Rollback Performed**: Automatic rollback notifications
 ===== Safety & Reliability =====
 **Health Checks:**
 ```yaml
 # Wait for health checks
 command: --interval 3600 --cleanup --label-enable --enable-healthchecks
 ```
 **Timeout Management:**
 ```yaml
 # Set update timeouts
 environment:
  - WATCHTOWER_TIMEOUT=60s
 ```
 **Rollback Capability:**
 ```yaml
 # Enable automatic rollback on failure
 command: --rollback-on-failure
 ```
 **Resource Protection:**
  * **CPU Limits**: Prevent update resource exhaustion
  * **Memory Limits**: Control memory usage during updates
  * **Network Limits**: Manage download bandwidth
  * **Concurrent Updates**: Limit simultaneous updates
 ===== Scheduling =====
 **Update Intervals:**
 ```bash
 # Check every hour
 command: --interval 3600
 # Check every 24 hours
 command: --interval 86400
 # Check at specific times
 command: --schedule "0 0 4 * * *"  # Daily at 4 AM
 ```
 **Maintenance Windows:**
  * **Off-hours Updates**: Schedule updates during low-usage times
  * **Weekend Updates**: Perform updates on weekends
  * **Manual Control**: Trigger updates manually when needed
  * **Holiday Scheduling**: Avoid updates during holidays
 ===== Troubleshooting =====
 **Update Failures:**
 ```bash
 # Check Watchtower logs
 docker logs watchtower
 # Manual update test
 docker pull image:latest
 docker stop container
 docker rm container
 docker run -d --name container image:latest
 ```
 **Permission Issues:**
  * **Docker Socket**: Verify socket access permissions
  * **Registry Access**: Check Docker registry authentication
  * **Network Issues**: Verify internet connectivity
  * **Disk Space**: Ensure sufficient space for image downloads
 **Notification Problems:**
  * **Webhook URLs**: Verify notification endpoint URLs
  * **Authentication**: Check API tokens and credentials
  * **Network Access**: Ensure outbound connectivity
  * **Rate Limits**: Check service rate limiting
 **Performance Issues:**
  * **Resource Usage**: Monitor CPU/memory during updates
  * **Update Frequency**: Adjust polling intervals
  * **Concurrent Updates**: Limit simultaneous container updates
  * **Network Bandwidth**: Control download speeds
 **Troubleshooting Steps:**
  1. **Check logs**: `docker logs watchtower`
  2. **Test manually**: Perform manual container updates
  3. **Verify configuration**: Check environment variables
  4. **Test notifications**: Send test notifications
  5. **Restart service**: `docker restart watchtower`
 ===== Advanced Configuration =====
 **Custom Update Logic:**
 ```bash
 # Use custom update script
 command: --script /path/to/update-script.sh
 ```
 **Lifecycle Hooks:**
 ```yaml
 # Pre/post update hooks
 command: --pre-check /path/to/pre-check.sh --post-check /path/to/post-check.sh
 ```
 **Advanced Filtering:**
 ```bash
 # Complex filtering rules
 command: --filter-by-label=com.example.version=latest --filter-by-label=com.example.tier=frontend
 ```
 **Monitoring Integration:**
 ```yaml
 # Export metrics
 command: --metrics
 environment:
  - WATCHTOWER_METRICS_PORT=8080
 ```
 ===== Security Considerations =====
 **Access Control:**
  * **Docker Socket Security**: Read-only socket access
  * **Registry Authentication**: Secure registry credentials
  * **Network Security**: Secure update traffic
  * **Audit Logging**: Track all update activities
 **Update Security:**
  * **Image Verification**: Verify image authenticity
  * **Vulnerability Scanning**: Check for security issues
  * **Trusted Sources**: Only update from trusted registries
  * **Rollback Security**: Secure rollback procedures
 ===== Integration with Backup =====
 **Backup Coordination:**
 ```yaml
 # Coordinate with backup services
 command: --pre-check /scripts/backup-check.sh --post-check /scripts/backup-verify.sh
 ```
 **Backup Scripts:**
 ```bash
 #!/bin/bash
 # Pre-update backup
 docker exec backup-service backup-now
 # Post-update verification
 docker exec backup-service verify-backup
 ```
 **Automated Backup:**
  * **Pre-update Backup**: Backup before each update
  * **Post-update Verification**: Verify backup integrity
  * **Rollback Backup**: Maintain rollback capability
  * **Retention Policy**: Manage backup retention
 ===== Best Practices =====
 **Update Strategy:**
  * **Staged Updates**: Update non-critical services first
  * **Monitoring**: Monitor updates closely initially
  * **Testing**: Test updates in development first
  * **Documentation**: Document update procedures
 **Safety Measures:**
  * **Health Checks**: Always enable health checks
  * **Timeouts**: Set appropriate update timeouts
  * **Notifications**: Enable comprehensive notifications
  * **Rollback**: Have rollback procedures ready
 **Performance:**
  * **Resource Limits**: Appropriate CPU/memory limits
  * **Update Windows**: Schedule during low-usage times
  * **Concurrent Limits**: Limit simultaneous updates
  * **Network Management**: Control bandwidth usage
 **Monitoring:**
  * **Update Tracking**: Monitor update success/failure
  * **Performance Impact**: Track update performance impact
  * **Error Analysis**: Analyze update failure patterns
  * **Success Metrics**: Track update success rates
 ===== Use Cases =====
 **Production Environments:**
  * **Security Updates**: Automatic security patch deployment
  * **Feature Updates**: Deploy new features automatically
  * **Compliance**: Maintain compliance with update policies
  * **Stability**: Ensure service stability through updates
 **Development Environments:**
  * **Testing Updates**: Test update procedures safely
  * **CI/CD Integration**: Integrate with development pipelines
  * **Version Control**: Manage container versions
  * **Rollback Testing**: Test rollback capabilities
 **Homelab Management:**
  * **Convenience**: Hands-off update management
  * **Security**: Maintain security through updates
  * **Stability**: Prevent version drift issues
  * **Monitoring**: Track update status and health
 **Enterprise Deployments:**
  * **Policy Compliance**: Enforce update policies
  * **Change Management**: Manage change through updates
  * **Audit Trails**: Maintain update audit logs
  * **Reporting**: Generate update compliance reports
 ===== Manual Update Process =====
 **When Watchtower is Disabled:**
 ```bash
 # Manual update procedure
 # 1. Identify containers to update
 docker ps --format "table {{.Names}}\t{{.Image}}"
 # 2. Check for updates
 docker pull image:latest
 # 3. Backup current state
 docker tag current-image backup-image
 # 4. Stop and update container
 docker stop container
 docker rm container
 docker run -d --name container image:latest
 # 5. Verify update
 docker logs container
 docker ps | grep container
 ```
 Watchtower provides automated container updates with safety features and monitoring, ensuring your homelab services remain current and secure.
 **Next:** Learn about [[services:infrastructure:code-server|Code Server]] or explore [[architecture:backup|Backup Architecture]].
--- a/config-templates/dokuwiki/data/pages/services/media/calibre-web.txt
+++ b/config-templates/dokuwiki/data/pages/services/media/calibre-web.txt
@@ -1,393 +0,0 @@
 ====== Calibre-Web ======
 Calibre-Web is a web application that provides a clean web interface for browsing, reading, and downloading eBooks stored in a Calibre database. It allows you to access your eBook library from any device with a web browser.
 ===== Overview =====
 **Purpose:** Web interface for Calibre eBook library
 **URL:** https://calibre.yourdomain.duckdns.org
 **Authentication:** Built-in user management
 **Deployment:** Media stack
 **Database:** SQLite (Calibre database)
 ===== Key Features =====
 **Library Management:**
  * **Browse Books**: Browse your eBook collection
  * **Search & Filter**: Advanced search and filtering
  * **Categories**: Organize by author, genre, series
  * **Metadata Display**: Rich book information display
 **Reading Features:**
  * **Online Reading**: Read books directly in browser
  * **Download Options**: Download in multiple formats
  * **Reading Progress**: Track reading progress
  * **Bookmarks**: Save reading positions
 **User Management:**
  * **Multiple Users**: Separate accounts for users
  * **Access Control**: Configure user permissions
  * **Reading Statistics**: Track reading habits
  * **Personal Shelves**: Create custom book collections
 ===== Configuration =====
 **Container Configuration:**
 ```yaml
 services:
  calibre-web:
    image: lscr.io/linuxserver/calibre-web:latest
    container_name: calibre-web
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=${TZ}
      - DOCKER_MODS=linuxserver/mods:universal-calibre  # Calibre integration
    volumes:
      - ./calibre-web/config:/config
      - /mnt/media/books:/books  # Calibre library location
    networks:
      - traefik-network
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 512M
        reservations:
          cpus: '0.2'
          memory: 128M
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.calibre-web.rule=Host(`calibre.${DOMAIN}`)"
      - "traefik.http.routers.calibre-web.entrypoints=websecure"
      - "traefik.http.routers.calibre-web.tls.certresolver=letsencrypt"
      - "traefik.http.routers.calibre-web.middlewares=authelia@docker"
      - "traefik.http.services.calibre-web.loadbalancer.server.port=8083"
      - "x-dockge.url=https://calibre.${DOMAIN}"
 ```
 **Environment Variables:**
 ```bash
 # User permissions
 PUID=1000
 PGID=1000
 # Timezone
 TZ=America/New_York
 # Calibre integration (optional)
 DOCKER_MODS=linuxserver/mods:universal-calibre
 ```
 ===== Calibre Database Setup =====
 **Calibre Library Structure:**
 ```
 /mnt/media/books/
 ├── metadata.db          # Calibre database
 ├── metadata_db_prefs_backup.json
 ├── books/               # Book files
 │   ├── Author Name/
 │   │   ├── Book Title (Year)/
 │   │   │   ├── book.epub
 │   │   │   ├── cover.jpg
 │   │   │   └── metadata.opf
 │   └── Another Author/
 └── covers/              # Cover images
 ```
 **Database Connection:**
  * **Path**: `/books` (mounted Calibre library)
  * **Auto-Detection**: Automatically finds metadata.db
  * **Metadata Access**: Full access to Calibre metadata
  * **Cover Images**: Access to book covers
 **Initial Setup:**
  1. **Place Calibre Library**: Mount existing Calibre library
  2. **Database Detection**: Calibre-Web finds metadata.db
  3. **Admin Account**: Create administrator account
  4. **Library Scan**: Scan and index books
 ===== User Management =====
 **Administrator Setup:**
  1. **First Access**: Visit Calibre-Web URL
  2. **Create Admin**: Set up administrator account
  3. **Configure Library**: Point to Calibre database
  4. **User Settings**: Configure application settings
 **User Accounts:**
  * **User Creation**: Add user accounts
  * **Permission Levels**: Admin, User, Guest
  * **Library Access**: Control book access per user
  * **Download Rights**: Configure download permissions
 **Authentication:**
  * **Username/Password**: Standard authentication
  * **LDAP Integration**: External user directory (optional)
  * **Guest Access**: Allow anonymous browsing
  * **Session Management**: Configurable session timeouts
 ===== Library Features =====
 **Browse & Search:**
  * **Book Grid/List**: Multiple viewing modes
  * **Advanced Search**: Search by title, author, genre
  * **Filters**: Filter by language, format, rating
  * **Sorting**: Sort by various criteria
 **Book Details:**
  * **Metadata Display**: Title, author, description
  * **Cover Images**: High-quality book covers
  * **File Information**: Format, size, pages
  * **Ratings & Reviews**: User ratings and reviews
 **Reading Interface:**
  * **EPUB Reader**: Built-in EPUB reader
  * **PDF Viewer**: PDF document viewer
  * **Progress Tracking**: Reading progress saving
  * **Bookmarking**: Save reading positions
 ===== Download & Formats =====
 **Supported Formats:**
  * **EPUB**: Most common eBook format
  * **PDF**: Portable document format
  * **MOBI**: Kindle format
  * **AZW3**: Amazon format
  * **TXT**: Plain text
  * **RTF**: Rich text format
 **Download Options:**
  * **Direct Download**: Download original format
  * **Format Conversion**: Convert to other formats
  * **Bulk Download**: Download multiple books
  * **ZIP Archives**: Download as compressed archives
 **Conversion Features:**
  * **Calibre Integration**: Use Calibre for conversion
  * **Format Support**: Convert between supported formats
  * **Quality Settings**: Adjust conversion quality
  * **Metadata Preservation**: Maintain book metadata
 ===== Customization =====
 **Interface Themes:**
  * **Light Theme**: Clean, bright interface
  * **Dark Theme**: Easy on the eyes
  * **Custom CSS**: Advanced customization
  * **Responsive Design**: Mobile-friendly interface
 **Language Support:**
  * **Multiple Languages**: 20+ supported languages
  * **Interface Translation**: Full UI translation
  * **Metadata Languages**: Support for various languages
  * **RTL Support**: Right-to-left language support
 **Display Options:**
  * **Books per Page**: Configure pagination
  * **Cover Sizes**: Adjust cover image sizes
  * **Metadata Fields**: Customize displayed fields
  * **Grid/List Views**: Choose viewing preferences
 ===== Advanced Features =====
 **Shelves & Collections:**
  * **Custom Shelves**: Create personal book collections
  * **Public Shelves**: Share collections with others
  * **Smart Shelves**: Dynamic collections based on criteria
  * **Shelf Management**: Organize and categorize shelves
 **Reading Statistics:**
  * **Reading Progress**: Track reading progress
  * **Reading Time**: Monitor reading duration
  * **Books Read**: Track completed books
  * **Reading Goals**: Set reading targets
 **Social Features:**
  * **User Reviews**: Write and read book reviews
  * **Ratings**: Rate books and see averages
  * **Recommendations**: Book recommendation system
  * **User Activity**: See what others are reading
 ===== Integration Features =====
 **Calibre Integration:**
  * **Database Sync**: Sync with Calibre desktop
  * **Metadata Updates**: Update from Calibre
  * **Cover Downloads**: Download covers from Calibre
  * **Format Conversion**: Use Calibre conversion tools
 **External Services:**
  * **Goodreads**: Import ratings and reviews
  * **Google Books**: Enhanced metadata
  * **Open Library**: Additional book information
  * **ISBN Lookup**: Automatic ISBN resolution
 **API Access:**
  * **REST API**: Programmatic access
  * **Webhook Support**: Event notifications
  * **Third-party Integration**: Connect with other services
  * **Automation**: Script-based automation
 ===== Security Considerations =====
 **Access Control:**
  * **User Authentication**: Secure user authentication
  * **Permission Levels**: Granular access control
  * **IP Restrictions**: Limit access by IP address
  * **Session Security**: Secure session management
 **Data Protection:**
  * **File Permissions**: Proper file system permissions
  * **Database Security**: SQLite database protection
  * **Backup Security**: Secure backup procedures
  * **Encryption**: Data encryption options
 ===== Performance Optimization =====
 **Resource Management:**
 ```yaml
 deploy:
  resources:
    limits:
      cpus: '1.0'
      memory: 512M
    reservations:
      cpus: '0.2'
      memory: 128M
 ```
 **Database Optimization:**
  * **Index Maintenance**: Regular database maintenance
  * **Query Optimization**: Efficient database queries
  * **Cache Management**: Metadata and cover caching
  * **Search Optimization**: Fast search capabilities
 ===== Troubleshooting =====
 **Database Connection Issues:**
 ```bash
 # Check database file permissions
 ls -la /mnt/media/books/metadata.db
 # Verify database integrity
 docker exec calibre-web sqlite3 /books/metadata.db ".tables"
 # Check Calibre-Web logs
 docker logs calibre-web
 ```
 **Book Display Problems:**
  * **Cover Images**: Check cover file permissions
  * **Metadata Issues**: Verify database integrity
  * **File Permissions**: Check book file access
  * **Format Support**: Verify supported formats
 **User Authentication Issues:**
  * **Login Problems**: Check user credentials
  * **Permission Errors**: Verify user permissions
  * **Session Issues**: Clear browser cookies
  * **Password Reset**: Administrator password reset
 **Reading Interface Issues:**
  * **EPUB Display**: Check EPUB file validity
  * **PDF Viewer**: Verify PDF compatibility
  * **Progress Saving**: Check database write permissions
  * **Bookmark Issues**: Clear browser cache
 **Troubleshooting Steps:**
  1. **Check logs**: `docker logs calibre-web`
  2. **Verify database**: Test database connectivity
  3. **Check permissions**: Validate file permissions
  4. **Test access**: Verify web interface access
  5. **Restart service**: `docker restart calibre-web`
 ===== Backup & Recovery =====
 **Configuration Backup:**
 ```bash
 # Backup Calibre-Web configuration
 docker run --rm \
  -v calibre-web-config:/config \
  -v $(pwd)/backup:/backup \
  busybox tar czf /backup/calibre-web-config.tar.gz /config
 ```
 **Database Backup:**
 ```bash
 # Backup Calibre database
 docker run --rm \
  -v /mnt/media/books:/books \
  -v $(pwd)/backup:/backup \
  busybox tar czf /backup/calibre-library.tar.gz /books
 ```
 **Recovery Process:**
  1. **Restore Configuration**: Restore config directory
  2. **Restore Database**: Restore Calibre library
  3. **Verify Integrity**: Check database and files
  4. **Update Permissions**: Fix file permissions
  5. **Test Access**: Verify web interface works
 ===== Best Practices =====
 **Library Management:**
  * **Consistent Naming**: Follow Calibre naming conventions
  * **Metadata Quality**: Maintain accurate metadata
  * **File Organization**: Proper folder structure
  * **Regular Backups**: Frequent library backups
 **User Management:**
  * **Permission Planning**: Plan user access levels
  * **Regular Audits**: Review user permissions
  * **Password Policies**: Enforce strong passwords
  * **Activity Monitoring**: Monitor user activity
 **Performance:**
  * **Resource Allocation**: Appropriate CPU/memory limits
  * **Database Maintenance**: Regular database optimization
  * **Cache Management**: Optimize caching settings
  * **Network Optimization**: Fast network access
 **Maintenance:**
  * **Regular Updates**: Keep Calibre-Web updated
  * **Database Maintenance**: Regular database cleanup
  * **File System Checks**: Verify file integrity
  * **Security Updates**: Apply security patches
 ===== Advanced Configuration =====
 **Reverse Proxy Configuration:**
 ```nginx
 # Nginx configuration for additional features
 location /calibre {
    proxy_pass http://calibre-web:8083;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
 }
 ```
 **LDAP Integration:**
 ```python
 # LDAP configuration in config files
 LDAP_URL = "ldap://your-ldap-server"
 LDAP_USER_DN = "ou=users,dc=example,dc=com"
 LDAP_GROUP_DN = "ou=groups,dc=example,dc=com"
 ```
 **API Usage Examples:**
 ```bash
 # Get library information
 curl -u username:password https://calibre.yourdomain.duckdns.org/api/books
 # Search books
 curl -u username:password "https://calibre.yourdomain.duckdns.org/api/books?search=author:smith"
 ```
 Calibre-Web provides a beautiful, user-friendly web interface for your Calibre eBook library, making it easy to browse, read, and manage your digital book collection from any device.
 **Next:** Learn about [[services:media:qbittorrent|qBittorrent]] or explore [[architecture:backup|Backup Architecture]].
--- a/config-templates/dokuwiki/data/pages/services/media/jellyfin.txt
+++ b/config-templates/dokuwiki/data/pages/services/media/jellyfin.txt
@@ -1,424 +0,0 @@
 ====== Jellyfin ======
 Jellyfin is a free, open-source media server that allows you to organize, manage, and stream your personal media collection. It provides a modern, user-friendly interface for accessing movies, TV shows, music, and photos from any device.
 ===== Overview =====
 **Purpose:** Media server and streaming platform
 **URL:** https://jellyfin.yourdomain.duckdns.org
 **Authentication:** Built-in user management (no SSO)
 **Deployment:** Media stack
 **Features:** Multi-device streaming, transcoding, metadata management
 ===== Key Features =====
 **Media Management:**
  * **Library Organization**: Automatic media organization
  * **Metadata Fetching**: Rich metadata from online sources
  * **Poster Art**: High-quality artwork and posters
  * **Collections**: Custom media collections and playlists
 **Streaming Capabilities:**
  * **Multi-Device Support**: Stream to any device
  * **Adaptive Streaming**: Automatic quality adjustment
  * **Transcoding**: Real-time video transcoding
  * **Direct Play**: Direct streaming when supported
 **User Management:**
  * **Multiple Users**: Separate accounts for family members
  * **Parental Controls**: Content restrictions and ratings
  * **Viewing History**: Track watched content
  * **Personal Libraries**: User-specific content access
 ===== Configuration =====
 **Container Configuration:**
 ```yaml
 services:
  jellyfin:
    image: lscr.io/linuxserver/jellyfin:latest
    container_name: jellyfin
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=${TZ}
      - JELLYFIN_PublishedServerUrl=https://jellyfin.${DOMAIN}
    volumes:
      - ./jellyfin/config:/config
      - /mnt/media/movies:/data/movies
      - /mnt/media/tv:/data/tv
      - /mnt/media/music:/data/music
      - /mnt/transcode:/config/transcodes
    devices:
      - /dev/dri:/dev/dri  # Hardware acceleration (optional)
    networks:
      - traefik-network
    deploy:
      resources:
        limits:
          cpus: '2.0'
          memory: 2G
        reservations:
          cpus: '0.5'
          memory: 512M
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.${DOMAIN}`)"
      - "traefik.http.routers.jellyfin.entrypoints=websecure"
      - "traefik.http.routers.jellyfin.tls.certresolver=letsencrypt"
      # No Authelia middleware - direct access for app compatibility
      - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
      - "x-dockge.url=https://jellyfin.${DOMAIN}"
 ```
 **Environment Variables:**
 ```bash
 # User permissions
 PUID=1000
 PGID=1000
 # Timezone
 TZ=America/New_York
 # Public URL (for external access)
 JELLYFIN_PublishedServerUrl=https://jellyfin.yourdomain.duckdns.org
 ```
 ===== Media Library Setup =====
 **Directory Structure:**
 ```
 /mnt/media/
 ├── movies/           # Movie files
 │   ├── Movie1 (2023)/
 │   └── Movie2 (2023)/
 ├── tv/              # TV show files
 │   ├── Show1/
 │   │   ├── Season 01/
 │   │   └── Season 02/
 │   └── Show2/
 ├── music/           # Music files
 │   ├── Artist1/
 │   └── Artist2/
 └── photos/          # Photo collections
 ```
 **Library Configuration:**
  * **Movie Library**: Point to `/data/movies`
  * **TV Library**: Point to `/data/tv`
  * **Music Library**: Point to `/data/music`
  * **Photo Library**: Point to `/data/photos`
 **Naming Conventions:**
 ```
 Movies: "Movie Name (Year)/Movie Name (Year).mkv"
 TV: "Show Name/Season 01/Show Name - S01E01.mkv"
 Music: "Artist/Album/01 - Song Title.mp3"
 ```
 ===== Hardware Acceleration =====
 **Intel Quick Sync:**
 ```yaml
 devices:
  - /dev/dri:/dev/dri
 environment:
  - JELLYFIN_FFmpeg__probesize=1G
  - JELLYFIN_FFmpeg__analyzeduration=200M
 ```
 **NVIDIA GPU:**
 ```yaml
 deploy:
  resources:
    reservations:
      devices:
        - driver: nvidia
          count: 1
          capabilities: [gpu]
 environment:
  - NVIDIA_VISIBLE_DEVICES=all
  - NVIDIA_DRIVER_CAPABILITIES=all
 ```
 **VAAPI (Software):**
 ```yaml
 environment:
  - JELLYFIN_FFmpeg__hwaccel=vaapi
  - JELLYFIN_FFmpeg__hwaccel_device=/dev/dri/renderD128
  - JELLYFIN_FFmpeg__hwaccel_output_format=vaapi
 ```
 ===== User Management =====
 **Administrator Setup:**
  1. **First Access**: Visit Jellyfin URL
  2. **Create Admin Account**: Set up administrator account
  3. **Configure Libraries**: Add media libraries
  4. **Set Preferences**: Configure server settings
 **User Accounts:**
  * **User Creation**: Add family member accounts
  * **Access Levels**: Configure library access per user
  * **Parental Controls**: Set content ratings and restrictions
  * **Device Limits**: Control simultaneous streams
 **Authentication:**
  * **Local Users**: Username/password authentication
  * **Easy PIN**: Simple PIN for quick access
  * **Auto Login**: Remember login on trusted devices
 ===== Transcoding Configuration =====
 **Transcoding Settings:**
 ```yaml
 # Transcode location
 volumes:
  - /mnt/transcode:/config/transcodes
 ```
 **Quality Settings:**
  * **Video Quality**: Adjust bitrate and resolution
  * **Audio Quality**: Configure audio encoding
  * **Container Format**: Choose output format
  * **Hardware Acceleration**: Enable GPU transcoding
 **Performance Tuning:**
  * **Concurrent Streams**: Limit simultaneous transcodes
  * **Buffer Size**: Adjust transcoding buffer
  * **Thread Count**: Configure encoding threads
  * **Quality Presets**: Balance quality vs speed
 ===== Metadata Management =====
 **Metadata Sources:**
  * **The Movie Database (TMDb)**: Movie and TV metadata
  * **TheTVDB**: TV show information
  * **MusicBrainz**: Music metadata
  * **FanArt.tv**: Artwork and posters
 **Metadata Refresh:**
  * **Automatic Updates**: Regular metadata updates
  * **Manual Refresh**: Force metadata refresh
  * **Image Downloads**: Download posters and artwork
  * **Language Settings**: Configure metadata language
 **Custom Metadata:**
  * **Override Information**: Manually edit metadata
  * **Custom Images**: Upload custom artwork
  * **Collections**: Create custom collections
  * **Tags**: Add custom tags and genres
 ===== Client Applications =====
 **Official Apps:**
  * **Android/iOS**: Mobile apps for streaming
  * **Roku**: TV streaming device support
  * **Fire TV**: Amazon Fire TV support
  * **Android TV**: Android TV support
 **Third-Party Clients:**
  * **Kodi**: Media center integration
  * **Plex**: Alternative media server
  * **Emby**: Similar media server
  * **Infuse**: iOS/macOS media player
 **Web Client:**
  * **Modern Interface**: Responsive web player
  * **Keyboard Shortcuts**: Full keyboard navigation
  * **Cast Support**: Chromecast and DLNA
  * **Offline Sync**: Download for offline viewing
 ===== Plugins & Extensions =====
 **Official Plugins:**
  * **Open Subtitles**: Subtitle downloading
  * **MusicBrainz**: Enhanced music metadata
  * **AniList**: Anime tracking integration
  * **Trakt**: Watch history synchronization
 **Community Plugins:**
  * **Kodi Sync**: Sync with Kodi library
  * **FanArt**: Additional artwork sources
  * **Theme Videos**: Movie theme videos
  * **Trailer**: Trailer playback
 **Plugin Installation:**
  1. **Dashboard > Plugins**: Access plugin catalog
  2. **Browse Repository**: Find desired plugins
  3. **Install**: Click install button
  4. **Configure**: Set plugin preferences
 ===== Backup & Recovery =====
 **Configuration Backup:**
 ```bash
 # Backup Jellyfin configuration
 docker run --rm \
  -v jellyfin-config:/config \
  -v $(pwd)/backup:/backup \
  busybox tar czf /backup/jellyfin-config.tar.gz /config
 ```
 **Database Backup:**
 ```bash
 # Backup Jellyfin database
 docker exec jellyfin sqlite3 /config/data/library.db .dump > jellyfin-backup.sql
 ```
 **Media Backup:**
  * **File System**: Backup media files separately
  * **Metadata**: Configuration includes metadata
  * **User Data**: User preferences and watch history
  * **Plugins**: Plugin configurations
 ===== Performance Optimization =====
 **Resource Management:**
 ```yaml
 deploy:
  resources:
    limits:
      cpus: '2.0'
      memory: 2G
    reservations:
      cpus: '0.5'
      memory: 512M
 ```
 **Optimization Tips:**
  * **Library Scanning**: Schedule scans during off-hours
  * **Transcoding Limits**: Limit concurrent transcodes
  * **Cache Management**: Configure appropriate cache sizes
  * **Network Optimization**: Use appropriate network settings
 ===== Troubleshooting =====
 **Playback Issues:**
 ```bash
 # Check transcoding logs
 docker logs jellyfin | grep -i ffmpeg
 # Verify hardware acceleration
 docker exec jellyfin vainfo  # VAAPI
 docker exec jellyfin nvidia-smi  # NVIDIA
 ```
 **Library Scanning Problems:**
  * **Permission Issues**: Check file permissions
  * **Naming Problems**: Verify file naming conventions
  * **Metadata Errors**: Check metadata provider status
  * **Network Issues**: Verify internet connectivity
 **Web Interface Issues:**
  * **Loading Problems**: Clear browser cache
  * **SSL Errors**: Check certificate validity
  * **CORS Issues**: Verify reverse proxy configuration
  * **JavaScript Errors**: Check browser compatibility
 **Transcoding Issues:**
  * **Hardware Acceleration**: Verify GPU access
  * **Codec Support**: Check supported codecs
  * **Resource Limits**: Monitor CPU/memory usage
  * **Quality Settings**: Adjust transcoding parameters
 **Troubleshooting Steps:**
  1. **Check logs**: `docker logs jellyfin`
  2. **Verify configuration**: Check environment variables
  3. **Test access**: Verify web interface access
  4. **Check permissions**: Validate file permissions
  5. **Restart service**: `docker restart jellyfin`
 ===== Security Considerations =====
 **Access Control:**
  * **User Authentication**: Strong password requirements
  * **Network Security**: Restrict network access
  * **HTTPS Only**: Force secure connections
  * **Session Management**: Configure session timeouts
 **Media Security:**
  * **File Permissions**: Proper file system permissions
  * **Network Shares**: Secure network share access
  * **Backup Security**: Encrypt backup data
  * **Access Logging**: Monitor access patterns
 ===== Integration with Media Stack =====
 **Sonarr/Radarr Integration:**
  * **Automatic Downloads**: Integration with download clients
  * **Library Updates**: Automatic library refreshes
  * **Quality Profiles**: Match download quality to playback
  * **Naming Conventions**: Consistent file naming
 **qBittorrent Integration:**
  * **Download Monitoring**: Track download progress
  * **Category Management**: Organize downloads by type
  * **Completion Notifications**: Notify when downloads complete
  * **File Management**: Automatic file organization
 **Hardware Acceleration:**
  * **GPU Utilization**: Leverage available GPU resources
  * **Transcoding Efficiency**: Optimize transcoding performance
  * **Power Management**: Balance performance and power usage
  * **Resource Monitoring**: Monitor hardware utilization
 ===== Best Practices =====
 **Library Management:**
  * **Consistent Naming**: Follow naming conventions
  * **Quality Standards**: Maintain consistent quality
  * **Metadata Accuracy**: Keep metadata up-to-date
  * **Regular Maintenance**: Periodic library cleanup
 **Performance:**
  * **Resource Allocation**: Appropriate CPU/memory limits
  * **Transcoding Settings**: Balance quality and performance
  * **Caching Strategy**: Optimize cache usage
  * **Network Configuration**: Optimize network settings
 **User Experience:**
  * **Interface Customization**: Customize user interfaces
  * **Device Profiles**: Optimize for different devices
  * **Subtitle Management**: Configure subtitle preferences
  * **Audio Settings**: Configure audio preferences
 **Maintenance:**
  * **Regular Updates**: Keep Jellyfin updated
  * **Library Scans**: Regular library maintenance
  * **Backup Routine**: Regular configuration backups
  * **Performance Monitoring**: Monitor system performance
 ===== Advanced Configuration =====
 **Custom CSS:**
 ```css
 /* Custom theme modifications */
 .dashboardHeader {
  background-color: #your-color;
 }
 .libraryCard {
  border-radius: 10px;
 }
 ```
 **API Access:**
 ```bash
 # Access Jellyfin API
 curl -H "X-MediaBrowser-Token: your-api-key" \
  https://jellyfin.yourdomain.duckdns.org/Items
 ```
 **Webhook Integration:**
  * **Playback Events**: Trigger actions on media events
  * **User Actions**: Monitor user activities
  * **System Events**: Respond to system events
  * **External Integration**: Connect with other services
 Jellyfin provides a powerful, free alternative to proprietary media servers, offering comprehensive media management and streaming capabilities with excellent client support across all platforms.
 **Next:** Learn about [[services:media:calibre-web|Calibre-Web]] or explore [[architecture:storage|Storage Architecture]].
--- a/config-templates/dokuwiki/data/pages/services/media/qbittorrent.txt
+++ b/config-templates/dokuwiki/data/pages/services/media/qbittorrent.txt
@@ -1,391 +0,0 @@
 ====== qBittorrent ======
 qBittorrent is a free and open-source BitTorrent client that provides a web-based interface for downloading and managing torrent files. In the AI-Homelab, it's configured to route all traffic through Gluetun VPN for enhanced privacy and security.
 ===== Overview =====
 **Purpose:** Torrent downloading with VPN protection
 **URL:** https://qbit.yourdomain.duckdns.org
 **Authentication:** Built-in web UI authentication
 **Deployment:** Media stack (VPN-routed through Gluetun)
 **VPN Integration:** Routes through Gluetun container
 ===== Key Features =====
 **Torrent Management:**
  * **Web Interface**: Clean, responsive web UI
  * **Torrent Creation**: Create torrents from files/folders
  * **Magnet Links**: Support for magnet link downloads
  * **Batch Downloads**: Download multiple torrents
  * **RSS Feeds**: Automatic RSS feed monitoring
 **Download Control:**
  * **Speed Limits**: Set download/upload speed limits
  * **Bandwidth Management**: Per-torrent bandwidth allocation
  * **Queue Management**: Priority-based download queuing
  * **Auto-Management**: Automatic torrent management
 **Privacy & Security:**
  * **VPN Routing**: All traffic through Gluetun VPN
  * **IP Binding**: Bind to VPN interface only
  * **Encryption**: Protocol encryption support
  * **Proxy Support**: SOCKS5/HTTP proxy support
 ===== Configuration =====
 **Container Configuration:**
 ```yaml
 services:
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    network_mode: "service:gluetun"  # Route through VPN
    depends_on:
      - gluetun
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=${TZ}
      - WEBUI_PORT=8080
    volumes:
      - ./qbittorrent/config:/config
      - /mnt/downloads:/downloads
    restart: unless-stopped
    deploy:
      resources:
        limits:
          cpus: '2.0'
          memory: 1G
        reservations:
          cpus: '0.5'
          memory: 256M
 ```
 **Gluetun Configuration (Update):**
 ```yaml
 # In gluetun service, add port mapping
 gluetun:
  ports:
    - 8080:8080  # qBittorrent WebUI
    - 6881:6881  # Torrent ports (TCP)
    - 6881:6881/udp  # Torrent ports (UDP)
 ```
 **Environment Variables:**
 ```bash
 # User permissions
 PUID=1000
 PGID=1000
 # Timezone
 TZ=America/New_York
 # Web UI port
 WEBUI_PORT=8080
 ```
 ===== VPN Integration =====
 **Network Mode:**
 ```yaml
 network_mode: "service:gluetun"
 ```
 **Benefits:**
  * **IP Protection**: All torrent traffic through VPN
  * **ISP Protection**: Hide torrenting from ISP
  * **Geographic Access**: Access geo-restricted content
  * **Privacy**: Enhanced download privacy
 **Port Mapping:**
  * **WebUI**: 8080 (internal to Gluetun)
  * **Torrent TCP**: 6881
  * **Torrent UDP**: 6881
 **VPN Verification:**
 ```bash
 # Check if qBittorrent is using VPN IP
 docker exec gluetun curl -s ifconfig.me
 # Verify qBittorrent is accessible through VPN
 curl -k https://qbit.yourdomain.duckdns.org
 ```
 ===== Initial Setup =====
 **First Access:**
  1. **Navigate**: Visit qBittorrent URL
  2. **Default Credentials**: admin/adminadmin
  3. **Change Password**: Immediately change default password
  4. **Configure Settings**: Set up download preferences
 **Basic Configuration:**
  * **Download Location**: Set to `/downloads`
  * **Temporary Files**: Configure temp directory
  * **Auto-Management**: Enable automatic torrent management
  * **WebUI Settings**: Configure interface preferences
 ===== Download Management =====
 **Adding Torrents:**
  * **Torrent Files**: Upload .torrent files
  * **Magnet Links**: Paste magnet links
  * **URLs**: Add torrent URLs
  * **Batch Operations**: Add multiple torrents
 **Download Categories:**
  * **Category Creation**: Create download categories
  * **Path Assignment**: Assign paths per category
  * **Automatic Sorting**: Auto-assign categories
  * **Category Management**: Organize downloads
 **Queue Management:**
  * **Priority Setting**: Set download priorities
  * **Queue Limits**: Limit concurrent downloads
  * **Speed Allocation**: Allocate bandwidth per torrent
  * **Sequential Downloads**: Download files in order
 ===== Advanced Features =====
 **RSS Integration:**
  * **RSS Feeds**: Add RSS torrent feeds
  * **Automatic Downloads**: Auto-download matching torrents
  * **Filters**: Set download filters and rules
  * **Smart Filtering**: Advanced filtering options
 **Search Integration:**
  * **Built-in Search**: Search torrent sites
  * **Search Plugins**: Install additional search plugins
  * **Plugin Management**: Manage search engines
  * **Search History**: Track search history
 **Automation:**
  * **Watch Folders**: Monitor folders for new torrents
  * **Auto-Tagging**: Automatic torrent tagging
  * **Script Integration**: Execute scripts on completion
  * **API Integration**: REST API for automation
 ===== Performance Optimization =====
 **Speed Settings:**
 ```yaml
 # Recommended settings for VPN
 Global maximum number of upload slots: 20
 Global maximum number of half-open connections: 500
 Maximum number of upload slots per torrent: 4
 Maximum number of connections per torrent: 100
 ```
 **Disk Settings:**
  * **Disk Cache**: Set to 64-128 MB
  * **Disk Cache Expiry**: 60 seconds
  * **OS Cache**: Enable OS cache
  * **Coalesce Reads**: Enable for SSDs
 **Connection Settings:**
  * **Global Max Connections**: 500
  * **Max Per Torrent**: 100
  * **Max Upload Slots**: 20
  * **Max Half-Open**: 500
 ===== Security Configuration =====
 **WebUI Security:**
  * **Authentication**: Enable username/password
  * **HTTPS**: Force HTTPS connections
  * **IP Filtering**: Restrict access by IP
  * **Session Timeout**: Configure session limits
 **Network Security:**
  * **Encryption**: Enable protocol encryption
  * **DHT**: Enable DHT for peer discovery
  * **PEX**: Enable peer exchange
  * **LSD**: Enable local service discovery
 **VPN Security:**
  * **Kill Switch**: Gluetun provides kill switch
  * **DNS Leak Protection**: VPN DNS protection
  * **IPv6 Blocking**: Block IPv6 leaks
  * **Port Forwarding**: VPN port forwarding
 ===== Integration with Media Stack =====
 **Sonarr/Radarr Integration:**
 ```yaml
 # In Sonarr/Radarr settings
 Download Client: qBittorrent
 Host: qbittorrent  # Container name
 Port: 8080
 Username: your-username
 Password: your-password
 Category: sonarr  # Use categories for organization
 ```
 **Category Setup:**
  * **sonarr**: For TV show downloads
  * **radarr**: For movie downloads
  * **manual**: For manual downloads
  * **books**: For book downloads
 **Path Mapping:**
  * **/downloads/complete/sonarr**: TV shows
  * **/downloads/complete/radarr**: Movies
  * **/downloads/complete/manual**: Manual downloads
 ===== Monitoring & Maintenance =====
 **Health Checks:**
 ```yaml
 healthcheck:
  test: ["CMD", "curl", "-f", "http://localhost:8080"]
  interval: 30s
  timeout: 10s
  retries: 3
 ```
 **Log Monitoring:**
 ```bash
 # View qBittorrent logs
 docker logs qbittorrent
 # View Gluetun logs (VPN)
 docker logs gluetun
 ```
 **Performance Monitoring:**
  * **Download Speed**: Monitor download/upload speeds
  * **Connection Count**: Track peer connections
  * **Disk I/O**: Monitor disk usage
  * **Memory Usage**: Track memory consumption
 ===== Troubleshooting =====
 **VPN Connection Issues:**
 ```bash
 # Check VPN status
 docker exec gluetun sh -c "curl -s ifconfig.me"
 # Verify Gluetun is running
 docker ps | grep gluetun
 # Check Gluetun logs
 docker logs gluetun | grep -i wireguard
 ```
 **WebUI Access Issues:**
  * **Port Mapping**: Verify port 8080 is mapped in Gluetun
  * **Network Mode**: Confirm `network_mode: "service:gluetun"`
  * **Firewall**: Check firewall rules
  * **Traefik**: Verify Traefik routing
 **Download Problems:**
  * **Port Forwarding**: Check if VPN supports port forwarding
  * **Speed Limits**: Remove artificial speed limits
  * **Tracker Issues**: Check tracker status
  * **Peer Connections**: Verify peer connectivity
 **Common Issues:**
  * **No Downloads**: Check VPN connection and port forwarding
  * **Slow Speeds**: Verify VPN server selection and speed
  * **Connection Errors**: Check firewall and network settings
  * **Authentication**: Verify username/password credentials
 **Troubleshooting Steps:**
  1. **Check VPN**: Verify Gluetun is connected
  2. **Test Access**: Access WebUI directly
  3. **Check Logs**: Review container logs
  4. **Verify Ports**: Confirm port mappings
  5. **Test Downloads**: Try a known working torrent
 ===== Backup & Recovery =====
 **Configuration Backup:**
 ```bash
 # Backup qBittorrent configuration
 docker run --rm \
  -v qbittorrent-config:/config \
  -v $(pwd)/backup:/backup \
  busybox tar czf /backup/qbittorrent-config.tar.gz /config
 ```
 **Download Recovery:**
  * **Resume Downloads**: qBittorrent auto-resumes
  * **Torrent Files**: Backup .torrent files
  * **Fast Resume**: Use fast resume data
  * **Re-add Torrents**: Re-add from backup
 **Migration:**
  1. **Stop Container**: Stop qBittorrent
  2. **Backup Config**: Backup configuration directory
  3. **Restore Config**: Restore to new location
  4. **Update Paths**: Update download paths if changed
  5. **Start Container**: Restart qBittorrent
 ===== Best Practices =====
 **VPN Usage:**
  * **Dedicated Server**: Use VPN server optimized for P2P
  * **Port Forwarding**: Enable port forwarding when available
  * **Kill Switch**: Always use VPN kill switch
  * **IP Rotation**: Rotate VPN servers periodically
 **Download Management:**
  * **Category Organization**: Use categories for organization
  * **Speed Limits**: Set reasonable speed limits
  * **Queue Management**: Limit concurrent downloads
  * **Disk Space**: Monitor available disk space
 **Security:**
  * **Strong Passwords**: Use strong WebUI passwords
  * **IP Restrictions**: Limit WebUI access
  * **Regular Updates**: Keep qBittorrent updated
  * **VPN Always**: Never disable VPN routing
 **Performance:**
  * **Resource Allocation**: Appropriate CPU/memory limits
  * **Disk I/O**: Use fast storage for downloads
  * **Network Optimization**: Optimize VPN server selection
  * **Cache Settings**: Optimize disk cache settings
 ===== Advanced Configuration =====
 **qBittorrent.conf Settings:**
 ```ini
 [Preferences]
 WebUI\Username=your-username
 WebUI\Password_PBKDF2="encrypted-password"
 WebUI\Port=8080
 Downloads\SavePath=/downloads
 Downloads\TempPath=/downloads/temp
 ```
 **API Usage:**
 ```bash
 # Get torrent list
 curl -u username:password "http://localhost:8080/api/v2/torrents/info"
 # Add magnet link
 curl -X POST \
  -u username:password \
  -d "urls=magnet:?..." \
  http://localhost:8080/api/v2/torrents/add
 ```
 **Integration Scripts:**
 ```bash
 #!/bin/bash
 # Auto-organize completed downloads
 QB_HOST="http://localhost:8080"
 QB_USER="username"
 QB_PASS="password"
 # Get completed torrents
 completed=$(curl -s -u $QB_USER:$QB_PASS "$QB_HOST/api/v2/torrents/info?filter=completed")
 # Process completed torrents
 # Add your organization logic here
 ```
 qBittorrent provides a powerful, privacy-focused torrent downloading solution that integrates seamlessly with your media automation stack while maintaining security through VPN routing.
 **Next:** Explore [[services:media-management:start|Media Management Services]] or return to [[services:media:start|Media Services Overview]].
--- a/config-templates/dokuwiki/data/pages/services/media/start.txt
+++ b/config-templates/dokuwiki/data/pages/services/media/start.txt
@@ -1,194 +0,0 @@
 ====== Media Services ======
 The Media Services stack provides comprehensive media management, streaming, and downloading capabilities for your homelab. These services handle everything from media library organization to automated downloading and streaming.
 ===== Overview =====
 **Stack Components:**
  * **[[services:media:jellyfin|Jellyfin]]**: Media server for streaming movies, TV shows, and music
  * **[[services:media:calibre-web|Calibre-Web]]**: Web interface for eBook library management
  * **[[services:media:qbittorrent|qBittorrent]]**: Torrent client with VPN protection
 **Key Features:**
  * **Unified Media Access**: Stream media from any device
  * **EBook Management**: Browse and read digital books
  * **Secure Downloading**: VPN-protected torrent downloads
  * **Cross-Platform**: Works on all devices and platforms
 ===== Service Details =====
 ^ Service ^ Purpose ^ URL ^ Authentication ^ Storage ^
 | [[services:media:jellyfin|Jellyfin]] | Media streaming server | https://jellyfin.${DOMAIN} | Apps/devices | /mnt/media |
 | [[services:media:calibre-web|Calibre-Web]] | eBook web interface | https://calibre.${DOMAIN} | Built-in users | /mnt/media/books |
 | [[services:media:qbittorrent|qBittorrent]] | Torrent downloads | https://qbit.${DOMAIN} | Web UI auth | /mnt/downloads |
 ===== Architecture =====
 **Storage Layout:**
 ```
 /mnt/media/
 ├── movies/           # Movie files
 ├── tv/              # TV show files
 ├── music/           # Music files
 ├── books/           # Calibre eBook library
 │   ├── metadata.db
 │   └── books/
 └── photos/          # Photo collections
 /mnt/downloads/
 ├── complete/        # Completed downloads
 ├── incomplete/      # Active downloads
 └── temp/           # Temporary files
 ```
 **Network Configuration:**
  * **Jellyfin**: Direct access (no SSO for app compatibility)
  * **Calibre-Web**: Authelia SSO protection
  * **qBittorrent**: Authelia SSO + VPN routing through Gluetun
 ===== Deployment =====
 **Docker Compose (media.yml):**
 ```yaml
 services:
  jellyfin:
    image: lscr.io/linuxserver/jellyfin:latest
    # ... Jellyfin configuration
  calibre-web:
    image: lscr.io/linuxserver/calibre-web:latest
    # ... Calibre-Web configuration
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    network_mode: "service:gluetun"  # VPN routing
    # ... qBittorrent configuration
 ```
 **Prerequisites:**
  * **Core Stack**: Traefik, Authelia, Gluetun must be running
  * **Storage**: /mnt/media and /mnt/downloads mounted
  * **VPN**: Gluetun configured with torrent-friendly provider
  * **Permissions**: Proper PUID/PGID for file access
 ===== Integration =====
 **With Media Management:**
  * **Sonarr/Radarr**: Auto-download TV/movies
  * **qBittorrent**: Download client for automation
  * **Jellyfin**: Media library scanning and streaming
  * **Prowlarr**: Indexer management
 **With Home Automation:**
  * **Home Assistant**: Media control integration
  * **Node-RED**: Custom media workflows
  * **MotionEye**: Security camera integration
 **With Monitoring:**
  * **Uptime Kuma**: Service availability monitoring
  * **Grafana**: Performance dashboards
  * **Prometheus**: Resource monitoring
 ===== Security Considerations =====
 **Access Control:**
  * **Jellyfin**: No SSO (device/app compatibility)
  * **Calibre-Web**: SSO protected
  * **qBittorrent**: SSO protected + VPN isolation
 **Network Security:**
  * **VPN Routing**: qBittorrent traffic through VPN
  * **Firewall Rules**: Restrict external access
  * **SSL/TLS**: All services use HTTPS
  * **Authentication**: Strong passwords required
 ===== Performance Optimization =====
 **Hardware Acceleration:**
  * **Jellyfin**: GPU transcoding support
  * **Intel Quick Sync**: Hardware encoding/decoding
  * **NVIDIA NVENC**: GPU-accelerated transcoding
  * **VAAPI**: Linux video acceleration
 **Storage Optimization:**
  * **SSD Storage**: Fast access for media files
  * **RAID Arrays**: Data redundancy and performance
  * **Network Storage**: NAS integration for large libraries
  * **Caching**: Metadata and thumbnail caching
 **Resource Allocation:**
 ```yaml
 # Recommended limits
 jellyfin:
  cpus: '2.0'
  memory: 4G
 calibre-web:
  cpus: '1.0'
  memory: 512M
 qbittorrent:
  cpus: '2.0'
  memory: 1G
 ```
 ===== Maintenance =====
 **Regular Tasks:**
  * **Library Scans**: Regular media library scanning
  * **Database Optimization**: Calibre database maintenance
  * **Download Cleanup**: Remove completed torrents
  * **Update Checks**: Keep services updated
 **Backup Strategy:**
  * **Configuration**: Backup service configurations
  * **Databases**: Backup Calibre and Jellyfin databases
  * **Metadata**: Preserve media metadata
  * **Automation**: Automated backup scripts
 ===== Troubleshooting =====
 **Common Issues:**
  * **Media Not Showing**: Check file permissions and paths
  * **Slow Streaming**: Verify transcoding settings
  * **Download Issues**: Check VPN connection and ports
  * **Authentication**: Verify SSO configuration
 **Diagnostic Commands:**
 ```bash
 # Check service status
 docker compose -f media.yml ps
 # View logs
 docker compose -f media.yml logs -f service-name
 # Test VPN connection
 docker exec gluetun curl -s ifconfig.me
 # Check file permissions
 ls -la /mnt/media/
 ```
 ===== Best Practices =====
 **Library Organization:**
  * **Consistent Naming**: Follow media naming conventions
  * **Folder Structure**: Logical folder hierarchy
  * **Metadata Quality**: Accurate media information
  * **Regular Maintenance**: Keep libraries organized
 **Security:**
  * **VPN Always**: Never disable VPN for downloads
  * **Strong Passwords**: Use strong authentication
  * **Access Logging**: Monitor access patterns
  * **Regular Updates**: Keep services current
 **Performance:**
  * **Resource Monitoring**: Track CPU/memory usage
  * **Storage Optimization**: Use appropriate storage types
  * **Network Optimization**: Fast network connections
  * **Caching**: Enable appropriate caching
 The Media Services stack provides a complete media entertainment solution with streaming, eBook management, and secure downloading capabilities.
 **Next:** Explore [[services:media-management:start|Media Management Services]] for automated downloading or return to [[services:start|Services Overview]].
--- a/config-templates/dokuwiki/data/pages/services/monitoring/start.txt
+++ b/config-templates/dokuwiki/data/pages/services/monitoring/start.txt
@@ -1,53 +0,0 @@
 ====== Monitoring Services ======
 This section covers monitoring and observability tools for your homelab.
 ===== Available Services =====
 **Grafana** - Dashboard and visualization platform
  * Access: https://grafana.${DOMAIN}
  * Description: Create dashboards for metrics, logs, and alerts
  * Stack: monitoring.yml
 **Prometheus** - Metrics collection and alerting
  * Access: https://prometheus.${DOMAIN}
  * Description: Time-series database for monitoring metrics
  * Stack: monitoring.yml
 **Node Exporter** - System metrics exporter
  * Description: Exports hardware and OS metrics for Prometheus
  * Stack: monitoring.yml
 **cAdvisor** - Container metrics
  * Description: Provides container metrics for Prometheus
  * Stack: monitoring.yml
 **Loki** - Log aggregation
  * Access: https://loki.${DOMAIN}
  * Description: Log aggregation system for Docker containers
  * Stack: monitoring.yml
 **Promtail** - Log shipping agent
  * Description: Ships logs from Docker containers to Loki
  * Stack: monitoring.yml
 ===== Quick Start =====
 1. Deploy the monitoring stack:
   docker-compose -f monitoring.yml up -d
 2. Access Grafana at https://grafana.${DOMAIN}
   - Default credentials: admin/admin
   - Change password on first login
 3. Configure Prometheus data sources in Grafana
 4. Set up dashboards for your services
 ===== Integration =====
 Monitoring services integrate with:
  * **Traefik** - Automatic SSL and routing
  * **Authelia** - SSO authentication
  * **Docker** - Container metrics via cAdvisor
  * **System** - Hardware metrics via Node Exporter
--- a/config-templates/dokuwiki/data/pages/services/productivity/start.txt
+++ b/config-templates/dokuwiki/data/pages/services/productivity/start.txt
@@ -1,3 +0,0 @@
 ====== Productivity Services ======
 Coming soon...
--- a/config-templates/dokuwiki/data/pages/services/start.txt
+++ b/config-templates/dokuwiki/data/pages/services/start.txt
@@ -1,294 +0,0 @@
 ====== Services Overview ======
 The AI-Homelab provides 70+ pre-configured services organized into logical stacks. All services follow consistent patterns for deployment, security, and management.
 ===== Service Categories =====
 | Category | Services | Description | Deployment |
 |----------|----------|-------------|------------|
 | **Core** | 4 services | Essential infrastructure | Automatic |
 | **Infrastructure** | 8 services | Management and monitoring | Automatic |
 | **Media** | 3 services | Media servers and downloaders | Manual |
 | **Media Management** | 10 services | Download automation | Manual |
 | **Productivity** | 8+6 services | Office and collaboration | Manual |
 | **Home Automation** | 7 services | Smart home integration | Manual |
 | **Monitoring** | 8 services | Observability and alerting | Manual |
 | **Utilities** | 6 services | Backup and miscellaneous | Manual |
 | **Development** | 6 services | Development tools | Manual |
 | **Alternatives** | 6+3 services | Alternative implementations | Optional |
 ===== Core Infrastructure =====
 **Deployed automatically with setup scripts.**
 | Service | URL | Purpose | SSO | Documentation |
 |---------|-----|---------|-----|---------------|
 | **[[services:core:duckdns|DuckDNS]]** | - | Dynamic DNS updates | - | [[services:core:duckdns|Details]] |
 | **[[services:core:traefik|Traefik]]** | `https://traefik.yourdomain.duckdns.org` | Reverse proxy | ✓ | [[services:core:traefik|Details]] |
 | **[[services:core:authelia|Authelia]]** | `https://auth.yourdomain.duckdns.org` | SSO authentication | - | [[services:core:authelia|Details]] |
 | **[[services:core:gluetun|Gluetun]]** | - | VPN client | - | [[services:core:gluetun|Details]] |
 | **[[services:core:sablier|Sablier]]** | `http://sablier.yourdomain.duckdns.org:10000` | Lazy loading | - | [[services:core:sablier|Details]] |
 ===== Infrastructure Services =====
 **Management and monitoring tools.**
 | Service | URL | Purpose | SSO | Documentation |
 |---------|-----|---------|-----|---------------|
 | **[[services:infrastructure:dockge|Dockge]]** | `https://dockge.yourdomain.duckdns.org` | Stack manager | ✓ | [[services:infrastructure:dockge|Details]] |
 | **[[services:infrastructure:pihole|Pi-hole]]** | `http://pihole.yourdomain.duckdns.org` | DNS & ad blocking | ✓ | [[services:infrastructure:pihole|Details]] |
 | **[[services:infrastructure:dozzle|Dozzle]]** | `https://dozzle.yourdomain.duckdns.org` | Log viewer | ✓ | [[services:infrastructure:dozzle|Details]] |
 | **[[services:infrastructure:glances|Glances]]** | `https://glances.yourdomain.duckdns.org` | System monitor | ✓ | [[services:infrastructure:glances|Details]] |
 | **[[services:infrastructure:watchtower|Watchtower]]** | - | Auto updates | - | [[services:infrastructure:watchtower|Details]] |
 | **[[services:infrastructure:code-server|Code Server]]** | `https://code.yourdomain.duckdns.org` | VS Code in browser | ✓ | [[services:infrastructure:code-server|Details]] |
 | **[[services:infrastructure:docker-proxy|Docker Proxy]]** | - | Secure socket access | - | [[services:infrastructure:docker-proxy|Details]] |
 ===== Monitoring Services =====
 **Observability and alerting tools.**
 See [[services:monitoring:start|Monitoring Services Overview]]
 ===== Utilities Services =====
 **Backup, development, and miscellaneous tools.**
 See [[services:utilities:start|Utilities Services Overview]]
 ===== Media Services =====
 **Media servers, eBook management, and secure downloading.**
 | Service | URL | Purpose | SSO | Documentation |
 |---------|-----|---------|-----|---------------|
 | **[[services:media:jellyfin|Jellyfin]]** | `https://jellyfin.yourdomain.duckdns.org` | Media streaming server | ✗ | [[services:media:jellyfin|Details]] |
 | **[[services:media:calibre-web|Calibre-Web]]** | `https://calibre.yourdomain.duckdns.org` | eBook web interface | ✓ | [[services:media:calibre-web|Details]] |
 | **[[services:media:qbittorrent|qBittorrent]]** | `https://qbit.yourdomain.duckdns.org` | Torrent client (VPN) | ✓ | [[services:media:qbittorrent|Details]] |
 ===== Media Management =====
 **Download automation and organization.**
 | Service | URL | Purpose | SSO |
 |---------|-----|---------|-----|
 | **Sonarr** | `https://sonarr.yourdomain.duckdns.org` | TV automation | ✓ |
 | **Radarr** | `https://radarr.yourdomain.duckdns.org` | Movie automation | ✓ |
 | **Prowlarr** | `https://prowlarr.yourdomain.duckdns.org` | Indexer manager | ✓ |
 | **Readarr** | `https://readarr.yourdomain.duckdns.org` | Book automation | ✓ |
 | **Lidarr** | `https://lidarr.yourdomain.duckdns.org` | Music automation | ✓ |
 | **Lazy Librarian** | `https://lazylibrarian.yourdomain.duckdns.org` | Book manager | ✓ |
 | **Mylar3** | `https://mylar.yourdomain.duckdns.org` | Comic manager | ✓ |
 | **Jellyseerr** | `https://jellyseerr.yourdomain.duckdns.org` | Media requests | ✓ |
 | **FlareSolverr** | - | Cloudflare bypass | - |
 | **Tdarr Server** | `https://tdarr.yourdomain.duckdns.org` | Transcoding | ✓ |
 | **Tdarr Node** | - | Transcoding worker | - |
 | **Unmanic** | `https://unmanic.yourdomain.duckdns.org` | Library optimizer | ✓ |
 | **Bazarr** | `https://bazarr.yourdomain.duckdns.org` | Subtitle manager | ✓ |
 ===== Productivity Services =====
 **Office, collaboration, and content management.**
 | Service | URL | Purpose | SSO | Database |
 |---------|-----|---------|-----|----------|
 | **Nextcloud** | `https://nextcloud.yourdomain.duckdns.org` | File sync | ✓ | MariaDB |
 | **Mealie** | `https://mealie.yourdomain.duckdns.org` | Recipe manager | ✗ | - |
 | **WordPress** | `https://blog.yourdomain.duckdns.org` | Blog platform | ✗ | MariaDB |
 | **Gitea** | `https://git.yourdomain.duckdns.org` | Git service | ✓ | PostgreSQL |
 | **DokuWiki** | `https://wiki.yourdomain.duckdns.org` | Documentation | ✓ | - |
 | **BookStack** | `https://docs.yourdomain.duckdns.org` | Documentation | ✓ | MariaDB |
 | **MediaWiki** | `https://mediawiki.yourdomain.duckdns.org` | Wiki platform | ✓ | MariaDB |
 | **Form.io** | `https://forms.yourdomain.duckdns.org` | Form builder | ✓ | MongoDB |
 ===== Home Automation =====
 **Smart home integration and monitoring.**
 | Service | URL | Purpose | SSO |
 |---------|-----|---------|-----|
 | **Home Assistant** | `https://ha.yourdomain.duckdns.org` | Home automation | ✗ |
 | **ESPHome** | `https://esphome.yourdomain.duckdns.org` | ESP firmware | ✓ |
 | **TasmoAdmin** | `https://tasmoadmin.yourdomain.duckdns.org` | Tasmota manager | ✓ |
 | **Node-RED** | `https://nodered.yourdomain.duckdns.org` | Automation flows | ✓ |
 | **Mosquitto** | - | MQTT broker | - |
 | **Zigbee2MQTT** | `https://zigbee2mqtt.yourdomain.duckdns.org` | Zigbee bridge | ✓ |
 | **MotionEye** | `https://motioneye.yourdomain.duckdns.org` | Video surveillance | ✓ |
 ===== Monitoring Services =====
 **Observability, metrics, and alerting.**
 | Service | URL | Purpose | SSO |
 |---------|-----|---------|-----|
 | **Prometheus** | `https://prometheus.yourdomain.duckdns.org` | Metrics collection | ✓ |
 | **Grafana** | `https://grafana.yourdomain.duckdns.org` | Dashboard platform | ✓ |
 | **Loki** | - | Log aggregation | - |
 | **Promtail** | - | Log shipping | - |
 | **Node Exporter** | - | System metrics | - |
 | **cAdvisor** | - | Container metrics | - |
 | **Uptime Kuma** | `https://status.yourdomain.duckdns.org` | Status monitoring | ✓ |
 ===== Utility Services =====
 **Backup, password management, and miscellaneous.**
 | Service | URL | Purpose | SSO |
 |---------|-----|---------|-----|
 | **Vaultwarden** | `https://bitwarden.yourdomain.duckdns.org` | Password manager | ✗ |
 | **Backrest** | `https://backrest.yourdomain.duckdns.org` | Backup manager | ✓ |
 | **Duplicati** | `https://duplicati.yourdomain.duckdns.org` | Encrypted backups | ✓ |
 | **FreshRSS** | `https://rss.yourdomain.duckdns.org` | RSS reader | ✓ |
 | **Wallabag** | `https://wallabag.yourdomain.duckdns.org` | Read-it-later | ✓ |
 | **Authelia Redis** | - | Session storage | - |
 ===== Development Services =====
 **Development tools and environments.**
 | Service | URL | Purpose | SSO |
 |---------|-----|---------|-----|
 | **GitLab CE** | `https://gitlab.yourdomain.duckdns.org` | DevOps platform | ✓ |
 | **PostgreSQL** | - | SQL database | - |
 | **Redis** | - | In-memory store | - |
 | **pgAdmin** | `https://pgadmin.yourdomain.duckdns.org` | Database admin | ✓ |
 | **Jupyter Lab** | `https://jupyter.yourdomain.duckdns.org` | Notebooks | ✓ |
 | **Code Server** | `https://code.yourdomain.duckdns.org` | VS Code | ✓ |
 ===== Alternative Services =====
 **Alternative implementations and additional options.**
 | Service | URL | Purpose | SSO | Database |
 |---------|-----|---------|-----|----------|
 | **Plex** | `https://plex.yourdomain.duckdns.org` | Media server (Alt) | ✗ | - |
 | **Portainer** | `https://portainer.yourdomain.duckdns.org` | Container manager | ✓ | - |
 | **Authentik** | `https://authentik.yourdomain.duckdns.org` | SSO platform | ✓ | PostgreSQL |
 | **Authentik Worker** | - | Background tasks | - | - |
 | **Authentik DB** | - | Authentik database | - | - |
 | **Authentik Redis** | - | Caching | - | - |
 **Legend:** ✓ = Protected by Authelia SSO | ✗ = Bypasses SSO | - = No web interface
 ===== Service Management =====
 **Deploying Services:**
 **Via Dockge (Recommended):**
  1. Access `https://dockge.yourdomain.duckdns.org`
  2. Click **"Add Stack"**
  3. Choose **"From Docker Compose"**
  4. Select compose file from repository
  5. Click **"Deploy"**
 **Via Command Line:**
 ```bash
 # Deploy media services
 docker compose -f docker-compose/media.yml up -d
 # Deploy productivity stack
 docker compose -f docker-compose/productivity.yml up -d
 ```
 **Managing Services:**
 ```bash
 # View service status
 docker compose -f docker-compose/stack.yml ps
 # View logs
 docker compose -f docker-compose/stack.yml logs -f service-name
 # Restart service
 docker compose -f docker-compose/stack.yml restart service-name
 # Stop service
 docker compose -f docker-compose/stack.yml stop service-name
 ```
 ===== SSO Configuration =====
 **Enabling SSO Protection:**
 ```yaml
 labels:
  - "traefik.http.routers.service.middlewares=authelia@docker"
 ```
 **Disabling SSO (for media apps):**
 ```yaml
 # Comment out the middleware line
 # - "traefik.http.routers.service.middlewares=authelia@docker"
 ```
 **Bypass Rules in Authelia:**
 ```yaml
 access_control:
  rules:
    - domain: jellyfin.yourdomain.duckdns.org
      policy: bypass
    - domain: plex.yourdomain.duckdns.org
      policy: bypass
 ```
 ===== Resource Management =====
 **Default Resource Limits:**
 ```yaml
 deploy:
  resources:
    limits:
      cpus: '2.0'
      memory: 4G
    reservations:
      cpus: '0.5'
      memory: 1G
 ```
 **Service Categories:**
  * **Core**: 0.1-0.5 CPU, 64MB-256MB RAM
  * **Web Services**: 1-2 CPU, 1-4GB RAM
  * **Media Services**: 2-4 CPU, 4-8GB RAM
  * **Databases**: 1-2 CPU, 2-4GB RAM
 ===== Storage Requirements =====
 **Configuration Storage (/opt/stacks/):**
  * Small configs and metadata
  * Automatic backups
  * Version controlled
 **Data Storage (/mnt/):**
  * Large media libraries
  * User uploaded content
  * Database files
 **Backup Storage:**
  * Configuration backups
  * User data archives
  * SSL certificates
 ===== Troubleshooting =====
 **Service Won't Start:**
 ```bash
 # Check logs
 docker compose -f docker-compose/stack.yml logs service-name
 # Validate configuration
 docker compose -f docker-compose/stack.yml config
 # Check resource usage
 docker stats
 ```
 **Access Issues:**
  * Verify Traefik labels
  * Check Authelia policies
  * Confirm DNS resolution
  * Test SSL certificates
 **Performance Problems:**
  * Monitor resource usage
  * Check network connectivity
  * Review service logs
  * Adjust resource limits
 **Next:** Explore individual [[services:core:start|Core Services]] or learn about [[troubleshooting:start|Troubleshooting]].
--- a/config-templates/dokuwiki/data/pages/services/utilities/start.txt
+++ b/config-templates/dokuwiki/data/pages/services/utilities/start.txt
@@ -1,63 +0,0 @@
 ====== Utilities Services ======
 This section covers utility and development tools for your homelab.
 ===== Available Services =====
 **Code Server** - VS Code in the browser
  * Access: https://code.${DOMAIN}
  * Description: Web-based VS Code for development and file editing
  * Stack: utilities.yml
 **File Browser** - Web file manager
  * Access: https://files.${DOMAIN}
  * Description: Simple web interface for managing files
  * Stack: utilities.yml
 **Speedtest Tracker** - Internet speed monitoring
  * Access: https://speedtest.${DOMAIN}
  * Description: Automated internet speed tests with history
  * Stack: utilities.yml
 **SmokePing** - Network latency monitoring
  * Access: https://smokeping.${DOMAIN}
  * Description: Network latency and packet loss monitoring
  * Stack: utilities.yml
 **NetData** - Real-time system monitoring
  * Access: https://netdata.${DOMAIN}
  * Description: Real-time health monitoring and performance metrics
  * Stack: utilities.yml
 **Restic Rest Server** - Backup repository server
  * Description: REST server for Restic backups
  * Stack: utilities.yml
 **Duplicati** - Backup solution
  * Access: https://backup.${DOMAIN}
  * Description: Encrypted backup to various storage providers
  * Stack: utilities.yml
 **Kopia** - Fast and secure backups
  * Access: https://kopia.${DOMAIN}
  * Description: Fast, secure, and efficient backup solution
  * Stack: utilities.yml
 ===== Quick Start =====
 1. Deploy the utilities stack:
   docker-compose -f utilities.yml up -d
 2. Access services via their respective URLs
 3. Configure backup destinations and schedules
 4. Set up monitoring alerts if needed
 ===== Integration =====
 Utilities services integrate with:
  * **Traefik** - Automatic SSL and routing
  * **Authelia** - SSO authentication
  * **File systems** - Direct access to host storage
  * **External services** - Cloud storage for backups
--- a/config-templates/dokuwiki/data/pages/sidebar.txt
+++ b/config-templates/dokuwiki/data/pages/sidebar.txt
@@ -1,84 +0,0 @@
 ====== Navigation ======
 **AI-Homelab Wiki**
 ==== Getting Started ====
  * [[getting_started:start|Overview]]
  * [[getting_started:prerequisites|Prerequisites]]
  * [[getting_started:setup|Automated Setup]]
  * [[getting_started:deployment|Deployment]]
  * [[getting_started:access|Access Services]]
  * [[getting_started:security|Security Setup]]
 ==== Architecture ====
  * [[architecture:overview|System Overview]]
  * [[architecture:networking|Network Architecture]]
  * [[architecture:security|Security Model]]
  * [[architecture:storage|Storage Strategy]]
  * [[architecture:backup|Backup Strategy]]
 ==== Services ====
  * [[services:start|Service Overview]]
  * **Core Infrastructure**
    * [[services:core:traefik|Traefik]]
    * [[services:core:authelia|Authelia]]
    * [[services:core:duckdns|DuckDNS]]
    * [[services:core:gluetun|Gluetun]]
    * [[services:core:sablier|Sablier]]
  * **Infrastructure**
    * [[services:infrastructure:dockge|Dockge]]
    * [[services:infrastructure:pihole|Pi-hole]]
    * [[services:infrastructure:dozzle|Dozzle]]
    * [[services:infrastructure:glances|Glances]]
  * **Media Services**
    * [[services:media:jellyfin|Jellyfin]]
    * [[services:media:plex|Plex]]
    * [[services:media:qbittorrent|qBittorrent]]
    * [[services:media:sonarr|Sonarr]]
    * [[services:media:radarr|Radarr]]
  * **Productivity**
    * [[services:productivity:nextcloud|Nextcloud]]
    * [[services:productivity:gitea|Gitea]]
    * [[services:productivity:bookstack|BookStack]]
  * **Monitoring**
    * [[services:monitoring:grafana|Grafana]]
    * [[services:monitoring:prometheus|Prometheus]]
    * [[services:monitoring:uptime_kuma|Uptime Kuma]]
  * **Utilities**
    * [[services:utilities:backrest|Backrest]]
    * [[services:utilities:duplicati|Duplicati]]
    * [[services:utilities:vaultwarden|Vaultwarden]]
 ==== Backup & Recovery ====
  * [[backup_recovery:start|Overview]]
  * [[backup_recovery:backrest|Backrest (Default)]]
  * [[backup_recovery:duplicati|Duplicati (Alternative)]]
  * [[backup_recovery:strategy|Backup Strategy]]
  * [[backup_recovery:restoration|Restoration]]
 ==== Troubleshooting ====
  * [[troubleshooting:start|Common Issues]]
  * [[troubleshooting:deployment|Deployment Problems]]
  * [[troubleshooting:services|Service Issues]]
  * [[troubleshooting:networking|Network Problems]]
  * [[troubleshooting:ssl|SSL Certificate Issues]]
 ==== Development ====
  * [[development:start|Contributing]]
  * [[development:copilot|AI Copilot Integration]]
  * [[development:customization|Customization]]
  * [[development:deployment|Advanced Deployment]]
 ==== Reference ====
  * [[reference:start|Quick Reference]]
  * [[reference:commands|Command Reference]]
  * [[reference:environment|Environment Variables]]
  * [[reference:ports|Port Reference]]
  * [[reference:scripts|Deployment Scripts]]
 ==== External Links ====
  * [[https://github.com/kelinfoxy/AI-Homelab|GitHub Repository]]
  * [[https://github.com/kelinfoxy/AI-Homelab/issues|Issue Tracker]]
  * [[https://github.com/kelinfoxy/AI-Homelab/discussions|Discussions]]
  * [[https://doc.traefik.io/traefik/|Traefik Documentation]]
  * [[https://www.authelia.com/|Authelia Documentation]]
--- a/config-templates/dokuwiki/data/pages/start.txt
+++ b/config-templates/dokuwiki/data/pages/start.txt
@@ -1,105 +0,0 @@
 ====== AI-Homelab Documentation Wiki ======
 ===== Welcome to AI-Homelab =====
 **AI-Homelab** is a production-ready homelab infrastructure that deploys 70+ services through a file-based, AI-manageable architecture using Dockge for visual management.
 **Key Features:**
  * **Automated SSL** - Wildcard certificates via Let's Encrypt
  * **Single Sign-On** - Authelia authentication across all services
  * **VPN Routing** - Secure downloads through Gluetun
  * **Lazy Loading** - Sablier enables on-demand container startup
  * **Resource Limits** - Prevent resource exhaustion
  * **AI Management** - GitHub Copilot integration for service management
 **Quick Access:**
  * [[getting_started:start|🚀 Getting Started]] - Setup and deployment guide
  * [[architecture:overview|🏗️ Architecture]] - System design and components
  * [[services:start|📦 Services]] - All available services and stacks
  * [[backup_recovery:start|💾 Backup & Recovery]] - Data protection strategies
  * [[troubleshooting:start|🔧 Troubleshooting]] - Common issues and solutions
  * [[development:start|👨‍💻 Development]] - Contributing and customization
 ===== Quick Start Checklist =====
 Complete these steps to get your homelab running:
  * [ ] [[getting_started:prerequisites|Review prerequisites and requirements]]
  * [ ] [[getting_started:setup|Run automated setup script]]
  * [ ] [[getting_started:deployment|Deploy core infrastructure]]
  * [ ] [[getting_started:access|Access your services]]
  * [ ] [[getting_started:security|Configure security (2FA, access rules)]]
  * [ ] [[services:deployment|Deploy additional services as needed]]
 ===== Architecture Overview =====
 **Core Components:**
  * **[[services:core:traefik|Traefik]]** - Reverse proxy with automatic SSL
  * **[[services:core:authelia|Authelia]]** - Single sign-on authentication
  * **[[services:core:duckdns|DuckDNS]]** - Dynamic DNS updates
  * **[[services:core:gluetun|Gluetun]]** - VPN client for secure downloads
  * **[[services:core:sablier|Sablier]]** - Lazy loading service
 **Service Categories:**
  * **[[services:infrastructure:start|Infrastructure]]** - Management and monitoring tools
  * **[[services:media:start|Media]]** - Streaming, automation, and content management
  * **[[services:productivity:start|Productivity]]** - Collaboration and workflow tools
  * **[[services:monitoring:start|Monitoring]]** - Observability and alerting
  * **[[services:utilities:start|Utilities]]** - Backup, security, and system tools
 ===== Service Access =====
 After deployment, access your services at:
 ^ Service ^ URL ^ Authentication ^
 | **Dockge** | https://dockge.{{DOMAIN}} | Authelia SSO |
 | **Homepage** | https://home.{{DOMAIN}} | Authelia SSO |
 | **Traefik Dashboard** | https://traefik.{{DOMAIN}} | Authelia SSO |
 | **Authelia Login** | https://auth.{{DOMAIN}} | Direct access |
 ===== Getting Help =====
 **Documentation Navigation:**
  * Use the sidebar for quick navigation
  * Search functionality is available in the top-right
  * All pages include cross-references to related topics
 **Community Resources:**
  * [[https://github.com/kelinfoxy/AI-Homelab|GitHub Repository]]
  * [[https://github.com/kelinfoxy/AI-Homelab/issues|Issue Tracker]]
  * [[https://github.com/kelinfoxy/AI-Homelab/discussions|Discussions]]
 **AI Assistance:**
  * This wiki is designed to work with AI agents
  * Use GitHub Copilot in VS Code for intelligent management
  * See [[development:copilot|Copilot Instructions]] for details
 ===== Recent Updates =====
 **January 20, 2026:**
  * Updated service count to 70+ services
  * Enhanced Sablier lazy loading documentation
  * Improved backup strategy with Backrest as default
  * Standardized service documentation format
  * Added comprehensive troubleshooting guides
 **Key Improvements:**
  * Better navigation and cross-linking
  * Comprehensive service documentation
  * Enhanced security configurations
  * Improved deployment automation
 ===== Navigation =====
 {{:navigation-tree.png?300|Documentation Structure}}
 **Main Sections:**
  * [[getting_started:start|Getting Started]] - Setup and deployment
  * [[architecture:start|Architecture]] - System design
  * [[services:start|Services]] - Available services
  * [[backup_recovery:start|Backup & Recovery]] - Data protection
  * [[troubleshooting:start|Troubleshooting]] - Problem solving
  * [[development:start|Development]] - Contributing and customization
  * [[reference:start|Reference]] - Quick reference guides
 This wiki serves as the comprehensive documentation hub for AI-Homelab. All content is maintained and regularly updated to reflect the latest features and best practices.
--- a/config-templates/dokuwiki/data/pages/troubleshooting/start.txt
+++ b/config-templates/dokuwiki/data/pages/troubleshooting/start.txt
@@ -1,3 +0,0 @@
 ====== Troubleshooting ======
 Coming soon...
--- a/config-templates/dokuwiki/docker-compose.yml
+++ b/config-templates/dokuwiki/docker-compose.yml
@@ -1,35 +0,0 @@
 # Dokuwiki - Self-hosted Wiki Platform
 # Place in /opt/stacks/productivity/dokuwiki/docker-compose.yml
 services:
  dokuwiki:
    image: lscr.io/linuxserver/dokuwiki:latest
    container_name: dokuwiki
    restart: unless-stopped
    networks:
      - traefik-network
    ports:
      - "80:80"
    volumes:
      - ./config:/config
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    labels:
      - "homelab.category=productivity"
      - "homelab.description=Self-hosted wiki platform"
      - "traefik.enable=true"
      - "traefik.http.routers.dokuwiki.rule=Host(`wiki.${DOMAIN}`)"
      - "traefik.http.routers.dokuwiki.entrypoints=websecure"
      - "traefik.http.routers.dokuwiki.tls.certresolver=letsencrypt"
      - "traefik.http.routers.dokuwiki.middlewares=authelia@docker"
      - "traefik.http.services.dokuwiki.loadbalancer.server.port=80"
      - "x-dockge.url=https://wiki.${DOMAIN}"
 volumes:
  dokuwiki-config:
 networks:
  traefik-network:
    external: true
--- a/config-templates/homepage/docker.yaml
+++ b/config-templates/homepage/docker.yaml
@@ -1,8 +0,0 @@
 # Homepage Configuration - Docker Integration
 # Copy to /opt/stacks/homepage/config/docker.yaml
 # Enables auto-discovery of containers and status monitoring
 # Docker socket (via proxy for security)
 my-docker:
  socket: /var/run/docker.sock
--- a/config-templates/homepage/settings.yaml
+++ b/config-templates/homepage/settings.yaml
@@ -1,11 +0,0 @@
 ---
 # Homepage Settings
 # For all configuration options: https://gethomepage.dev/configs/settings/
 title: AI Homelab Dashboard
 theme: dark
 color: slate
 headerStyle: boxed
--- a/config-templates/traefik/dynamic/external-host-production.yml
+++ b/config-templates/traefik/dynamic/external-host-production.yml
@@ -1,599 +0,0 @@
 http:
  routers:
    backrest-${SERVER_HOSTNAME}:
      rule: "Host(`backrest.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: backrest-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-backrest@file
        - authelia@docker
    bookstack-${SERVER_HOSTNAME}:
      rule: "Host(`bookstack.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: bookstack-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-bookstack@file
        - authelia@docker
    vaultwarden-${SERVER_HOSTNAME}:
      rule: "Host(`vault.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: vaultwarden-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      # SSO disabled for browser extension and mobile app compatibility
      # middlewares:
      #   - sablier-${SERVER_HOSTNAME}-vaultwarden@file
    calibre-web-${SERVER_HOSTNAME}:
      rule: "Host(`calibre.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: calibre-web-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-calibre-web@file
        - authelia@docker
    code-${SERVER_HOSTNAME}:
      rule: "Host(`code.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: code-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-code-server@file
        - authelia@docker
    dockge-${SERVER_HOSTNAME}:
      rule: "Host(`jarvis.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: dockge-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
    dockhand-${SERVER_HOSTNAME}:
      rule: "Host(`dockhand.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: dockhand-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
    dokuwiki-${SERVER_HOSTNAME}:
      rule: "Host(`dokuwiki.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: dokuwiki-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-dokuwiki@file
        - authelia@docker
    dozzle-${SERVER_HOSTNAME}:
      rule: "Host(`dozzle.${SERVER_HOSTNAME}.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: dozzle-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-dozzle@file
        - authelia@docker
    duplicati-${SERVER_HOSTNAME}:
      rule: "Host(`duplicati.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: duplicati-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-duplicati@file
        - authelia@docker
    formio-${SERVER_HOSTNAME}:
      rule: "Host(`formio.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: formio-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-formio@file
        - authelia@docker
    gitea-${SERVER_HOSTNAME}:
      rule: "Host(`gitea.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: gitea-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-gitea@file
        - authelia@docker
    glances-${SERVER_HOSTNAME}:
      rule: "Host(`glances.jarvis.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: glances-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-glances@file
        - authelia@docker
    homepage-${SERVER_HOSTNAME}:
      rule: "Host(`homepage.jarvis.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: homepage-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
    homarr-${SERVER_HOSTNAME}:
      rule: "Host(`homarr.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: homarr-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
        - sablier-${SERVER_HOSTNAME}-homarr@file
    jellyfin-${SERVER_HOSTNAME}:
      rule: "Host(`jellyfin.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: jellyfin-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-jellyfin@file
        # No authelia middleware for media apps
    jupyter-${SERVER_HOSTNAME}:
      rule: "Host(`jupyter.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: jupyter-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-jupyter@file
        - authelia@docker
    kopia-${SERVER_HOSTNAME}:
      rule: "Host(`kopia.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: kopia-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-kopia@file
        - authelia@docker
    mealie-${SERVER_HOSTNAME}:
      rule: "Host(`mealie.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: mealie-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-mealie@file
        - authelia@docker
    motioneye-${SERVER_HOSTNAME}:
      rule: "Host(`motioneye.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: motioneye-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
    mediawiki-${SERVER_HOSTNAME}:
      rule: "Host(`mediawiki.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: mediawiki-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-mediawiki@file
        - authelia@docker
    nextcloud-${SERVER_HOSTNAME}:
      rule: "Host(`nextcloud.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: nextcloud-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-nextcloud@file
        - authelia@docker
    openkm-${SERVER_HOSTNAME}:
      rule: "Host(`openkm.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: openkm-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-openkm@file
        - authelia@docker
    openwebui-${SERVER_HOSTNAME}:
      rule: "Host(`openwebui.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: openwebui-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-openwebui@file
        - authelia@docker
    qbittorrent-${SERVER_HOSTNAME}:
      rule: "Host(`torrents.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: qbittorrent-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-arr@file
        - authelia@docker
    tdarr-${SERVER_HOSTNAME}:
      rule: "Host(`tdarr.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: tdarr-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-arr@file
        - authelia@docker
    unmanic-${SERVER_HOSTNAME}:
      rule: "Host(`unmanic.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: unmanic-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-unmanic@file
        - authelia@docker
    wordpress-${SERVER_HOSTNAME}:
      rule: "Host(`knot-u.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: wordpress-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-wordpress@file
        - authelia@file
 # Arr Services (no SSO for media apps)
    jellyseerr-${SERVER_HOSTNAME}:
      rule: "Host(`jellyseerr.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: jellyseerr-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-arr@file
        - authelia@docker
    prowlarr-${SERVER_HOSTNAME}:
      rule: "Host(`prowlarr.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: prowlarr-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-arr@file
        - authelia@docker
    radarr-${SERVER_HOSTNAME}:
      rule: "Host(`radarr.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: radarr-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-arr@file
        - authelia@docker
    sonarr-${SERVER_HOSTNAME}:
      rule: "Host(`sonarr.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: sonarr-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-arr@file
        - authelia@docker
    lidarr-${SERVER_HOSTNAME}:
      rule: "Host(`lidarr.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: lidarr-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-arr@file
        - authelia@docker
    readarr-${SERVER_HOSTNAME}:
      rule: "Host(`readarr.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: readarr-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-arr@file
        - authelia@docker
    mylar3-${SERVER_HOSTNAME}:
      rule: "Host(`mylar3.${DOMAIN}`)"
      entryPoints:
        - websecure
      service: mylar3-${SERVER_HOSTNAME}
      tls:
        certResolver: letsencrypt
      middlewares:
        - sablier-${SERVER_HOSTNAME}-arr@file
        - authelia@docker
 # Service Definitions
  services:
    backrest-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:9898"
        passHostHeader: true
    vaultwarden-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8091"
        passHostHeader: true
    bookstack-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:6875"
        passHostHeader: true
    calibre-web-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8083"
        passHostHeader: true
    code-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8079"
        passHostHeader: true
    dockge-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:5001"
        passHostHeader: true
    dockhand-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:3003"
        passHostHeader: true
    dokuwiki-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8087"
        passHostHeader: true
    dozzle-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8085"
        passHostHeader: true
    duplicati-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8200"
        passHostHeader: true
    formio-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:3002"
        passHostHeader: true
    gitea-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:3010"
        passHostHeader: true
    glances-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:61208"
        passHostHeader: true
    homarr-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:7575"
        passHostHeader: true
    homepage-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:3000"
        passHostHeader: true
    jellyfin-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8096"
        passHostHeader: true
    jupyter-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8890"
        passHostHeader: true
    kopia-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:51515"
        passHostHeader: true
    mealie-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:9000"
        passHostHeader: true
    mediawiki-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8086"
        passHostHeader: true
    motioneye-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8081"
        passHostHeader: true
    nextcloud-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8089"
        passHostHeader: true
    openkm-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:18080"
        passHostHeader: true
    openwebui-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:3000"
        passHostHeader: true
    qbittorrent-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8081"
        passHostHeader: true
    tdarr-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8265"
        passHostHeader: true
    unmanic-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8889"
        passHostHeader: true
    wordpress-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8088"
        passHostHeader: true
    # Arr Services
    jellyseerr-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:5055"
        passHostHeader: true
    prowlarr-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:9696"
        passHostHeader: true
    radarr-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:7878"
        passHostHeader: true
    sonarr-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8989"
        passHostHeader: true
    lidarr-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8686"
        passHostHeader: true
    readarr-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8787"
        passHostHeader: true
    mylar3-${SERVER_HOSTNAME}:
      loadBalancer:
        servers:
          - url: "http://192.168.4.11:8090"
        passHostHeader: true
--- a/config-templates/traefik/traefik.yml
+++ b/config-templates/traefik/traefik.yml
@@ -1,56 +0,0 @@
 # Traefik Static Configuration
 # Copy to /opt/stacks/traefik/traefik.yml
 global:
  checkNewVersion: true
  sendAnonymousUsage: false
 api:
  dashboard: true
  insecure: false  # Dashboard accessible via Traefik route with Authelia
 entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
 certificatesResolvers:
  letsencrypt:
    acme:
      email: ACME_EMAIL_PLACEHOLDER  # Will be replaced by deploy script
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      storage: /acme.json
      # For testing: Use staging to avoid production rate limits
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      # DNS challenge - For wildcard certificates (*.yourdomain.duckdns.org)
      # Works with DuckDNS - requires DUCKDNS_TOKEN in environment
      dnsChallenge:
        provider: duckdns
 providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false  # Only expose services with traefik.enable=true
    network: traefik-network
  file:
    directory: /dynamic
    watch: true
 log:
  level: INFO  # DEBUG, INFO, WARN, ERROR
  filePath: /var/log/traefik/traefik.log
 accessLog:
  filePath: /var/log/traefik/access.log
  bufferingSize: 100
--- a/docker-compose/README.md
+++ b/docker-compose/README.md
@@ -1,139 +1,108 @@
 # Docker Compose Stacks
-This directory contains Docker Compose files for managing your homelab services. Each stack is organized in its own folder for better organization and maintainability.
+This directory contains Docker Compose templates for managing your homelab services. Each stack is organized in its own folder for better organization and maintainability.
 ## Structure
 ```
 docker-compose/
-├── core/              # Core infrastructure (Traefik, Authelia, DuckDNS)
+├── core/              # Core infrastructure (MUST DEPLOY FIRST)
-├── infrastructure/    # Additional infrastructure (Pi-hole, Dockge, etc.)
+│   ├── docker-compose.yml
 │   ├── authelia/      # SSO configuration
 │   ├── duckdns/       # DNS configuration
 │   └── traefik/       # Reverse proxy configuration
 │       └── dynamic/   # External routing YAML files (multi-server)
 ├── sablier/           # Lazy loading service (per-server)
 ├── dockge/            # Docker management web UI
 ├── infrastructure/    # Additional infrastructure (Pi-hole, etc.)
 ├── dashboards/        # Dashboard services (Homepage, Homarr)
 ├── vpn/               # VPN services (Gluetun, qBittorrent)
 ├── media/             # Media services (Plex, Jellyfin, etc.)
 ├── media-management/  # *arr services (Sonarr, Radarr, etc.)
 ├── monitoring/        # Observability stack (Prometheus, Grafana, etc.)
 ├── alternatives/      # Alternative services (Authentik, etc.)
 ├── homeassistant/     # Home Assistant stack
-├── nextcloud/         # Nextcloud stack
+├── productivity/      # Productivity tools (Nextcloud, Gitea, etc.)
-├── productivity/      # Productivity tools
+├── utilities/         # Utility services (Duplicati, FreshRSS, etc.)
-├── utilities/         # Utility services
+├── wikis/             # Mediawiki, Dokuwiki, Bookstacks
-└── README.md          # This file
+└── vpn/               # VPN services (Gluetun, qBittorrent)
 ```
-## Usage
+## Multi-Server Architecture
-### Starting Services
+EZ-Homelab supports two deployment models:
-Start all services in a stack:
+### **Single Server:**
 - Core + all other stacks on one machine
 - Simplest setup for beginners
 ### **Multi-Server:**
 - **Core Server**: DuckDNS, Traefik (multi-provider), Authelia
 - **Remote Servers**: Traefik (local-only), Sablier (local-only), application services
 - All services accessed through unified domain
 See [docs/Ondemand-Remote-Services.md](../docs/Ondemand-Remote-Services.md) for multi-server setup.
 ## Deployment
 Use the unified setup script:
 ```bash
-cd docker-compose/core && docker compose up -d
+cd ~/EZ-Homelab
 ./scripts/ez-homelab.sh
 ```
-Start a specific service:
+## Single Server Traefik service labels
 ```bash
 cd docker-compose/vpn && docker compose up -d gluetun
 ```
 ### Stopping Services
 Stop all services in a stack:
 ```bash
 cd docker-compose/core && docker compose down
 ```
 Stop a specific service:
 ```bash
 cd docker-compose/vpn && docker compose stop qbittorrent
 ```
 ### Viewing Status
 Check running services:
 ```bash
 docker compose -f docker-compose/media.yml ps
 ```
 View logs:
 ```bash
 docker compose -f docker-compose/media.yml logs -f plex
 ```
 ### Updating Services
 Pull latest images:
 ```bash
 docker compose -f docker-compose/media.yml pull
 ```
 Update a specific service:
 ```bash
 docker compose -f docker-compose/media.yml pull plex
 docker compose -f docker-compose/media.yml up -d plex
 ```
 ## Networks
 All services connect to a shared bridge network called `homelab-network`. Create it once:
 ```bash
 docker network create homelab-network
 ```
 Some services may use additional networks for security isolation:
 - `monitoring-network` - For monitoring stack
 - `database-network` - For database isolation
 - `media-network` - For media services
 Create them as needed:
 ```bash
 docker network create monitoring-network
 docker network create database-network
 docker network create media-network
 ```
 ## Environment Variables
 Create a `.env` file in the root of your homelab directory with common variables:
 ```bash
 # .env
 PUID=1000
 PGID=1000
 TZ=America/New_York
 USERDIR=/home/username/homelab
 DATADIR=/mnt/data
 ```
 Never commit `.env` files to git! Use `.env.example` as a template instead.
 ## Labels
 ### To enable Authelia SSO
 ```yaml
 ```
 ### Traefik routing labels
 If Traekif is on the same server add these labels.
 ```yaml
 ```
 >If Traefik is on a seperate server, don't use traekfik labels in compose files, use an external host yaml file.
 ### Sablier middleware labels
 Add these labels to enable ondemand functionality.
 ```yaml
 services:
  myservice:
    labels:
-      - sablier.enable=true
+      # TRAEFIK CONFIGURATION
-      - sablier.group=<server>-<service name>
+      # ==========================================
-      - sablier.start-on-demand=true
+      # Service metadata
-      
+      - "com.centurylinklabs.watchtower.enable=true"
      - "homelab.category=category-name"
      - "homelab.description=Brief service description"
      # Traefik labels
      - "traefik.enable=true"
      # Router configuration
      - "traefik.http.routers.myservice.rule=Host(`myservice.${DOMAIN}`)"
      - "traefik.http.routers.myservice.entrypoints=websecure"
      - "traefik.http.routers.myservice.tls.certresolver=letsencrypt"
      - "traefik.http.routers.myservice.middlewares=authelia@docker"  # SSO (remove to disable)
      # Service configuration
      - "traefik.http.services.myservice.loadbalancer.server.port=8080"
      # Sablier configuration (lazy loading)
      - "sablier.enable=true"
      - "sablier.group=${SERVER_HOSTNAME}-myservice"
      - "sablier.start-on-demand=true"
 ```
 ## Multi-Server Traefik
 ### On Core Server
 ## On Remote Server
 ### Disabling SSO (Media Servers)
 Remove or comment the authelia middleware line:
 ```yaml
 # SSO enabled (default):
 - "traefik.http.routers.myservice.middlewares=authelia@docker"
 # SSO disabled (for Plex, Jellyfin, etc.):
 # - "traefik.http.routers.myservice.middlewares=authelia@docker"
 ```
 ### Disabling Lazy Loading (Always-On Services)
 Remove Sablier labels and use `restart: unless-stopped`:
 ```yaml
 services:
  myservice:
    restart: unless-stopped  # Always running
    # No sablier labels
 ```
 ## Best Practices
@@ -158,6 +127,7 @@ services:
    restart: unless-stopped
    networks:
      - homelab-network
      - traefik-network
    ports:
      - "host_port:container_port"
    volumes:
@@ -184,77 +154,3 @@ networks:
  homelab-network:
    external: true
 ```
 ## Troubleshooting
 ### Service won't start
 1. Check logs: `docker compose -f file.yml logs service-name`
 2. Validate config: `docker compose -f file.yml config`
 3. Check for port conflicts: `sudo netstat -tlnp | grep PORT`
 4. Verify volumes exist and have correct permissions
 ### Permission errors
 1. Ensure PUID and PGID match your user: `id -u` and `id -g`
 2. Fix directory ownership: `sudo chown -R 1000:1000 ./config/service-name`
 ### Network issues
 1. Verify network exists: `docker network ls`
 2. Check service is connected: `docker network inspect homelab-network`
 3. Test connectivity: `docker compose exec service1 ping service2`
 ## Migration from Docker Run
 If you have services running via `docker run`, migrate them to compose:
 1. Get current configuration:
   ```bash
   docker inspect container-name > container-config.json
   ```
 2. Convert to compose format (extract image, ports, volumes, environment)
 3. Test the compose configuration
 4. Stop old container:
   ```bash
   docker stop container-name
   docker rm container-name
   ```
 5. Start with compose:
   ```bash
   docker compose -f file.yml up -d
   ```
 ## Backup Strategy
 Regular backups are essential:
 ```bash
 # Backup compose files (already in git)
 git add docker-compose/*.yml
 git commit -m "Update compose configurations"
 # Backup volumes
 docker run --rm \
  -v volume-name:/data \
  -v $(pwd)/backups:/backup \
  busybox tar czf /backup/volume-name-$(date +%Y%m%d).tar.gz /data
 # Backup config directories
 tar czf backups/config-$(date +%Y%m%d).tar.gz config/
 ```
 ## Getting Help
 - Check the [Docker Guidelines](../docs/docker-guidelines.md) for detailed documentation
 - Review the [GitHub Copilot Instructions](../.github/copilot-instructions.md) for AI assistance
 - Consult service-specific documentation in `config/service-name/README.md`
 ## Examples
 See the example compose files in this directory:
 - `infrastructure.yml` - Essential services like reverse proxy
 - `media.yml` - Media server stack
 - `monitoring.yml` - Observability and monitoring
 - `development.yml` - Development environments and tools
--- a/docker-compose/alternatives/.env.example
+++ b/docker-compose/alternatives/.env.example
@@ -0,0 +1,16 @@
 # Alternatives Stack Environment Variables
 TZ=
 PUID=
 PGID=
 SERVER_IP=
 SERVER_HOSTNAME=
 DOMAIN=
 MEDIA_DIR=
 PLEX_CLAIM=
 AUTHENTIK_SECRET_KEY=
 AUTHENTIK_DB_NAME=
 AUTHENTIK_DB_USER=
 AUTHENTIK_DB_PASSWORD=
--- a/docker-compose/alternatives/docker-compose.yml
+++ b/docker-compose/alternatives/docker-compose.yml
@@ -1,8 +1,5 @@
 # Alternative Services Stack
 # This stack contains alternative/optional services that are not deployed by default
 # Deploy manually through Dockge if you want to use these alternatives
 # Place in /opt/stacks/alternatives/docker-compose.yml
 # RESTART POLICY GUIDE:
 # - unless-stopped: Core infrastructure services that should always run
 # - no: Services with Sablier lazy loading (start on-demand)
@@ -10,8 +7,6 @@
 services:
  # Portainer - Docker management UI (Alternative to Dockge)
  # Access at: https://portainer.${DOMAIN}
  # NOTE: Dockge is the default Docker management UI. Deploy Portainer only if you prefer its interface
  # Docker management interface should always run when deployed
  portainer:
    image: portainer/portainer-ce:2.19.4
@@ -21,24 +16,25 @@ services:
      - homelab-network
      - traefik-network
    ports:
-      - "9000:9000"
+      - '9000:9000'
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
-      - portainer-data:/data
+      - ./portainer/data:/data
    security_opt:
      - no-new-privileges:true
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=alternatives"
+      - 'homelab.category=alternatives'
-      - "homelab.description=Docker container management UI (Alternative to Dockge)"
+      - 'homelab.description=Docker container management UI (Alternative to Dockge)'
-      - "traefik.enable=true"
+      - 'traefik.enable=true'
-      - "traefik.http.routers.portainer.rule=Host(`portainer.${DOMAIN}`)"
+      - 'traefik.docker.network=traefik-network'
-      - "traefik.http.routers.portainer.entrypoints=websecure"
+      - 'traefik.http.routers.portainer.rule=Host(`portainer.${DOMAIN}`)'
-      - "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.portainer.entrypoints=websecure'
-      - "traefik.http.routers.portainer.middlewares=authelia@docker"
+      - 'traefik.http.routers.portainer.tls.certresolver=letsencrypt'
-      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
+      - 'traefik.http.routers.portainer.middlewares=authelia@docker'
      - 'traefik.http.services.portainer.loadbalancer.server.port=9000'
  # Authentik - Alternative SSO/Identity Provider with Web UI
  # Access at: https://authentik.${DOMAIN}
@@ -54,10 +50,10 @@ services:
      - homelab-network
      - traefik-network
    ports:
-      - "9000:9000"
+      - '9000:9000'
    volumes:
-      - /opt/stacks/authentik/media:/media
+      - ./authentik/media:/media
-      - /opt/stacks/authentik/custom-templates:/templates
+      - ./authentik/custom-templates:/templates
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
@@ -70,14 +66,15 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=alternatives"
+      - 'homelab.category=alternatives'
-      - "homelab.description=SSO/Identity provider with web UI (Alternative to Authelia)"
+      - 'homelab.description=SSO/Identity provider with web UI (Alternative to Authelia)'
-      - "traefik.enable=true"
+      - 'traefik.enable=true'
-      - "traefik.http.routers.authentik.rule=Host(`authentik.${DOMAIN}`)"
+      - 'traefik.docker.network=traefik-network'
-      - "traefik.http.routers.authentik.entrypoints=websecure"
+      - 'traefik.http.routers.authentik.rule=Host(`authentik.${DOMAIN}`)'
-      - "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.authentik.entrypoints=websecure'
-      - "traefik.http.routers.authentik.middlewares=authelia@docker"
+      - 'traefik.http.routers.authentik.tls.certresolver=letsencrypt'
-      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+      - 'traefik.http.routers.authentik.middlewares=authelia@docker'
      - 'traefik.http.services.authentik.loadbalancer.server.port=9000'
    depends_on:
      - authentik-db
      - authentik-redis
@@ -92,9 +89,9 @@ services:
    networks:
      - homelab-network
    volumes:
-      - /opt/stacks/authentik/media:/media
+      - ./authentik/media:/media
-      - /opt/stacks/authentik/certs:/certs
+      - ./authentik/certs:/certs
-      - /opt/stacks/authentik/custom-templates:/templates
+      - ./authentik/custom-templates:/templates
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
@@ -107,8 +104,8 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=alternatives"
+      - 'homelab.category=alternatives'
-      - "homelab.description=Authentik background worker"
+      - 'homelab.description=Authentik background worker'
    depends_on:
      - authentik-db
      - authentik-redis
@@ -122,7 +119,7 @@ services:
    networks:
      - homelab-network
    volumes:
-      - authentik-db-data:/var/lib/postgresql/data
+      - ./authentik/db:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER=${AUTHENTIK_DB_USER}
      - POSTGRES_PASSWORD=${AUTHENTIK_DB_PASSWORD}
@@ -131,10 +128,10 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=alternatives"
+      - 'homelab.category=alternatives'
-      - "homelab.description=Authentik database"
+      - 'homelab.description=Authentik database'
    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U ${AUTHENTIK_DB_USER}"]
+      test: ['CMD-SHELL', 'pg_isready -U ${AUTHENTIK_DB_USER}']
      interval: 10s
      timeout: 5s
      retries: 5
@@ -148,24 +145,22 @@ services:
    networks:
      - homelab-network
    volumes:
-      - authentik-redis-data:/data
+      - ./authentik/redis:/data
    command: --save 60 1 --loglevel warning
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=alternatives"
+      - 'homelab.category=alternatives'
-      - "homelab.description=Authentik cache and messaging"
+      - 'homelab.description=Authentik cache and messaging'
    healthcheck:
-      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      test: ['CMD-SHELL', 'redis-cli ping | grep PONG']
      interval: 10s
      timeout: 3s
      retries: 5
  # Plex Media Server - Alternative to Jellyfin
  # Access at: https://plex.yourdomain.duckdns.org
  # NOTE: No Authelia - allows app access from Roku, Fire TV, mobile, etc.
  # Media server should always run when deployed as alternative to Jellyfin
  plex:
    image: plexinc/pms-docker:1.40.0.7998-f68041501
    container_name: plex
@@ -175,15 +170,15 @@ services:
      - homelab-network
      - traefik-network
    ports:
-      - "32400:32400"
+      - '32400:32400'
    volumes:
      - ./plex/config:/config
-      - /mnt/media:/media:ro  # Large media files on separate drive
+      - ${MEDIA_DIR}:/media:ro  # Large media files on separate drive
      - plex-transcode:/transcode
    environment:
-      - PUID=${PUID}
+      - PUID=1000
-      - PGID=${PGID}
+      - PGID=1000
-      - TZ=${TZ}
+      - TZ=America/New_York
      - PLEX_CLAIM=${PLEX_CLAIM}
    # Hardware transcoding support
    # Uncomment ONE of the following options:
@@ -207,26 +202,15 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=alternatives"
+      - 'homelab.category=alternatives'
-      - "homelab.description=Alternative media streaming server to Jellyfin"
+      - 'homelab.description=Alternative media streaming server to Jellyfin'
      # Traefik labels - NO Authelia for app access
-      - "traefik.enable=true"
+      - 'traefik.enable=true'
-      - "traefik.http.routers.plex.rule=Host(`plex.${DOMAIN}`)"
+      - 'traefik.docker.network=traefik-network'
-      - "traefik.http.routers.plex.entrypoints=websecure"
+      - 'traefik.http.routers.plex.rule=Host(`plex.${DOMAIN}`)'
-      - "traefik.http.routers.plex.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.plex.entrypoints=websecure'
-      - "traefik.http.services.plex.loadbalancer.server.port=32400"
+      - 'traefik.http.routers.plex.tls.certresolver=letsencrypt'
-      - "x-dockge.url=https://plex.${DOMAIN}"
+      - 'traefik.http.services.plex.loadbalancer.server.port=32400'
      - "x-dockge.url=https://plex.${DOMAIN}"
 volumes:
  portainer-data:
    driver: local
  authentik-db-data:
    driver: local
  authentik-redis-data:
    driver: local
  plex-transcode:
    driver: local
 networks:
  homelab-network:
--- a/docker-compose/arcane/.env.example
+++ b/docker-compose/arcane/.env.example
@@ -0,0 +1,13 @@
 # Arcane Stack Environment Variables
 TZ=
 PUID=
 PGID=
 SERVER_IP=
 SERVER_HOSTNAME=
 DOMAIN=
 PROJECTS_DIR=
 ARCANE_JWT_SECRET=
 ARCANE_ENCRYPTION_KEY=
--- a/docker-compose/arcane/docker-compose.yml
+++ b/docker-compose/arcane/docker-compose.yml
@@ -0,0 +1,40 @@
 services:
  arcane:
    image: ghcr.io/getarcaneapp/arcane:latest
    container_name: arcane
    ports:
      - '3552:3552'
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/app/data
      - ${PROJECTS_DIR}:${PROJECTS_DIR}
    environment:
      - APP_URL=http://${SERVER_IP}:3552
      - PROJECTS_DIRECTORY=${PROJECTS_DIR}
      - PUID=${PUID}
      - PGID=${PGID}
      - ENCRYPTION_KEY=${ARCANE_ENCRYPTION_KEY}
      - JWT_SECRET=${ARCANE_JWT_SECRET}
    restart: unless-stopped
    networks:
      - traefik-network
 #  arcane-agent:
 #    image: ghcr.io/getarcaneapp/arcane-headless:latest
 #    container_name: arcane-agent
 #    restart: unless-stopped
 #    environment:
 #      - AGENT_MODE=true
 #      - AGENT_TOKEN=${ARCANE_AGENT_TOKEN}
 #      - MANAGER_API_URL=http://${SERVER_IP}:3552
 #    ports:
 #      - "3553:3553"
 #    volumes:
 #      - /var/run/docker.sock:/var/run/docker.sock
 #      - ./data:/app/data
 #    networks:
 #      - traefik-network
 networks:
  traefik-network:
    external: true
--- a/docker-compose/core/.env.example
+++ b/docker-compose/core/.env.example
@@ -0,0 +1,18 @@
 # Core Stack Environment Variables
 TZ=
 PUID=
 PGID=
 SERVER_IP=
 SERVER_HOSTNAME=
 DOMAIN=
 DUCKDNS_SUBDOMAINS=
 DUCKDNS_TOKEN=
 PIHOLE_PASSWORD=
 AUTHELIA_JWT_SECRET=
 AUTHELIA_SESSION_SECRET=
 AUTHELIA_STORAGE_ENCRYPTION_KEY=
 AUTHELIA_ADMIN_PASSWORD_HASH=
--- a/docker-compose/core/README.md
+++ b/docker-compose/core/README.md
@@ -0,0 +1,110 @@
 # Core Infrastructure Services
 This directory contains the core infrastructure services that form the foundation of the homelab. These services should be deployed **on the core server only** and are critical for the operation of all other services across all servers.
 ## Services
 ### DuckDNS
 - **Purpose**: Dynamic DNS service for domain resolution and wildcard SSL certificates
 - **Subdomain**: Configurable via environment variables
 - **Token**: Configured in environment variables
 - **SSL Certificates**: Generates wildcard cert used by all services on all servers
 - **Deploy**: Core server only
 ### Traefik (v3)
 - **Purpose**: Reverse proxy and SSL termination with multi-server routing
 - **Ports**: 80 (HTTP), 443 (HTTPS), 8080 (Dashboard)
 - **Configuration**: Located in `traefik/config/traefik.yml`
 - **Multi-Server**: Discovers services on all servers via Docker providers
 - **SSL**: Let's Encrypt with DNS-01 challenge (wildcard certificate)
 - **Dashboard**: Available at configured domain
 - **Deploy**: Core server only
 ### Authelia (v4.37.5)
 - **Purpose**: Single sign-on authentication service for all services across all servers
 - **Port**: 9091 (internal)
 - **Access**: Configured authentication domain
 - **Configuration**: Located in `authelia/config/`
 - **Database**: SQLite database in `authelia/config/db.sqlite3`
 - **Deploy**: Core server only
 ## Multi-Server Architecture
 The core stack on the main server provides centralized services for the entire homelab:
 **Core Server:**
 - Receives all external traffic (ports 80/443 forwarded from router)
 - Runs DuckDNS for domain management and SSL certificates
 - Runs Authelia for centralized authentication
 - Runs Sablier for lazyloading local containers
 - Traefik lables route servies on the core server
 - Traekif external-host-servername.yml defines routes for Remote Servers
 **Remote Server:**
 - Each container exposes ports
  - No port forwarding from router needed
 - No Traefik lables
  - Traefik configured by an external-host yaml file on Core Server
 - Runs Sablier for lazyloading local containers
 **Service Access:**
 - All services accessible via: `https://service.yourdomain.duckdns.org`
 - Core Traefik routes to appropriate server (local or remote)
 - Single wildcard SSL certificate used for all services
 - Authelia provides SSO for all protected services
 ## ⚠️ Version Pinning & Breaking Changes
 ### Authelia Version Pinning
 **Current Version**: `authelia/authelia:4.37.5`
 **Breaking Changes Identified**:
 - Authelia v4.39.15+ has breaking configuration changes that are incompatible with the current setup
 - Database schema changes may require migration or recreation
 - Configuration file format changes may break existing setups
 **Action Taken**:
 - Pinned to v4.37.5 which is confirmed working
 - Database recreated from scratch to ensure compatibility
 - Configuration files verified and working
 **Upgrade Path**:
 - Test upgrades in a separate environment first
 - Backup configuration and database before upgrading
 - Check Authelia changelog for breaking changes
 - Consider using Authelia's migration tools if available
 ### Traefik Version Pinning
 **Current Version**: `traefik:v3`
 **Notes**:
 - Traefik v3 is stable and working with current configuration
 - Configuration format is compatible
 - No breaking changes identified in current setup
 ## Configuration Requirements
 ### File Structure
 ```
 core/
 ├── docker-compose.yml          # Main service definitions
 ├── .env                        # Environment variables
 ├── authelia/
 │   ├── config/
 │   |   ├── configuration.yml   # Authelia main config
 │   |   └── notification.txt
 |   └── secrets/
 |       └── users_database.yml  # User credentials
 ├── duckdns/
 │   └── config/                 # DuckDNS configuration
 ├── traefik/
 │   ├── config/
 │   │   └── traefik.yml         # Traefik static config
 │   ├── dynamic/                # Dynamic configurations
 │   │   ├── routes.yml
 │   │   ├── sablier.yml
 │   │   └── external-host-*.yml # Remote server routing
 │   └── letsencrypt/
 │       └── acme.json           # SSL certificates
 ```
--- a/docker-compose/core/authelia/config/configuration.yml
+++ b/docker-compose/core/authelia/config/configuration.yml
@@ -22,7 +22,7 @@ totp:
 authentication_backend:
  file:
-    path: /config/users_database.yml
+    path: /secrets/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
@@ -64,11 +64,6 @@ session:
  inactivity: 24h      # Session expires after 24 hours of inactivity
  remember_me_duration: 1M
  domain: ${DOMAIN}
  cookies:
    - name: authelia_session
      domain: ${DOMAIN}
      secure: true
      same_site: lax
 regulation:
  max_retries: 3
--- a/docker-compose/core/authelia/config/notification.txt
+++ b/docker-compose/core/authelia/config/notification.txt
--- a/docker-compose/core/authelia/configuration.yml
+++ b/docker-compose/core/authelia/configuration.yml
@@ -1,87 +0,0 @@
 # Authelia Configuration
 # Copy to /opt/stacks/authelia/configuration.yml
 # IMPORTANT: Replace '${DOMAIN}' with your actual DuckDNS domain
 server:
  host: 0.0.0.0
  port: 9091
 log:
  level: info
 theme: dark
 jwt_secret: ${AUTHELIA_JWT_SECRET}
 default_redirection_url: https://auth.${DOMAIN}
 totp:
  issuer: ${DOMAIN}
  period: 30
  skew: 1
 authentication_backend:
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      key_length: 32
      salt_length: 16
      memory: 1024
      parallelism: 8
 access_control:
  default_policy: deny
  rules:
    # Bypass Authelia for Jellyfin (allow app access)
    - domain: jellyfin.${DOMAIN}
      policy: bypass
    # Bypass for Plex (allow app access)
    - domain: plex.${DOMAIN}
      policy: bypass
    # Bypass for Home Assistant (has its own auth)
    - domain: ha.${DOMAIN}
      policy: bypass
    # Bypass for development services (they have their own auth or setup)
    - domain: pgadmin.${DOMAIN}
      policy: bypass
    - domain: gitlab.${DOMAIN}
      policy: bypass
    # Protected: All other services require authentication
    - domain: "*.${DOMAIN}"
      policy: one_factor
    # Two-factor for admin services (optional)
    # - domain:
    #     - "admin.${DOMAIN}"
    #     - "portainer.${DOMAIN}"
    #   policy: two_factor
 session:
  name: authelia_session
  secret: ${AUTHELIA_SESSION_SECRET}
  expiration: 24h      # Session expires after 24 hours
  inactivity: 24h      # Session expires after 24 hours of inactivity
  remember_me_duration: 1M
  domain: ${DOMAIN}
 regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m
 storage:
  encryption_key: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
  local:
    path: /data/db.sqlite3
 notifier:
  # File-based notifications (for development/testing)
  filesystem:
    filename: /data/notification.txt
--- a/docker-compose/core/authelia/secrets/users_database.yml
+++ b/docker-compose/core/authelia/secrets/users_database.yml
@@ -3,10 +3,10 @@
 ###############################################################
 users:
-  kelin:
+  ${AUTHELIA_ADMIN_USER}:
-    displayname: "Admin User"
+    displayname: "${AUTHELIA_ADMIN_USER}"
-    password: "$argon2id$v=19$m=65536,t=3,p=4$a+3pIrywP/li9wy9J6UkMA$+3THyJiAnS/gNYnLaYtlsRCaYfgnnxsUyGZ4D3xGnUg"
+    password: "${AUTHELIA_ADMIN_PASSWORD_HASH}"
-    email: ${DEFAULT_EMAIL}
+    email: ${AUTHELIA_ADMIN_EMAIL}
    groups:
      - admins
      - users
--- a/docker-compose/core/backup.sh
+++ b/docker-compose/core/backup.sh
@@ -0,0 +1,48 @@
 #!/bin/bash
 # Core Services Backup Script
 # Run this script to backup critical configuration files and database
 BACKUP_DIR="/opt/stacks/core/backups"
 TIMESTAMP=$(date +%Y%m%d_%H%M%S)
 BACKUP_NAME="core_backup_${TIMESTAMP}"
 echo "Creating backup: ${BACKUP_NAME}"
 # Create backup directory
 mkdir -p "${BACKUP_DIR}/${BACKUP_NAME}"
 # Backup Authelia configuration and database
 echo "Backing up Authelia..."
 cp -r /opt/stacks/core/authelia/config "${BACKUP_DIR}/${BACKUP_NAME}/"
 # Backup Traefik configuration (excluding certificates for security)
 echo "Backing up Traefik configuration..."
 mkdir -p "${BACKUP_DIR}/${BACKUP_NAME}/traefik"
 cp -r /opt/stacks/core/traefik/config "${BACKUP_DIR}/${BACKUP_NAME}/traefik/"
 cp -r /opt/stacks/core/traefik/dynamic "${BACKUP_DIR}/${BACKUP_NAME}/traefik/"
 # Note: letsencrypt/acme.json contains private keys - backup separately if needed
 # Backup docker-compose.yml
 echo "Backing up docker-compose.yml..."
 cp /opt/stacks/core/docker-compose.yml "${BACKUP_DIR}/${BACKUP_NAME}/"
 # Backup environment file (contains sensitive data - handle carefully)
 echo "Backing up .env file..."
 cp /opt/stacks/core/.env "${BACKUP_DIR}/${BACKUP_NAME}/"
 # Create archive
 echo "Creating compressed archive..."
 cd "${BACKUP_DIR}"
 tar -czf "${BACKUP_NAME}.tar.gz" "${BACKUP_NAME}"
 # Cleanup uncompressed backup
 rm -rf "${BACKUP_NAME}"
 echo "Backup completed: ${BACKUP_DIR}/${BACKUP_NAME}.tar.gz"
 echo "Backup size: $(du -h "${BACKUP_DIR}/${BACKUP_NAME}.tar.gz" | cut -f1)"
 # Keep only last 10 backups
 echo "Cleaning up old backups..."
 ls -t "${BACKUP_DIR}"/*.tar.gz | tail -n +11 | xargs -r rm -f
 echo "Backup script completed successfully"
--- a/docker-compose/core/deploy-core.sh
+++ b/docker-compose/core/deploy-core.sh
@@ -0,0 +1,58 @@
 #!/bin/bash
 # Deploy core stack script
 # Run from /opt/stacks/core/
 set -e
 # Source common functions
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_DIR="$HOME/EZ-Homelab"  
 source "$REPO_DIR/scripts/common.sh"
 log_info "Deploying core stack..."
 # Load environment
 load_env_file_safely "$REPO_DIR/.env"
 # Copy fresh templates
 # cp "$REPO_DIR/docker-compose/core/authelia/secrets/users_database.yml" "./authelia/secrets/users_database.yml"
 # Localize labels in compose file (only replaces variables in labels, not environment sections)
 localize_compose_labels docker-compose.yml
 # Localize config files - Process all YAML config files (excluding docker-compose.yml)
 # This performs FULL variable replacement on config files like:
 # - authelia/config/configuration.yml
 # - authelia/config/users_database.yml <- HANDLED SPECIALLY to preserve password hashes
 # - traefik/dynamic/*.yml
 #
 # Why exclude docker-compose.yml?
 # - It was already processed above with localize_compose_labels (labels-only replacement)
 # - Config files need full replacement (including nested variables) while compose labels
 #   should only have selective replacement to avoid Docker interpreting $ characters
 #
 # The localize_config_file function uses envsubst with recursive expansion to handle
 # nested variables like ${AUTHELIA_ADMIN_PASSWORD_HASH} or ${SERVICE_NAME}.${DOMAIN}
 # The localize_users_database_file function handles password hashes specially to avoid corruption
 for config_file in $(find . -name "*.yml" -o -name "*.yaml" | grep -v docker-compose.yml); do
    # Only process files that contain variables (have ${ in them)
    if grep -q '\${' "$config_file"; then
        if [[ "$config_file" == *"users_database.yml" ]]; then
            localize_users_database_file "$config_file"
        else
            localize_config_file "$config_file"
        fi
    fi
 done
 # Deploy
 run_cmd docker compose up -d
 # Validate
 if docker ps | grep -q traefik && docker ps | grep -q authelia; then
    log_success "Core stack deployed successfully"
    exit 0
 else
    log_error "Core stack deployment failed"
    exit 1
 fi
--- a/docker-compose/core/docker-compose.yml
+++ b/docker-compose/core/docker-compose.yml
@@ -1,7 +1,4 @@
 # Core Infrastructure Services
 # These services form the foundation of the homelab and should always be running
 # Place in /opt/stacks/core/docker-compose.yml
 # RESTART POLICY GUIDE:
 # - unless-stopped: Core infrastructure services that should always run
 # - no: Services with Sablier lazy loading (start on-demand)
@@ -30,7 +27,7 @@ services:
    image: traefik:v3
    container_name: traefik
    restart: unless-stopped
-    command: ["--configFile=/config/traefik.yml"]
+    command: ['--configFile=/config/traefik.yml']
    environment:
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    ports:
@@ -48,17 +45,14 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=core"
+      - 'homelab.category=core'
-      - "homelab.description=Reverse proxy and SSL termination"
+      - 'homelab.description=Reverse proxy and SSL termination'
-      # Traefik reverse proxy (comment/uncomment to disable/enable)
+      - 'traefik.enable=true'
-      # If Traefik is on a remote server: these labels are NOT USED; 
+      - 'traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)'
-      #   configure external yml files in /traefik/dynamic folder instead.
+      - 'traefik.http.routers.traefik.entrypoints=websecure'
-      - "traefik.enable=true"
+      - 'traefik.http.routers.traefik.tls.certresolver=letsencrypt'
-      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
+      - 'traefik.http.routers.traefik.middlewares=authelia@docker'
-      - "traefik.http.routers.traefik.entrypoints=websecure"
+      - 'traefik.http.services.traefik.loadbalancer.server.port=8080'
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.middlewares=authelia@docker"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
  authelia:
    # Single sign-on authentication service - must always run for user authentication
@@ -68,7 +62,7 @@ services:
    environment:
      - TZ=${TZ}
    ports:
-      - "9091:9091"
+      - '9091:9091'
    volumes:
      - ./authelia/config:/config
      - ./authelia/secrets:/secrets
@@ -80,52 +74,70 @@ services:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=core"
+      - 'homelab.category=core'
-      - "homelab.description=Single sign-on authentication"
+      - 'homelab.description=Single sign-on authentication'
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # If Traefik is on a remote server: these labels are NOT USED; 
      #   configure external yml files in /traefik/dynamic folder instead.
-      - "traefik.enable=true"
+      - 'traefik.enable=true'
-      - "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)"
+      - 'traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)'
-      - "traefik.http.routers.authelia.entrypoints=websecure"
+      - 'traefik.http.routers.authelia.entrypoints=websecure'
-      - "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
+      - 'traefik.http.routers.authelia.tls.certresolver=letsencrypt'
-      - "traefik.http.routers.authelia.service=authelia"
+      - 'traefik.http.routers.authelia.service=authelia'
-      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
+      - 'traefik.http.services.authelia.loadbalancer.server.port=9091'
      # Authelia forward auth middleware configuration
-      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/"
+      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/'
-      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=X-Secret"
+      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=X-Secret'
-      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
+      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
-  # Sablier - Lazy loading service for Docker containers
+  pihole:
-  # Controls startup/shutdown of lazy-loaded services, must always run
+    image: pihole/pihole:2024.01.0
-  # REQUIREMENTS FOR DOCKER API ACCESS:
+    deploy:
-  # 1. Docker daemon must be configured to listen on TCP port 2376 with TLS
+      resources:
-  # 2. DOCKER_HOST environment variable must point to accessible Docker API endpoint
+        limits:
-  # 3. Firewall must allow TCP connections to Docker API port (2376)
+          cpus: '0.25'
-  # 4. TLS certificates must be mounted and environment variables set
+          memory: 128M
-  # 5. Ensure dockerproxy service is running and accessible
+          pids: 256
-  sablier-service:
+        reservations:
-    image: sablierapp/sablier:latest
+          cpus: '0.10'
-    container_name: sablier-service
+          memory: 64M
    container_name: pihole
    restart: unless-stopped
    networks:
      - traefik-network
    environment:
      - SABLIER_PROVIDER=docker
      - SABLIER_DOCKER_API_VERSION=1.51
      - SABLIER_DOCKER_NETWORK=traefik-network
      - SABLIER_LOG_LEVEL=debug
      - DOCKER_HOST=tcp://${SERVER_IP}:2376
      - DOCKER_TLS_VERIFY=1
      - DOCKER_CERT_PATH=/certs
    volumes:
      - ./sablier-certs:/certs:ro
    ports:
-      - 10000:10000
+      - '53:53/tcp'    # DNS TCP
      - '53:53/udp'    # DNS UDP
    volumes:
      - ./pihole/etc-pihole:/etc/pihole
      - ./pihole/etc-dnsmasq.d:/etc/dnsmasq.d
    environment:
      - TZ=${TZ}
      - WEBPASSWORD=${PIHOLE_PASSWORD}
      - FTLCONF_LOCAL_IPV4=${SERVER_IP}
    dns:
      - 127.0.0.1
      - 1.1.1.1
    cap_add:
      - NET_ADMIN
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=core"
+      - 'homelab.category=infrastructure'
-      - "homelab.description=Lazy loading service for Docker containers"
+      - 'homelab.description=Network-wide ad blocking and DNS'
      # Traefik reverse proxy (comment/uncomment to disable/enable)
      # IMPORTANT: On REMOTE SERVERS (where Traefik runs elsewhere):
      #   - COMMENT OUT all traefik.* labels below (don't delete them)
      #   - Routes are configured via external YAML files on the core server
      #   - This prevents conflicts between Docker labels and file provider
      - 'traefik.enable=true'
      - 'traefik.docker.network=traefik-network'
      - 'traefik.http.routers.pihole.rule=Host(`pihole.${DOMAIN}`)'
      - 'traefik.http.routers.pihole.entrypoints=websecure'
      - 'traefik.http.routers.pihole.tls.certresolver=letsencrypt'
      - 'traefik.http.routers.pihole.middlewares=authelia@docker'
      - 'traefik.http.services.pihole.loadbalancer.server.port=80'
 networks:
  traefik-network:
@@ -134,6 +146,8 @@ networks:
 x-dockge:
  urls:
    - https://auth.${DOMAIN}
-    - https://${SERVER_IP}:9091
+    - http://${SERVER_IP}:9091
    - https://traefik.${DOMAIN}
-    - https://${SERVER_IP}:8080
+    - http://${SERVER_IP}:8080
    - https://pihole.${DOMAIN}
    - http://${SERVER_IP}:53
--- a/docker-compose/core/duckdns/config/logrotate.conf
+++ b/docker-compose/core/duckdns/config/logrotate.conf
--- a/docker-compose/core/traefik/acme.json
+++ b/docker-compose/core/traefik/acme.json
@@ -1,16 +0,0 @@
 {
  "letsencrypt": {
    "Account": {
      "Email": "kelinfoxy@gmail.com",
      "Registration": {
        "body": {
          "status": "valid"
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/2959423246"
      },
      "PrivateKey": "MIIJJwIBAAKCAgEAtmlI6xzuaJKm8y8lU2CkLsVEB5QEZx777DDUMH7I3kt2zpIBjWFOxp3u+IppzDqC8ih8+2tzkAzIjF34kb45tgKah+gwTPUg20IoqTyg5/YaN/Otnda7Ioo9CS24k6lZ21DDrReT616BIa45dvtxYld8SES0Qx9x+jDTL8os0y2taMn3bX/0OMIE8jerrkzTYpLZ5PLMxKZFvoDClkfs4wAX4VpLh9oN1H45BqzhFZqsuZ2RZSvt/H91QFJWz38FDS0sRNEX83revbNdXEtJIQs+r45nHXiX6ivvfwtCXeGx2+hluCg/QpESCpCYj/JReQ1r2CCbTsfcpqrtIS1/eoLdal+AhrxGM5OlU6yeyclLHNfcZDIJkM54tr+0bPkweMwdqjoXkXWtEyFYE0Ol1CYQek8wHZLof8YYHwoo/zrLAu05igzSOxcaGRO3Inu1cW3TEvQM7nn2KfnWWPdY+u/Is0H2MqodokbzC9xpmPZlEzrnfGkngtcDtTOSNALUbANbFv4Zu9qBj8VtHUz2AYzkMUF5BKyFf4TSRrELEvXz3dMWpWY1Esjft4XaaeYXUnMCemrzuYPjC+gWyHvfNHXzui0bs5fY914cc4Q318x6JX+R/gKCxUfscuiwDRR9ufIilQCHPDw/hIJtZ9dAHeF66JREwdUQBH2tyBP+hvMCAwEAAQKCAgARbNBS6WIa6jt5ipzpsJcugpijkq+y/CI7p1R1x36/wXy5cfgk/dEtJwQfiPVfVY2RvW1nBRY2ggocYpOutHnF2czSQ8ttZpM7br/8nraOQhOyGZyRseQRghwfhtcVf/199mKi49g1CUOTqJWDuLRVnR7Ztnpz2QqlyEk8TPdoOvpQQs7YjnsRevNHAitrzJn61iVregg2lt2du6Ya/gbyjl05oUsK0Lk2fdJLwXMFAdATMSqk/APRdYmJWfRCARPF9PVAI6tCjo+9lmdKPEThm7XixlsyVQVKEOVhgP1Xg4peg/5Hj8yvOrV6/eIdChxfUHlnXYIIjg4Ve8mIPFTrgS4fv1wwIe0+RcLiimkC0+jTPaAqnMY1xEDU8sisVvB7vU9UevnXIR6XHGkGwsxD1Ga48PW5LvtWHG1YfjfxPEU0cHESsGejgCMPl1WT6UPeOYNmKx1I1gQiOQKixJt4fHXghAPmLBZTPZFrmhyFVSRb/wpVY+J4t61s3fzinqjox8P9xDx6I9bLl/2SI5rQ55a2MrGtRK/0l1zQxTE1U+3qVDD8BV0mbkDrPTtUAvoyHSzAAiwQIIdksSNZzTK7fdDSc/T84WbvSd3dcC6n272g5vfAhOycLEetzdigMc9ht8cCjr16UyHL4Br2adWneAwOxBffTVfVKnuAxshDJQKCAQEAx1idLIRlEGBXSC9x8fwIdsbUtH6y5ajE/ahmQ6L2fV+6A8uvlx/0uhMUkyLIjg30zh0Cnb05Cirzqao7EXSYmMUT6HgctPqNGgk0EvsXLa5NffbhOnPWQNPUKbmEZBf1HdG4K3wOv1/ISQ3fitIVsPrD88/OD3TOafXJLCzeRe8rxnoQlKoztszOwJmE28TMBZTYkvRGQZM6FiqvXzJoJFPeudp+8j0yE78fQPbl1uXNq/p9U5xkYid5PIjturrznoL1fy5KLgxHWrSAJd6JqVvajnch8DdEmsGI9MSLDyRszWHhXp7BeG5tl/+aHHdNxkA4y/38lukCETfORIH3jwKCAQEA6kCTzxHTHVXfxTU4YtcLoAUai94U3wBKf5l9yZfY19P9ITcPijw+daXiYaGLaBUtubMXM+KkjSKq7qx1HNB5hBfbHnSLzt0aAxhOlqfVdRaOi6Fn0tmvOPOLuORjlSVLa4Rng/eRE6yFSjEZ79DTAKYREND2Xxnzfqb573wLro/aFY0IcnZyjm9dO33SF3qBoZPuCoI1yPd+cTGYA7lyKIeNqWemXgCtg/tsxmjADgo9JCVxfc/TtQB8dwHN5GN2pw2jA7MGkCSI43F3QvKlXNEF1OI0jZOxOAphpAAyfWxLUUDsUWmCaDcc7keCFsl+41RqOFVaPewF/SCaybLoXQKCAQAFyp1GXdJR13qxri8xSJE2YjBrzgKEiZKvi+Tssh9XJSDSW2iOi28guM0wOSJ6fg1Or6kTzBuMIBNUKo3sw+ZrCc66QkMTPvQ6fWn14zWZLicyMan5eMQQvha735fpEIkehKlFGiWTicTX2n9UGSZoLeDjhHYIHOyiR3HAxszuWzR6X7F7oDZAaVLYZZ1mhSEoSFrCajZgUVauri7KJTzBUW53F9H4V67MxBC0Ynfq9mIzTOO3OiPwdhUfnRrLAgNx53waZc3h6JlqGTRf5Uc6lGCVIwDpabGkjVrdQZiIqBZBIUba6OHWDd9BOzvO9+haiiMcShS8jahxt51WgDAhAoIBAD+Iuk4sSHUpaGLFd4CfUMDbAYMz/bcqDgqjp9E4hRCsp3gNxgI5Kruf/VF7jiLxs5AtObrR2s2IvJG1ZqIlDQA9tCmDdLPrlfWG7zG/XY6/SnQml9FBR1wL+jZwg23dSqJjq+vIBqouXYxs2tsHaWNAp1pHQrsyf683PIyuuUBkNcMomETrSVDGdaQAES5bBLO9Oo/RFyNltP6gc9l2v7asZUiwGxhd2LH2TF9X49crAcA/A5Qa/RGXiyp/68bpDzJp6W/Ea6BGuHXvvWgEBcOx0YIWxCguCZ/oeOkRQKBx8c+c6zt9gWggopEiBe+GQQsJRzH2PF6VGF66LCFOi+UCggEAFEoujlC54OZHcHnJYT9Jb7JU9K/3F7007g23YPrN4ATE+UPT/6Uiod4BCQ5tTauu6EjofHUjImk1NT9dmc+zCnFexsgfJXLbU83qfRunoDATlueWCRCTzeWMkAEwjReabNQrK7xT0Rk4rGKsH0p0SDmUSP5jnt+uctNSMfLZ/SykihuydGrtQOY/lh87Y4/MX4pY5L03ogleDPAXxWpd+ea+0l8fUz3EX+VtWlTVzSuDFPL5zEFxpZrZeDflR+vxhzCw/Taiyz5/K6kUzaRQxwJq6Wvqv9lgngtfHavauWHFtL2pNs6WySk93M0JVmVpTzItf+bObJTvXuZVt+HbPw==",
      "KeyType": "4096"
    },
    "Certificates": null
  }
 }
--- a/docker-compose/core/traefik/dynamic/external-host-homeassistant.yml
+++ b/docker-compose/core/traefik/dynamic/external-host-homeassistant.yml
@@ -2,7 +2,7 @@ http:
  routers:
    # Individual Services
    homeassistant:
-      rule: "Host(`hass.${DOMAIN}`)"
+      rule: "Host(`hass.yourdomain.duckdns.org`)"
      entryPoints:
        - websecure
      service: homeassistant
@@ -15,5 +15,5 @@ http:
    homeassistant:
      loadBalancer:
        servers:
-          - url: "http://${HOMEASSISTANT_IP}:8123"
+          - url: "http://:8123"
        passHostHeader: true
--- a/docker-compose/core/traefik/dynamic/local-host-production.yml
+++ b/docker-compose/core/traefik/dynamic/local-host-production.yml
@@ -0,0 +1,399 @@
 http:
  routers:
 # Remote Server Services (your-remote-server)
    dockge-your-remote-server:
      rule: "Host(`dockge.your-remote-server.yourdomain.duckdns.org`)"
      entryPoints:
        - websecure
      service: dockge-your-remote-server
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
    dozzle-your-remote-server:
      rule: "Host(`dozzle.your-remote-server.yourdomain.duckdns.org`)"
      entryPoints:
        - websecure
      service: dozzle-your-remote-server
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
    glances-your-remote-server:
      rule: "Host(`glances.your-remote-server.yourdomain.duckdns.org`)"
      entryPoints:
        - websecure
      service: glances-your-remote-server
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
    backrest-your-remote-server:
      rule: "Host(`backrest.your-remote-server.yourdomain.duckdns.org`)"
      entryPoints:
        - websecure
      service: backrest-your-remote-server
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
    duplicati-your-remote-server:
      rule: "Host(`duplicati.your-remote-server.yourdomain.duckdns.org`)"
      entryPoints:
        - websecure
      service: duplicati-your-remote-server
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
    homepage-your-remote-server:
      rule: "Host(`homepage.your-remote-server.yourdomain.duckdns.org`)"
      entryPoints:
        - websecure
      service: homepage-your-remote-server
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
    homarr-your-remote-server:
      rule: "Host(`homarr.your-remote-server.yourdomain.duckdns.org`)"
      entryPoints:
        - websecure
      service: homarr-your-remote-server
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
    grafana-your-remote-server:
      rule: "Host(`grafana.your-remote-server.yourdomain.duckdns.org`)"
      entryPoints:
        - websecure
      service: grafana-your-remote-server
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
    prometheus-your-remote-server:
      rule: "Host(`prometheus.your-remote-server.yourdomain.duckdns.org`)"
      entryPoints:
        - websecure
      service: prometheus-your-remote-server
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
    uptime-kuma-your-remote-server:
      rule: "Host(`status.your-remote-server.yourdomain.duckdns.org`)"
      entryPoints:
        - websecure
      service: uptime-kuma-your-remote-server
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
 # Service Definitions
  services:
    backrest-jasper:
      loadBalancer:
        servers:
          - url: "http://192.168.4.4:9898"
        passHostHeader: true
    vaultwarden-jasper:
      loadBalancer:
        servers:
          - url: "http://192.168.4.4:8091"
        passHostHeader: true
    bookstack-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:6875"
        passHostHeader: true
    calibre-web-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8083"
        passHostHeader: true
    code-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8079"
        passHostHeader: true
    dockge-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:5001"
        passHostHeader: true
    dockhand-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:3003"
        passHostHeader: true
    dokuwiki-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8087"
        passHostHeader: true
    dozzle-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8085"
        passHostHeader: true
    duplicati-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8200"
        passHostHeader: true
    ez-assistant-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:18789"  # Internal IP of jasper server
        passHostHeader: true
    formio-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:3002"
        passHostHeader: true
    gitea-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:3010"
        passHostHeader: true
    glances-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:61208"
        passHostHeader: true
    homarr-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:7575"
        passHostHeader: true
    homepage-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:3000"
        passHostHeader: true
    jellyfin-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8096"
        passHostHeader: true
    jupyter-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8890"
        passHostHeader: true
    kopia-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:51515"
        passHostHeader: true
    mealie-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:9000"
        passHostHeader: true
    mediawiki-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8086"
        passHostHeader: true
    motioneye-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8081"
        passHostHeader: true
    nextcloud-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8089"
        passHostHeader: true
    openkm-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:18080"
        passHostHeader: true
    openwebui-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:3000"
        passHostHeader: true
    qbittorrent-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8081"
        passHostHeader: true
    tdarr-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8265"
        passHostHeader: true
    unmanic-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8889"
        passHostHeader: true
    wordpress-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8088"
        passHostHeader: true
    # Arr Services
    jellyseerr-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:5055"
        passHostHeader: true
    prowlarr-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:9696"
        passHostHeader: true
    radarr-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:7878"
        passHostHeader: true
    sonarr-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8989"
        passHostHeader: true
    lidarr-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8686"
        passHostHeader: true
    readarr-jasper:
      loadbalancer:
        servers:
          - url: "http://192.168.4.4:8787"
        passHostHeader: true
    mylar3-jasper:
      loadBalancer:
        servers:
          - url: "http://192.168.4.4:8090"
        passHostHeader: true
 # Remote Server Service Definitions (your-remote-server)
    dockge-your-remote-server:
      loadbalancer:
        servers:
          - url: "http://your.remote.ip.address:5001"
        passHostHeader: true
    dozzle-your-remote-server:
      loadbalancer:
        servers:
          - url: "http://your.remote.ip.address:8085"
        passHostHeader: true
    glances-your-remote-server:
      loadbalancer:
        servers:
          - url: "http://your.remote.ip.address:61208"
        passHostHeader: true
    backrest-your-remote-server:
      loadbalancer:
        servers:
          - url: "http://your.remote.ip.address:9898"
        passHostHeader: true
    duplicati-your-remote-server:
      loadbalancer:
        servers:
          - url: "http://your.remote.ip.address:8200"
        passHostHeader: true
    homepage-your-remote-server:
      loadbalancer:
        servers:
          - url: "http://your.remote.ip.address:3000"
        passHostHeader: true
    homarr-your-remote-server:
      loadbalancer:
        servers:
          - url: "http://your.remote.ip.address:7575"
        passHostHeader: true
    grafana-your-remote-server:
      loadbalancer:
        servers:
          - url: "http://your.remote.ip.address:3000"
        passHostHeader: true
    prometheus-your-remote-server:
      loadbalancer:
        servers:
          - url: "http://your.remote.ip.address:9090"
        passHostHeader: true
    uptime-kuma-your-remote-server:
      loadbalancer:
        servers:
          - url: "http://your.remote.ip.address:3001"
        passHostHeader: true
 # Middleware Definitions
  middlewares:
    ez-assistant-websocket:
      headers:
        accessControlAllowHeaders:
          - "Connection"
          - "Upgrade"
        accessControlAllowMethods:
          - "GET"
          - "POST"
          - "OPTIONS"
        accessControlMaxAge: 86400
--- a/docker-compose/core/traefik/dynamic/routes.yml
+++ b/docker-compose/core/traefik/dynamic/routes.yml
--- a/docker-compose/core/traefik/dynamic/sablier.yml
+++ b/docker-compose/core/traefik/dynamic/sablier.yml
@@ -3,16 +3,16 @@ http:
  middlewares:
    authelia:
      forwardauth:
-        address: http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/
+        address: http://authelia:9091/api/verify?rd=https://auth.yourdomain.duckdns.org/
        authResponseHeaders:
          - X-Secret
        trustForwardHeader: true
-    sablier-${SERVER_HOSTNAME}-arr:
+    sablier-jasper-arr:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-arr
+          group: jasper-arr
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -20,11 +20,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-backrest:
+    sablier-jasper-backrest:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-backrest
+          group: jasper-backrest
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -32,11 +32,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-vaultwarden:
+    sablier-jasper-vaultwarden:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-vaultwarden
+          group: jasper-vaultwarden
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -44,11 +44,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-bookstack:
+    sablier-jasper-bookstack:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-bookstack
+          group: jasper-bookstack
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -56,11 +56,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-calibre-web:
+    sablier-jasper-calibre-web:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-calibre-web
+          group: jasper-calibre-web
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -68,11 +68,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-code-server:
+    sablier-jasper-code-server:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-code-server
+          group: jasper-code-server
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -80,11 +80,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-dozzle:
+    sablier-jasper-dozzle:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-dozzle
+          group: jasper-dozzle
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -92,11 +92,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-dokuwiki:
+    sablier-jasper-dokuwiki:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-dokuwiki
+          group: jasper-dokuwiki
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -104,11 +104,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-duplicati:
+    sablier-jasper-duplicati:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-duplicati
+          group: jasper-duplicati
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -116,11 +116,23 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-formio:
+    sablier-jasper-assistant:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-formio
+          group: jasper-assistant
          sessionDuration: 30m
          ignoreUserAgent: curl
          dynamic:
            displayName: EZ-Assistant
            theme: ghost
            show-details-by-default: true
    sablier-jasper-formio:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
          group: jasper-formio
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -128,11 +140,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-gitea:
+    sablier-jasper-gitea:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-gitea
+          group: jasper-gitea
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -140,11 +152,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-glances:
+    sablier-jasper-glances:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-glances
+          group: jasper-glances
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -152,11 +164,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-homarr:
+    sablier-jasper-homarr:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-homarr
+          group: jasper-homarr
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -164,11 +176,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-jellyfin:
+    sablier-jasper-jellyfin:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-jellyfin
+          group: jasper-jellyfin
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -176,11 +188,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-jupyter:
+    sablier-jasper-jupyter:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-jupyter
+          group: jasper-jupyter
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -188,11 +200,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-komodo:
+    sablier-jasper-komodo:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-komodo
+          group: jasper-komodo
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -200,11 +212,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-kopia:
+    sablier-jasper-kopia:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-kopia
+          group: jasper-kopia
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -212,11 +224,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-mealie:
+    sablier-jasper-mealie:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-mealie
+          group: jasper-mealie
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -224,23 +236,23 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-mediawiki:
+    sablier-jasper-mediawiki:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-mediawiki
+          group: jasper-mediawiki
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
-            displayName: MediaWiki
+            displayName: mediawiki
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-nextcloud:
+    sablier-jasper-nextcloud:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-nextcloud
+          group: jasper-nextcloud
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -248,11 +260,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-openkm:
+    sablier-jasper-openkm:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-openkm
+          group: jasper-openkm
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -260,11 +272,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-openwebui:
+    sablier-jasper-openwebui:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-openwebui
+          group: jasper-openwebui
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -272,11 +284,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-pulse:
+    sablier-jasper-pulse:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-pulse
+          group: jasper-pulse
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -284,11 +296,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-tdarr:
+    sablier-jasper-tdarr:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-tdarr
+          group: jasper-tdarr
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -296,11 +308,11 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-unmanic:
+    sablier-jasper-unmanic:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-unmanic
+          group: jasper-unmanic
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
@@ -308,14 +320,135 @@ http:
            theme: ghost
            show-details-by-default: true
-    sablier-${SERVER_HOSTNAME}-wordpress:
+    sablier-jasper-wordpress:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
-          group: ${SERVER_HOSTNAME}-wordpress
+          group: jasper-wordpress
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
            displayName: wordpress
            theme: ghost
            show-details-by-default: true
    # Remote Server (your-remote-server) Sablier Middlewares
    sablier-your-remote-server-dockge:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
          group: your-remote-server-dockge
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
            displayName: Dockge (your-remote-server)
            theme: ghost
            show-details-by-default: true
    sablier-your-remote-server-dozzle:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
          group: your-remote-server-dozzle
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
            displayName: Dozzle (your-remote-server)
            theme: ghost
            show-details-by-default: true
    sablier-your-remote-server-glances:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
          group: your-remote-server-glances
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
            displayName: Glances (your-remote-server)
            theme: ghost
            show-details-by-default: true
    sablier-your-remote-server-backrest:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
          group: your-remote-server-backrest
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
            displayName: Backrest (your-remote-server)
            theme: ghost
            show-details-by-default: true
    sablier-your-remote-server-duplicati:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
          group: your-remote-server-duplicati
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
            displayName: Duplicati (your-remote-server)
            theme: ghost
            show-details-by-default: true
    sablier-your-remote-server-homepage:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
          group: your-remote-server-homepage
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
            displayName: Homepage (your-remote-server)
            theme: ghost
            show-details-by-default: true
    sablier-your-remote-server-homarr:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
          group: your-remote-server-homarr
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
            displayName: Homarr (your-remote-server)
            theme: ghost
            show-details-by-default: true
    sablier-your-remote-server-grafana:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
          group: your-remote-server-grafana
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
            displayName: Grafana (your-remote-server)
            theme: ghost
            show-details-by-default: true
    sablier-your-remote-server-prometheus:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
          group: your-remote-server-prometheus
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
            displayName: Prometheus (your-remote-server)
            theme: ghost
            show-details-by-default: true
    sablier-your-remote-server-uptime-kuma:
      plugin:
        sablier:
          sablierUrl: http://sablier-service:10000
          group: your-remote-server-uptime-kuma
          sessionDuration: 5m
          ignoreUserAgent: curl
          dynamic:
            displayName: Uptime Kuma (your-remote-server)
            theme: ghost
            show-details-by-default: true
--- a/docker-compose/core/traefik/traefik.yml
+++ b/docker-compose/core/traefik/traefik.yml
@@ -27,9 +27,9 @@ entryPoints:
 certificatesResolvers:
  letsencrypt:
    acme:
-      email: kelinfoxy@gmail.com  # Will be replaced by deploy script
+      email: ${DEFAULT_EMAIL}  # Your email for Let's Encrypt notifications
-      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+      caServer: https://acme-v02.api.letsencrypt.org/directory  # Use staging for testing
-      storage: /acme.json
+      storage: /letsencrypt/acme.json
      # DNS challenge - For wildcard certificates (*.yourdomain.duckdns.org)
      # Works with DuckDNS - requires DUCKDNS_TOKEN in environment
      dnsChallenge:
--- a/docker-compose/dashboards/.env.example
+++ b/docker-compose/dashboards/.env.example
@@ -0,0 +1,11 @@
 # Dashboards Stack Environment Variables
 TZ=
 PUID=
 PGID=
 SERVER_IP=
 SERVER_HOSTNAME=
 DOMAIN=
 STACKS_DIR=
 HOMEPAGE_ALLOWED_HOSTS=
--- a/docker-compose/dashboards/deploy-dashboards.sh
+++ b/docker-compose/dashboards/deploy-dashboards.sh
@@ -0,0 +1,35 @@
 #!/bin/bash
 # Deploy dashboards stack script
 # Run from /opt/stacks/dashboards/
 set -e
 # Source common functions
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_DIR="/home/kelin/EZ-Homelab"  # Fixed repo path since script runs from /opt/stacks/dashboards
 source "$REPO_DIR/scripts/common.sh"
 log_info "Deploying dashboards stack..."
 # Load environment
 load_env_file_safely .env
 # Localize labels in compose file
 localize_compose_labels docker-compose.yml
 # Localize config files
 for config_file in $(find . -name "*.yml" -o -name "*.yaml" | grep -v docker-compose.yml); do
    localize_config_file "$config_file"
 done
 # Deploy
 run_cmd docker compose up -d
 # Validate
 if docker ps | grep -q homepage; then
    log_success "Dashboards stack deployed successfully"
    exit 0
 else
    log_error "Dashboards stack deployment failed"
    exit 1
 fi
--- a/docker-compose/dashboards/docker-compose.yml
+++ b/docker-compose/dashboards/docker-compose.yml
@@ -1,11 +1,9 @@
 # Dashboard Services
 # Homepage and Homarr for homelab dashboards
 # SABLIER SESSION DURATION: Set to 5m for testing. Increase to 30m for production in config-templates/traefik/dynamic/sablier.yml
-
+# RESTART POLICY GUIDE:
-# Service Access URLs:
+# - unless-stopped: Core infrastructure services that should always run
-# - Homepage: https://homepage.${DOMAIN}
+# - no: Services with Sablier lazy loading (start on-demand)
-# - Homarr: https://homarr.${DOMAIN}
+# - See individual service comments for specific reasoning
 services:
  # Homepage - Default Application Dashboard
@@ -26,41 +24,43 @@ services:
      - homelab-network
      - traefik-network
    ports:
-      - "3003:3000"
+      - '3003:3000'
    volumes:
      - ./homepage:/app/config
      - /var/run/docker.sock:/var/run/docker.sock # For Docker integration do not mount RO
-      - /opt/stacks:/opt/stacks # To discover other stacks
+      - ${STACKS_DIR}:${STACKS_DIR} # To discover other stacks
    environment:
-      - PUID=995  # Must be set to the docker user ID
+      - PUID=${PUID}  # Must be set to the docker user ID
-      - PGID=995  # Must be set to the docker group ID
+      - PGID=${PGID}  # Must be set to the docker group ID
      - TZ=${TZ}
-      - HOMEPAGE_ALLOWED_HOSTS=homepage.${DOMAIN}
+      - HOMEPAGE_ALLOWED_HOSTS=${HOMEPAGE_ALLOWED_HOSTS}
    labels:
      # TRAEFIK CONFIGURATION
      # ==========================================
      # Service metadata
-      - "homelab.category=dashboard"
+      - 'homelab.category=dashboard'
-      - "homelab.description=Application dashboard"
+      - 'homelab.description=Application dashboard'
      # Traefik reverse proxy (comment/uncomment to disable/enable)
-      # If Traefik is on a remote server: these labels are NOT USED; 
+      # IMPORTANT: On REMOTE SERVERS (where Traefik runs elsewhere):
-      #   configure external yml files in /traefik/dynamic folder instead.
+      #   - COMMENT OUT all traefik.* labels below (don't delete them)
-      - "traefik.enable=true"
+      #   - Routes are configured via external YAML files on the core server
-      - "traefik.http.routers.homepage.rule=Host(`homepage.${DOMAIN}`)"
+      #   - This prevents conflicts between Docker labels and file provider
-      - "traefik.http.routers.homepage.entrypoints=websecure"
+      - 'traefik.enable=true'
-      - "traefik.http.routers.homepage.tls=true"
+      - 'traefik.docker.network=traefik-network'
-      - "traefik.http.routers.homepage.middlewares=authelia@docker"
+      - 'traefik.http.routers.homepage.rule=Host(`homepage.${DOMAIN}`)'
-      - "traefik.http.services.homepage.loadbalancer.server.port=3003"
+      - 'traefik.http.routers.homepage.entrypoints=websecure'
      - 'traefik.http.routers.homepage.tls=true'
      - 'traefik.http.routers.homepage.middlewares=authelia@docker'
      - 'traefik.http.services.homepage.loadbalancer.server.port=3000'
      # Sablier lazy loading (disabled by default - uncomment to enable)
-      # - "sablier.enable=true"
+      # - 'sablier.enable=true'
-      # - "sablier.group=${SERVER_HOSTNAME}-homarr"
+      # - 'sablier.group=jasper-homarr'
-      # - "sablier.start-on-demand=true"
+      # - 'sablier.start-on-demand=true'
  # Homarr - Modern dashboard
  # Uses Sablier lazy loading - starts on-demand, stops after 5min inactivity
  homarr:
-    image: ghcr.io/ajnart/homarr:latest
+    image:  ghcr.io/homarr-labs/homarr:latest
    deploy:
      resources:
        limits:
@@ -76,7 +76,7 @@ services:
      - homelab-network
      - traefik-network
    ports:
-      - "7575:7575"
+      - '7575:7575'
    volumes:
      - ./homarr/config:/app/config/configs
      - ./homarr/data:/data
@@ -84,8 +84,9 @@ services:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - TZ=${TZ}
      - SECRET_ENCRYPTION_KEY=8830c9434b05ebfe3e31340c685fea63446ab3f635c4fad68370006949ed30df
    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:7575/"]
+      test: ['CMD', 'curl', '-f', 'http://localhost:7575/']
      interval: 30s
      timeout: 10s
      retries: 3
@@ -93,30 +94,30 @@ services:
    labels:
      # TRAEFIK CONFIGURATION
      # Service metadata
-      - "com.centurylinklabs.watchtower.enable=true"
+      - 'com.centurylinklabs.watchtower.enable=true'
-      - "homelab.category=dashboard"
+      - 'homelab.category=dashboard'
-      - "homelab.description=Modern homelab dashboard"
+      - 'homelab.description=Modern homelab dashboard'
-      - "traefik.enable=true"
+      - 'traefik.enable=true'
      # Router configuration
-      - "traefik.http.routers.homarr.rule=Host(`homarr.${DOMAIN}`)"
+      - 'traefik.http.routers.homarr.rule=Host(`homarr.${DOMAIN}`)'
-      - "traefik.http.routers.homarr.entrypoints=websecure"
+      - 'traefik.http.routers.homarr.entrypoints=websecure'
-      - "traefik.http.routers.homarr.tls=true"
+      - 'traefik.http.routers.homarr.tls=true'
-      - "traefik.http.routers.homarr.middlewares=authelia@docker"
+      - 'traefik.http.routers.homarr.middlewares=authelia@docker'
      # Service configuration
-      - "traefik.http.services.homarr.loadbalancer.server.port=7575"
+      - 'traefik.http.services.homarr.loadbalancer.server.port=7575'
      # Sablier configuration
-      - "sablier.enable=true"
+      - 'sablier.enable=true'
-      - "sablier.group=${SERVER_HOSTNAME}-homarr"
+      - 'sablier.group=jasper-homarr'
-      - "sablier.start-on-demand=true"
+      - 'sablier.start-on-demand=true'
 # DOCKGE URL CONFIGURATION
 x-dockge:
  urls:
    # Proxied URLs (through Traefik)
    - https://homepage.${DOMAIN}
-    - https://${SERVER_IP}:3003
+    - https://192.168.4.4:3003
    - https://homarr.${DOMAIN}
-    - https://${SERVER_IP}:7575
+    - https://192.168.4.4:7575
 networks:
  homelab-network:
--- a/docker-compose/dashboards/homepage/README.md
+++ b/docker-compose/dashboards/homepage/README.md
--- a/docker-compose/dashboards/homepage/bookmarks.yaml
+++ b/docker-compose/dashboards/homepage/bookmarks.yaml
--- a/docker-compose/dashboards/homepage/custom.css
+++ b/docker-compose/dashboards/homepage/custom.css
@@ -1,7 +1,15 @@
 .information-widgets {
    max-width: 1500px;
 }
 .services-group {
    max-width: 250px;
 }
 #services {
    margin: 0px;
 }
 .service {
    height: 70px;
    max-height: 80px;
@@ -9,7 +17,7 @@
    margin-right: 3px;
 }
-#services {
+#services #bookmarks {
    margin: 0px 0px 0px 20px;
 }
@@ -20,4 +28,4 @@
 .bookmark-group {
    min-width: 250px;
    max-width: 250px;
-}
+}
--- a/docker-compose/dashboards/homepage/custom.js
+++ b/docker-compose/dashboards/homepage/custom.js
--- a/docker-compose/dashboards/homepage/docker.yaml
+++ b/docker-compose/dashboards/homepage/docker.yaml
@@ -0,0 +1,18 @@
 ---
 # For configuration options and examples, please see:
 # https://gethomepage.dev/configs/docker/
 # my-docker:
 #   host: 127.0.0.1
 #   port: 2375
 # my-docker:
 #  socket: /var/run/docker.sock
 # home-assistant:
 #  host: 192.168.4.5
 #  port: 2375
 #jasper:
 #  host: 192.168.4.11
 #  port: 2375
--- a/docker-compose/dashboards/homepage/kubernetes.yaml
+++ b/docker-compose/dashboards/homepage/kubernetes.yaml
--- a/docker-compose/dashboards/homepage/proxmox.yaml
+++ b/docker-compose/dashboards/homepage/proxmox.yaml
--- a/Show More
+++ b/Show More
		`@@ -1,3 +0,0 @@`
			`====== Backup & Recovery ======`

			`Coming soon...`
		`@@ -1,3 +0,0 @@`
			`====== Development ======`

			`Coming soon...`
		`@@ -1,3 +0,0 @@`
			`====== Productivity Services ======`

			`Coming soon...`
		`@@ -1,3 +0,0 @@`
			`====== Troubleshooting ======`

			`Coming soon...`