5cbb106160
Introduce multi-server architecture documentation and reorganize README content. Top-level README now documents Core vs Remote server roles, links to local docs instead of wiki pages, and highlights Traefik/Sablier multi-server behavior. docker-compose/README.md was rewritten to be a template-style reference with single- and multi-server deployment guidance, Traefik label examples, and sablier usage; dockge README was moved into docker-compose/dockge/. docker-compose/core/README.md was updated to describe core responsibilities, shared CA artifacts, and startup order for multi-server deployments. Several obsolete/duplicated docs and action reports were removed and a new multi-server deployment doc was added to centralize on-demand/remote service guidance. Overall this cleans up legacy docs and documents the multi-server workflow and TLS/shared-CA requirements.
Core Infrastructure Services
This directory contains the core infrastructure services that form the foundation of the homelab. These services should be deployed on the main server only and are critical for the operation of all other services across all servers.
Services
DuckDNS
- Purpose: Dynamic DNS service for domain resolution and wildcard SSL certificates
- Subdomain: Configurable via environment variables
- Token: Configured in environment variables
- SSL Certificates: Generates wildcard cert used by all services on all servers
- Deploy: Core server only
Traefik (v3)
- Purpose: Reverse proxy and SSL termination with multi-server routing
- Ports: 80 (HTTP), 443 (HTTPS), 8080 (Dashboard)
- Configuration: Located in
traefik/config/traefik.yml - Multi-Server: Discovers services on all servers via Docker providers
- SSL: Let's Encrypt with DNS-01 challenge (wildcard certificate)
- Dashboard: Available at configured domain
- Deploy: Core server (multi-provider), Remote servers (local-only)
Note: Sablier has been moved to its own stack (/opt/stacks/sablier/) and should be deployed on each server individually. See Sablier documentation for details.
Authelia (v4.37.5)
- Purpose: Single sign-on authentication service for all services across all servers
- Port: 9091 (internal)
- Access: Configured authentication domain
- Configuration: Located in
authelia/config/ - Database: SQLite database in
authelia/config/db.sqlite3 - Deploy: Core server only
DuckDNS
- Purpose: Dynamic DNS service for domain resolution and wildcard SSL certificates
- Subdomain: Configurable via environment variables
- Token: Configured in environment variables
- SSL Certificates: Generates wildcard cert used by all services on all servers
- Deploy: Core server only
Multi-Server Architecture
The core stack on the main server provides centralized services for the entire homelab:
Core Server Responsibilities:
- Receives all external traffic (ports 80/443 forwarded from router)
- Runs DuckDNS for domain management and SSL certificates
- Runs Authelia for centralized authentication
- Runs multi-provider Traefik that discovers services on all servers
- Generates shared CA for Docker TLS communication
Remote Server Setup:
- Remote servers run their own Traefik instance (local Docker provider only)
- Remote servers run their own Sablier instance (local container management)
- Remote servers expose Docker API on port 2376 with TLS
- Core server Traefik connects to remote Docker APIs to discover services
- No port forwarding needed on remote servers
Service Access:
- All services accessible via:
https://service.yourdomain.duckdns.org - Core Traefik routes to appropriate server (local or remote)
- Single wildcard SSL certificate used for all services
- Authelia provides SSO for all protected services
⚠️ Version Pinning & Breaking Changes
Authelia Version Pinning
Current Version: authelia/authelia:4.37.5
Breaking Changes Identified:
- Authelia v4.39.15+ has breaking configuration changes that are incompatible with the current setup
- Database schema changes may require migration or recreation
- Configuration file format changes may break existing setups
Action Taken:
- Pinned to v4.37.5 which is confirmed working
- Database recreated from scratch to ensure compatibility
- Configuration files verified and working
Upgrade Path:
- Test upgrades in a separate environment first
- Backup configuration and database before upgrading
- Check Authelia changelog for breaking changes
- Consider using Authelia's migration tools if available
Traefik Version Pinning
Current Version: traefik:v3
Notes:
- Traefik v3 is stable and working with current configuration
- Configuration format is compatible
- No breaking changes identified in current setup
Configuration Requirements
File Structure
core/
├── docker-compose.yml # Main service definitions
├── .env # Environment variables
├── authelia/
│ └── config/
│ ├── configuration.yml # Authelia main config
│ ├── users_database.yml # User credentials
│ └── db.sqlite3 # SQLite database
├── duckdns/
│ └── config/ # DuckDNS configuration
├── traefik/
│ ├── config/
│ │ └── traefik.yml # Traefik static config
│ ├── dynamic/ # Dynamic configurations
│ │ ├── routes.yml
│ │ ├── sablier.yml
│ │ └── external-host-*.yml # Remote server routing
│ └── letsencrypt/
│ └── acme.json # SSL certificates
└── shared-ca/ # TLS certificates for multi-server
├── ca.pem # Certificate Authority
├── ca-key.pem # CA private key
├── cert.pem # Client certificate
└── key.pem # Client key
Environment Variables (.env)
# Required for proper operation
DUCKDNS_TOKEN=your_duckdns_token_here
DUCKDNS_SUBDOMAINS=your_subdomain
DOMAIN=yourdomain.duckdns.org
TZ=America/New_York
PUID=1000
PGID=1000
Network Requirements
- Docker network:
traefik-network - External ports: 80, 443 must be accessible
- DNS resolution: Domain must point to server IP
Deployment
Prerequisites
- Docker and Docker Compose installed
- Ports 80/443 forwarded to server
- DuckDNS account with valid token
- Domain configured in DuckDNS
Startup Order
duckdns- For DNS updates and SSL certificate generationtraefik- Reverse proxy (waits for SSL certificates)authelia- Authentication service
Note: Sablier is now deployed separately in /opt/stacks/sablier/ after core stack is running.
Commands
# Start all services
docker-compose up -d
# Check status
docker-compose ps
# View logs
docker-compose logs -f [service-name]
# Restart specific service
docker-compose restart [service-name]
Troubleshooting
Common Issues
- Connection Refused: Check if Traefik config file is in correct location (
traefik/config/traefik.yml) - SSL Certificate Issues: Verify DuckDNS token and domain configuration
- Authelia Login Issues: Check database file exists and configuration is valid
- Service Not Starting: Check Docker logs for error messages
Backup Strategy
- Configuration files are backed up automatically (see backup directories)
- Database should be backed up regularly
- SSL certificates are stored in
letsencrypt/acme.json - Use
backup.shscript for automated backups
Security Notes
- Authelia provides authentication for protected services
- All external traffic goes through Traefik with SSL termination
- Internal services communicate via Docker networks
- Dashboard access is protected by Authelia middleware
Maintenance
- Monitor SSL certificate expiration (Let's Encrypt auto-renews)
- Keep Authelia version pinned until tested upgrades are available
- Regularly backup configuration and database files
- Check logs for security issues or errors
- Run
./backup.shregularly to backup critical files
Customization
Domain Configuration
Update the following files with your domain:
docker-compose.yml: Traefik labels and Authelia configurationauthelia/config/configuration.yml: Domain settings.env: Domain environment variables
SSL Certificate Provider
Modify traefik/config/traefik.yml to use different DNS providers:
certificatesResolvers:
letsencrypt:
acme:
dnsChallenge:
provider: cloudflare # or other supported provider
Adding New Services
- Add service definition to
docker-compose.yml - Configure Traefik labels for routing
- Add middleware for authentication if needed
- Update network configuration