- Add Homarr discovery labels to Jellyfin and Jellyseerr
- Add config volume mount to Profilarr for persistence
- Improve service organization and discoverability
- Upgrade Loki from v2.9.3 to v3.3.2
- Upgrade Promtail from v2.9.3 to v3.3.2
- Update Loki configuration for v3 compatibility
- Replace deprecated table_manager with compactor settings
- Disable structured metadata for compatibility
Update all media services to use the correct mount point at /mnt/media
for consistency across Sonarr, Radarr, SABnzbd, qBittorrent, Jellyfin,
and Immich. This ensures proper file access and atomic moves between
download and library directories.
- Upgrade Traefik from v3.3 to v3.6.2
- Add Docker API version specification for compatibility
- Update LLDAP to latest image tag
- Migrate LLDAP to named volume for better data management
- Updated documentation for users who disable root SSH
- Added setup instructions for non-root user with sudo access
- Configured write permissions for /var/lib/vz/snippets
- Added Option A (root) and Option B (non-root) SSH setup guides
- Enhanced troubleshooting for permission denied errors
- Updated terraform.tfvars.example with non-root user example
- Added GPU passthrough configuration for NVIDIA GTX 1070
- Dynamic hostpci block with OVMF BIOS and q35 machine type
- EFI disk support when GPU is enabled
- Configurable via enable_gpu_passthrough and gpu_pci_id variables
- Added NFS mount support for Proxmox host media directories
- Mounts 11 media directories from Proxmox host to VM
- Configurable source path and mount point
- Persistent mounts via /etc/fstab
- NFS client installation via cloud-init
- Added multi-OS support (Ubuntu, AlmaLinux, Debian)
- Separate cloud-init templates for Ubuntu and AlmaLinux
- OS-specific package installation (apt vs dnf)
- OS type validation via variable
- Updated terraform.tfvars.example with new configuration options
- Updated README.md with comprehensive documentation:
- AlmaLinux cloud template creation steps
- GPU passthrough setup for AMD Ryzen + NVIDIA
- NFS server configuration on Proxmox host
- Troubleshooting for GPU and NFS issues
- Replace Linkwarden with Karakeep for AI-powered bookmarking
- Supports links, notes, images, PDFs
- AI auto-tagging with Ollama integration
- Browser extensions and mobile apps
- Full-text search with Meilisearch
- Add Ollama for local LLM inference
- Run Llama, Mistral, CodeLlama locally
- GPU acceleration support (GTX 1070)
- OpenAI-compatible API
- Integrates with Karakeep for AI features
- Add example configuration files for services
- Sonarr: config.xml.example
- Radarr: config.xml.example
- SABnzbd: sabnzbd.ini.example
- qBittorrent: qBittorrent.conf.example
- Vikunja: config.yml.example
- FreshRSS: config.php.example
- Fix incomplete FreshRSS compose.yaml
- Update README with new services and deployment instructions
This commit improves configuration management by:
## Changes
### Environment Variable Management
- Moved ALL environment blocks from compose.yaml files to .env files
- Added comprehensive .env files for all 20 services
- Included example secret formats with generation commands
- Added detailed comments explaining what each secret should look like
### Example Secret Formats
All .env files now include examples for:
- **JWT Secrets**: 64-character hex strings
- Example format: `a1b2c3d4e5f67890abcdef1234567890...`
- Generate with: `openssl rand -hex 32`
- **Passwords**: Strong alphanumeric passwords
- Example format: `MyS3cur3P@ssw0rd!2024#HomeL@b`
- Generate with: `openssl rand -base64 32 | tr -d /=+ | cut -c1-32`
- **Session Secrets**: Random hex strings
- Example format: `b2c3d4e5f67890abcdef1234567890a1b2...`
- Generate with: `openssl rand -hex 32`
- **API Keys**: Service-specific formats
- Meili: 32-character hex (`openssl rand -hex 16`)
- NextAuth: 64-character hex (`openssl rand -hex 32`)
### GPU Support Documentation
- Added NVIDIA GPU (GTX 1070) configuration for Jellyfin
- Added NVIDIA GPU configuration for Immich (ML inference & transcoding)
- Included setup instructions for NVIDIA Container Toolkit
- Documented how to enable GPU acceleration in each service
### Services Updated
**Core Infrastructure:**
- lldap: Added JWT secret and password examples
- tinyauth: Added session secret examples
- traefik: No environment variables needed
**Media Services:**
- jellyfin: Added .env with GPU configuration docs
- jellyseer: Created .env with logging and timezone settings
- immich: Added database password examples and GPU docs
- sonarr: Created .env for PUID/PGID/TZ
- radarr: Created .env for PUID/PGID/TZ
- sabnzbd: Created .env for PUID/PGID/TZ
- qbittorrent: Created .env for PUID/PGID/TZ/WEBUI_PORT
**Utility Services:**
- homarr: Created .env for port and timezone
- backrest: Added environment variables to .env
- linkwarden: Rewrote .env with NextAuth, Postgres, Meili examples
- vikunja: Created .env with JWT secret and database password
- FreshRSS: Created .env for PUID/PGID/TZ
- booklore: Created .env for PUID/PGID/TZ
- calibre-web: Created .env for PUID/PGID/TZ
- filebrowser: Created .env for PUID/PGID/TZ
- lubelogger: Created .env with locale settings
- rsshub: Created .env with cache and logging config
- microbin: Updated existing .env, removed environment block
### Benefits
1. **Security**:
- Clear examples show what strong secrets look like
- Generation commands prevent weak passwords
- All secrets in one place per service
2. **Consistency**:
- All services follow the same pattern (env_file: .env)
- No more environment blocks in compose files
- Easier to template new services
3. **Usability**:
- Users know exactly what to change (look for `changeme_*`)
- Example formats prevent configuration errors
- Commands provided to generate secure values
4. **Maintainability**:
- Compose files are cleaner and more readable
- Environment changes don't require compose file edits
- Version control friendly (.env files can be .gitignored)
### Files Changed
- Modified: 24 compose.yaml files
- Created: 14 new .env files
- Updated: 6 existing .env files
- Total .env files: 20 across all services
All compose.yaml files now use `env_file: .env` exclusively.
No environment blocks remain in any compose files.
This commit adds several new features to enhance homelab management:
## New Services
### Backrest (backup.fig.systems)
- Modern web UI for managing Restic backups
- Encrypted, deduplicated backups to Backblaze B2
- Automated scheduling and retention policies
- Pre-configured to backup Immich photos and homelab configs
- SSO protected via tinyauth
### Homarr (home.fig.systems)
- Auto-discovery dashboard for all homelab services
- Docker socket integration for service monitoring
- Clean, modern interface with customizable widgets
- SSO protected via tinyauth
## Infrastructure
### Service Template System (templates/service-template/)
- Complete template with all common patterns
- Traefik labels, health checks, dependencies
- Environment variable examples
- Comprehensive README with usage instructions
- Ensures consistency across all new services
### OpenTofu/Terraform IaC (terraform/)
- Complete Proxmox VM provisioning setup
- Cloud-init automation for Docker host creation
- Automated Docker installation and configuration
- Media directory structure creation
- Step-by-step documentation including:
- Cloud template creation guide
- Variable configuration examples
- Resource sizing recommendations
- Security hardening options
## Documentation Updates
- Updated README with new service URLs
- Added Homarr and Backrest to directory structure
- Updated deployment instructions
- Added service table entries for new services
All new services follow established patterns:
- External homelab network
- Let's Encrypt SSL via Traefik
- Dual domain support (fig.systems + edfig.dev)
- Consistent naming and structure
Traefik Network Fix:
- Change homelab network to external: true
- Consistent with all other services
- Network must be created before deploying Traefik
- Resolves CI validation warning
Labeler Configuration Fix:
- Remove unsupported changed-lines option
- actions/labeler@v5 doesn't support line-based matching
- Simplified to file path matching only
- Removes 'traefik' and 'dependencies' advanced filters
- Resolves 'Unknown config options' error
CI should now pass all validation checks
Core Infrastructure:
- Add LLDAP for centralized user authentication (lldap.fig.systems)
- Configure Tinyauth with LLDAP backend for SSO (auth.fig.systems)
- Set up Traefik v3.3 with Let's Encrypt SSL automation
- Create homelab Docker network for service isolation
Media Services:
- Configure Jellyfin with /media folder mappings (flix.fig.systems)
- Add Jellyseerr for media requests (requests.fig.systems)
- Update Immich with photo library access (photos.fig.systems)
- Set up Sonarr for TV automation (sonarr.fig.systems)
- Set up Radarr for movie automation (radarr.fig.systems)
- Configure SABnzbd for Usenet downloads (sabnzbd.fig.systems)
- Add qBittorrent for torrent downloads (qbt.fig.systems)
Utility Services:
- Update Linkwarden with proper networking (links.fig.systems)
- Configure Vikunja task management (tasks.fig.systems)
- Set up LubeLogger vehicle tracking (garage.fig.systems)
- Configure Calibre-web for ebooks (books.fig.systems)
- Add Booklore for book tracking (booklore.fig.systems)
- Update FreshRSS reader (rss.fig.systems)
- Update RSSHub with internal networking (rsshub.fig.systems)
- Update MicroBin pastebin (paste.fig.systems)
- Add File Browser for media access (files.fig.systems)
Technical Improvements:
- Standardize all compose files to compose.yaml (Docker best practice)
- Add Traefik labels to all services for SSL termination
- Implement proper network isolation (homelab + service-specific networks)
- Add health checks to database services
- Configure dual domain support (fig.systems + edfig.dev)
- Set proper /media folder mappings for all media services
- Add comprehensive README with deployment instructions
Security:
- Enable SSO via Tinyauth for most services
- Configure LLDAP with admin user (edfig/admin@edfig.dev)
- Services with built-in auth have SSO disabled by default
- All traffic secured with automatic Let's Encrypt certificates
