Updated service configurations, added new services, removed deprecated
ones, and improved gitignore patterns for better repository hygiene.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Remove Tinyauth SSO middleware from all media automation services
(Lidarr, Profilarr, Prowlarr, qBittorrent, Radarr, SABnzbd, Sonarr)
and Jellyseerr. These services will migrate to Authelia for SSO.
Remove Tinyauth SSO provider and migrate to Authelia for authentication.
Update LLDAP to use PostgreSQL backend and remove Tinyauth middleware
from core services.
Changes:
- Remove Tinyauth service entirely (compose/core/tinyauth/)
- Update LLDAP configuration with PostgreSQL database
- Remove Tinyauth middleware from Traefik dashboard
- Update LLDAP credentials and timezone to America/Los_Angeles
Add comprehensive guides for debugging and resolving FreshRSS API
authentication issues with mobile apps.
Includes:
- API password setup instructions
- iOS app configuration (Reeder, NetNewsWire, etc.)
- Google Reader API vs Fever API comparison
- nginx Authorization header troubleshooting
- Debug logging locations and commands
- Common error patterns and solutions
Covers both successful resolution and known limitations.
Add development environment mode for troubleshooting authentication
and API issues. Enables detailed PHP error logging and stack traces.
Can be reverted to production mode by removing FRESHRSS_ENV variable
after debugging is complete.
Remove Tinyauth SSO middleware and configure Traefik for FreshRSS API
compatibility with mobile apps.
Changes:
- Removed tinyauth middleware (conflicts with API authentication)
- Added passhostheader directive for proper request routing
- FreshRSS now uses built-in authentication only
This enables iOS RSS apps (Reeder, NetNewsWire, etc.) to connect via
FreshRSS's Google Reader and Fever APIs.
Add Dozzle for simple, real-time Docker container log viewing.
Features:
- Real-time log streaming from all containers
- Search and filter capabilities
- Multi-container side-by-side view
- Container resource statistics (CPU, memory)
- No database required (reads directly from Docker)
- Minimal footprint (~4MB image)
Configuration:
- Restricted to local network only (local-only middleware)
- Auto-discovery of all running containers
- Dark/light theme support
Includes quickstart guide and comprehensive documentation.
Add Komodo for centralized Docker container and server management.
Features:
- Docker container deployment and management
- Server monitoring and resource tracking
- Build system for Docker images from Git repositories
- Multi-server support with periphery agents
- Webhooks for automatic deployments
Stack includes:
- Komodo Core (web UI and API)
- Komodo Periphery (local Docker agent)
- MongoDB (configuration storage)
Includes comprehensive configuration with:
- Pre-configured .env with all available options
- Optional TOML config files for advanced settings
- Setup script with pre-deployment validation
- Full documentation and security checklist
Apply local-only middleware to:
- Backrest (backup management)
- Code Server (IDE)
- Ollama (LLM API)
These services now require both SSO authentication and local network
access (10.0.0.0/16), preventing external access while maintaining
convenience on LAN.
Add IP allowlist middleware to restrict services to local network
(10.0.0.0/16). Allows services to be protected from external access
while remaining accessible on LAN.
Add Lidarr for music collection management and Prowlarr for
unified indexer management across all *arr applications.
- Lidarr accessible at lidarr.fig.systems
- Prowlarr accessible at prowlarr.fig.systems
- Both integrated with existing media automation stack
Add Open WebUI for ChatGPT-like interface to local Ollama models
with RAG capabilities for documentation Q&A. Add code-server for
web-based VS Code access with AI coding assistants.
- Open WebUI accessible at ai.fig.systems
- code-server accessible at code.fig.systems
- Both integrated with local Ollama instance
- Add complete Traefik configuration for Homarr dashboard
- Enable Docker socket access for service discovery
- Configure Homarr to listen on dashboard.fig.systems
- Update FreshRSS hostname from rss to feeds for clarity
- Add Homarr discovery labels to Jellyfin and Jellyseerr
- Add config volume mount to Profilarr for persistence
- Improve service organization and discoverability
- Upgrade Loki from v2.9.3 to v3.3.2
- Upgrade Promtail from v2.9.3 to v3.3.2
- Update Loki configuration for v3 compatibility
- Replace deprecated table_manager with compactor settings
- Disable structured metadata for compatibility
Update all media services to use the correct mount point at /mnt/media
for consistency across Sonarr, Radarr, SABnzbd, qBittorrent, Jellyfin,
and Immich. This ensures proper file access and atomic moves between
download and library directories.
- Upgrade Traefik from v3.3 to v3.6.2
- Add Docker API version specification for compatibility
- Update LLDAP to latest image tag
- Migrate LLDAP to named volume for better data management
- Updated documentation for users who disable root SSH
- Added setup instructions for non-root user with sudo access
- Configured write permissions for /var/lib/vz/snippets
- Added Option A (root) and Option B (non-root) SSH setup guides
- Enhanced troubleshooting for permission denied errors
- Updated terraform.tfvars.example with non-root user example
- Added GPU passthrough configuration for NVIDIA GTX 1070
  - Dynamic hostpci block with OVMF BIOS and q35 machine type
  - EFI disk support when GPU is enabled
  - Configurable via enable_gpu_passthrough and gpu_pci_id variables
- Added NFS mount support for Proxmox host media directories
  - Mounts 11 media directories from Proxmox host to VM
  - Configurable source path and mount point
  - Persistent mounts via /etc/fstab
  - NFS client installation via cloud-init
- Added multi-OS support (Ubuntu, AlmaLinux, Debian)
  - Separate cloud-init templates for Ubuntu and AlmaLinux
  - OS-specific package installation (apt vs dnf)
  - OS type validation via variable
- Updated terraform.tfvars.example with new configuration options
- Updated README.md with comprehensive documentation:
  - AlmaLinux cloud template creation steps
  - GPU passthrough setup for AMD Ryzen + NVIDIA
  - NFS server configuration on Proxmox host
  - Troubleshooting for GPU and NFS issues
- Replace Linkwarden with Karakeep for AI-powered bookmarking
  - Supports links, notes, images, PDFs
  - AI auto-tagging with Ollama integration
  - Browser extensions and mobile apps
  - Full-text search with Meilisearch
- Add Ollama for local LLM inference
  - Run Llama, Mistral, CodeLlama locally
  - GPU acceleration support (GTX 1070)
  - OpenAI-compatible API
  - Integrates with Karakeep for AI features
- Add example configuration files for services
  - Sonarr: config.xml.example
  - Radarr: config.xml.example
  - SABnzbd: sabnzbd.ini.example
  - qBittorrent: qBittorrent.conf.example
  - Vikunja: config.yml.example
  - FreshRSS: config.php.example
- Fix incomplete FreshRSS compose.yaml
- Update README with new services and deployment instructions
This commit improves configuration management by:
## Changes
### Environment Variable Management
- Moved ALL environment blocks from compose.yaml files to .env files
- Added comprehensive .env files for all 20 services
- Included example secret formats with generation commands
- Added detailed comments explaining what each secret should look like
### Example Secret Formats
All .env files now include examples for:
- **JWT Secrets**: 64-character hex strings
  - Example format: `a1b2c3d4e5f67890abcdef1234567890...`
  - Generate with: `openssl rand -hex 32`
- **Passwords**: Strong alphanumeric passwords
  - Example format: `MyS3cur3P@ssw0rd!2024#HomeL@b`
  - Generate with: `openssl rand -base64 32 | tr -d /=+ | cut -c1-32`
- **Session Secrets**: Random hex strings
  - Example format: `b2c3d4e5f67890abcdef1234567890a1b2...`
  - Generate with: `openssl rand -hex 32`
- **API Keys**: Service-specific formats
  - Meili: 32-character hex (`openssl rand -hex 16`)
  - NextAuth: 64-character hex (`openssl rand -hex 32`)
### GPU Support Documentation
- Added NVIDIA GPU (GTX 1070) configuration for Jellyfin
- Added NVIDIA GPU configuration for Immich (ML inference & transcoding)
- Included setup instructions for NVIDIA Container Toolkit
- Documented how to enable GPU acceleration in each service
### Services Updated
**Core Infrastructure:**
- lldap: Added JWT secret and password examples
- tinyauth: Added session secret examples
- traefik: No environment variables needed
**Media Services:**
- jellyfin: Added .env with GPU configuration docs
- jellyseer: Created .env with logging and timezone settings
- immich: Added database password examples and GPU docs
- sonarr: Created .env for PUID/PGID/TZ
- radarr: Created .env for PUID/PGID/TZ
- sabnzbd: Created .env for PUID/PGID/TZ
- qbittorrent: Created .env for PUID/PGID/TZ/WEBUI_PORT
**Utility Services:**
- homarr: Created .env for port and timezone
- backrest: Added environment variables to .env
- linkwarden: Rewrote .env with NextAuth, Postgres, Meili examples
- vikunja: Created .env with JWT secret and database password
- FreshRSS: Created .env for PUID/PGID/TZ
- booklore: Created .env for PUID/PGID/TZ
- calibre-web: Created .env for PUID/PGID/TZ
- filebrowser: Created .env for PUID/PGID/TZ
- lubelogger: Created .env with locale settings
- rsshub: Created .env with cache and logging config
- microbin: Updated existing .env, removed environment block
### Benefits
1. **Security**:
   - Clear examples show what strong secrets look like
   - Generation commands prevent weak passwords
   - All secrets in one place per service
2. **Consistency**:
   - All services follow the same pattern (env_file: .env)
   - No more environment blocks in compose files
   - Easier to template new services
3. **Usability**:
   - Users know exactly what to change (look for `changeme_*`)
   - Example formats prevent configuration errors
   - Commands provided to generate secure values
4. **Maintainability**:
   - Compose files are cleaner and more readable
   - Environment changes don't require compose file edits
   - Version control friendly (.env files can be .gitignored)
### Files Changed
- Modified: 24 compose.yaml files
- Created: 14 new .env files
- Updated: 6 existing .env files
- Total .env files: 20 across all services
All compose.yaml files now use `env_file: .env` exclusively.
No environment blocks remain in any compose files.
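
The conventions this commit message describes (`changeme_*` placeholders, 64-character hex JWT and session secrets, a 32-character hex Meili key) can be checked mechanically before a stack is started. The script below is an added example, not part of the repository; the variable names it matches and the sample .env content are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: lint a .env file for secrets that were never replaced.
# Key names matched below are assumptions; the page does not list them.

# lint_env FILE: print one finding per line; return 1 if there are any.
lint_env() {
    bad=0
    while IFS='=' read -r key value; do
        case $key in ''|'#'*) continue ;; esac   # skip blank lines and comments
        want=0                                   # expected hex length, 0 = unchecked
        case $key in
            *JWT_SECRET|*SESSION_SECRET|NEXTAUTH_SECRET) want=64 ;;
            MEILI_MASTER_KEY) want=32 ;;
        esac
        case $value in
            *changeme_*) msg="placeholder not replaced" ;;
            # Prefixes of the two hex examples documented in the .env comments
            a1b2c3d4e5f67890abcdef1234567890*) msg="documented example value in use" ;;
            b2c3d4e5f67890abcdef1234567890a1b2*) msg="documented example value in use" ;;
            'MyS3cur3P@ssw0rd!2024#HomeL@b') msg="documented example value in use" ;;
            *) msg="" ;;
        esac
        if [ -n "$msg" ]; then
            echo "$key: $msg"; bad=1
        elif [ "$want" -gt 0 ] &&
             ! printf '%s' "$value" | grep -Eq "^[0-9a-f]{$want}\$"; then
            echo "$key: expected $want lowercase hex characters"; bad=1
        fi
    done < "$1"
    return "$bad"
}

# Constructed sample input (not taken from the repository).
write_sample_env() {
    cat > "$1" <<'EOF'
# sample .env (constructed)
TZ=America/Los_Angeles
VIKUNJA_JWT_SECRET=changeme_jwt_secret
SESSION_SECRET=b2c3d4e5f67890abcdef1234567890a1b2c3d4e5f67890abcdef1234567890a1
MEILI_MASTER_KEY=4e7a91c2d05b83f6
LLDAP_JWT_SECRET=4e7a91c2d05b83f64e7a91c2d05b83f64e7a91c2d05b83f64e7a91c2d05b83f6
EOF
}

sample=$(mktemp)
write_sample_env "$sample"
lint_env "$sample" || echo "fix the findings above before deploying"
rm -f "$sample"
```

The non-zero return status lets the check gate a deployment script or a pre-commit hook.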