Remove Tinyauth SSO middleware from all media automation services
(Lidarr, Profilarr, Prowlarr, qBittorrent, Radarr, SABnzbd, Sonarr)
and Jellyseerr. These services will migrate to Authelia for SSO.
Remove Tinyauth SSO provider and migrate to Authelia for authentication.
Update LLDAP to use PostgreSQL backend and remove Tinyauth middleware
from core services.
Changes:
- Remove Tinyauth service entirely (compose/core/tinyauth/)
- Update LLDAP configuration with PostgreSQL database
- Remove Tinyauth middleware from Traefik dashboard
- Update LLDAP credentials and timezone to America/Los_Angeles
Add comprehensive guides for debugging and resolving FreshRSS API
authentication issues with mobile apps.
Includes:
- API password setup instructions
- iOS app configuration (Reeder, NetNewsWire, etc.)
- Google Reader API vs Fever API comparison
- nginx Authorization header troubleshooting
- Debug logging locations and commands
- Common error patterns and solutions
Covers both successful resolution and known limitations.
Add development environment mode for troubleshooting authentication
and API issues. Enables detailed PHP error logging and stack traces.
Can be reverted to production mode by removing FRESHRSS_ENV variable
after debugging is complete.
Remove Tinyauth SSO middleware and configure Traefik for FreshRSS API
compatibility with mobile apps.
Changes:
- Removed tinyauth middleware (conflicts with API authentication)
- Added passhostheader directive for proper request routing
- FreshRSS now uses built-in authentication only
This enables iOS RSS apps (Reeder, NetNewsWire, etc.) to connect via
FreshRSS's Google Reader and Fever APIs.
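An added example, not the repository's own compose file, showing an alternative the commit above does not take: keep the Tinyauth forwardAuth middleware on the FreshRSS web UI and route only the API paths around it, so Reeder or NetNewsWire can send their own `Authorization: GoogleLogin auth=...` header (or the Fever `api_key` POST body) without being redirected to the SSO login page. The middleware name `tinyauth@file`, the `homelab` network, the `letsencrypt` resolver and the `feeds.fig.systems` host are placeholders assumed for this example.

```yaml
# Added example (not from the repository). Two Traefik routers on one FreshRSS
# service: the UI router carries the SSO middleware, the API router does not.
# Assumed placeholders: tinyauth@file, homelab, letsencrypt, feeds.fig.systems.
services:
  freshrss:
    image: freshrss/freshrss:latest
    container_name: freshrss
    restart: unless-stopped
    env_file: .env
    volumes:
      - ./data:/var/www/FreshRSS/data
      - ./extensions:/var/www/FreshRSS/extensions
    networks:
      - homelab
    labels:
      - traefik.enable=true
      # UI router: browser traffic, protected by SSO.
      - traefik.http.routers.freshrss.rule=Host(`feeds.fig.systems`)
      - traefik.http.routers.freshrss.entrypoints=websecure
      - traefik.http.routers.freshrss.tls.certresolver=letsencrypt
      - traefik.http.routers.freshrss.middlewares=tinyauth@file
      - traefik.http.routers.freshrss.service=freshrss
      # API router: same host, /api/ prefix (greader.php, fever.php), no SSO.
      # Traefik's default priority is the rule length, so this longer rule
      # already wins for /api/* requests; the explicit priority makes the
      # intent visible in the config instead of relying on that default.
      - traefik.http.routers.freshrss-api.rule=Host(`feeds.fig.systems`) && PathPrefix(`/api/`)
      - traefik.http.routers.freshrss-api.entrypoints=websecure
      - traefik.http.routers.freshrss-api.tls.certresolver=letsencrypt
      - traefik.http.routers.freshrss-api.priority=100
      - traefik.http.routers.freshrss-api.service=freshrss
      # Shared service definition. passHostHeader is true by default in
      # Traefik; it is spelled out here because the commit relies on it.
      - traefik.http.services.freshrss.loadbalancer.server.port=80
      - traefik.http.services.freshrss.loadbalancer.passhostheader=true

networks:
  homelab:
    external: true
```

The API router only removes the SSO hop; FreshRSS still authenticates each API call itself with the per-user API password, which has to be set in the FreshRSS profile and the API enabled in its settings. Anything under `/api/` is therefore exactly as exposed as FreshRSS's own login is, which is the trade-off being made when SSO is bypassed for a path.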
Add Dozzle for simple, real-time Docker container log viewing.
Features:
- Real-time log streaming from all containers
- Search and filter capabilities
- Multi-container side-by-side view
- Container resource statistics (CPU, memory)
- No database required (reads directly from Docker)
- Minimal footprint (~4MB image)
Configuration:
- Restricted to local network only (local-only middleware)
- Auto-discovery of all running containers
- Dark/light theme support
Includes quickstart guide and comprehensive documentation.
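An added example, not the repository's Dozzle compose file, covering the one thing the summary above does not spell out: what Dozzle's Docker socket access means. A `:ro` bind mount of `/var/run/docker.sock` does not make the Docker API read-only; any process that can connect to the socket can still create a privileged container and own the host. The example puts a socket proxy between Dozzle and the socket so only the GET endpoints Dozzle needs are reachable, and keeps the `local-only@file` middleware on the router because log streams routinely contain tokens and credentials. The middleware name, the `homelab` network, the `letsencrypt` resolver and the `logs.fig.systems` host are placeholders assumed for this example.

```yaml
# Added example (not from the repository): Dozzle behind a Docker socket proxy.
# Assumed placeholders: local-only@file, homelab, letsencrypt, logs.fig.systems.
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy:latest
    container_name: dozzle-socket-proxy
    restart: unless-stopped
    environment:
      # Read-only API sections Dozzle uses: container list/inspect/logs/stats,
      # event stream, ping, daemon info and version.
      - CONTAINERS=1
      - EVENTS=1
      - PING=1
      - INFO=1
      - VERSION=1
      # POST is already 0 by default; stated explicitly so that create, start,
      # exec and similar mutating calls are visibly refused.
      - POST=0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - dozzle-internal   # not on homelab: nothing else can reach the proxy

  dozzle:
    image: amir20/dozzle:latest
    container_name: dozzle
    restart: unless-stopped
    environment:
      # Talk to the proxy over TCP instead of mounting the socket here.
      - DOZZLE_REMOTE_HOST=tcp://socket-proxy:2375
      - DOZZLE_NO_ANALYTICS=true
    depends_on:
      - socket-proxy
    networks:
      - dozzle-internal
      - homelab
    labels:
      - traefik.enable=true
      - traefik.http.routers.dozzle.rule=Host(`logs.fig.systems`)
      - traefik.http.routers.dozzle.entrypoints=websecure
      - traefik.http.routers.dozzle.tls.certresolver=letsencrypt
      - traefik.http.routers.dozzle.middlewares=local-only@file
      - traefik.http.services.dozzle.loadbalancer.server.port=8080
      # Dozzle is on two networks; tell Traefik which one to use.
      - traefik.docker.network=homelab

networks:
  homelab:
    external: true
  dozzle-internal:
    internal: true
```

The `internal: true` network has no route to the outside, so even if Dozzle were compromised the attacker would reach a filtered Docker API rather than the raw socket. If Dozzle's container statistics view needs an endpoint the proxy rejects, the proxy logs the blocked path, which is a far better failure mode than silently granting full API access.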
Add Komodo for centralized Docker container and server management.
Features:
- Docker container deployment and management
- Server monitoring and resource tracking
- Build system for Docker images from Git repositories
- Multi-server support with periphery agents
- Webhooks for automatic deployments
Stack includes:
- Komodo Core (web UI and API)
- Komodo Periphery (local Docker agent)
- MongoDB (configuration storage)
Includes comprehensive configuration with:
- Pre-configured .env with all available options
- Optional TOML config files for advanced settings
- Setup script with pre-deployment validation
- Full documentation and security checklist
Apply local-only middleware to:
- Backrest (backup management)
- Code Server (IDE)
- Ollama (LLM API)
These services now require both SSO authentication and local network
access (10.0.0.0/16), preventing external access while maintaining
convenience on LAN.
Add IP allowlist middleware to restrict services to local network
(10.0.0.0/16). Allows services to be protected from external access
while remaining accessible on LAN.
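An added example, not the repository's own Traefik file, showing how the two commits above fit together: the allowlist middleware this commit introduces, the SSO middleware it is combined with, and a chain that applies both to Backrest, code-server and Ollama. The names `local-only` and `tinyauth`, and the `lan-sso` chain, are assumed for this example; the Tinyauth forwardAuth address is the Traefik endpoint from Tinyauth's documentation and should be checked against the version deployed.

```yaml
# Added example (not from the repository): Traefik v3 dynamic configuration
# (file provider) defining the middlewares referenced by the commits above.
# Assumed names: local-only, tinyauth, lan-sso. Traefik v3 calls this
# middleware ipAllowList; v2 configs still using ipWhiteList must be renamed.
http:
  middlewares:
    # Reject every request whose client address is outside the LAN.
    local-only:
      ipAllowList:
        sourceRange:
          - 10.0.0.0/16
        # With no ipStrategy, Traefik compares sourceRange against the TCP
        # peer address, so a forged X-Forwarded-For header cannot bypass the
        # list. Only enable the block below if Traefik really sits behind
        # another proxy you trust; depth counts from the right of the header.
        # ipStrategy:
        #   depth: 1

    # Every request is forwarded to Tinyauth first; unauthenticated browsers
    # are redirected to the login page, authenticated ones reach the service.
    tinyauth:
      forwardAuth:
        address: http://tinyauth:3000/api/auth/traefik

    # Order matters: the cheap IP check runs before the forwardAuth round trip,
    # so requests from outside the LAN never touch the SSO service at all.
    lan-sso:
      chain:
        middlewares:
          - local-only
          - tinyauth
```

A router opts in with a single label, for example `traefik.http.routers.ollama.middlewares=lan-sso@file`. Two caveats a practitioner should check before relying on this: the allowlist is only meaningful if Traefik is the first hop that sees the client address (a tunnel or upstream proxy would present its own address, matching or not matching 10.0.0.0/16 regardless of the real client), and a forwardAuth middleware in front of an API such as Ollama's will block non-browser clients the same way it blocked the FreshRSS mobile apps, which is acceptable here only because Open WebUI reaches Ollama over the Docker network rather than through Traefik.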
Add Lidarr for music collection management and Prowlarr for
unified indexer management across all *arr applications.
- Lidarr accessible at lidarr.fig.systems
- Prowlarr accessible at prowlarr.fig.systems
- Both integrated with existing media automation stack
Add Open WebUI for ChatGPT-like interface to local Ollama models
with RAG capabilities for documentation Q&A. Add code-server for
web-based VS Code access with AI coding assistants.
- Open WebUI accessible at ai.fig.systems
- code-server accessible at code.fig.systems
- Both integrated with local Ollama instance
- Add complete Traefik configuration for Homarr dashboard
- Enable Docker socket access for service discovery
- Configure Homarr to listen on dashboard.fig.systems
- Update FreshRSS hostname from rss to feeds for clarity
- Add Homarr discovery labels to Jellyfin and Jellyseerr
- Add config volume mount to Profilarr for persistence
- Improve service organization and discoverability
- Upgrade Loki from v2.9.3 to v3.3.2
- Upgrade Promtail from v2.9.3 to v3.3.2
- Update Loki configuration for v3 compatibility
- Replace deprecated table_manager with compactor settings
- Disable structured metadata for compatibility
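An added example, not the repository's Loki configuration, showing the shape of the v3-compatible retention settings the commit lists: `table_manager` no longer exists in Loki 3, retention is driven by the compactor and requires `delete_request_store` once `retention_enabled` is set, and `allow_structured_metadata` must be `false` while the index is still on boltdb-shipper with schema v12 (structured metadata requires tsdb with schema v13). Paths, the schema start date and the 30-day retention period are assumptions for this example.

```yaml
# Added example (not from the repository): single-node Loki 3.x config with
# compactor-based retention in place of the removed table_manager.
# Assumptions: filesystem storage under /loki, boltdb-shipper index, schema v12.
auth_enabled: false

server:
  http_listen_port: 3100

common:
  path_prefix: /loki
  instance_addr: 127.0.0.1
  replication_factor: 1
  storage:
    filesystem:
      chunks_directory: /loki/chunks
      rules_directory: /loki/rules
  ring:
    kvstore:
      store: inmemory

schema_config:
  configs:
    - from: 2024-01-01
      store: boltdb-shipper
      object_store: filesystem
      schema: v12
      index:
        prefix: index_
        period: 24h

# Retention lives here in v3. Without delete_request_store Loki refuses to
# start when retention_enabled is true.
compactor:
  working_directory: /loki/compactor
  compaction_interval: 10m
  retention_enabled: true
  retention_delete_delay: 2h
  delete_request_store: filesystem

limits_config:
  retention_period: 720h
  # Structured metadata needs tsdb + schema v13; keep it off on this schema.
  allow_structured_metadata: false
```

Retention only applies to data the compactor can see, so the `working_directory` must be persisted alongside the chunks; deleting it does not lose logs, but it does lose the delete-request bookkeeping until the compactor rebuilds it. Moving to tsdb/v13 later is done by appending a new entry to `schema_config.configs` with a future `from` date, at which point `allow_structured_metadata` can be turned back on.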
Update all media services to use the correct mount point at /mnt/media
for consistency across Sonarr, Radarr, SABnzbd, qBittorrent, Jellyfin,
and Immich. This ensures proper file access and atomic moves between
download and library directories.
- Upgrade Traefik from v3.3 to v3.6.2
- Add Docker API version specification for compatibility
- Update LLDAP to latest image tag
- Migrate LLDAP to named volume for better data management
- Updated documentation for users who disable root SSH
- Added setup instructions for non-root user with sudo access
- Configured write permissions for /var/lib/vz/snippets
- Added Option A (root) and Option B (non-root) SSH setup guides
- Enhanced troubleshooting for permission denied errors
- Updated terraform.tfvars.example with non-root user example
- Added GPU passthrough configuration for NVIDIA GTX 1070
  - Dynamic hostpci block with OVMF BIOS and q35 machine type
  - EFI disk support when GPU is enabled
  - Configurable via enable_gpu_passthrough and gpu_pci_id variables
- Added NFS mount support for Proxmox host media directories
  - Mounts 11 media directories from Proxmox host to VM
  - Configurable source path and mount point
  - Persistent mounts via /etc/fstab
  - NFS client installation via cloud-init
- Added multi-OS support (Ubuntu, AlmaLinux, Debian)
  - Separate cloud-init templates for Ubuntu and AlmaLinux
  - OS-specific package installation (apt vs dnf)
  - OS type validation via variable
- Updated terraform.tfvars.example with new configuration options
- Updated README.md with comprehensive documentation:
  - AlmaLinux cloud template creation steps
  - GPU passthrough setup for AMD Ryzen + NVIDIA
  - NFS server configuration on Proxmox host
  - Troubleshooting for GPU and NFS issues
- Replace Linkwarden with Karakeep for AI-powered bookmarking
  - Supports links, notes, images, PDFs
  - AI auto-tagging with Ollama integration
  - Browser extensions and mobile apps
  - Full-text search with Meilisearch
- Add Ollama for local LLM inference
  - Run Llama, Mistral, CodeLlama locally
  - GPU acceleration support (GTX 1070)
  - OpenAI-compatible API
  - Integrates with Karakeep for AI features
- Add example configuration files for services
  - Sonarr: config.xml.example
  - Radarr: config.xml.example
  - SABnzbd: sabnzbd.ini.example
  - qBittorrent: qBittorrent.conf.example
  - Vikunja: config.yml.example
  - FreshRSS: config.php.example
- Fix incomplete FreshRSS compose.yaml
- Update README with new services and deployment instructions
This commit improves configuration management by:
## Changes
### Environment Variable Management
- Moved ALL environment blocks from compose.yaml files to .env files
- Added comprehensive .env files for all 20 services
- Included example secret formats with generation commands
- Added detailed comments explaining what each secret should look like
### Example Secret Formats
All .env files now include examples for:
- **JWT Secrets**: 64-character hex strings
  - Example format: `a1b2c3d4e5f67890abcdef1234567890...`
  - Generate with: `openssl rand -hex 32`
- **Passwords**: Strong alphanumeric passwords
  - Example format: `MyS3cur3P@ssw0rd!2024#HomeL@b`
  - Generate with: `openssl rand -base64 32 | tr -d /=+ | cut -c1-32`
- **Session Secrets**: Random hex strings
  - Example format: `b2c3d4e5f67890abcdef1234567890a1b2...`
  - Generate with: `openssl rand -hex 32`
- **API Keys**: Service-specific formats
  - Meili: 32-character hex (`openssl rand -hex 16`)
  - NextAuth: 64-character hex (`openssl rand -hex 32`)
### GPU Support Documentation
- Added NVIDIA GPU (GTX 1070) configuration for Jellyfin
- Added NVIDIA GPU configuration for Immich (ML inference & transcoding)
- Included setup instructions for NVIDIA Container Toolkit
- Documented how to enable GPU acceleration in each service
### Services Updated
**Core Infrastructure:**
- lldap: Added JWT secret and password examples
- tinyauth: Added session secret examples
- traefik: No environment variables needed
**Media Services:**
- jellyfin: Added .env with GPU configuration docs
- jellyseer: Created .env with logging and timezone settings
- immich: Added database password examples and GPU docs
- sonarr: Created .env for PUID/PGID/TZ
- radarr: Created .env for PUID/PGID/TZ
- sabnzbd: Created .env for PUID/PGID/TZ
- qbittorrent: Created .env for PUID/PGID/TZ/WEBUI_PORT
**Utility Services:**
- homarr: Created .env for port and timezone
- backrest: Added environment variables to .env
- linkwarden: Rewrote .env with NextAuth, Postgres, Meili examples
- vikunja: Created .env with JWT secret and database password
- FreshRSS: Created .env for PUID/PGID/TZ
- booklore: Created .env for PUID/PGID/TZ
- calibre-web: Created .env for PUID/PGID/TZ
- filebrowser: Created .env for PUID/PGID/TZ
- lubelogger: Created .env with locale settings
- rsshub: Created .env with cache and logging config
- microbin: Updated existing .env, removed environment block
### Benefits
1. **Security**:
   - Clear examples show what strong secrets look like
   - Generation commands prevent weak passwords
   - All secrets in one place per service
2. **Consistency**:
   - All services follow the same pattern (env_file: .env)
   - No more environment blocks in compose files
   - Easier to template new services
3. **Usability**:
   - Users know exactly what to change (look for `changeme_*`)
   - Example formats prevent configuration errors
   - Commands provided to generate secure values
4. **Maintainability**:
   - Compose files are cleaner and more readable
   - Environment changes don't require compose file edits
   - Version control friendly (.env files can be .gitignored)
### Files Changed
- Modified: 24 compose.yaml files
- Created: 14 new .env files
- Updated: 6 existing .env files
- Total .env files: 20 across all services
All compose.yaml files now use `env_file: .env` exclusively.
No environment blocks remain in any compose files.
This commit adds several new features to enhance homelab management:
## New Services
### Backrest (backup.fig.systems)
- Modern web UI for managing Restic backups
- Encrypted, deduplicated backups to Backblaze B2
- Automated scheduling and retention policies
- Pre-configured to backup Immich photos and homelab configs
- SSO protected via tinyauth
### Homarr (home.fig.systems)
- Auto-discovery dashboard for all homelab services
- Docker socket integration for service monitoring
- Clean, modern interface with customizable widgets
- SSO protected via tinyauth
## Infrastructure
### Service Template System (templates/service-template/)
- Complete template with all common patterns
- Traefik labels, health checks, dependencies
- Environment variable examples
- Comprehensive README with usage instructions
- Ensures consistency across all new services
### OpenTofu/Terraform IaC (terraform/)
- Complete Proxmox VM provisioning setup
- Cloud-init automation for Docker host creation
- Automated Docker installation and configuration
- Media directory structure creation
- Step-by-step documentation including:
  - Cloud template creation guide
  - Variable configuration examples
  - Resource sizing recommendations
  - Security hardening options
## Documentation Updates
- Updated README with new service URLs
- Added Homarr and Backrest to directory structure
- Updated deployment instructions
- Added service table entries for new services
All new services follow established patterns:
- External homelab network
- Let's Encrypt SSL via Traefik
- Dual domain support (fig.systems + edfig.dev)
- Consistent naming and structure
Traefik Network Fix:
- Change homelab network to external: true
- Consistent with all other services
- Network must be created before deploying Traefik
- Resolves CI validation warning
Labeler Configuration Fix:
- Remove unsupported changed-lines option
- actions/labeler@v5 doesn't support line-based matching
- Simplified to file path matching only
- Removes 'traefik' and 'dependencies' advanced filters
- Resolves 'Unknown config options' error
CI should now pass all validation checks
Core Infrastructure:
- Add LLDAP for centralized user authentication (lldap.fig.systems)
- Configure Tinyauth with LLDAP backend for SSO (auth.fig.systems)
- Set up Traefik v3.3 with Let's Encrypt SSL automation
- Create homelab Docker network for service isolation
Media Services:
- Configure Jellyfin with /media folder mappings (flix.fig.systems)
- Add Jellyseerr for media requests (requests.fig.systems)
- Update Immich with photo library access (photos.fig.systems)
- Set up Sonarr for TV automation (sonarr.fig.systems)
- Set up Radarr for movie automation (radarr.fig.systems)
- Configure SABnzbd for Usenet downloads (sabnzbd.fig.systems)
- Add qBittorrent for torrent downloads (qbt.fig.systems)
Utility Services:
- Update Linkwarden with proper networking (links.fig.systems)
- Configure Vikunja task management (tasks.fig.systems)
- Set up LubeLogger vehicle tracking (garage.fig.systems)
- Configure Calibre-web for ebooks (books.fig.systems)
- Add Booklore for book tracking (booklore.fig.systems)
- Update FreshRSS reader (rss.fig.systems)
- Update RSSHub with internal networking (rsshub.fig.systems)
- Update MicroBin pastebin (paste.fig.systems)
- Add File Browser for media access (files.fig.systems)
Technical Improvements:
- Standardize all compose files to compose.yaml (Docker best practice)
- Add Traefik labels to all services for SSL termination
- Implement proper network isolation (homelab + service-specific networks)
- Add health checks to database services
- Configure dual domain support (fig.systems + edfig.dev)
- Set proper /media folder mappings for all media services
- Add comprehensive README with deployment instructions
Security:
- Enable SSO via Tinyauth for most services
- Configure LLDAP with admin user (edfig/admin@edfig.dev)
- Services with built-in auth have SSO disabled by default
- All traffic secured with automatic Let's Encrypt certificates