Move docker files for candidate services to dev branch

2026-03-19 12:14:06 -04:00
27 changed files with 142 additions and 718 deletions
--- a/beszel/.gitignore
+++ b/beszel/.gitignore
@@ -1,3 +0,0 @@
 /beszel_agent_data/
 /beszel_data/
--- a/beszel/compose.full
+++ b/beszel/compose.full
@@ -1,27 +0,0 @@
 services:
  beszel:
    image: henrygd/beszel:latest
    container_name: beszel
    restart: unless-stopped
    environment:
      APP_URL: http://localhost:8090
    ports:
      - 8090:8090
    volumes:
      - ./beszel_data:/beszel_data
      - ./beszel_socket:/beszel_socket
  beszel-agent:
    image: henrygd/beszel-agent:latest
    container_name: beszel-agent
    restart: unless-stopped
    network_mode: host
    volumes:
      - ./beszel_agent_data:/var/lib/beszel-agent
      - ./beszel_socket:/beszel_socket
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      LISTEN: /beszel_socket/beszel.sock
      HUB_URL: http://localhost:8090
      TOKEN: da52524a-fa93-47ef-908c-dd001c9e8e18
      KEY: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgDayLLA8JOzQ7fZtqTlUaRIQvhtoYSZvkUC9PrdQJG"
--- a/beszel/compose.hubonly
+++ b/beszel/compose.hubonly
@@ -1,13 +0,0 @@
 services:
  beszel:
    image: henrygd/beszel:latest
    container_name: beszel
    restart: unless-stopped
    environment:
      APP_URL: http://localhost:8090
    ports:
      - 8090:8090
    volumes:
      - ./beszel_data:/beszel_data
      - ./beszel_socket:/beszel_socket
--- a/beszel/compose.yaml
+++ b/beszel/compose.yaml
@@ -1,27 +0,0 @@
 services:
  beszel:
    image: henrygd/beszel:latest
    container_name: beszel
    restart: unless-stopped
    environment:
      APP_URL: http://localhost:8090
    ports:
      - 8090:8090
    volumes:
      - /var/lib/beszel/beszel_data:/beszel_data
      - /var/lib/beszel/beszel_socket:/beszel_socket
  beszel-agent:
    image: henrygd/beszel-agent:latest
    container_name: beszel-agent
    restart: unless-stopped
    network_mode: host
    volumes:
      - /var/lib/beszel/beszel_agent_data:/var/lib/beszel-agent
      - /var/lib/beszel/beszel_socket:/beszel_socket
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      LISTEN: /beszel_socket/beszel.sock
      HUB_URL: http://localhost:8090
      TOKEN: da52524a-fa93-47ef-908c-dd001c9e8e18
      KEY: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgDayLLA8JOzQ7fZtqTlUaRIQvhtoYSZvkUC9PrdQJG"
--- a/gitea/compose.yaml
+++ b/gitea/compose.yaml
@@ -18,7 +18,7 @@ services:
    networks:
      - gitea
    volumes:
-      - /var/lib/gitea/data:/data
+      - /mnt/storage/appdata/gitea/data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
@@ -38,6 +38,6 @@ services:
    networks:
      - gitea
    volumes:
-      - /var/lib/gitea/db:/var/lib/mysql
+      - /mnt/storage/appdata/gitea/mysql:/var/lib/mysql
--- a/heimdall/compose.yaml
+++ b/heimdall/compose.yaml
@@ -0,0 +1,19 @@
 services:
  heimdall:
    image: lscr.io/linuxserver/heimdall:latest
    container_name: heimdall
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
    ports:
      - 9088:80
      - 7443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /mnt/storage/appdata/heimdall/config:/data
--- a/immich/.env
+++ b/immich/.env
@@ -1,9 +1,9 @@
 # You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables
 # The location where your uploaded files are stored
-UPLOAD_LOCATION=/var/lib/immich/data
+UPLOAD_LOCATION=/mnt/storage/appdata/immich/library
 # The location where your database files are stored
-DB_DATA_LOCATION=/var/lib/immich/db
+DB_DATA_LOCATION=/mnt/storage/appdata/immich/postgres
 # To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
 TZ=America/New_York
--- a/jellyfin/compose.yaml
+++ b/jellyfin/compose.yaml
@@ -4,19 +4,19 @@ services:
    container_name: jellyfin
    network_mode: 'host'
    volumes:
-      - /etc/jellyfin:/config
+      - /mnt/storage/appdata/jellyfin/config:/config
-#      - /etc/jellyfin/web-config.json:/jellyfin/jellyfin-web/config.json
+      - /mnt/storage/appdata/jellyfin/config/web-config.json:/jellyfin/jellyfin-web/config.json
-      - /var/lib/jellyfin/cache:/cache
+      - /mnt/storage/appdata/jellyfin/cache:/cache
      - /mnt/cygnus:/cygnus:ro
      - type: bind
-        source: /var/lib/jellyfin/media
+        source: /mnt/storage/appdata/jellyfin/media
        target: /media
        read_only: true
    restart: 'unless-stopped'
    # Optional - alternative address used for autodiscovery
-    environment:
+    # environment:
-      - JELLYFIN_PublishedServerUrl=http://127.0.0.1:8096
+    #   - JELLYFIN_PublishedServerUrl=http://example.com
    # Optional - may be necessary for docker healthcheck to pass if running in host network mode
    # extra_hosts:
    #   - 'host.docker.internal:host-gateway'
-    
+      
--- a/karakeep/.env
+++ b/karakeep/.env
@@ -0,0 +1,5 @@
 KARAKEEP_VERSION=release
 NEXTAUTH_SECRET=ii3vppdsl98803
 MEILI_MASTER_KEY=tutuewiro5.03092
 NEXTAUTH_URL=http://localhost:3013
--- a/karakeep/compose.yaml
+++ b/karakeep/compose.yaml
@@ -0,0 +1,44 @@
 services:
  web:
    image: ghcr.io/karakeep-app/karakeep:${KARAKEEP_VERSION:-release}
    restart: unless-stopped
    volumes:
      # By default, the data is stored in a docker volume called "data".
      # If you want to mount a custom directory, change the volume mapping to:
      # - /path/to/your/directory:/data
      - /mnt/storage/appdata/karakeep/data:/data
    ports:
      - 3013:3000
    env_file:
      - .env
    environment:
      MEILI_ADDR: http://meilisearch:7700
      BROWSER_WEB_URL: http://chrome:9222
      # OPENAI_API_KEY: ...
      # You almost never want to change the value of the DATA_DIR variable.
      # If you want to mount a custom directory, change the volume mapping above instead.
      DATA_DIR: /data # DON'T CHANGE THIS
  chrome:
    image: gcr.io/zenika-hub/alpine-chrome:124
    restart: unless-stopped
    command:
      - --no-sandbox
      - --disable-gpu
      - --disable-dev-shm-usage
      - --remote-debugging-address=0.0.0.0
      - --remote-debugging-port=9222
      - --hide-scrollbars
  meilisearch:
    image: getmeili/meilisearch:v1.13.3
    restart: unless-stopped
    env_file:
      - .env
    environment:
      MEILI_NO_ANALYTICS: "true"
    volumes:
      - meilisearch:/meili_data
 volumes:
  meilisearch:
  data:
--- a/loki/README.md
+++ b/loki/README.md
@@ -1,121 +0,0 @@
 # Homelab Log Aggregation Stack
 Grafana Alloy + Loki + Grafana, configured for:
 - **MikroTik RB5009** (and other network devices) via syslog
 - **Docker container logs** on the host machine
 ## Quick Start
 ```bash
 # (Optional) load secrets first if using the Vaultwarden secrets workflow
 # ./secrets-load.sh docker/loki-stack .env
 docker compose up -d
 ```
 Grafana will be available at **http://\<host-ip\>:3098**
 Default login: `admin` / `admin` — you will be prompted to change this.
 ---
 ## MikroTik RB5009 Configuration
 In RouterOS (Winbox or SSH), run:
 ```routeros
 # Create a remote logging action pointing at this Docker host
 /system logging action
 add name=remote-loki \
    target=remote \
    remote=<YOUR-DOCKER-HOST-IP> \
    remote-port=514 \
    bsd-syslog=yes \
    syslog-facility=local0 \
    syslog-severity=auto
 # Send all log topics to Loki
 /system logging
 add action=remote-loki topics=all
 ```
 To verify it's working, SSH into the RB5009 and run:
 ```routeros
 /log print follow
 ```
 ...then in Grafana, open Explore → Loki and query `{source="network"}`.
 You should see entries appearing within a few seconds.
 ---
 ## Useful LogQL Queries
 **All RB5009 logs:**
 ```logql
 {job="syslog", source="network"}
 ```
 **RB5009 interface/link events only:**
 ```logql
 {job="syslog", source="network"} |= "link"
 ```
 **All logs from a specific Docker container:**
 ```logql
 {job="docker", container="myapp"}
 ```
 **Errors across all Docker containers:**
 ```logql
 {job="docker"} |= "error" | logfmt | level="error"
 ```
 **Everything in the last 24 hours, newest first:**
 ```logql
 {job=~"syslog|docker"} | line_format "{{.source}} {{.container}} {{.message}}"
 ```
 ---
 ## File Layout
 ```
 loki-stack/
 ├── docker-compose.yml
 ├── alloy/
 │   └── config.alloy        # Alloy pipeline config (syslog + Docker)
 ├── loki/
 │   └── loki-config.yml     # Loki storage and retention config
 └── grafana/
    └── provisioning/
        └── datasources/
            └── loki.yml    # Auto-provisions Loki as default datasource
 ```
 ## Retention
 Logs are kept for **90 days** by default. To change this, edit `loki/loki-config.yml`:
 ```yaml
 limits_config:
  retention_period: 30d   # or 180d, etc.
 ```
 Then restart Loki: `docker compose restart loki`
 ## Adding More Syslog Sources
 Any device that can send syslog (UDP/TCP 514) will work automatically —
 the `host` label will be set from the syslog hostname field, so you can
 filter per-device in Grafana with `{host="my-device-hostname"}`.
 ---
 ## Integrating with the Vaultwarden Secrets Workflow
 If you're using the `secrets-load.sh` script, store the Grafana admin
 password as a custom field named `GF_SECURITY_ADMIN_PASSWORD` in a
 Vaultwarden item called `docker/loki-stack`, then replace the hardcoded
 value in `docker-compose.yml` with:
 ```yaml
 env_file:
  - .env
 ```
--- a/loki/alloy/config.alloy
+++ b/loki/alloy/config.alloy
@@ -1,90 +0,0 @@
 // Grafana Alloy configuration
 // Collects:
 //   1. Syslog over UDP/TCP port 514  — for MikroTik RB5009 and other network gear
 //   2. Docker container logs          — for all containers on this host
 // Forwards everything to Loki.
 // ── 1. SYSLOG RECEIVER ────────────────────────────────────────────────────────
 // Listens on 514 UDP and TCP. Point your MikroTik logging action at this host.
 loki.source.syslog "network_devices" {
  listener {
    address  = "0.0.0.0:514"
    protocol = "udp"
    labels   = {
      job    = "syslog",
      source = "network",
    }
  }
  listener {
    address  = "0.0.0.0:514"
    protocol = "tcp"
    labels   = {
      job    = "syslog",
      source = "network",
    }
  }
  // Forward to the relabeling stage below
  forward_to = [loki.process.syslog_relabel.receiver]
 }
 // Relabel syslog: promote the hostname field (sent by RouterOS) to a label
 // so you can filter by device in Grafana with {host="RB5009"} etc.
 loki.process "syslog_relabel" {
  stage.labels {
    values = {
      host     = "__syslog_message_hostname",
      severity = "__syslog_message_severity",
      facility = "__syslog_message_facility",
      app      = "__syslog_message_app_name",
    }
  }
  forward_to = [loki.write.default.receiver]
 }
 // ── 2. DOCKER CONTAINER LOGS ─────────────────────────────────────────────────
 // Tails logs from all Docker containers on this host.
 // Adds container_name and image as labels for easy filtering.
 discovery.docker "containers" {
  host = "unix:///var/run/docker.sock"
 }
 // Relabel Docker metadata into useful Loki labels
 discovery.relabel "docker_labels" {
  targets = discovery.docker.containers.targets
  rule {
    source_labels = ["__meta_docker_container_name"]
    regex         = "/(.*)"
    target_label  = "container"
  }
  rule {
    source_labels = ["__meta_docker_container_log_stream"]
    target_label  = "stream"
  }
  rule {
    source_labels = ["__meta_docker_image_name"]
    target_label  = "image"
  }
 }
 loki.source.docker "docker_logs" {
  host          = "unix:///var/run/docker.sock"
  targets       = discovery.relabel.docker_labels.output
  labels        = { job = "docker" }
  forward_to    = [loki.write.default.receiver]
  relabel_rules = discovery.relabel.docker_labels.rules
 }
 // ── 3. LOKI WRITE TARGET ──────────────────────────────────────────────────────
 // All sources above forward here.
 loki.write "default" {
  endpoint {
    url = "http://loki:3100/loki/api/v1/push"
  }
 }
--- a/loki/compose.yaml
+++ b/loki/compose.yaml
@@ -1,69 +0,0 @@
 ---
 # Loki + Alloy + Grafana log aggregation stack
 # Place this file in a directory e.g. ~/docker/loki-stack/
 # Run with: docker compose up -d
 networks:
  logging:
    driver: bridge
 services:
  # ── Loki: log storage and query engine ──────────────────────────────────────
  loki:
    image: grafana/loki:3.4.2
    container_name: loki
    restart: unless-stopped
    networks:
      - logging
    ports:
      - "3100:3100"       # Loki HTTP API (Alloy pushes here; Grafana queries here)
    volumes:
      - /var/lib/loki:/loki
      - /etc/loki:/etc/loki:ro
    command: -config.file=/etc/loki/loki.yml
    healthcheck:
      test: ["CMD-SHELL", "wget -q --spider http://localhost:3100/ready || exit 1"]
      interval: 30s
      timeout: 5s
      retries: 5
  # ── Alloy: log collector / syslog receiver ───────────────────────────────────
  alloy:
    image: grafana/alloy:v1.7.5
    container_name: alloy
    restart: unless-stopped
    networks:
      - logging
    ports:
      - "5140:5140/udp"     # Syslog UDP (for MikroTik and other network devices)
      - "5140:5140/tcp"     # Syslog TCP
      - "12345:12345"     # Alloy UI (optional, useful for debugging)
    volumes:
      - /etc/alloy/alloy.alloy:/etc/alloy/config.alloy:ro
      - /var/lib/docker/containers:/var/lib/docker/containers:ro  # Docker log access
      - /var/run/docker.sock:/var/run/docker.sock:ro              # Docker metadata
    command: run /etc/alloy/config.alloy --server.http.listen-addr=0.0.0.0:12345
    depends_on:
      loki:
        condition: service_healthy
  # ── Grafana: log query UI ────────────────────────────────────────────────────
  grafana:
    image: grafana/grafana:11.5.2
    container_name: grafana
    restart: unless-stopped
    networks:
      - logging
    ports:
      - "3098:3000"
    volumes:
      - /var/lib/grafana:/var/lib/grafana
      - /etc/grafana/grafana-datasources.yml:/etc/grafana/provisioning/datasources/loki.yml:ro
    environment:
      - GF_AUTH_ANONYMOUS_ENABLED=true         # Remove if you want login
      - GF_AUTH_ANONYMOUS_ORG_ROLE=Admin       # Remove if you want login
      - GF_SECURITY_ADMIN_PASSWORD=changeme    # Change this
    depends_on:
      loki:
        condition: service_healthy
--- a/loki/config/alloy.alloy
+++ b/loki/config/alloy.alloy
@@ -1,89 +0,0 @@
 // Grafana Alloy configuration
 // Collects:
 //   1. Syslog over UDP/TCP port 514  — for MikroTik RB5009 and other network gear
 //   2. Docker container logs          — for all containers on this host
 // Forwards everything to Loki.
 // ── 1. SYSLOG RECEIVER ────────────────────────────────────────────────────────
 // Listens on 514 UDP and TCP. Point your MikroTik logging action at this host.
 loki.source.syslog "network_devices" {
  listener {
    address       = "0.0.0.0:5140"
    protocol      = "udp"
    syslog_format = "rfc3164"
    labels = {
      job    = "syslog",
      source = "network",
    }
  }
  listener {
    address       = "0.0.0.0:5140"
    protocol      = "tcp"
    syslog_format = "rfc3164"
    labels = {
      job    = "syslog",
      source = "network",
    }
  }
  forward_to = [loki.process.syslog_relabel.receiver]
 }
 // Enrich syslog entries with a hostname label extracted from the syslog message
 loki.process "syslog_relabel" {
  forward_to = [loki.write.local_loki.receiver]
  stage.labels {
    values = {
      // These internal __syslog_message_ labels are created by the source component
      hostname = "__syslog_message_hostname",
      app      = "__syslog_message_app_name",
      severity = "__syslog_message_severity",
      facility = "__syslog_message_facility",
    }
  }
 }
 // ── 2. DOCKER CONTAINER LOGS ─────────────────────────────────────────────────
 // Tails logs from all Docker containers on this host.
 // Adds container name and image as labels for easy filtering.
 discovery.docker "containers" {
  host = "unix:///var/run/docker.sock"
 }
 // Relabel Docker metadata into useful Loki labels.
 discovery.relabel "docker_labels" {
  targets = discovery.docker.containers.targets
  rule {
    source_labels = ["__meta_docker_container_name"]
    regex         = "/(.*)"
    target_label  = "container"
  }
  rule {
    source_labels = ["__meta_docker_container_log_stream"]
    target_label  = "stream"
  }
  rule {
    source_labels = ["__meta_docker_image_name"]
    target_label  = "image"
  }
 }
 loki.source.docker "docker_logs" {
  host       = "unix:///var/run/docker.sock"
  targets    = discovery.relabel.docker_labels.output
  labels     = { job = "docker" }
  forward_to = [loki.write.local_loki.receiver]
 }
 // ── 3. LOKI WRITE TARGET ──────────────────────────────────────────────────────
 loki.write "local_loki" {
  endpoint {
    url = "http://loki:3100/loki/api/v1/push"
  }
 }
--- a/loki/config/alloy.original
+++ b/loki/config/alloy.original
@@ -1,98 +0,0 @@
 // Alloy configuration
 // Collects: (1) Docker container logs, (2) Syslog from network devices (MikroTik etc.)
 // Pushes everything to local Loki instance.
 // ── Loki destination ──────────────────────────────────────────────────────────
 loki.write "local_loki" {
  endpoint {
    url = "http://loki:3100/loki/api/v1/push"
  }
 }
 // ── Docker container log collection ──────────────────────────────────────────
 // Discovers all running containers and tails their logs automatically.
 // New containers are picked up without restarting Alloy.
 discovery.docker "containers" {
  host = "unix:///var/run/docker.sock"
 }
 discovery.relabel "docker_labels" {
  targets = discovery.docker.containers.targets
  // Use container name as the job label (strips the leading slash Docker adds)
  rule {
    source_labels = ["__meta_docker_container_name"]
    regex         = "/(.*)"
    target_label  = "container"
  }
  // Carry through the Docker Compose service name if present
  rule {
    source_labels = ["__meta_docker_container_label_com_docker_compose_service"]
    target_label  = "service"
  }
  // Carry through the Docker Compose project name if present
  rule {
    source_labels = ["__meta_docker_container_label_com_docker_compose_project"]
    target_label  = "compose_project"
  }
  rule {
    target_label = "source"
    replacement  = "docker"
  }
 }
 loki.source.docker "docker_logs" {
  host          = "unix:///var/run/docker.sock"
  targets       = discovery.relabel.docker_labels.output
  forward_to    = [loki.write.local_loki.receiver]
  relabeling {
    source_labels = ["__meta_docker_container_name"]
    regex         = "/(.*)"
    target_label  = "container"
  }
 }
 // ── Syslog receiver (MikroTik RB5009 and other network devices) ──────────────
 // Listens on UDP 514 and TCP 514.
 // On your RB5009, set the remote logging action to point at this host's IP.
 loki.source.syslog "network_syslog" {
  listener {
    address  = "0.0.0.0:514"
    protocol = "udp"
    labels = {
      source = "syslog",
      job    = "network_devices",
    }
  }
  listener {
    address  = "0.0.0.0:514"
    protocol = "tcp"
    labels = {
      source = "syslog",
      job    = "network_devices",
    }
  }
  forward_to = [loki.process.syslog_relabel.receiver]
 }
 // Enrich syslog entries with a hostname label extracted from the syslog message
 loki.process "syslog_relabel" {
  forward_to = [loki.write.local_loki.receiver]
  stage.syslog {}   // Parses RFC3164/RFC5424 syslog and extracts hostname, app, facility, severity
  stage.labels {
    values = {
      hostname = "hostname",   // Extracted by stage.syslog
      app      = "app_name",   // e.g. "dhcp", "firewall", "interface" on RouterOS
      severity = "severity",
      facility = "facility",
    }
  }
 }
--- a/loki/config/grafana-datasources.yml
+++ b/loki/config/grafana-datasources.yml
@@ -1,16 +0,0 @@
 # Grafana datasource provisioning
 # Automatically configures Loki as a datasource on first startup.
 # No manual setup needed in the Grafana UI.
 apiVersion: 1
 datasources:
  - name: Loki
    type: loki
    access: proxy
    url: http://loki:3100
    isDefault: true
    editable: false
    jsonData:
      maxLines: 5000
      timeout: 60
--- a/loki/config/loki.yml
+++ b/loki/config/loki.yml
@@ -1,58 +0,0 @@
 # Loki configuration - single binary mode, suitable for homelab scale
 # Docs: https://grafana.com/docs/loki/latest/configuration/
 auth_enabled: false
 server:
  http_listen_port: 3100
  grpc_listen_port: 9096
  log_level: warn
 common:
  instance_addr: 127.0.0.1
  path_prefix: /loki
  storage:
    filesystem:
      chunks_directory: /loki/chunks
      rules_directory: /loki/rules
  replication_factor: 1
  ring:
    kvstore:
      store: inmemory
 schema_config:
  configs:
    - from: 2024-01-01
      store: tsdb
      object_store: filesystem
      schema: v13
      index:
        prefix: index_
        period: 24h
 # ── Retention ─────────────────────────────────────────────────────────────────
 # Adjust these to suit your disk space. 90 days is a good starting point for
 # homelab troubleshooting — long enough to catch recurring issues.
 limits_config:
  retention_period: 90d
  reject_old_samples: true
  reject_old_samples_max_age: 168h  # 7 days — increase if needed
  ingestion_rate_mb: 4
  ingestion_burst_size_mb: 8
 compactor:
  working_directory: /loki/compactor
  retention_enabled: true
  retention_delete_delay: 2h
  delete_request_store: filesystem
 # ── Query performance ─────────────────────────────────────────────────────────
 query_range:
  results_cache:
    cache:
      embedded_cache:
        enabled: true
        max_size_mb: 100
 ruler:
  alertmanager_url: http://localhost:9093
--- a/loki/grafana/provisioning/datasources/loki.yml
+++ b/loki/grafana/provisioning/datasources/loki.yml
@@ -1,17 +0,0 @@
 apiVersion: 1
 datasources:
  - name: Loki
    type: loki
    access: proxy
    url: http://loki:3100
    isDefault: true
    editable: false
    jsonData:
      maxLines: 5000
      # Derive fields let you turn log content into clickable links.
      # This example makes trace IDs in logs clickable — remove if not needed.
      derivedFields:
        - name: TraceID
          matcherRegex: "traceID=(\\w+)"
          url: ""
--- a/loki/loki/loki-config.yml
+++ b/loki/loki/loki-config.yml
@@ -1,57 +0,0 @@
 # Loki configuration — single-binary mode, suitable for homelab scale
 # Stores data in the local filesystem via the 'loki-data' Docker volume
 auth_enabled: false
 server:
  http_listen_port: 3100
  grpc_listen_port: 9096
  log_level: warn
 common:
  instance_addr: 127.0.0.1
  path_prefix: /loki
  storage:
    filesystem:
      chunks_directory: /loki/chunks
      rules_directory: /loki/rules
  replication_factor: 1
  ring:
    kvstore:
      store: inmemory
 # How long to keep logs. Adjust to taste.
 # 90 days is generous but reasonable for a homelab — tune down if disk is tight.
 limits_config:
  retention_period: 90d
  reject_old_samples: true
  reject_old_samples_max_age: 168h  # 7 days — increase if needed
 # Reject log lines larger than 256KB (protects against runaway logging)
  max_line_size: 256KB
 schema_config:
  configs:
    - from: 2024-01-01
      store: tsdb
      object_store: filesystem
      schema: v13
      index:
        prefix: index_
        period: 24h
 compactor:
  working_directory: /loki/compactor
  # Enables the retention policy above
  retention_enabled: true
  retention_delete_delay: 2h
  delete_request_store: filesystem
 query_range:
  results_cache:
    cache:
      embedded_cache:
        enabled: true
        max_size_mb: 100
 ruler:
  alertmanager_url: http://localhost:9093
--- a/matter-server/compose.yaml
+++ b/matter-server/compose.yaml
@@ -1,11 +0,0 @@
 services:  
  matter-server:  
    container_name: matter-server  
    image: ghcr.io/home-assistant-libs/python-matter-server:stable  
    restart: unless-stopped  
    security_opt:  
      - apparmor=unconfined  
    volumes:  
      - ./data:/data  
      - /run/dbus:/run/dbus:ro  
    network_mode: host
--- a/mealie/compose.yaml
+++ b/mealie/compose.yaml
@@ -0,0 +1,21 @@
 services:
  mealie:
    image: ghcr.io/mealie-recipes/mealie:v2.8.0 # 
    container_name: mealie
    restart: always
    ports:
        - "9925:9000" # 
    deploy:
      resources:
        limits:
          memory: 1000M # 
    volumes:
      - /mnt/storage/appdata/mealie/data:/app/data/
    environment:
      # Set Backend ENV Variables Here
      ALLOW_SIGNUP: "false"
      PUID: 1000
      PGID: 1000
      TZ: America/New_York
      BASE_URL: https://mealie.objectbrokers.com.com
--- a/nextcloud/compose.yaml
+++ b/nextcloud/compose.yaml
@@ -4,7 +4,7 @@ services:
    restart: always
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    volumes:
-      - /var/lib/nextcloud/db:/var/lib/mysql
+      - /mnt/storage/appdata/nextcloud/mysql:/var/lib/mysql
    networks:
      - default
    environment:
@@ -21,7 +21,7 @@ services:
    ports:
      - 8080:80
    volumes:
-      - /var/lib/nextcloud/data/www/html:/var/www/html
+      - /mnt/storage/appdata/nextcloud/www/html:/var/www/html
    networks:
      - default
    environment:
--- a/portainer/compose.yaml
+++ b/portainer/compose.yaml
@@ -1,16 +1,33 @@
 services:
  portainer:
-    image: portainer/portainer-ce:lts
+    image: portainer/portainer:latest
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - /var/lib/portainer:/data
+      - /mnt/storage/appdata/portainer/data:/data
    ports:
-      - 9443:9443
+      - 9000:9000
-      - 8000:8000
+    labels:
      - "traefik.enable=false"
      - "traefik.http.routers.portainer.entrypoints=http"
      - "traefik.http.routers.portainer.rule=Host(`portainer.objectbrokers.com`)"
      - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
      - "traefik.http.routers.portainer-secure.entrypoints=https"
      - "traefik.http.routers.portainer-secure.rule=Host(`portainer.objectbrokers.com`)"
      - "traefik.http.routers.portainer-secure.tls=true"
      - "traefik.http.routers.portainer-secure.tls.certresolver=http"
      - "traefik.http.routers.portainer-secure.service=portainer"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "traefik.docker.network=proxy"
 networks:
-  default:
+  proxy:
-    name: portainer_network
+    external: true
--- a/stirling/.gradle/4.4.1/fileChanges/last-build.bin
+++ b/stirling/.gradle/4.4.1/fileChanges/last-build.bin
--- a/stirling/.gradle/4.4.1/fileHashes/fileHashes.lock
+++ b/stirling/.gradle/4.4.1/fileHashes/fileHashes.lock
--- a/stirling/compose.yaml
+++ b/stirling/compose.yaml
@@ -0,0 +1,14 @@
 services:
  stirling-pdf:
    image: docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest
    ports:
      - '8329:8080'
    volumes:
      - /mnt/storage/appdata/StirlingPDF/trainingData:/usr/share/tessdata # Required for extra OCR languages
      - /mnt/storage/appdata/StirlingPDF/extraConfigs:/configs
      - /mnt/storage/appdata/StirlingPDF/customFiles:/customFiles/
      - /mnt/storage/appdata/StirlingPDF/logs:/logs/
      - /mnt/storage/appdata/StirlingPDF/pipeline:/pipeline/
    environment:
      - DISABLE_ADDITIONAL_FEATURES=false
      - LANGS=en_US
--- a/vaultwarden/compose.yaml
+++ b/vaultwarden/compose.yaml
@@ -8,10 +8,10 @@ services:
      - 8030:80
    environment:
 #      - DOMAIN='https://vaultwarden.objectbrokers.com'
-      - ADMIN_TOKEN=mfLzuPlsXDqtIwTGSN/oZ3cgmFKWXY/zv+hO94gtqsJeHdl7+O+tJeMZrTzQNMfI
+      - ADMIN_TOKEN="llanfairpwll"
 #      DOMAIN: "https://vaultwarden.objectbrokers.com"  # Your domain; vaultwarden needs to know it's https to work properly with attachments
 #      ADMIN_TOKEN: ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}
    volumes:
-      - /var/lib/vaultwarden:/data
+      - /mnt/storage/appdata/bitwarden:/data