fix(core): mount backrest config directory instead of file

Backrest requires atomic file operations for config updates,
which fail with single-file bind mounts.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

CLAUDE.md

@@ -25,7 +25,7 @@ Root `compose.yaml` uses Docker Compose's `include` directive to orchestrate mul
 - **kit**: Unified toolkit with Vert file converter and miniPaint image editor (path-routed)
 - **jelly**: Jellyfin media server with hardware transcoding
 - **drop**: PairDrop peer-to-peer file sharing
-- **ai**: AI infrastructure with Open WebUI, Crawl4AI, and pgvector (PostgreSQL)
+- **ai**: AI infrastructure with Open WebUI, ComfyUI proxy, Crawl4AI, and pgvector (PostgreSQL)
 - **asciinema**: Terminal recording and sharing platform (PostgreSQL)
 - **restic**: Backrest backup system with restic backend
 - **netdata**: Real-time infrastructure monitoring
@@ -451,11 +451,13 @@ AI infrastructure with Open WebUI, Crawl4AI, and dedicated PostgreSQL with pgvec
   - User signup enabled
   - Data persisted in `ai_webui_data` volume
 
-- **crawl4ai**: Crawl4AI web scraping service (internal API, no public access)
+- **comfyui**: ComfyUI reverse proxy exposed at `comfy.ai.pivoine.art:80`
-  - Optimized web scraper for LLM content preparation
+  - Nginx-based proxy to ComfyUI running on RunPod GPU server
-  - Internal API on port 11235 (not exposed via Traefik)
+  - Node-based UI for Flux.1 Schnell image generation workflows
-  - Designed for integration with Open WebUI and n8n workflows
+  - Proxies to RunPod via Tailscale VPN (100.121.199.88:8188)
-  - Data persisted in `ai_crawl4ai_data` volume
+  - Protected by Authelia SSO authentication
+  - WebSocket support for real-time updates
+  - Stateless architecture (no data persistence on VPS)
 
 **Configuration**:
 - **Claude Integration**: Uses Anthropic API with OpenAI-compatible endpoint
@@ -476,11 +478,71 @@ AI infrastructure with Open WebUI, Crawl4AI, and dedicated PostgreSQL with pgvec
 4. Use web search feature for current information
 5. Integrate with n8n workflows for automation
 
+**Flux Image Generation** (`functions/flux_image_gen.py`):
+Open WebUI function for generating images via Flux.1 Schnell on RunPod GPU:
+- Manifold function adds "Flux.1 Schnell (4-5s)" model to Open WebUI
+- Routes requests through LiteLLM → Orchestrator → RunPod Flux
+- Generates 1024x1024 images in 4-5 seconds
+- Returns images as base64-encoded markdown
+- Configuration via Valves (API base, timeout, default size)
+- **Automatically loaded via Docker volume mount** (`./functions:/app/backend/data/functions:ro`)
+
+**Deployment**:
+- Function file tracked in `ai/functions/` directory
+- Automatically available after `pnpm arty up -d ai_webui`
+- No manual import required - infrastructure as code
+
+See `ai/FLUX_SETUP.md` for detailed setup instructions and troubleshooting.
+
+**ComfyUI Image Generation**:
+ComfyUI provides a professional node-based interface for creating Flux image generation workflows:
+
+**Architecture**:
+```
+User → Traefik (VPS) → Authelia SSO → ComfyUI Proxy (nginx) → Tailscale → ComfyUI (RunPod:8188) → Flux Model (GPU)
+```
+
+**Access**:
+1. Navigate to https://comfy.ai.pivoine.art
+2. Authenticate via Authelia SSO
+3. Create node-based workflows in ComfyUI interface
+4. Use Flux.1 Schnell model from HuggingFace cache at `/workspace/ComfyUI/models/huggingface_cache`
+
+**RunPod Setup** (via Ansible):
+ComfyUI is installed on RunPod using the Ansible playbook at `/home/valknar/Projects/runpod/playbook.yml`:
+- Clone ComfyUI from https://github.com/comfyanonymous/ComfyUI
+- Install dependencies from `models/comfyui/requirements.txt`
+- Create model directory structure (checkpoints, unet, vae, loras, clip, controlnet)
+- Symlink Flux model from HuggingFace cache
+- Start service via `models/comfyui/start.sh` on port 8188
+
+**To deploy ComfyUI on RunPod**:
+```bash
+# Run Ansible playbook with comfyui tag
+ssh -p 16186 root@213.173.110.150
+cd /workspace/ai
+ansible-playbook playbook.yml --tags comfyui --skip-tags always
+
+# Start ComfyUI service
+bash models/comfyui/start.sh &
+```
+
+**Proxy Configuration**:
+The VPS runs an nginx proxy (`ai/comfyui-nginx.conf`) that:
+- Listens on port 80 inside container
+- Forwards to RunPod via Tailscale (100.121.199.88:8188)
+- Supports WebSocket upgrades for real-time updates
+- Handles large file uploads (100M limit)
+- Uses extended timeouts for long-running generations (300s)
+
+**Note**: ComfyUI runs directly on RunPod GPU server, not in a container. All data is stored on RunPod's `/workspace` volume.
+
 **Integration Points**:
 - **n8n**: Workflow automation with AI tasks (scraping, RAG ingestion, webhooks)
 - **Mattermost**: Can send AI-generated notifications via webhooks
 - **Crawl4AI**: Internal API for advanced web scraping
 - **Claude API**: Primary LLM provider via Anthropic
+- **Flux via RunPod**: Image generation through orchestrator (GPU server) or ComfyUI
 
 **Future Enhancements**:
 - GPU server integration (IONOS A10 planned)
@@ -659,7 +721,7 @@ Backrest backup system with restic backend:
     - Retention: 7 daily, 4 weekly, 3 monthly
 
 16. **ai-backup** (3 AM daily)
-    - Paths: `/volumes/ai_postgres_data`, `/volumes/ai_webui_data`, `/volumes/ai_crawl4ai_data`
+    - Paths: `/volumes/ai_postgres_data`, `/volumes/ai_webui_data`
     - Retention: 7 daily, 4 weekly, 6 monthly, 2 yearly
 
 17. **asciinema-backup** (11 AM daily)
@@ -670,8 +732,7 @@ Backrest backup system with restic backend:
 All Docker volumes are mounted read-only to `/volumes/` with prefixed names (e.g., `backup_core_postgres_data`) to avoid naming conflicts with other compose stacks.
 
 **Configuration Management**:
-- `config.json` template in repository defines all backup plans
+- `core/backrest/config.json` in repository defines all backup plans (bind-mounted to container)
-- On first run, copy config into volume: `docker cp restic/config.json restic_app:/config/config.json`
 - Config version must be `4` for Backrest 1.10.1 compatibility
 - Backrest manages auth automatically (username: `valknar`, password set via web UI on first access)
 
@@ -709,7 +770,7 @@ Each service uses named volumes prefixed with project name:
 - `vault_data`: Vaultwarden password vault (SQLite database)
 - `joplin_data`: Joplin note-taking data
 - `jelly_config`: Jellyfin media server configuration
-- `ai_postgres_data`, `ai_webui_data`, `ai_crawl4ai_data`: AI stack databases and application data
+- `ai_postgres_data`, `ai_webui_data`: AI stack databases and application data
 - `netdata_config`: Netdata monitoring configuration
 - `restic_data`, `restic_config`, `restic_cache`, `restic_tmp`: Backrest backup system
 - `proxy_letsencrypt_data`: SSL certificates

README.md

@@ -406,11 +406,10 @@ THE FALCON (falcon_network)
 │  ├─ vaultwarden        [vault.pivoine.art] → Password Manager
 │  └─ tandoor            [tandoor.pivoine.art] → Recipe Manager
 │
-├─ 🤖 AI STACK (5 services)
+├─ 🤖 AI STACK (4 services)
 │  ├─ ai_postgres        [Internal] → pgvector Database
 │  ├─ webui              [ai.pivoine.art] → Open WebUI (Claude)
 │  ├─ litellm            [llm.ai.pivoine.art] → API Proxy
-│  ├─ crawl4ai           [Internal:11235] → Web Scraper
 │  └─ facefusion         [facefusion.ai.pivoine.art] → Face AI
 │
 ├─ 🛡️ NET STACK (4 services)
@@ -435,7 +434,7 @@ THE FALCON (falcon_network)
    ├─ Core: postgres_data, redis_data, backrest_*
    ├─ Sexy: directus_uploads, directus_bundle
    ├─ Util: pairdrop_*, joplin_data, linkwarden_*, mattermost_*, vaultwarden_data, tandoor_*
-   ├─ AI: ai_postgres_data, ai_webui_data, ai_crawl4ai_data, facefusion_*
+   ├─ AI: ai_postgres_data, ai_webui_data, facefusion_*
    ├─ Net: letsencrypt_data, netdata_*
    ├─ Media: jelly_config, jelly_cache, filestash_data
    └─ Dev: gitea_*, coolify_data, n8n_data, asciinema_data

ai/compose.yaml

@@ -15,7 +15,7 @@ services:
       - ai_postgres_data:/var/lib/postgresql/data
       - ./postgres/init:/docker-entrypoint-initdb.d
     healthcheck:
-      test: ['CMD-SHELL', 'pg_isready -U ${AI_DB_USER}']
+      test: ["CMD-SHELL", "pg_isready -U ${AI_DB_USER}"]
       interval: 30s
       timeout: 10s
       retries: 3
@@ -66,101 +66,87 @@ services:
 
     volumes:
       - ai_webui_data:/app/backend/data
+      - ./functions:/app/backend/data/functions:ro
     depends_on:
       - ai_postgres
       - litellm
     networks:
       - compose_network
     labels:
-      - 'traefik.enable=${AI_TRAEFIK_ENABLED}'
+      - "traefik.enable=${AI_TRAEFIK_ENABLED}"
       # HTTP to HTTPS redirect
-      - 'traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-redirect-web-secure.redirectscheme.scheme=https'
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-redirect-web-secure.redirectscheme.scheme=https"
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-web.middlewares=${AI_COMPOSE_PROJECT_NAME}-redirect-web-secure'
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-web.middlewares=${AI_COMPOSE_PROJECT_NAME}-redirect-web-secure"
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-web.rule=Host(`${AI_TRAEFIK_HOST}`)'
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-web.rule=Host(`${AI_TRAEFIK_HOST}`)"
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-web.entrypoints=web'
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-web.entrypoints=web"
       # HTTPS router
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-web-secure.rule=Host(`${AI_TRAEFIK_HOST}`)'
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-web-secure.rule=Host(`${AI_TRAEFIK_HOST}`)"
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver"
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure"
-      - 'traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-web-secure-compress.compress=true'
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-web-secure-compress.compress=true"
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${AI_COMPOSE_PROJECT_NAME}-web-secure-compress,security-headers@file'
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${AI_COMPOSE_PROJECT_NAME}-web-secure-compress,security-headers@file"
       # Service
-      - 'traefik.http.services.${AI_COMPOSE_PROJECT_NAME}-web-secure.loadbalancer.server.port=8080'
+      - "traefik.http.services.${AI_COMPOSE_PROJECT_NAME}-web-secure.loadbalancer.server.port=8080"
-      - 'traefik.docker.network=${NETWORK_NAME}'
+      - "traefik.docker.network=${NETWORK_NAME}"
       # Watchtower
-      - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+      - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
 
   # LiteLLM - Proxy to convert Anthropic API to OpenAI-compatible format
   litellm:
     image: ghcr.io/berriai/litellm:main-latest
     container_name: ${AI_COMPOSE_PROJECT_NAME}_litellm
     restart: unless-stopped
+    dns:
+      - 100.100.100.100
+      - 8.8.8.8
     environment:
       TZ: ${TIMEZONE:-Europe/Berlin}
       ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY}
       LITELLM_MASTER_KEY: ${AI_LITELLM_API_KEY}
       DATABASE_URL: postgresql://${AI_DB_USER}:${AI_DB_PASSWORD}@ai_postgres:5432/litellm
+      GPU_VLLM_LLAMA_URL: ${GPU_VLLM_LLAMA_URL}
+      GPU_VLLM_BGE_URL: ${GPU_VLLM_BGE_URL}
       # LITELLM_DROP_PARAMS: 'true'  # DISABLED: Was breaking streaming
-      NO_DOCS: 'true'
+      NO_DOCS: "true"
-      NO_REDOC: 'true'
+      NO_REDOC: "true"
       # Performance optimizations
-      LITELLM_LOG: 'DEBUG'  # Enable detailed logging for debugging streaming issues
+      LITELLM_LOG: "DEBUG" # Enable detailed logging for debugging streaming issues
-      LITELLM_MODE: 'PRODUCTION'  # Production mode for better performance
+      LITELLM_MODE: "PRODUCTION" # Production mode for better performance
     volumes:
       - ./litellm-config.yaml:/app/litellm-config.yaml:ro
     command:
       [
-        '--config',
+        "--config",
-        '/app/litellm-config.yaml',
+        "/app/litellm-config.yaml",
-        '--host',
+        "--host",
-        '0.0.0.0',
+        "0.0.0.0",
-        '--port',
+        "--port",
-        '4000'
+        "4000",
       ]
     depends_on:
       - ai_postgres
-    networks:
-      - compose_network
     healthcheck:
       disable: true
-    labels:
-      - 'traefik.enable=${AI_TRAEFIK_ENABLED}'
-      # HTTP to HTTPS redirect
-      - 'traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-litellm-redirect-web-secure.redirectscheme.scheme=https'
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web.middlewares=${AI_COMPOSE_PROJECT_NAME}-litellm-redirect-web-secure'
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web.rule=Host(`${AI_LITELLM_TRAEFIK_HOST}`)'
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web.entrypoints=web'
-      # HTTPS router
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure.rule=Host(`${AI_LITELLM_TRAEFIK_HOST}`)'
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure.tls.certresolver=resolver'
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure.entrypoints=web-secure'
-      - 'traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure-compress.compress=true'
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure.middlewares=${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure-compress,security-headers@file'
-      # Service
-      - 'traefik.http.services.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure.loadbalancer.server.port=4000'
-      - 'traefik.docker.network=${NETWORK_NAME}'
-      # Watchtower
-      - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
-
-  # Crawl4AI - Web scraping for LLMs (internal API, no public access)
-  crawl4ai:
-    image: ${AI_CRAWL4AI_IMAGE:-unclecode/crawl4ai:latest}
-    container_name: ${AI_COMPOSE_PROJECT_NAME}_crawl4ai
-    restart: unless-stopped
-    environment:
-      TZ: ${TIMEZONE:-Europe/Berlin}
-      # API configuration
-      PORT: ${AI_CRAWL4AI_PORT:-11235}
-    volumes:
-      - ai_crawl4ai_data:/app/.crawl4ai
     networks:
       - compose_network
     labels:
-      # No Traefik exposure - internal only
+      - "traefik.enable=${AI_TRAEFIK_ENABLED}"
-      - 'traefik.enable=false'
+      # HTTP to HTTPS redirect
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-litellm-redirect-web-secure.redirectscheme.scheme=https"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web.middlewares=${AI_COMPOSE_PROJECT_NAME}-litellm-redirect-web-secure"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web.rule=Host(`${AI_LITELLM_TRAEFIK_HOST}`)"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web.entrypoints=web"
+      # HTTPS router
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure.rule=Host(`${AI_LITELLM_TRAEFIK_HOST}`)"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure.entrypoints=web-secure"
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure-compress.compress=true"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure.middlewares=${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure-compress,security-headers@file"
+      # Service
+      - "traefik.http.services.${AI_COMPOSE_PROJECT_NAME}-litellm-web-secure.loadbalancer.server.port=4000"
+      - "traefik.docker.network=${NETWORK_NAME}"
       # Watchtower
-      - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+      - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
-
   # Facefusion - AI face swapping and enhancement
   facefusion:
     build:
@@ -170,7 +156,7 @@ services:
     container_name: ${AI_COMPOSE_PROJECT_NAME}_facefusion
     restart: unless-stopped
     tty: true
-    command: ['python', '-u', 'facefusion.py', 'run']
+    command: ["python", "-u", "facefusion.py", "run"]
     environment:
       TZ: ${TIMEZONE:-Europe/Berlin}
       GRADIO_SERVER_NAME: "0.0.0.0"
@@ -180,30 +166,175 @@ services:
     networks:
       - compose_network
     labels:
-      - 'traefik.enable=${AI_FACEFUSION_TRAEFIK_ENABLED}'
+      - "traefik.enable=${AI_FACEFUSION_TRAEFIK_ENABLED}"
       # HTTP to HTTPS redirect
-      - 'traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-facefusion-redirect-web-secure.redirectscheme.scheme=https'
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-facefusion-redirect-web-secure.redirectscheme.scheme=https"
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web.middlewares=${AI_COMPOSE_PROJECT_NAME}-facefusion-redirect-web-secure'
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web.middlewares=${AI_COMPOSE_PROJECT_NAME}-facefusion-redirect-web-secure"
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web.rule=Host(`${AI_FACEFUSION_TRAEFIK_HOST}`)'
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web.rule=Host(`${AI_FACEFUSION_TRAEFIK_HOST}`)"
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web.entrypoints=web'
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web.entrypoints=web"
       # HTTPS router with Authelia
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.rule=Host(`${AI_FACEFUSION_TRAEFIK_HOST}`)'
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.rule=Host(`${AI_FACEFUSION_TRAEFIK_HOST}`)"
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.tls.certresolver=resolver'
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.tls.certresolver=resolver"
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.entrypoints=web-secure'
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.entrypoints=web-secure"
-      - 'traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure-compress.compress=true'
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure-compress.compress=true"
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.middlewares=${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure-compress,net-authelia,security-headers@file'
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.middlewares=${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure-compress,net-authelia,security-headers@file"
       # Service
-      - 'traefik.http.services.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.loadbalancer.server.port=7860'
+      - "traefik.http.services.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.loadbalancer.server.port=7860"
-      - 'traefik.docker.network=${NETWORK_NAME}'
+      - "traefik.docker.network=${NETWORK_NAME}"
       # Watchtower - disabled for custom local image
-      - 'com.centurylinklabs.watchtower.enable=false'
+      - "com.centurylinklabs.watchtower.enable=false"
+
+  # ComfyUI - Node-based UI for Flux image generation (proxies to RunPod GPU)
+  comfyui:
+    image: nginx:alpine
+    container_name: ${AI_COMPOSE_PROJECT_NAME}_comfyui
+    restart: unless-stopped
+    dns:
+      - 100.100.100.100
+      - 8.8.8.8
+    environment:
+      TZ: ${TIMEZONE:-Europe/Berlin}
+      GPU_SERVICE_HOST: ${GPU_TAILSCALE_HOST:-runpod-ai-orchestrator}
+      GPU_SERVICE_PORT: ${COMFYUI_BACKEND_PORT:-8188}
+    volumes:
+      - ./nginx.conf.template:/etc/nginx/nginx.conf.template:ro
+    command: /bin/sh -c "envsubst '$${GPU_SERVICE_HOST},$${GPU_SERVICE_PORT}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && exec nginx -g 'daemon off;'"
+    networks:
+      - compose_network
+    labels:
+      - "traefik.enable=${AI_COMFYUI_TRAEFIK_ENABLED:-true}"
+      # HTTP to HTTPS redirect
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-comfyui-redirect-web-secure.redirectscheme.scheme=https"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-comfyui-web.middlewares=${AI_COMPOSE_PROJECT_NAME}-comfyui-redirect-web-secure"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-comfyui-web.rule=Host(`${AI_COMFYUI_TRAEFIK_HOST:-comfy.ai.pivoine.art}`)"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-comfyui-web.entrypoints=web"
+      # HTTPS router with Authelia SSO
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-comfyui-web-secure.rule=Host(`${AI_COMFYUI_TRAEFIK_HOST:-comfy.ai.pivoine.art}`)"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-comfyui-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-comfyui-web-secure.entrypoints=web-secure"
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-comfyui-web-secure-compress.compress=true"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-comfyui-web-secure.middlewares=${AI_COMPOSE_PROJECT_NAME}-comfyui-web-secure-compress,net-authelia,security-headers@file"
+      # Service
+      - "traefik.http.services.${AI_COMPOSE_PROJECT_NAME}-comfyui-web-secure.loadbalancer.server.port=80"
+      - "traefik.docker.network=${NETWORK_NAME}"
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
+
+  audiocraft:
+    image: nginx:alpine
+    container_name: ${AI_COMPOSE_PROJECT_NAME}_audiocraft
+    restart: unless-stopped
+    dns:
+      - 100.100.100.100
+      - 8.8.8.8
+    environment:
+      TZ: ${TIMEZONE:-Europe/Berlin}
+      GPU_SERVICE_HOST: ${GPU_TAILSCALE_HOST:-runpod-ai-orchestrator}
+      GPU_SERVICE_PORT: ${AUDIOCRAFT_BACKEND_PORT:-7860}
+    volumes:
+      - ./nginx.conf.template:/etc/nginx/nginx.conf.template:ro
+    command: /bin/sh -c "envsubst '$${GPU_SERVICE_HOST},$${GPU_SERVICE_PORT}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && exec nginx -g 'daemon off;'"
+    networks:
+      - compose_network
+    labels:
+      - "traefik.enable=${AI_AUDIOCRAFT_TRAEFIK_ENABLED:-true}"
+      # HTTP to HTTPS redirect
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-audiocraft-redirect-web-secure.redirectscheme.scheme=https"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-audiocraft-web.middlewares=${AI_COMPOSE_PROJECT_NAME}-audiocraft-redirect-web-secure"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-audiocraft-web.rule=Host(`${AI_AUDIOCRAFT_TRAEFIK_HOST:-audiocraft.ai.pivoine.art}`)"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-audiocraft-web.entrypoints=web"
+      # HTTPS router with Authelia SSO
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-audiocraft-web-secure.rule=Host(`${AI_AUDIOCRAFT_TRAEFIK_HOST:-audiocraft.ai.pivoine.art}`)"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-audiocraft-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-audiocraft-web-secure.entrypoints=web-secure"
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-audiocraft-web-secure-compress.compress=true"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-audiocraft-web-secure.middlewares=${AI_COMPOSE_PROJECT_NAME}-audiocraft-web-secure-compress,net-authelia,security-headers@file"
+      # Service
+      - "traefik.http.services.${AI_COMPOSE_PROJECT_NAME}-audiocraft-web-secure.loadbalancer.server.port=80"
+      - "traefik.docker.network=${NETWORK_NAME}"
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
+
+  upscale:
+    image: nginx:alpine
+    container_name: ${AI_COMPOSE_PROJECT_NAME}_upscale
+    restart: unless-stopped
+    dns:
+      - 100.100.100.100
+      - 8.8.8.8
+    environment:
+      TZ: ${TIMEZONE:-Europe/Berlin}
+      GPU_SERVICE_HOST: ${GPU_TAILSCALE_HOST:-runpod-ai-orchestrator}
+      GPU_SERVICE_PORT: ${UPSCALE_BACKEND_PORT:-8080}
+    volumes:
+      - ./nginx.conf.template:/etc/nginx/nginx.conf.template:ro
+    command: /bin/sh -c "envsubst '$${GPU_SERVICE_HOST},$${GPU_SERVICE_PORT}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && exec nginx -g 'daemon off;'"
+    networks:
+      - compose_network
+    labels:
+      - "traefik.enable=${AI_UPSCALE_TRAEFIK_ENABLED:-true}"
+      # HTTP to HTTPS redirect
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-upscale-redirect-web-secure.redirectscheme.scheme=https"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-upscale-web.middlewares=${AI_COMPOSE_PROJECT_NAME}-upscale-redirect-web-secure"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-upscale-web.rule=Host(`${AI_UPSCALE_TRAEFIK_HOST:-upscale.ai.pivoine.art}`)"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-upscale-web.entrypoints=web"
+      # HTTPS router with Authelia SSO
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-upscale-web-secure.rule=Host(`${AI_UPSCALE_TRAEFIK_HOST:-upscale.ai.pivoine.art}`)"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-upscale-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-upscale-web-secure.entrypoints=web-secure"
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-upscale-web-secure-compress.compress=true"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-upscale-web-secure.middlewares=${AI_COMPOSE_PROJECT_NAME}-upscale-web-secure-compress,net-authelia,security-headers@file"
+      # Service
+      - "traefik.http.services.${AI_COMPOSE_PROJECT_NAME}-upscale-web-secure.loadbalancer.server.port=80"
+      - "traefik.docker.network=${NETWORK_NAME}"
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
+
+  # Supervisor UI - Modern web interface for RunPod process management
+  supervisor:
+    image: dev.pivoine.art/valknar/supervisor-ui:latest
+    container_name: ${AI_COMPOSE_PROJECT_NAME}_supervisor_ui
+    restart: unless-stopped
+    dns:
+      - 100.100.100.100
+      - 8.8.8.8
+    environment:
+      TZ: ${TIMEZONE:-Europe/Berlin}
+      NODE_ENV: production
+      # Connect to RunPod Supervisor via Tailscale (host Tailscale provides DNS)
+      SUPERVISOR_HOST: ${GPU_TAILSCALE_HOST:-runpod-ai-orchestrator}
+      SUPERVISOR_PORT: ${SUPERVISOR_BACKEND_PORT:-9001}
+      # No auth needed - Supervisor has auth disabled (protected by Authelia)
+    networks:
+      - compose_network
+    labels:
+      - "traefik.enable=${AI_SUPERVISOR_TRAEFIK_ENABLED:-true}"
+      # HTTP to HTTPS redirect
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-supervisor-redirect-web-secure.redirectscheme.scheme=https"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-supervisor-web.middlewares=${AI_COMPOSE_PROJECT_NAME}-supervisor-redirect-web-secure"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-supervisor-web.rule=Host(`${AI_SUPERVISOR_TRAEFIK_HOST:-supervisor.ai.pivoine.art}`)"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-supervisor-web.entrypoints=web"
+      # HTTPS router with Authelia SSO
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-supervisor-web-secure.rule=Host(`${AI_SUPERVISOR_TRAEFIK_HOST:-supervisor.ai.pivoine.art}`)"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-supervisor-web-secure.tls.certresolver=resolver"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-supervisor-web-secure.entrypoints=web-secure"
+      - "traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-supervisor-web-secure-compress.compress=true"
+      - "traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-supervisor-web-secure.middlewares=${AI_COMPOSE_PROJECT_NAME}-supervisor-web-secure-compress,net-authelia,security-headers@file"
+      # Service (port 3000 for Next.js app)
+      - "traefik.http.services.${AI_COMPOSE_PROJECT_NAME}-supervisor-web-secure.loadbalancer.server.port=3000"
+      - "traefik.docker.network=${NETWORK_NAME}"
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
 
 volumes:
   ai_postgres_data:
     name: ${AI_COMPOSE_PROJECT_NAME}_postgres_data
   ai_webui_data:
     name: ${AI_COMPOSE_PROJECT_NAME}_webui_data
-  ai_crawl4ai_data:
-    name: ${AI_COMPOSE_PROJECT_NAME}_crawl4ai_data
   ai_facefusion_data:
     name: ${AI_COMPOSE_PROJECT_NAME}_facefusion_data
+
+networks:
+  compose_network:
+    name: ${NETWORK_NAME}
+    external: true

ai/litellm-config.yaml

@@ -25,65 +25,56 @@ model_list:
       api_key: os.environ/ANTHROPIC_API_KEY
 
   # ===========================================================================
-  # SELF-HOSTED MODELS VIA ORCHESTRATOR (GPU Server via Tailscale VPN)
+  # SELF-HOSTED MODELS - DIRECT vLLM SERVERS (GPU Server via Tailscale VPN)
   # ===========================================================================
-  # All requests route through orchestrator (port 9000) which manages model loading
+  # Direct connections to dedicated vLLM servers (no orchestrator)
 
-  # Text Generation
+  # Text Generation - Llama 3.1 8B (Port 8001)
-  - model_name: qwen-2.5-7b
+  - model_name: llama-3.1-8b
     litellm_params:
-      model: hosted_vllm/openai/qwen-2.5-7b  # hosted_vllm/openai/ for vLLM via orchestrator
+      model: hosted_vllm/meta-llama/Llama-3.1-8B-Instruct # hosted_vllm/openai/ prefix for proper streaming
-      api_base: http://100.121.199.88:9000/v1  # RunPod GPU via Tailscale
+      api_base: os.environ/GPU_VLLM_LLAMA_URL # Direct to vLLM Llama server
-      api_key: dummy
+      api_key: "EMPTY" # vLLM doesn't validate API keys
       rpm: 1000
       tpm: 100000
-      timeout: 600  # 10 minutes for generation
+      timeout: 600 # 10 minutes for generation
       stream_timeout: 600
-      supports_system_messages: false  # vLLM handles system messages differently
+      supports_system_messages: true # Llama supports system messages
-      stream: true  # Enable streaming by default
+      stream: true # Enable streaming by default
 
-  # Image Generation
+  # Embeddings - BGE Large (Port 8002)
-  - model_name: flux-schnell
+  - model_name: bge-large-en
     litellm_params:
-      model: openai/dall-e-3  # OpenAI-compatible mapping
+      model: openai/BAAI/bge-large-en-v1.5
-      api_base: http://100.121.199.88:9000/v1  # RunPod GPU via Tailscale
+      api_base: os.environ/GPU_VLLM_BGE_URL
-      api_key: dummy
+      api_key: "EMPTY"
-      rpm: 100
+      rpm: 1000
-      max_parallel_requests: 3
+      tpm: 500000
-
-  # Music Generation
-  - model_name: musicgen-medium
-    litellm_params:
-      model: openai/musicgen-medium
-      api_base: http://100.121.199.88:9000/v1  # RunPod GPU via Tailscale
-      api_key: dummy
-      rpm: 50
-      max_parallel_requests: 1
 
 litellm_settings:
-  drop_params: false  # DISABLED: Was breaking streaming
+  drop_params: false # DISABLED: Was breaking streaming
-  set_verbose: true  # Enable verbose logging for debugging streaming issues
+  set_verbose: true # Enable verbose logging for debugging streaming issues
-  # Disable caching - it breaks streaming responses
+  # Enable caching now that streaming is fixed
-  cache: false
+  cache: true
-  # cache_params:
+  cache_params:
-  #   type: redis
+    type: redis
-  #   host: redis
+    host: core_redis
-  #   port: 6379
+    port: 6379
-  #   ttl: 3600  # Cache for 1 hour
+    ttl: 3600 # Cache for 1 hour
   # Force strip specific parameters globally
   allowed_fails: 0
   # Modify params before sending to provider
-  modify_params: false  # DISABLED: Was breaking streaming
+  modify_params: false # DISABLED: Was breaking streaming
   # Enable success and failure logging but minimize overhead
-  success_callback: []  # Disable all success callbacks to reduce DB writes
+  success_callback: [] # Disable all success callbacks to reduce DB writes
-  failure_callback: []  # Disable all failure callbacks
+  failure_callback: [] # Disable all failure callbacks
 
 router_settings:
   allowed_fails: 0
 
 # Drop unsupported parameters
 default_litellm_params:
-  drop_params: false  # DISABLED: Was breaking streaming
+  drop_params: false # DISABLED: Was breaking streaming
 
 general_settings:
   disable_responses_id_security: true

ai/nginx.conf.template

@@ -0,0 +1,60 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    # MIME types
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # DNS resolver for Tailscale MagicDNS
+    resolver 100.100.100.100 8.8.8.8 valid=30s;
+    resolver_timeout 5s;
+
+    # Proxy settings
+    proxy_http_version 1.1;
+    proxy_buffering off;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    # WebSocket support
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+
+    # Timeouts for long-running audio/image generation
+    proxy_connect_timeout 600;
+    proxy_send_timeout 600;
+    proxy_read_timeout 600;
+    send_timeout 600;
+
+    server {
+        listen 80;
+        server_name _;
+
+        # Increase client body size for image uploads
+        client_max_body_size 100M;
+
+        location / {
+            # Proxy to service on RunPod via Tailscale
+            # Use variable to force runtime DNS resolution (not startup)
+            set $backend http://${GPU_SERVICE_HOST}:${GPU_SERVICE_PORT};
+            proxy_pass $backend;
+
+            # WebSocket upgrade
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+
+            # Proxy headers
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            # Disable buffering for real-time updates
+            proxy_buffering off;
+        }
+    }
+}

arty.yml

@@ -78,16 +78,20 @@ envs:
     UTIL_JOPLIN_DB_NAME: joplin
     # PairDrop
     UTIL_DROP_TRAEFIK_HOST: drop.pivoine.art
-    # Media Stack (Jellyfin, Filestash, Pinchflat)
+    # Media Stack (Jellyfin, Pinchflat)
     MEDIA_TRAEFIK_ENABLED: true
     MEDIA_COMPOSE_PROJECT_NAME: media
     MEDIA_JELLYFIN_IMAGE: jellyfin/jellyfin:latest
     MEDIA_JELLYFIN_TRAEFIK_HOST: jellyfin.media.pivoine.art
-    MEDIA_FILESTASH_IMAGE: machines/filestash:latest
-    MEDIA_FILESTASH_TRAEFIK_HOST: filestash.media.pivoine.art
-    MEDIA_FILESTASH_CANARY: true
     MEDIA_PINCHFLAT_IMAGE: ghcr.io/kieraneglin/pinchflat:latest
     MEDIA_PINCHFLAT_TRAEFIK_HOST: pinchflat.media.pivoine.art
+    # Immich - Photo and video management
+    MEDIA_IMMICH_SERVER_IMAGE: ghcr.io/immich-app/immich-server:release
+    MEDIA_IMMICH_ML_IMAGE: ghcr.io/immich-app/immich-machine-learning:release
+    MEDIA_IMMICH_POSTGRES_IMAGE: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0
+    MEDIA_IMMICH_TRAEFIK_HOST: immich.media.pivoine.art
+    MEDIA_IMMICH_DB_NAME: immich
+    MEDIA_IMMICH_DB_USER: immich
     # Dev (Gitea + Coolify)
     DEV_TRAEFIK_ENABLED: true
     DEV_COMPOSE_PROJECT_NAME: dev
@@ -135,7 +139,6 @@ envs:
     AI_COMPOSE_PROJECT_NAME: ai
     AI_POSTGRES_IMAGE: pgvector/pgvector:pg16
     AI_WEBUI_IMAGE: ghcr.io/open-webui/open-webui:main
-    AI_CRAWL4AI_IMAGE: unclecode/crawl4ai:latest
     AI_FACEFUSION_IMAGE: facefusion/facefusion:3.5.0-cpu
     AI_FACEFUSION_TRAEFIK_ENABLED: true
     AI_FACEFUSION_TRAEFIK_HOST: facefusion.ai.pivoine.art
@@ -263,3 +266,57 @@ scripts:
     docker restart sexy_api &&
     echo "✓ Directus API restarted"
   net/create: docker network create "$NETWORK_NAME"
+  # Setup iptables NAT for Docker containers to reach Tailscale network
+  # Requires Tailscale installed on host: curl -fsSL https://tailscale.com/install.sh | sh
+  tailscale/setup: |
+    echo "Setting up iptables for Docker-to-Tailscale routing..."
+
+    # Enable IP forwarding
+    sudo sysctl -w net.ipv4.ip_forward=1
+    grep -q "net.ipv4.ip_forward=1" /etc/sysctl.conf || echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
+
+    # Get Docker network CIDR
+    DOCKER_CIDR=$(docker network inspect ${NETWORK_NAME} --format '{{range .IPAM.Config}}{{.Subnet}}{{end}}' 2>/dev/null || echo "172.18.0.0/16")
+    echo "Docker network CIDR: $DOCKER_CIDR"
+
+    # Add NAT rule (check if already exists)
+    if ! sudo iptables -t nat -C POSTROUTING -s "$DOCKER_CIDR" -o tailscale0 -j MASQUERADE 2>/dev/null; then
+      sudo iptables -t nat -A POSTROUTING -s "$DOCKER_CIDR" -o tailscale0 -j MASQUERADE
+      echo "✓ iptables NAT rule added"
+    else
+      echo "✓ iptables NAT rule already exists"
+    fi
+
+    # Persist rules
+    sudo netfilter-persistent save 2>/dev/null || echo "Install iptables-persistent to persist rules: sudo apt install iptables-persistent"
+
+    echo "✓ Tailscale routing configured"
+
+  # Install and configure Tailscale on host with persistent state
+  tailscale/install: |
+    echo "Installing Tailscale..."
+
+    # Install Tailscale if not present
+    if ! command -v tailscale &> /dev/null; then
+      curl -fsSL https://tailscale.com/install.sh | sh
+    else
+      echo "✓ Tailscale already installed"
+    fi
+
+    # Create state directory for persistence
+    TAILSCALE_STATE="/var/lib/tailscale"
+    sudo mkdir -p "$TAILSCALE_STATE"
+
+    # Start and enable tailscaled service
+    sudo systemctl enable --now tailscaled
+
+    # Connect to Tailscale network
+    echo "Connecting to Tailscale..."
+    sudo tailscale up --authkey="$TAILSCALE_AUTHKEY" --hostname=vps
+
+    # Show status
+    echo ""
+    tailscale status
+    echo ""
+    echo "✓ Tailscale installed and connected"
+    echo "  Run 'arty tailscale/setup' to configure iptables routing for Docker"

core/backrest/config.json

@@ -0,0 +1,370 @@
+{
+  "modno": 1,
+  "version": 4,
+  "instance": "falcon",
+  "repos": [
+    {
+      "id": "hidrive-backup",
+      "uri": "/repos",
+      "guid": "df03886ea215b0a3ff9730190d906d7034032bf0f1906ed4ad00f2c4f1748215",
+      "password": "falcon-backup-2025",
+      "prunePolicy": {
+        "schedule": {
+          "cron": "0 2 * * 0"
+        }
+      },
+      "checkPolicy": {
+        "schedule": {
+          "cron": "0 3 * * 0"
+        }
+      },
+      "autoUnlock": true
+    }
+  ],
+  "plans": [
+    {
+      "id": "ai-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/ai_postgres_data",
+        "/volumes/ai_webui_data"
+      ],
+      "schedule": {
+        "cron": "0 3 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 6,
+          "yearly": 2
+        }
+      }
+    },
+    {
+      "id": "asciinema-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/asciinema_data"
+      ],
+      "schedule": {
+        "cron": "0 11 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 6,
+          "yearly": 2
+        }
+      }
+    },
+    {
+      "id": "coolify-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/dev_coolify_data"
+      ],
+      "schedule": {
+        "cron": "0 0 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 6,
+          "yearly": 2
+        }
+      }
+    },
+    {
+      "id": "directus-bundle-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/directus_bundle"
+      ],
+      "schedule": {
+        "cron": "0 4 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 3
+        }
+      }
+    },
+    {
+      "id": "directus-uploads-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/directus_uploads"
+      ],
+      "schedule": {
+        "cron": "0 4 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 6,
+          "yearly": 2
+        }
+      }
+    },
+    {
+      "id": "gitea-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/dev_gitea_config",
+        "/volumes/dev_gitea_data",
+        "/volumes/dev_gitea_runner_data"
+      ],
+      "schedule": {
+        "cron": "0 11 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 6,
+          "yearly": 2
+        }
+      }
+    },
+    {
+      "id": "jellyfin-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/jelly_config"
+      ],
+      "schedule": {
+        "cron": "0 9 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 6,
+          "yearly": 2
+        }
+      }
+    },
+    {
+      "id": "joplin-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/joplin_data"
+      ],
+      "schedule": {
+        "cron": "0 2 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 6,
+          "yearly": 2
+        }
+      }
+    },
+    {
+      "id": "letsencrypt-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/letsencrypt_data"
+      ],
+      "schedule": {
+        "cron": "0 8 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 12,
+          "yearly": 3
+        }
+      }
+    },
+    {
+      "id": "linkwarden-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/linkwarden_data",
+        "/volumes/linkwarden_meili_data"
+      ],
+      "schedule": {
+        "cron": "0 7 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 6
+        }
+      }
+    },
+    {
+      "id": "mattermost-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/mattermost_config",
+        "/volumes/mattermost_data",
+        "/volumes/mattermost_plugins"
+      ],
+      "schedule": {
+        "cron": "0 5 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 6,
+          "yearly": 2
+        }
+      }
+    },
+    {
+      "id": "n8n-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/n8n_data"
+      ],
+      "schedule": {
+        "cron": "0 6 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 6
+        }
+      }
+    },
+    {
+      "id": "netdata-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/netdata_config"
+      ],
+      "schedule": {
+        "cron": "0 10 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 3
+        }
+      }
+    },
+    {
+      "id": "postgres-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/core_postgres_data"
+      ],
+      "schedule": {
+        "cron": "0 2 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 6,
+          "yearly": 2
+        }
+      }
+    },
+    {
+      "id": "redis-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/core_redis_data"
+      ],
+      "schedule": {
+        "cron": "0 3 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 3
+        }
+      }
+    },
+    {
+      "id": "scrapy-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/scrapy_code",
+        "/volumes/scrapyd_data"
+      ],
+      "schedule": {
+        "cron": "0 6 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 3
+        }
+      }
+    },
+    {
+      "id": "tandoor-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/tandoor_mediafiles",
+        "/volumes/tandoor_staticfiles"
+      ],
+      "schedule": {
+        "cron": "0 5 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 6
+        }
+      }
+    },
+    {
+      "id": "vaultwarden-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/vaultwarden_data"
+      ],
+      "schedule": {
+        "cron": "0 8 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 12,
+          "yearly": 3
+        }
+      }
+    },
+    {
+      "id": "immich-backup",
+      "repo": "hidrive-backup",
+      "paths": [
+        "/volumes/immich_postgres_data",
+        "/volumes/immich_upload"
+      ],
+      "schedule": {
+        "cron": "0 12 * * *"
+      },
+      "retention": {
+        "policyTimeBucketed": {
+          "daily": 7,
+          "weekly": 4,
+          "monthly": 6,
+          "yearly": 2
+        }
+      }
+    }
+  ]
+}

core/compose.yaml

@@ -56,7 +56,7 @@ services:
     volumes:
       # Backrest application data
       - backrest_data:/data
-      - backrest_config:/config
+      - ./backrest:/config
       - backrest_cache:/cache
       - backrest_tmp:/tmp
 
@@ -74,7 +74,6 @@ services:
       - backup_util_tandoor_staticfiles:/volumes/tandoor_staticfiles:ro
       - backup_util_tandoor_mediafiles:/volumes/tandoor_mediafiles:ro
       - backup_n8n_data:/volumes/n8n_data:ro
-      - backup_filestash_data:/volumes/filestash_data:ro
       - backup_util_linkwarden_data:/volumes/linkwarden_data:ro
       - backup_util_linkwarden_meili_data:/volumes/linkwarden_meili_data:ro
       - backup_letsencrypt_data:/volumes/letsencrypt_data:ro
@@ -84,12 +83,13 @@ services:
       - backup_netdata_config:/volumes/netdata_config:ro
       - backup_ai_postgres_data:/volumes/ai_postgres_data:ro
       - backup_ai_webui_data:/volumes/ai_webui_data:ro
-      - backup_ai_crawl4ai_data:/volumes/ai_crawl4ai_data:ro
       - backup_asciinema_data:/volumes/asciinema_data:ro
       - backup_dev_gitea_data:/volumes/dev_gitea_data:ro
       - backup_dev_gitea_config:/volumes/dev_gitea_config:ro
       - backup_dev_gitea_runner_data:/volumes/dev_gitea_runner_data:ro
       - backup_dev_coolify_data:/volumes/dev_coolify_data:ro
+      - backup_media_immich_postgres_data:/volumes/immich_postgres_data:ro
+      - backup_media_immich_upload:/volumes/immich_upload:ro
 
     environment:
       TZ: ${TIMEZONE:-Europe/Berlin}
@@ -124,8 +124,6 @@ volumes:
     name: ${CORE_COMPOSE_PROJECT_NAME}_redis_data
   backrest_data:
     name: ${CORE_COMPOSE_PROJECT_NAME}_backrest_data
-  backrest_config:
-    name: ${CORE_COMPOSE_PROJECT_NAME}_backrest_config
   backrest_cache:
     name: ${CORE_COMPOSE_PROJECT_NAME}_backrest_cache
   backrest_tmp:
@@ -162,9 +160,6 @@ volumes:
   backup_n8n_data:
     name: dev_n8n_data
     external: true
-  backup_filestash_data:
-    name: stash_filestash_data
-    external: true
   backup_util_linkwarden_data:
     name: util_linkwarden_data
     external: true
@@ -192,9 +187,6 @@ volumes:
   backup_ai_webui_data:
     name: ai_webui_data
     external: true
-  backup_ai_crawl4ai_data:
-    name: ai_crawl4ai_data
-    external: true
   backup_asciinema_data:
     name: dev_asciinema_data
     external: true
@@ -210,3 +202,9 @@ volumes:
   backup_dev_coolify_data:
     name: dev_coolify_data
     external: true
+  backup_media_immich_postgres_data:
+    name: media_immich_postgres_data
+    external: true
+  backup_media_immich_upload:
+    name: media_immich_upload
+    external: true

media/compose.yaml

@@ -33,36 +33,6 @@ services:
       # Watchtower
       - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
 
-  # Filestash - Web-based file manager
-  filestash:
-    image: ${MEDIA_FILESTASH_IMAGE:-machines/filestash:latest}
-    container_name: ${MEDIA_COMPOSE_PROJECT_NAME}_filestash
-    restart: unless-stopped
-    volumes:
-      - filestash_data:/app/data/state/
-    tmpfs:
-      - /tmp:exec
-    environment:
-      TZ: ${TIMEZONE:-Europe/Berlin}
-      APPLICATION_URL: ${MEDIA_FILESTASH_TRAEFIK_HOST}
-      CANARY: ${MEDIA_FILESTASH_CANARY:-true}
-    networks:
-      - compose_network
-    labels:
-      - 'traefik.enable=${MEDIA_TRAEFIK_ENABLED}'
-      - 'traefik.http.middlewares.${MEDIA_COMPOSE_PROJECT_NAME}-filestash-redirect-web-secure.redirectscheme.scheme=https'
-      - 'traefik.http.routers.${MEDIA_COMPOSE_PROJECT_NAME}-filestash-web.middlewares=${MEDIA_COMPOSE_PROJECT_NAME}-filestash-redirect-web-secure'
-      - 'traefik.http.routers.${MEDIA_COMPOSE_PROJECT_NAME}-filestash-web.rule=Host(`${MEDIA_FILESTASH_TRAEFIK_HOST}`)'
-      - 'traefik.http.routers.${MEDIA_COMPOSE_PROJECT_NAME}-filestash-web.entrypoints=web'
-      - 'traefik.http.routers.${MEDIA_COMPOSE_PROJECT_NAME}-filestash-web-secure.rule=Host(`${MEDIA_FILESTASH_TRAEFIK_HOST}`)'
-      - 'traefik.http.routers.${MEDIA_COMPOSE_PROJECT_NAME}-filestash-web-secure.tls.certresolver=resolver'
-      - 'traefik.http.routers.${MEDIA_COMPOSE_PROJECT_NAME}-filestash-web-secure.entrypoints=web-secure'
-      - 'traefik.http.middlewares.${MEDIA_COMPOSE_PROJECT_NAME}-filestash-web-secure-compress.compress=true'
-      - 'traefik.http.routers.${MEDIA_COMPOSE_PROJECT_NAME}-filestash-web-secure.middlewares=${MEDIA_COMPOSE_PROJECT_NAME}-filestash-web-secure-compress'
-      - 'traefik.http.services.${MEDIA_COMPOSE_PROJECT_NAME}-filestash-web-secure.loadbalancer.server.port=8334'
-      - 'traefik.docker.network=${NETWORK_NAME}'
-      - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
-
   # Pinchflat - YouTube download manager
   pinchflat:
     image: ${MEDIA_PINCHFLAT_IMAGE:-ghcr.io/kieraneglin/pinchflat:latest}
@@ -95,15 +65,98 @@ services:
       # Watchtower
       - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
 
+  # Immich PostgreSQL - Dedicated database with vector extensions
+  immich_postgres:
+    image: ${MEDIA_IMMICH_POSTGRES_IMAGE:-ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0}
+    container_name: ${MEDIA_COMPOSE_PROJECT_NAME}_immich_postgres
+    restart: unless-stopped
+    environment:
+      TZ: ${TIMEZONE:-Europe/Berlin}
+      POSTGRES_USER: ${MEDIA_IMMICH_DB_USER:-immich}
+      POSTGRES_PASSWORD: ${MEDIA_IMMICH_DB_PASSWORD}
+      POSTGRES_DB: ${MEDIA_IMMICH_DB_NAME:-immich}
+      POSTGRES_INITDB_ARGS: --data-checksums
+    volumes:
+      - immich_postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${MEDIA_IMMICH_DB_USER:-immich} -d ${MEDIA_IMMICH_DB_NAME:-immich}"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    networks:
+      - compose_network
+
+  # Immich Server - Main application
+  immich_server:
+    image: ${MEDIA_IMMICH_SERVER_IMAGE:-ghcr.io/immich-app/immich-server:release}
+    container_name: ${MEDIA_COMPOSE_PROJECT_NAME}_immich_server
+    restart: unless-stopped
+    environment:
+      TZ: ${TIMEZONE:-Europe/Berlin}
+      DB_HOSTNAME: ${MEDIA_COMPOSE_PROJECT_NAME}_immich_postgres
+      DB_PORT: 5432
+      DB_USERNAME: ${MEDIA_IMMICH_DB_USER:-immich}
+      DB_PASSWORD: ${MEDIA_IMMICH_DB_PASSWORD}
+      DB_DATABASE_NAME: ${MEDIA_IMMICH_DB_NAME:-immich}
+      REDIS_HOSTNAME: ${CORE_COMPOSE_PROJECT_NAME}_redis
+      REDIS_PORT: ${CORE_REDIS_PORT:-6379}
+      IMMICH_MACHINE_LEARNING_URL: http://${MEDIA_COMPOSE_PROJECT_NAME}_immich_ml:3003
+    volumes:
+      - immich_upload:/usr/src/app/upload
+      - /etc/localtime:/etc/localtime:ro
+    depends_on:
+      immich_postgres:
+        condition: service_healthy
+    networks:
+      - compose_network
+    labels:
+      - 'traefik.enable=${MEDIA_TRAEFIK_ENABLED}'
+      # HTTP to HTTPS redirect
+      - 'traefik.http.middlewares.${MEDIA_COMPOSE_PROJECT_NAME}-immich-redirect-web-secure.redirectscheme.scheme=https'
+      - 'traefik.http.routers.${MEDIA_COMPOSE_PROJECT_NAME}-immich-web.middlewares=${MEDIA_COMPOSE_PROJECT_NAME}-immich-redirect-web-secure'
+      - 'traefik.http.routers.${MEDIA_COMPOSE_PROJECT_NAME}-immich-web.rule=Host(`${MEDIA_IMMICH_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${MEDIA_COMPOSE_PROJECT_NAME}-immich-web.entrypoints=web'
+      # HTTPS router
+      - 'traefik.http.routers.${MEDIA_COMPOSE_PROJECT_NAME}-immich-web-secure.rule=Host(`${MEDIA_IMMICH_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${MEDIA_COMPOSE_PROJECT_NAME}-immich-web-secure.tls.certresolver=resolver'
+      - 'traefik.http.routers.${MEDIA_COMPOSE_PROJECT_NAME}-immich-web-secure.entrypoints=web-secure'
+      - 'traefik.http.middlewares.${MEDIA_COMPOSE_PROJECT_NAME}-immich-web-secure-compress.compress=true'
+      - 'traefik.http.routers.${MEDIA_COMPOSE_PROJECT_NAME}-immich-web-secure.middlewares=${MEDIA_COMPOSE_PROJECT_NAME}-immich-web-secure-compress,security-headers@file'
+      # Service
+      - 'traefik.http.services.${MEDIA_COMPOSE_PROJECT_NAME}-immich-web-secure.loadbalancer.server.port=2283'
+      - 'traefik.docker.network=${NETWORK_NAME}'
+      # Watchtower
+      - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+
+  # Immich Machine Learning - AI inference for faces, search, etc.
+  immich_ml:
+    image: ${MEDIA_IMMICH_ML_IMAGE:-ghcr.io/immich-app/immich-machine-learning:release}
+    container_name: ${MEDIA_COMPOSE_PROJECT_NAME}_immich_ml
+    restart: unless-stopped
+    environment:
+      TZ: ${TIMEZONE:-Europe/Berlin}
+    volumes:
+      - immich_model_cache:/cache
+    networks:
+      - compose_network
+    labels:
+      # Watchtower
+      - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+
 volumes:
   jellyfin_config:
     name: ${MEDIA_COMPOSE_PROJECT_NAME}_jellyfin_config
   jellyfin_cache:
     name: ${MEDIA_COMPOSE_PROJECT_NAME}_jellyfin_cache
-  filestash_data:
-    name: ${MEDIA_COMPOSE_PROJECT_NAME}_filestash_data
   pinchflat_config:
     name: ${MEDIA_COMPOSE_PROJECT_NAME}_pinchflat_config
+  immich_postgres_data:
+    name: ${MEDIA_COMPOSE_PROJECT_NAME}_immich_postgres_data
+  immich_upload:
+    name: ${MEDIA_COMPOSE_PROJECT_NAME}_immich_upload
+  immich_model_cache:
+    name: ${MEDIA_COMPOSE_PROJECT_NAME}_immich_model_cache
 
 networks:
   compose_network:

net/authelia/configuration.yml

@@ -74,23 +74,26 @@ access_control:
         - "admin.asciinema.dev.pivoine.art"
         - "facefusion.ai.pivoine.art"
         - "pinchflat.media.pivoine.art"
+        - "comfy.ai.pivoine.art"
+        - "supervisor.ai.pivoine.art"
+        - "audiocraft.ai.pivoine.art"
+        - "upscale.ai.pivoine.art"
       policy: one_factor
 
-
 # session secret set via environment variable: AUTHELIA_SESSION_SECRET
 session:
-  name: 'authelia_session'
+  name: "authelia_session"
-  same_site: 'lax'
+  same_site: "lax"
-  expiration: '1h'
+  expiration: "1h"
-  inactivity: '5m'
+  inactivity: "15m"
-  remember_me: '1M'
+  remember_me: "1M"
   cookies:
-    - domain: 'pivoine.art'
+    - domain: "pivoine.art"
-      authelia_url: 'https://auth.pivoine.art'
+      authelia_url: "https://auth.pivoine.art"
-      same_site: 'lax'
+      same_site: "lax"
-      expiration: '1h'
+      expiration: "1h"
-      inactivity: '5m'
+      inactivity: "5m"
-      remember_me: '1M'
+      remember_me: "1M"
 
 regulation:
   max_retries: 3

net/compose.yaml

@@ -6,49 +6,49 @@ services:
     restart: unless-stopped
     command:
       # API & Dashboard
-      - '--api.dashboard=true'
+      - "--api.dashboard=true"
-      - '--api.insecure=false'
+      - "--api.insecure=false"
 
       # Ping endpoint for healthcheck
-      - '--ping=true'
+      - "--ping=true"
 
       # Experimental plugins
-      - '--experimental.plugins.sablier.modulename=github.com/acouvreur/sablier'
+      - "--experimental.plugins.sablier.modulename=github.com/acouvreur/sablier"
-      - '--experimental.plugins.sablier.version=v1.8.0'
+      - "--experimental.plugins.sablier.version=v1.8.0"
 
       # Logging
-      - '--log.level=${NET_PROXY_LOG_LEVEL:-INFO}'
+      - "--log.level=${NET_PROXY_LOG_LEVEL:-INFO}"
-      - '--accesslog=true'
+      - "--accesslog=true"
 
       # Global
-      - '--global.sendAnonymousUsage=false'
+      - "--global.sendAnonymousUsage=false"
-      - '--global.checkNewVersion=true'
+      - "--global.checkNewVersion=true"
 
       # Docker Provider
-      - '--providers.docker=true'
+      - "--providers.docker=true"
-      - '--providers.docker.exposedbydefault=false'
+      - "--providers.docker.exposedbydefault=false"
-      - '--providers.docker.network=${NETWORK_NAME}'
+      - "--providers.docker.network=${NETWORK_NAME}"
 
       # File Provider for dynamic configuration
-      - '--providers.file.directory=/etc/traefik/dynamic'
+      - "--providers.file.directory=/etc/traefik/dynamic"
-      - '--providers.file.watch=true'
+      - "--providers.file.watch=true"
 
       # Entrypoints
-      - '--entrypoints.web.address=:${NET_PROXY_PORT_HTTP:-80}'
+      - "--entrypoints.web.address=:${NET_PROXY_PORT_HTTP:-80}"
-      - '--entrypoints.web-secure.address=:${NET_PROXY_PORT_HTTPS:-443}'
+      - "--entrypoints.web-secure.address=:${NET_PROXY_PORT_HTTPS:-443}"
 
       # Global HTTP to HTTPS redirect
-      - '--entrypoints.web.http.redirections.entryPoint.to=web-secure'
+      - "--entrypoints.web.http.redirections.entryPoint.to=web-secure"
-      - '--entrypoints.web.http.redirections.entryPoint.scheme=https'
+      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
-      - '--entrypoints.web.http.redirections.entryPoint.permanent=true'
+      - "--entrypoints.web.http.redirections.entryPoint.permanent=true"
 
       # Security Headers (applied globally)
-      - '--entrypoints.web-secure.http.middlewares=security-headers@file'
+      - "--entrypoints.web-secure.http.middlewares=security-headers@file"
 
       # Let's Encrypt
-      - '--certificatesresolvers.resolver.acme.tlschallenge=true'
+      - "--certificatesresolvers.resolver.acme.tlschallenge=true"
-      - '--certificatesresolvers.resolver.acme.email=${ADMIN_EMAIL}'
+      - "--certificatesresolvers.resolver.acme.email=${ADMIN_EMAIL}"
-      - '--certificatesresolvers.resolver.acme.storage=/letsencrypt/acme.json'
+      - "--certificatesresolvers.resolver.acme.storage=/letsencrypt/acme.json"
 
     healthcheck:
       test: ["CMD", "traefik", "healthcheck", "--ping"]
@@ -74,20 +74,20 @@ services:
       - ./dynamic:/etc/traefik/dynamic:ro
 
     labels:
-      - 'traefik.enable=true'
+      - "traefik.enable=true"
       # HTTP to HTTPS redirect
-      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-traefik-redirect-web-secure.redirectscheme.scheme=https'
+      - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-traefik-redirect-web-secure.redirectscheme.scheme=https"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-traefik-redirect-web-secure'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-traefik-redirect-web-secure"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web.rule=Host(`${NET_PROXY_TRAEFIK_HOST}`)'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web.rule=Host(`${NET_PROXY_TRAEFIK_HOST}`)"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web.entrypoints=web'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web.entrypoints=web"
       # HTTPS router with auth
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.rule=Host(`${NET_PROXY_TRAEFIK_HOST}`)'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.rule=Host(`${NET_PROXY_TRAEFIK_HOST}`)"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.tls.certresolver=resolver'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.tls.certresolver=resolver"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.entrypoints=web-secure'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.entrypoints=web-secure"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.service=api@internal'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.service=api@internal"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.middlewares=${NET_COMPOSE_PROJECT_NAME}-authelia,security-headers@file'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.middlewares=${NET_COMPOSE_PROJECT_NAME}-authelia,security-headers@file"
-      - 'traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.loadbalancer.server.port=8080'
+      - "traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.loadbalancer.server.port=8080"
-      - 'traefik.docker.network=${NETWORK_NAME}'
+      - "traefik.docker.network=${NETWORK_NAME}"
 
   # Netdata - Real-time monitoring
   netdata:
@@ -128,23 +128,23 @@ services:
     networks:
       - compose_network
     labels:
-      - 'traefik.enable=${NET_TRAEFIK_ENABLED}'
+      - "traefik.enable=${NET_TRAEFIK_ENABLED}"
       # HTTP to HTTPS redirect
-      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-netdata-redirect-web-secure.redirectscheme.scheme=https'
+      - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-netdata-redirect-web-secure.redirectscheme.scheme=https"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-netdata-redirect-web-secure'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-netdata-redirect-web-secure"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web.rule=Host(`${NET_NETDATA_TRAEFIK_HOST}`)'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web.rule=Host(`${NET_NETDATA_TRAEFIK_HOST}`)"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web.entrypoints=web'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web.entrypoints=web"
       # HTTPS router
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.rule=Host(`${NET_NETDATA_TRAEFIK_HOST}`)'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.rule=Host(`${NET_NETDATA_TRAEFIK_HOST}`)"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.tls.certresolver=resolver'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.tls.certresolver=resolver"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.entrypoints=web-secure'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.entrypoints=web-secure"
-      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-netdata-compress.compress=true'
+      - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-netdata-compress.compress=true"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.middlewares=${NET_COMPOSE_PROJECT_NAME}-netdata-compress,${NET_COMPOSE_PROJECT_NAME}-authelia,security-headers@file'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.middlewares=${NET_COMPOSE_PROJECT_NAME}-netdata-compress,${NET_COMPOSE_PROJECT_NAME}-authelia,security-headers@file"
       # Service
-      - 'traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-netdata.loadbalancer.server.port=19999'
+      - "traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-netdata.loadbalancer.server.port=19999"
-      - 'traefik.docker.network=${NETWORK_NAME}'
+      - "traefik.docker.network=${NETWORK_NAME}"
       # Watchtower
-      - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+      - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
 
   # Watchtower - Automatic container updates
   watchtower:
@@ -202,7 +202,8 @@ services:
       - compose_network
 
     healthcheck:
-      test: ["CMD-SHELL", "curl -f http://localhost:3000/api/heartbeat || exit 1"]
+      test:
+        ["CMD-SHELL", "curl -f http://localhost:3000/api/heartbeat || exit 1"]
       interval: 30s
       timeout: 10s
       retries: 5
@@ -210,21 +211,21 @@ services:
 
     labels:
       # Traefik Configuration
-      - 'traefik.enable=${NET_TRAEFIK_ENABLED}'
+      - "traefik.enable=${NET_TRAEFIK_ENABLED}"
 
       # HTTP to HTTPS redirect
-      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-umami-redirect-web-secure.redirectscheme.scheme=https'
+      - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-umami-redirect-web-secure.redirectscheme.scheme=https"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-umami-redirect-web-secure'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-umami-redirect-web-secure"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web.rule=Host(`${NET_TRACK_TRAEFIK_HOST}`)'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web.rule=Host(`${NET_TRACK_TRAEFIK_HOST}`)"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web.entrypoints=web'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web.entrypoints=web"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.rule=Host(`${NET_TRACK_TRAEFIK_HOST}`)'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.rule=Host(`${NET_TRACK_TRAEFIK_HOST}`)"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.tls.certresolver=resolver'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.tls.certresolver=resolver"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.entrypoints=web-secure'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.entrypoints=web-secure"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.middlewares=security-headers@file'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.middlewares=security-headers@file"
-      - 'traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.loadbalancer.server.port=3000'
+      - "traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.loadbalancer.server.port=3000"
-      - 'traefik.docker.network=${NETWORK_NAME}'
+      - "traefik.docker.network=${NETWORK_NAME}"
       # Watchtower
-      - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+      - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
 
   # Mailpit - SMTP server with web UI
   mailpit:
@@ -250,22 +251,22 @@ services:
     networks:
       - compose_network
     labels:
-      - 'traefik.enable=${NET_TRAEFIK_ENABLED}'
+      - "traefik.enable=${NET_TRAEFIK_ENABLED}"
       # HTTP to HTTPS redirect
-      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-mailpit-redirect-web-secure.redirectscheme.scheme=https'
+      - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-mailpit-redirect-web-secure.redirectscheme.scheme=https"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-mailpit-redirect-web-secure'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-mailpit-redirect-web-secure"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web.rule=Host(`${NET_MAILPIT_TRAEFIK_HOST}`)'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web.rule=Host(`${NET_MAILPIT_TRAEFIK_HOST}`)"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web.entrypoints=web'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web.entrypoints=web"
       # HTTPS router with auth
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.rule=Host(`${NET_MAILPIT_TRAEFIK_HOST}`)'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.rule=Host(`${NET_MAILPIT_TRAEFIK_HOST}`)"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.tls.certresolver=resolver'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.tls.certresolver=resolver"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.entrypoints=web-secure'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.entrypoints=web-secure"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.middlewares=${NET_COMPOSE_PROJECT_NAME}-authelia,security-headers@file'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.middlewares=${NET_COMPOSE_PROJECT_NAME}-authelia,security-headers@file"
       # Service
-      - 'traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.loadbalancer.server.port=8025'
+      - "traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.loadbalancer.server.port=8025"
-      - 'traefik.docker.network=${NETWORK_NAME}'
+      - "traefik.docker.network=${NETWORK_NAME}"
       # Watchtower
-      - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+      - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
 
   # Authelia - SSO and authentication portal
   authelia:
@@ -285,27 +286,27 @@ services:
     networks:
       - compose_network
     labels:
-      - 'traefik.enable=${NET_TRAEFIK_ENABLED}'
+      - "traefik.enable=${NET_TRAEFIK_ENABLED}"
       # HTTP to HTTPS redirect
-      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia-redirect-web-secure.redirectscheme.scheme=https'
+      - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia-redirect-web-secure.redirectscheme.scheme=https"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-authelia-redirect-web-secure'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-authelia-redirect-web-secure"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web.rule=Host(`${NET_AUTHELIA_TRAEFIK_HOST}`)'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web.rule=Host(`${NET_AUTHELIA_TRAEFIK_HOST}`)"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web.entrypoints=web'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web.entrypoints=web"
       # HTTPS router
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.rule=Host(`${NET_AUTHELIA_TRAEFIK_HOST}`)'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.rule=Host(`${NET_AUTHELIA_TRAEFIK_HOST}`)"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.tls.certresolver=resolver'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.tls.certresolver=resolver"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.entrypoints=web-secure'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.entrypoints=web-secure"
-      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.middlewares=security-headers@file'
+      - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.middlewares=security-headers@file"
       # Service
-      - 'traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.loadbalancer.server.port=9091'
+      - "traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.loadbalancer.server.port=9091"
-      - 'traefik.docker.network=${NETWORK_NAME}'
+      - "traefik.docker.network=${NETWORK_NAME}"
       # ForwardAuth middleware for other services
-      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.address=http://net_authelia:9091/api/authz/forward-auth'
+      - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.address=http://net_authelia:9091/api/authz/forward-auth"
-      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.trustForwardHeader=true'
+      - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.trustForwardHeader=true"
-      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
+      - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
-      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.authResponseHeadersRegex=^Remote-'
+      - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.authResponseHeadersRegex=^Remote-"
       # Watchtower
-      - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+      - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
 
 volumes:
   letsencrypt_data: