From 82056ed283e5eed9016b83cf0f2699de550fe2c6 Mon Sep 17 00:00:00 2001 From: Thomas Dehaeze Date: Mon, 25 Oct 2021 14:32:23 +0200 Subject: [PATCH] Add lots of docker containers --- homelab.org | 1494 +++++++++++++++++++++++++++++++++++---------------- 1 file changed, 1030 insertions(+), 464 deletions(-) diff --git a/homelab.org b/homelab.org index b76f1a1..3f214e0 100644 --- a/homelab.org +++ b/homelab.org @@ -23,7 +23,7 @@ ** Install Important software #+begin_src bash :eval no -sudo apt install neovim tmux fd-find ripgrep apache2-utils unrar ranger fzf stow +sudo apt install neovim tmux fd-find ripgrep fzf apache2-utils unrar ranger #+end_src ** Terminal Problem @@ -68,7 +68,6 @@ sudo mkfs.ext4 -L partitionname /dev/sda1 ** MergerFS and FStab *MergerFS* is a transparent layer that sits on top of the data drives providing a single mount point for reads / writes ([[https://selfhostedhome.com/combining-different-sized-drives-with-mergerfs-and-snapraid/][link]]). - #+begin_src bash :eval no sudo apt install mergerfs #+end_src @@ -173,6 +172,13 @@ To check how the first part of the crontab works, check [[https://crontab.guru/] cd ~/docker && docker-compose up -d #+end_src +** Docker config =~/.docker/config.json= +#+begin_src json :tangle /ssh:thomas@homelab:~/.docker/config.json +{ + "psFormat": "table {{ .ID }}\\t{{ .Names }}\t{{ .Status }}" +} +#+end_src + * Maintenance - How To ** Update System/Packages #+begin_src bash 
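Review bot: The new `~/.docker/config.json` block escapes the same separator two different ways, `\\t` between ID and Names but `\t` between Names and Status. Both most likely end up as a tab, because Docker rewrites a literal `\t` in a format string before parsing it, but the mixed escaping invites a copy-paste error the next time a column is added; Docker's own examples use the `\\t` form throughout, so the line should read `"psFormat": "table {{ .ID }}\\t{{ .Names }}\\t{{ .Status }}"`. The other hunks on this line only reorder the apt package list and drop a blank line.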
@@ -199,16 +205,7 @@ This will delete all unused images, volumes and networks. docker system prune -f && docker image prune -f && docker volume prune -f #+end_src -** Add User and Password for Basic Authentication -- Go to https://www.web2generators.com/apache-tools/htpasswd-generator and type the username and password -- Alternatively, type =htpasswd -nb username mystrongpassword= in the shell -- Or use the following docker container: -#+begin_src bash -docker run --rm -it httpd echo $(htpasswd -nb username-here password-here) | sed -e s/\\$/\\$\\$/g -#+end_src -- Paste the output in =~/docker/shared/.htpasswd= - -** Snapraid +** =snapraid= To see all files "backed up" by snapraid, use: #+begin_src bash docker exec -ti snapraid snapraid list | fzf @@ -224,7 +221,7 @@ The path to file should be relative: =/srv/storage/Cloud/org/file.org= -> =Cloud ** Restore Online backup with =restic= To list backups: -#+begin_src bash :dir /ssh:thomas@grenoble:/ :results output replace +#+begin_src bash :dir /ssh:thomas@homelab:/ :results output replace docker exec restic restic snapshots #+end_src @@ -238,7 +235,7 @@ docker exec restic restic snapshots : 3 snapshots Force backup of folder: -#+begin_src bash :dir /ssh:thomas@grenoble:/ :results output replace +#+begin_src bash :dir /ssh:thomas@homelab:/ :results output replace docker exec restic restic backup /data/documents/manuals #+end_src 
@@ -252,30 +249,65 @@ docker exec restic restic backup /data/documents/manuals : snapshot 9cf0b480 saved Find the path to the file within the snapshot: -#+begin_src bash :dir /ssh:thomas@grenoble:/ :results output replace +#+begin_src bash :dir /ssh:thomas@homelab:/ :results output replace docker exec restic restic find file_name #+end_src Find files only for a specific snapshot: -#+begin_src bash :dir /ssh:thomas@grenoble:/ :results output replace +#+begin_src bash :dir /ssh:thomas@homelab:/ :results output replace docker exec restic restic find -s latest file_name #+end_src Restore files/folders (replace file/folders): -#+begin_src bash :dir /ssh:thomas@grenoble:/ :results output replace +#+begin_src bash :dir /ssh:thomas@homelab:/ :results output replace docker exec restic restic restore --include /data/documents/manuals --target / 088e31a4 #+end_src You can use =latest= instead of the ID. If indeed, we want to make a copy of the file, we can use the backup folder -#+begin_src bash :dir /ssh:thomas@grenoble:/ :results output replace +#+begin_src bash :dir /ssh:thomas@homelab:/ :results output replace docker exec restic restic restore --include /data/documents/manuals --target /backup 088e31a4 #+end_src +** Add =wireguard= client +*** With an Android client +Show the QRcode corresponding the a specific peer with: +#+begin_src bash +docker exec -it wireguard /app/show-peer 1 +#+end_src + +Then, simply scan the QRcode with the [[https://github.com/WireGuard/wireguard-android][Wireguard]] application. + +*** With a Linux client + +Copy the file =$CONFIGDIR/wireguard/peeri/peeri.conf=, e.g.: +#+begin_src conf +[Interface] +Address = 10.13.13.4/24 +DNS = 10.13.1.1 +PrivateKey = **** +ListenPort = 51820 + +[Peer] +PublicKey = **** +Endpoint = wireguard.tdehaeze.xyz:51820 +AllowedIPs = 0.0.0.0/0, ::0/0 +#+end_src + +Then, paste the file to =/etc/wireguard/interfacename.conf=. 
+And then: +- =sudo chmod 600 /etc/wireguard/interfacename.conf= +- =sudo chown root:root /etc/wireguard/interfacename.conf= + +Then, start the tunnel with: +#+begin_src bash :eval no +wg-quick up interfacename +#+end_src + * Docker-Compose :PROPERTIES: -:header-args: :tangle /ssh:thomas@grenoble:~/docker/docker-compose.yaml +:header-args: :tangle /ssh:thomas@homelab:~/docker/docker-compose.yaml :header-args+: :comments none :mkdirp yes :END: @@ -315,22 +347,22 @@ services: container_name: traefik image: traefik:2.2.1 restart: unless-stopped + depends_on: + - authelia networks: t2_proxy: ipv4_address: 192.168.90.254 # You can specify a static IP security_opt: - no-new-privileges:true ports: - - 80:80 - - 443:443 - - 8080:8080 - - 8448:8448 + - 80:80 # http + - 443:443 # https + - 8448:8448 # Matrix volumes: - $CONFIGDIR/traefik2/rules:/rules - $CONFIGDIR/traefik2/acme/acme.json:/acme.json - $CONFIGDIR/traefik2/shared:/shared - $CONFIGDIR/traefik2/traefik.yaml:/etc/traefik/traefik.yaml - - $CONFIGDIR/traefik2/usersfile:/usersfile - /var/log/traefik:/var/log - /var/run/docker.sock:/var/run/docker.sock:ro environment: 
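Review bot: In the sample peer configuration, `DNS = 10.13.1.1` lies outside the `Address = 10.13.13.4/24` tunnel subnet and looks like a typo for the server-side tunnel address (presumably `10.13.13.1`); since `AllowedIPs = 0.0.0.0/0, ::0/0` sends all traffic into the tunnel, an unreachable resolver means name resolution fails or silently falls back to the local resolver, so the value is worth confirming against the server's generated `peer1.conf`. `ListenPort = 51820` in a roaming client's `[Interface]` pins a fixed UDP listener on the client and is normally omitted. The paste-then-`chmod 600` sequence leaves the private key readable by other local users for a moment; creating the file with `sudo install -m 600 /dev/null /etc/wireguard/interfacename.conf` before pasting into it avoids that window.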
@@ -347,38 +379,23 @@ services: - "traefik.http.routers.traefik-rtr.entrypoints=https" - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)" - "traefik.http.routers.traefik-rtr.tls=true" - # - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs + - "traefik.http.routers.traefik-rtr.middlewares=authelia@docker" + - "traefik.http.routers.traefik-rtr.service=traefik-svc" - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME" - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME" + - "traefik.http.services.traefik-svc.loadbalancer.server.port=8080" # Services - API - "traefik.http.routers.traefik-rtr.service=api@internal" - # Middlewares - - "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file" - - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,middlewares-basic-auth@file" - # - "traefik.http.routers.traefik-rtr.middlewares=test" - - "traefik.http.middlewares.traefik-auth.basicauth.users=tdehaeze:$$apr1$$d.JmbY5J$$K8btOi1fwwVYOkCnicCVi." - - "traefik.http.middlewares.public-auth.basicauth.users=tdehaeze:$$apr1$$d.JmbY5J$$K8btOi1fwwVYOkCnicCVi.,dehaeze:$$apr1$$ICU0hKjc$$D7buBzZDvokvMP1O6ptc5/" - # Authelia - # - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.$DOMAINNAME/' - # - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true' - # - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups' logging: *default-logging #+end_src -*** =usersfile= -#+begin_src conf :tangle /ssh:thomas@grenoble:~/docker/config/traefik2/usersfile -tdehaeze:$$apr1$$d.JmbY5J$$K8btOi1fwwVYOkCnicCVi. 
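Review bot: Dropping the `$CONFIGDIR/traefik2/usersfile` volume removes the file from the container but not the references to it; if any dynamic rule under `$CONFIGDIR/traefik2/rules` still defines `middlewares-basic-auth@file` with `usersFile: /usersfile`, Traefik will fail to load that middleware and disable every router that names it (fail closed, but silent). The rules directory is not in this diff, so that needs checking by hand. `depends_on: - authelia` only orders container start-up and does not wait for Authelia to answer on 9091; that is acceptable here because a ForwardAuth middleware whose backend is unreachable rejects the request rather than passing it through. The traefik service definition continues outside this hunk.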
-#+end_src - *** =traefik.yaml= -#+begin_src yaml :tangle /ssh:thomas@grenoble:~/docker/config/traefik2/traefik.yaml +#+begin_src yaml :tangle /ssh:thomas@homelab:~/docker/config/traefik2/traefik.yaml global: checkNewVersion: true sendAnonymousUsage: false entryPoints: - traefik: - address: :8080 http: address: :80 https: 
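Review bot: The dashboard router now carries two `service` labels: the added `traefik.http.routers.traefik-rtr.service=traefik-svc` and the kept `traefik.http.routers.traefik-rtr.service=api@internal` a few lines below. Labels are a map, so only one survives, and which one is a Compose detail; if `api@internal` wins, `traefik-svc` and its `loadbalancer.server.port=8080` are dead labels, and if `traefik-svc` wins the router points at a port 8080 whose `traefik` entryPoint this hunk removes (it would only answer if `api.insecure` is enabled in `traefik.yaml`, which is not visible here), so one line should go, normally the `api@internal` one if the dashboard is meant to be served via `api@internal` is kept and `traefik-svc` dropped. Replacing `middlewares-rate-limit@file,middlewares-basic-auth@file` with `authelia@docker` also removes rate limiting from the dashboard; Authelia's `regulation` block throttles only its own login endpoint. The `apr1` hash removed from `usersfile` has lived in the repository history, so the password behind it should be treated as exposed and not reused for the Authelia user database.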
@@ -420,7 +437,194 @@ certificatesResolvers: resolvers: 1.1.1.1:53,1.0.0.1:53 #+end_src -** =nginx= - Root +** =authelia= - Single Sign-On Multi-Factor portal ([[https://github.com/authelia/authelia][link]]) +#+begin_src yaml + authelia: + image: authelia/authelia:4.30 + container_name: authelia + restart: unless-stopped + networks: + - t2_proxy + - backend + volumes: + - $CONFIGDIR/authelia:/config + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - AUTHELIA_NOTIFIER_SMTP_PASSWORD=$AUTHELIA_NOTIFIER_SMTP_PASSWORD + - AUTHELIA_JWT_SECRET=$AUTHELIA_JWT_SECRET + labels: + - "traefik.enable=true" + - "traefik.http.routers.authelia-rtr.entrypoints=https" + - "traefik.http.routers.authelia-rtr.tls=true" + - "traefik.http.routers.authelia-rtr.service=authelia-svc" + - "traefik.http.routers.authelia-rtr.rule=Host(`login.$DOMAINNAME`)" + - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091" + - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.$DOMAINNAME/" + - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true" + - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email" + - "treafik.http.middlewares.chain-authelia.chain.middlewares=middlewares-rate-limit, middlewares-secure-headers, middlewares-authelia" + - "traefik.docker.network=t2_proxy" +#+end_src + +*** =configuration.yml= +#+begin_src yaml :tangle /ssh:thomas@homelab:~/docker/config/authelia/configuration.yml +--- +############################################################### +# Authelia configuration # +############################################################### + +default_redirection_url: https://authelia.tdehaeze.xyz + +server: + host: 0.0.0.0 + port: 9091 + +log: + level: debug + +totp: + issuer: authelia.com + period: 30 + skew: 1 + +authentication_backend: + file: + path: 
/config/users_database.yml + password: + algorithm: argon2id + iterations: 1 + salt_length: 16 + parallelism: 8 + memory: 1024 + +access_control: + default_policy: deny + rules: + - domain: traefik.tdehaeze.xyz + policy: one_factor + subject: + - ["group:admins"] + - domain: zigbee2mqttassistant.tdehaeze.xyz + policy: one_factor + subject: + - ["group:admins"] + - domain: scrutiny.tdehaeze.xyz + policy: one_factor + subject: + - ["group:admins"] + - domain: portainer.tdehaeze.xyz + policy: one_factor + subject: + - ["group:admins"] + - domain: syncthing.tdehaeze.xyz + policy: one_factor + subject: + - ["group:admins"] + - domain: octoprint.tdehaeze.xyz + policy: one_factor + subject: + - ["group:admins"] + - domain: uptime.tdehaeze.xyz + policy: one_factor + subject: + - ["group:admins"] + - domain: joal.tdehaeze.xyz + policy: one_factor + subject: + - ["group:admins"] + - domain: down.tdehaeze.xyz + policy: one_factor + subject: + - ["group:admins"] + - ["group:friends"] + - ["group:family"] + - domain: qobuz.tdehaeze.xyz + policy: one_factor + subject: + - ["group:admins"] + - ["group:friends"] + - ["group:family"] + +session: + name: authelia_session + expiration: 3600 + inactivity: 300 + domain: tdehaeze.xyz + +regulation: + max_retries: 3 + find_time: 120 + ban_time: 300 + +storage: + local: + path: /config/db.sqlite3 + +notifier: + smtp: + username: tdehaeze.xyz@gmail.com + host: smtp.gmail.com + port: 587 + sender: tdehaeze.xyz@gmail.com +#+end_src + +** TODO =lldap= - LDAP Server ([[https://github.com/nitnelave/lldap][link]]) +#+begin_src yaml :tangle no + lldap: + image: nitnelave/lldap + container_name: lldap + restart: unless-stopped + networks: + - t2_proxy + - backend + ports: + - 3890:3890 + volumes: + - $CONFIGDIR/lldap:/data + labels: + - "traefik.enable=true" + - "traefik.http.routers.lldap-rtr.entrypoints=https" + - "traefik.http.routers.lldap-rtr.rule=Host(`lldap.$DOMAINNAME`)" + - "traefik.http.routers.lldap-rtr.tls=true" + - 
"traefik.http.routers.lldap-rtr.service=lldap-svc" + - "traefik.http.routers.lldap-rtr.middlewares=authelia@docker" + - "traefik.http.services.lldap-svc.loadbalancer.server.port=17170" + logging: *default-logging +#+end_src + +** =gotify= - Notification service ([[https://github.com/gotify/server][link]]) + +In order to have notifications on Linux desktop use [[https://github.com/ztpnk/gotify-dunst][gotify-dunst]]. + +#+begin_src yaml + gotify: + container_name: gotify + image: gotify/server + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - GOTIFY_DEFAULTUSER_NAME=$GOTIFY_DEFAULTUSER_NAME + - GOTIFY_DEFAULTUSER_PASS=$GOTIFY_DEFAULTUSER_PASS + volumes: + - $CONFIGDIR/gotify:/app/data + labels: + - "traefik.enable=true" + - "traefik.http.routers.gotify-rtr.entrypoints=https" + - "traefik.http.routers.gotify-rtr.rule=Host(`gotify.$DOMAINNAME`)" + - "traefik.http.routers.gotify-rtr.tls=true" + - "traefik.http.routers.gotify-rtr.service=gotify-svc" + - "traefik.http.services.gotify-svc.loadbalancer.server.port=80" +#+end_src + +** =nginx= - Root (used for Matrix) #+begin_src yaml root: container_name: root @@ -445,7 +649,7 @@ certificatesResolvers: #+end_src *** =nginx.conf= -#+begin_src conf :tangle /ssh:thomas@grenoble:~/docker/config/root/Caddyfile +#+begin_src conf :tangle /ssh:thomas@homelab:~/docker/config/root/Caddyfile events { } @@ -493,7 +697,7 @@ http { #+end_src *** =config.yml= -#+begin_src yaml :tangle /ssh:thomas@grenoble:~/docker/config/homer/assets/config.yml +#+begin_src yaml :tangle /ssh:thomas@homelab:~/docker/config/homer/assets/config.yml --- title: "Homepage" subtitle: "" 
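Review bot: The label `treafik.http.middlewares.chain-authelia.chain.middlewares=...` is misspelled (`treafik`), so Traefik never sees it and `chain-authelia` is not defined; it also names `middlewares-authelia`, which does not exist anywhere in this diff (the ForwardAuth middleware defined two lines above is `authelia`). Since every router in this commit references `authelia@docker` directly, either drop the label or correct it to `traefik.http.middlewares.chain-authelia.chain.middlewares=middlewares-rate-limit@file,middlewares-secure-headers@file,authelia@docker` (assuming the rate-limit and secure-headers middlewares live in the file provider, as the removed labels suggest) and have the routers use the chain so rate limiting and headers sit in front of the portal. In `configuration.yml` no `session.secret` is set and the compose environment passes only `AUTHELIA_JWT_SECRET` and the SMTP password; Authelia refuses to start without a session secret, so confirm it is supplied elsewhere (`AUTHELIA_SESSION_SECRET` or a secrets file). `log.level: debug` writes request details into container logs and should go back to `info` once the setup works, and the admin-only rules (`traefik`, `portainer`, `scrutiny`) use `one_factor` although TOTP is configured, so `two_factor` would cost nothing extra. `default_redirection_url: https://authelia.tdehaeze.xyz` names a host no router serves; the portal is routed as `login.$DOMAINNAME`.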
@@ -512,10 +716,14 @@ services: - name: "Websites" icon: "fas fa-desktop" items: - - name: "Wiki" + - name: "Brain" logo: "/assets/tools/brain.png" subtitle: "Digital Brain" url: "https://brain.tdehaeze.xyz" + - name: "Wiki" + logo: "/assets/tools/wikijs.png" + subtitle: "Shared Wiki" + url: "https://wiki.tdehaeze.xyz" - name: "Research" logo: "/assets/tools/orgmode.png" subtitle: "Research Pages" @@ -528,29 +736,21 @@ services: logo: "/assets/tools/miam.png" subtitle: "Personnal Recipes" url: "https://miam.tdehaeze.xyz" - - name: "Utilities" - icon: "fas fa-rss" + - name: "Multimedia" + icon: "fas fa-photo-video" items: - - name: "Miniflux" - logo: "/assets/tools/miniflux.png" - subtitle: "RSS Feeds" - url: "https://rss.tdehaeze.xyz" - # - name: "Bitwarden" - # logo: "/assets/tools/bitwarden.png" - # subtitle: "Password Manager" - # url: "https://bw.tdehaeze.xyz" - - name: "Home Assistant" - logo: "/assets/tools/homeassistant.png" - subtitle: "Home Assistant" - url: "http://home.tdehaeze.xyz:8123" - # - name: "Guacamole" - # logo: "/assets/tools/guacamole.png" - # subtitle: "SSH Access" - # url: "https://guacamole.tdehaeze.xyz/" + - name: "Jellyfin" + logo: "/assets/tools/jellyfin.png" + subtitle: "Media Library" + url: "https://jellyfin.tdehaeze.xyz" + - name: "Kavita" + logo: "/assets/tools/kavita.png" + subtitle: "Book Library" + url: "https://kavita.tdehaeze.xyz" - name: "Cloud" icon: "fas fa-cloud" items: - - name: "Cloud" + - name: "File Browser" logo: "/assets/tools/cloud.png" subtitle: "Simple Personnal Could" url: "https://cloud.tdehaeze.xyz" 
@@ -558,6 +758,14 @@ services: logo: "/assets/tools/syncthing.png" subtitle: "P2P Sync" url: "https://syncthing.tdehaeze.xyz" + - name: "Radicale" + logo: "/assets/tools/radicale.png" + subtitle: "CalDAV/CardDAV Server" + url: "https://radicale.tdehaeze.xyz" + - name: "Miniflux" + logo: "/assets/tools/miniflux.png" + subtitle: "RSS Feeds" + url: "https://rss.tdehaeze.xyz" - name: "Gitea" logo: "/assets/tools/gitea.png" subtitle: "Git Server" 
@@ -565,71 +773,64 @@ services: - name: "Download" icon: "fas fa-download" items: - - name: "Transmission" - logo: "/assets/tools/transmission.png" - subtitle: "Torrents" - url: "https://torrent.tdehaeze.xyz/transmission/web/" - # - name: "transfer" - # logo: "/assets/tools/transfer.png" - # subtitle: "Transfer.sh" - # url: "https://file.tdehaeze.xyz" - - name: "deemix" - subtitle: "Download Music" - logo: "/assets/tools/deezer.png" - url: "https://deemix.tdehaeze.xyz" - - name: "qobuz" - subtitle: "Qobuz-DL" + - name: "Down" + logo: "/assets/tools/down.png" + subtitle: "Torrent Download" + url: "https://down.tdehaeze.xyz/" + - name: "Qobuz" + subtitle: "Music Download" logo: "/assets/tools/qobuz.png" url: "https://qobuz.tdehaeze.xyz" - - name: "Aria2" - logo: "/assets/tools/aria2.png" - subtitle: "Direct Downloads" - url: "http://dl.tdehaeze.xyz" - - name: "Media" - icon: "fas fa-film" - items: - - name: "Jellyfin" - logo: "/assets/tools/jellyfin.png" - subtitle: "Media Library" - url: "https://jellyfin.tdehaeze.xyz" + - name: "Transmission" + logo: "/assets/tools/transmission.png" + subtitle: "Torrent Client" + url: "http://torrent.tdehaeze.xyz:9091/transmission/web/" + - name: "Joal" + logo: "/assets/tools/joal.png" + subtitle: "Increase Ratio" + url: "https://joal.tdehaeze.xyz/joal/ui/#/" - name: "Config" icon: "fas fa-cog" items: - name: "Portainer" logo: "/assets/tools/portainer.png" subtitle: "Manger Docker" - url: "https://portainer.tdehaeze.xyz" + url: "https://portainer.tdehaeze.xyz/#/containers" - name: "Traefik" logo: "/assets/tools/traefik.png" subtitle: "Reverse Proxy" url: "https://traefik.tdehaeze.xyz" - - name: "Local" - icon: "fas fa-home" - items: - # - name: "Jackett" - # logo: "/assets/tools/jackett.png" - # subtitle: "Download API" - # url: "http://192.168.1.150:9117/" - # - name: "Radarr" - # logo: "/assets/tools/radarr.png" - # subtitle: "Movie Manager" - # url: "http://192.168.1.150:7878/" - # - name: "Sonarr" - # logo: 
"/assets/tools/sonarr.png" - # subtitle: "TV Shows Manager" - # url: "http://192.168.1.150:8989/" - # - name: "Ombi" - # logo: "/assets/tools/ombi.png" - # subtitle: "Request Content" - # url: "https://ombi.tdehaeze.xyz/" - # - name: "Bazarr" - # logo: "/assets/tools/bazarr.png" - # subtitle: "Subtitles Manager" - # url: "http://192.168.1.150:6767/" + - name: "Uptime" + logo: "/assets/tools/uptime.png" + subtitle: "Monitoring" + url: "https://uptime.tdehaeze.xyz" + - name: "Commento" + logo: "/assets/tools/commento.png" + subtitle: "Commenting System" + url: "https://commento.tdehaeze.xyz" + - name: "Gotify" + logo: "/assets/tools/gotify.png" + subtitle: "Messaging System" + url: "https://gotify.tdehaeze.xyz" - name: "Scrutiny" logo: "/assets/tools/scrutiny.png" subtitle: "S.M.A.R.T" - url: "http://192.168.1.150:8089/web/dashboard" + url: "http://scrutiny.tdehaeze.xyz/web/dashboard" + - name: "Home" + icon: "fas fa-home" + items: + - name: "OpenWRT" + logo: "/assets/tools/openwrt.png" + subtitle: "Router" + url: "http://192.168.1.1/" + - name: "Home Assistant" + logo: "/assets/tools/homeassistant.png" + subtitle: "Home Assistant" + url: "http://home.tdehaeze.xyz:8123" + - name: "Zigbee2MQTT" + logo: "/assets/tools/zigbee2mqtt.png" + subtitle: "Zigbee2MQTT Assistant" + url: "https://zigbee2mqttassistant.tdehaeze.xyz/" - name: "OctoPrint" logo: "/assets/tools/octoprint.png" subtitle: "3D-Printing" @@ -657,7 +858,7 @@ services: #+end_src *** =snapraid.conf= -#+begin_src conf :tangle /ssh:thomas@grenoble:~/docker/config/snapraid/snapraid.conf +#+begin_src conf :tangle /ssh:thomas@homelab:~/docker/config/snapraid/snapraid.conf # Defines the file to use as parity storage # It must NOT be in a data disk # Format: "parity FILE_PATH" 
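Review bot: The Homer entries added here link to `http://scrutiny.tdehaeze.xyz/web/dashboard` and `http://torrent.tdehaeze.xyz:9091/transmission/web/`, while this same commit puts Scrutiny behind the `https` entrypoint with the Authelia middleware; the plain-http Scrutiny link only works if the `http` entrypoint redirects (not visible in this diff), and the Transmission link bypasses Traefik and sends Transmission's basic-auth credentials in clear over a public hostname. Use `https://scrutiny.tdehaeze.xyz/web/dashboard`, and either route Transmission through Traefik or point the link at a LAN address. The added `http://home.tdehaeze.xyz:8123` entry has the same shape. The Homer config block continues outside this hunk.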
@@ -706,7 +907,7 @@ exclude .AppleDB #+end_src *** =snapraid-runner.conf= -#+begin_src conf :tangle /ssh:thomas@grenoble:~/docker/config/snapraid/snapraid-runner.conf +#+begin_src conf :tangle /ssh:thomas@homelab:~/docker/config/snapraid/snapraid-runner.conf [snapraid] ; path to the snapraid executable (e.g. /bin/snapraid) executable = /usr/bin/snapraid @@ -775,7 +976,7 @@ older-than = 10 - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME`)" - "traefik.http.routers.portainer-rtr.tls=true" - "traefik.http.routers.portainer-rtr.service=portainer-svc" - - "traefik.http.routers.portainer-rtr.middlewares=traefik-auth" + - "traefik.http.routers.portainer-rtr.middlewares=authelia@docker" - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000" logging: *default-logging #+end_src 
@@ -807,6 +1008,53 @@ older-than = 10 logging: *default-logging #+end_src +** =gluetun= - Provide VPN connection to other containers ([[https://github.com/bubuntux/nordvpn][link]]) +#+begin_src yaml + gluetun: + image: qmcgaw/gluetun + container_name: gluetun + restart: unless-stopped + cap_add: + - NET_ADMIN + network_mode: bridge + ports: + - 8065:8065 # For transmission + - 9091:9091 # For transmission + - 51413:51413 # For transmission + - 51413:51413/udp # For transmission + environment: + - OPENVPN_USER=$NORDVPN_NAME + - OPENVPN_PASSWORD=$NORDVPN_PASS + - VPNSP=nordvpn + - REGION=France + - SERVER_NUMBER=776 + - TZ=$TZ + volumes: + - $CONFIGDIR/gluetun:/config +#+end_src + +** =transmission= - Torrent client ([[https://hub.docker.com/r/linuxserver/transmission][link]]) +#+begin_src yaml + transmission: + container_name: transmission + image: ghcr.io/linuxserver/transmission + restart: unless-stopped + network_mode: container:gluetun + depends_on: + - gluetun + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - USER=$TRANSMISSION_NAME + - PASS=$TRANSMISSION_PASS + volumes: + - $CONFIGDIR/transmission:/config + - /srv/storage/Downloads:/downloads + - /srv/storage/Downloads/watch:/watch + logging: *default-logging +#+end_src + ** =gitea= - Git server ([[https://github.com/go-gitea/gitea][link]]) #+begin_src yaml gitea: 
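Review bot: The previous transmission service had a Traefik router with the `traefik-auth` middleware; the new one has no router at all and is reached only through the ports gluetun publishes on the host (`9091:9091`), so the web UI is now exposed on every host interface over plain HTTP, guarded only by `USER`/`PASS` and outside both TLS and Authelia. Either attach gluetun to `t2_proxy` and put a `transmission-rtr` router with `authelia@docker` on it (the labels must sit on gluetun, since it owns the network namespace), or restrict the publish to the LAN or loopback, e.g. `- 127.0.0.1:9091:9091`. `8065:8065 # For transmission` is not a port Transmission listens on by default and looks like a leftover. Because `network_mode: container:gluetun` shares gluetun's namespace, a restart of gluetun leaves transmission with a dead namespace until it is recreated; a comment next to `depends_on` saying so would save the next debugging session. The section link points at `bubuntux/nordvpn` rather than the gluetun project.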
@@ -855,7 +1103,32 @@ older-than = 10 - $CONFIGDIR/mariadb:/var/lib/mysql #+end_src -** =caddy= - Research Pages +** =wikijs= - Wiki App ([[https://github.com/Requarks/wiki][link]]) +#+begin_src yaml + wikijs: + image: ghcr.io/linuxserver/wikijs:version-2.5.201 + container_name: wikijs + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + volumes: + - $CONFIGDIR/wikijs/config:/config + - $CONFIGDIR/wikijs/data:/data + labels: + - "traefik.enable=true" + - "traefik.http.routers.wikijs-rtr.entrypoints=https" + - "traefik.http.routers.wikijs-rtr.rule=Host(`wiki.$DOMAINNAME`)" + - "traefik.http.routers.wikijs-rtr.tls=true" + - "traefik.http.routers.wikijs-rtr.service=wikijs-svc" + - "traefik.http.services.wikijs-svc.loadbalancer.server.port=3000" + logging: *default-logging +#+end_src + +** =research= - Research Pages ([[https://git.tdehaeze.xyz/tdehaeze/research-home-page][link]]) #+begin_src yaml caddy: container_name: caddy @@ -883,7 +1156,7 @@ older-than = 10 #+end_src *** =Caddyfile= -#+begin_src conf :tangle /ssh:thomas@grenoble:~/docker/config/caddy/Caddyfile +#+begin_src conf :tangle /ssh:thomas@homelab:~/docker/config/caddy/Caddyfile 0.0.0.0:2015 { root /srv/www/ @@ -897,7 +1170,7 @@ older-than = 10 } #+end_src -** =caddy= - Dotfiles +** =dotfiles= - Dotfiles ([[https://git.tdehaeze.xyz/tdehaeze/literate-dotfiles][link]]) #+begin_src yaml dotfiles: container_name: dotfiles @@ -924,7 +1197,7 @@ older-than = 10 #+end_src *** =Caddyfile= -#+begin_src conf :tangle /ssh:thomas@grenoble:~/docker/config/dotfiles/Caddyfile +#+begin_src conf :tangle /ssh:thomas@homelab:~/docker/config/dotfiles/Caddyfile 0.0.0.0:2015 { root /srv/www/docs/ @@ -937,7 +1210,7 @@ older-than = 10 } #+end_src -** =hugo= - Wiki + Blog +** =hugo= - Wiki + Blog ([[https://git.tdehaeze.xyz/tdehaeze/digital-brain][link]]) #+begin_src yaml hugo: container_name: hugo 
@@ -987,7 +1260,7 @@ older-than = 10 - "traefik.http.routers.syncthing-rtr.rule=Host(`syncthing.$DOMAINNAME`)" - "traefik.http.routers.syncthing-rtr.tls=true" - "traefik.http.routers.syncthing-rtr.service=syncthing-svc" - - "traefik.http.routers.syncthing-rtr.middlewares=traefik-auth" + - "traefik.http.routers.syncthing-rtr.middlewares=authelia@docker" - "traefik.http.services.syncthing-svc.loadbalancer.server.port=8384" logging: *default-logging #+end_src @@ -1048,24 +1321,25 @@ older-than = 10 # protocol: tcp # mode: host privileged: true - network_mode: host + ports: + - 8123:8123 + # network_mode: host volumes: - $CONFIGDIR/homeassistant:/config - /etc/localtime:/etc/localtime:ro - /dev/bus/usb:/dev/bus/usb - # - ${USERDIR}/docker/shared:/shared environment: - PUID=$PUID - PGID=$PGID - TZ=$TZ labels: - "traefik.enable=true" - - "traefik.http.routers.homeassistant-rtr.entrypoints=https,http" + - "traefik.http.routers.homeassistant-rtr.entrypoints=https" - "traefik.http.routers.homeassistant-rtr.rule=Host(`home.$DOMAINNAME`)" - "traefik.http.routers.homeassistant-rtr.tls=true" - "traefik.http.routers.homeassistant-rtr.service=homeassistant-svc" - - "traefik.http.services.homeassistant-svc.loadbalancer.servers.url=http://172.17.0.1:8123" - #- "traefik.http.services.homeassistant-svc.loadbalancer.server.port=8123" + - "traefik.http.services.homeassistant-svc.loadbalancer.server.port=8123" + # - "traefik.http.services.homeassistant-svc.loadbalancer.servers.url=http://172.17.0.1:8123" logging: *default-logging #+end_src 
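Review bot: Switching Home Assistant from `network_mode: host` to `ports: - 8123:8123` still publishes the UI on every host interface over plain HTTP, so the new https-only router with `loadbalancer.server.port=8123` can be bypassed; bind it to the LAN or loopback (`- 127.0.0.1:8123:8123`) if the proxy is meant to be the only entrance, or add a comment stating that direct LAN access is intended. When Home Assistant sits behind a reverse proxy it also needs `use_x_forwarded_for: true` and `trusted_proxies` (the `t2_proxy` subnet) in its `http:` section, otherwise recent versions may reject proxied requests; that file is not part of this diff. The container keeps `privileged: true`, which is far broader than the `/dev/bus/usb` access it appears to need; a `devices:` entry would be narrower. The homeassistant service definition starts outside this hunk.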
@@ -1080,14 +1354,24 @@ older-than = 10 volumes: - $CONFIGDIR/jellyfin:/config - /srv/storage/TVShows:/data/tvshows + - /srv/storage/Documentaries:/data/documentaries - /srv/storage/LiveMusic:/data/livemusic - /srv/storage/Animes:/data/animes - /srv/storage/Movies:/data/movies - /srv/storage/Music:/data/music + - /srv/storage/StandUp:/data/standup environment: - PUID=$PUID - PGID=$PGID - TZ=$TZ + group-add: + - 109 + devices: + # VAAPI Devices + - /dev/dri/renderD128:/dev/dri/renderD128 + - /dev/dri/card0:/dev/dri/card0 + ports: + - 8096:8096 labels: - "traefik.enable=true" - "traefik.http.routers.jellyfin-rtr.entrypoints=https" 
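Review bot: `group-add:` is not a Compose key; the option is `group_add`, so docker-compose will reject the jellyfin service with an unsupported-option error (or, on a lenient parser, ignore it, in which case the container never gets group 109 for `/dev/dri`). Change the lines to `group_add:` / `- 109` and add a comment such as `# host gid of the render/video group that owns /dev/dri — host specific, check with getent group` since the number is not portable. `ports: - 8096:8096` additionally publishes Jellyfin over plain HTTP on all host interfaces next to the Traefik route; if only LAN clients need it, `- <lan-ip>:8096:8096` (placeholder) limits the surface. The jellyfin service definition starts and ends outside this hunk.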
@@ -1098,6 +1382,62 @@ older-than = 10 logging: *default-logging #+end_src +** =jfa-go= - Manage Jellyfin Users ([[https://github.com/hrfee/jfa-go][link]]) +#+begin_src yaml + jfa: + container_name: jfa + image: hrfee/jfa-go + restart: unless-stopped + depends_on: + - jellyfin + networks: + - t2_proxy + volumes: + - $CONFIGDIR/jfa:/data + - $CONFIGDIR/jellyfin:/jf + - /etc/localtime:/etc/localtime:ro + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + labels: + - "traefik.enable=true" + - "traefik.http.routers.jfa-rtr.entrypoints=https" + - "traefik.http.routers.jfa-rtr.rule=Host(`jfa.$DOMAINNAME`)" + - "traefik.http.routers.jfa-rtr.tls=true" + - "traefik.http.routers.jfa-rtr.service=jfa-svc" + - "traefik.http.services.jfa-svc.loadbalancer.server.port=8056" + logging: *default-logging +#+end_src + +** =audioserve= - Audiobook server ([[https://github.com/izderadicka/audioserve][link]]) +#+begin_src yaml + audioserve: + container_name: audioserve + image: izderadicka/audioserve + restart: unless-stopped + command: /audiobooks + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - AUDIOSERVE_SHARED_SECRET=$AUDIOSERVE_SHARED_SECRET + volumes: + - /srv/storage/AudioBooks:/audiobooks + - /etc/localtime:/etc/localtime:ro + - $CONFIGDIR/audioserve:/home/audioserve/.audioserve + labels: + - "traefik.enable=true" + - "traefik.http.routers.audioserve-rtr.entrypoints=https" + - "traefik.http.routers.audioserve-rtr.rule=Host(`audiobook.$DOMAINNAME`)" + - "traefik.http.routers.audioserve-rtr.tls=true" + - "traefik.http.routers.audioserve-rtr.service=audioserve-svc" + - "traefik.http.services.audioserve-svc.loadbalancer.server.port=3000" + logging: *default-logging +#+end_src + ** =filebrowser= - Web file browser ([[https://hub.docker.com/r/filebrowser/filebrowser][link]]) #+begin_src yaml filebrowser: 
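Review bot: `jfa` mounts Jellyfin's whole config directory `$CONFIGDIR/jellyfin:/jf` read-write, which holds Jellyfin's database and API keys; jfa-go appears to only read it, so `:ro` would be the safer default, but confirm against the project's docs before tightening. Neither `jfa-rtr` nor `audioserve-rtr` carries the `authelia@docker` middleware this commit adds to the other admin-facing routers; that is defensible for jfa's public invite pages and audioserve's shared-secret login, but a one-line comment stating the omission is intentional would stop the next reader from "fixing" it. `PUID`/`PGID` are passed to both images although neither is a linuxserver image; whether they honour the variables is not visible here.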
@@ -1127,7 +1467,7 @@ older-than = 10 *** =.filebrowser.json= -#+begin_src json :tangle /ssh:thomas@grenoble:~/docker/config/filebrowser/.filebrowser.json +#+begin_src json :tangle /ssh:thomas@homelab:~/docker/config/filebrowser/.filebrowser.json { "port": 80, "baseURL": "", @@ -1145,17 +1485,16 @@ older-than = 10 image: linuxserver/scrutiny restart: unless-stopped networks: - - backend + - t2_proxy cap_add: - SYS_RAWIO - SYS_ADMIN environment: - PUID=$PUID - PGID=$PGID - - SCRUTINY_API_ENDPOINT=http://localhost:8080 - TZ=$TZ - SCRUTINY_WEB=true - - SCRUTINY_COLLECTOR=true + - SCRUTINY_COLLECTOR=false volumes: - $CONFIGDIR/scrutiny:/config - /run/udev:/run/udev:ro 
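Review bot: With `SCRUTINY_COLLECTOR=false` this container only serves the web UI, yet it keeps `cap_add: SYS_RAWIO, SYS_ADMIN` (and, in the following hunk, the raw `/dev/sd*` and `/dev/nvme0n1` device mounts), which exist only for the collector; if the collector now runs elsewhere, drop those from this service so the proxied web process is not a capability-bearing one. Moving the container from `backend` to `t2_proxy` is what lets Traefik reach it, but it also takes it off `backend`, so whatever talked to it there (the removed `SCRUTINY_API_ENDPOINT` suggests a collector did) must be repointed. The scrutiny service definition continues outside this hunk.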
@@ -1165,185 +1504,18 @@ older-than = 10 - /dev/sdc:/dev/sdc - /dev/sdd:/dev/sdd - /dev/nvme0n1:/dev/nvme0n1 - ports: - - 8089:8080 - logging: *default-logging -#+end_src - -** =transmission= - Torrent server ([[https://hub.docker.com/r/haugene/transmission-openvpn][link]]) -#+begin_src yaml - transmission-openvpn: - container_name: transmission - image: haugene/transmission-openvpn - restart: unless-stopped - networks: - - t2_proxy - - backend - environment: - - PUID=$PUID - - PGID=$PGID - - CREATE_TUN_DEVICE=true - - ENABLE_UFW=true - - WEBPROXY_ENABLED=false - - TRANSMISSION_WEB_UI=combustion - - OPENVPN_PROVIDER=NORDVPN - - OPENVPN_USERNAME=$NORDVPN_NAME - - OPENVPN_PASSWORD=$NORDVPN_PASS - - NORDVPN_COUNTRY=FR - - NORDVPN_CATEGORY=P2P - - NORDVPN_PROTOCOL=tcp - - LOCAL_NETWORK=192.168.0.0/16 - volumes: - - /srv/storage/Downloads:/data - - /etc/localtime:/etc/localtime:ro - cap_add: - - NET_ADMIN - ports: - - 9091:9091 - - 51413:51413 - - 51413:51413/udp labels: - "traefik.enable=true" - - "traefik.http.routers.transmission-rtr.entrypoints=https" - - "traefik.http.routers.transmission-rtr.rule=Host(`torrent.$DOMAINNAME`)" - - "traefik.http.routers.transmission-rtr.tls=true" - - "traefik.http.routers.transmission-rtr.service=transmission-svc" - - "traefik.http.routers.transmission-rtr.middlewares=traefik-auth" - - "traefik.http.services.transmission-svc.loadbalancer.server.port=9091" + - "traefik.http.routers.scrutiny-rtr.entrypoints=https" + - "traefik.http.routers.scrutiny-rtr.rule=Host(`scrutiny.$DOMAINNAME`)" + - "traefik.http.routers.scrutiny-rtr.tls=true" + - "traefik.http.routers.scrutiny-rtr.service=scrutiny-svc" + - "traefik.http.routers.scrutiny-rtr.middlewares=authelia@docker" + - "traefik.http.services.scrutiny-svc.loadbalancer.server.port=8080" logging: *default-logging #+end_src -** =aria2= - Download daemon ([[https://hub.docker.com/r/opengg/aria2][link]]) -Backend ([[https://hub.docker.com/r/opengg/aria2][link]]): -#+begin_src yaml - aria2: - 
container_name: aria2 - image: opengg/aria2 - restart: unless-stopped - networks: - - t2_proxy - environment: - - PUID=$PUID - - PGID=$PGID - user: "${PUID}:${PGID}" - volumes: - - $CONFIGDIR/aria2:/config - - /srv/storage/Downloads:/downloads - ports: - - 6800:6800 - logging: *default-logging -#+end_src - -Web-UI ([[https://hub.docker.com/r/p3terx/ariang][link]]): -#+begin_src yaml - aria2-ui: - container_name: aria2-ui - image: p3terx/ariang - restart: unless-stopped - networks: - - t2_proxy - environment: - - PUID=$PUID - - PGID=$PGID - ports: - - 6880:6880 - labels: - - "traefik.enable=true" - - "traefik.http.routers.aria2-rtr.entrypoints=http" - - "traefik.http.routers.aria2-rtr.rule=Host(`dl.$DOMAINNAME`)" - - "traefik.http.routers.aria2-rtr.tls=false" - - "traefik.http.routers.aria2-rtr.service=aria2-svc" - - "traefik.http.services.aria2-svc.loadbalancer.server.port=6880" - logging: *default-logging -#+end_src - -*** =aria2.conf= -#+begin_src conf :tangle /ssh:thomas@grenoble:~/docker/config/aria2/aria2.conf :noweb yes -save-session=/config/aria2.session -input-file=/config/aria2.session -save-session-interval=60 - -dir=/downloads - -file-allocation=prealloc -disk-cache=128M - -enable-rpc=true -rpc-listen-port=6800 -rpc-allow-origin-all=true -rpc-listen-all=true - -rpc-secret=<> - -auto-file-renaming=false - -max-connection-per-server=16 -min-split-size=1M -split=16 -#+end_src - -** =deemix= - Music Download ([[https://gitlab.com/Bockiii/deemix-docker][link]]) :noexport: -#+begin_src yaml - deemix: - container_name: deemix - image: registry.gitlab.com/bockiii/deemix-docker - restart: unless-stopped - networks: - - t2_proxy - volumes: - - /srv/storage/Music:/downloads - - $CONFIGDIR/deemix:/config - environment: - - TZ=$TZ - - PUID=$PUID - - PGID=$PGID - - ARL=$DEEMIX_ARL - labels: - - "traefik.enable=true" - - "traefik.http.routers.deemix-rtr.entrypoints=https" - - "traefik.http.routers.deemix-rtr.rule=Host(`deemix.$DOMAINNAME`)" - - 
"traefik.http.routers.deemix-rtr.tls=true" - - "traefik.http.routers.deemix-rtr.service=deemix-svc" - - "traefik.http.routers.deemix-rtr.middlewares=public-auth" - - "traefik.http.services.deemix-svc.loadbalancer.server.port=6595" - logging: *default-logging -#+end_src - -*** =.arl= -#+begin_src conf :tangle /ssh:thomas@grenoble:~/docker/config/deemix/.arl :noweb yes -<> -#+end_src - -** =qobuz= - Qobuz Downloader ([[https://github.com/tdehaeze/qobuz-docker][link]]) :noexport: -#+begin_src yaml - qobuz: - container_name: qobuz - image: tdehaeze/qobuz - restart: unless-stopped - networks: - - t2_proxy - volumes: - - /srv/storage/Music:/downloads - environment: - - TZ=$TZ - - QOBUZNAME=$QOBUZNAME - - QOBUZPASS=$QOBUZPASS - - DOWNLOADDIR=/downloads - - JELLYFINURL=https://jellyfin.tdehaeze.xyz/library/refresh - - JELLYFINTOKEN=$JELLYFINTOKEN - user: "${PUID}:${PGID}" - labels: - - "traefik.enable=true" - - "traefik.http.routers.qobuz-rtr.entrypoints=https" - - "traefik.http.routers.qobuz-rtr.rule=Host(`qobuz.$DOMAINNAME`)" - - "traefik.http.routers.qobuz-rtr.tls=true" - - "traefik.http.routers.qobuz-rtr.service=qobuz-svc" - - "traefik.http.routers.qobuz-rtr.middlewares=public-auth" - - "traefik.http.services.qobuz-svc.loadbalancer.server.port=8080" - logging: *default-logging -#+end_src - -** =radicale= - CalDAC/CardDAV server ([[https://github.com/tomsquest/docker-radicale][link]]) +** =radicale= - CalDAV/CardDAV server ([[https://github.com/tomsquest/docker-radicale][link]]) #+begin_src yaml radicale: container_name: radicale @@ -1378,7 +1550,7 @@ split=16 #+end_src *** =config= -#+begin_src conf :tangle /ssh:thomas@grenoble:~/docker/config/radicale/config/config +#+begin_src conf :tangle /ssh:thomas@homelab:~/docker/config/radicale/config/config [server] hosts = 0.0.0.0:5232 
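Review bot: The added `scrutiny-rtr` labels match the other routers in this commit, but this hunk also deletes the `qobuz` service while the new Authelia `access_control` rule for `qobuz.tdehaeze.xyz` and the Homer `Qobuz` entry still reference that host; if the service now lives elsewhere a pointer in the Homer or Authelia section would help, otherwise the rule and the entry are stale. The removed `aria2.conf` and `.arl` blocks pulled their secrets through noweb references rather than inline values, which is the right pattern, and the new `gluetun`/`transmission` services keep it via `$NORDVPN_*` and `$TRANSMISSION_*`. The radicale heading fix (`CalDAC` → `CalDAV`) is cosmetic.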
@@ -1404,8 +1576,8 @@ filesystem_folder = /data/collections
 - RESTIC_REPOSITORY=b2:tdehaeze:/restic
 - RESTIC_PASSWORD=$RESTIC_PASSWORD
 - RESTIC_BACKUP_SOURCES=/source
- - RESTIC_FORGET_ARGS=--keep-daily 7 --keep-weekly 4 --keep-monthly 12
- - RESTIC_BACKUP_ARGS=--exclude-file /exclude.txt
+ - RESTIC_FORGET_ARGS=--group-by tag --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune
+ - RESTIC_BACKUP_ARGS=--tag local --exclude-file /exclude.txt
 - B2_ACCOUNT_ID=$RESTIC_B2_ACCOUNT_ID
 - B2_ACCOUNT_KEY=$RESTIC_B2_ACCOUNT_KEY
 - UID=$PUID
@@ -1420,7 +1592,7 @@ filesystem_folder = /data/collections
 *** =exclude.txt= - Exclude files
-#+begin_src conf :tangle /ssh:thomas@grenoble:~/docker/config/restic/exclude.txt
+#+begin_src conf :tangle /ssh:thomas@homelab:~/docker/config/restic/exclude.txt
 *.db
 *.log
 *.log.*
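Review bot: Adding `--prune` to `RESTIC_FORGET_ARGS` means the scheduled forget now deletes pack files, so the B2 application key behind `$RESTIC_B2_ACCOUNT_KEY` must carry delete permission, and a compromise of this host or of that key can then irreversibly shrink the backup repository; if the key was deliberately created without delete capability, the job will start failing at the prune step instead. With `--group-by tag` retention is computed per tag set, so snapshots taken before this change (untagged) form their own group and are kept or expired independently of the new `local`-tagged ones; a one-line comment above the variable would save the next reader that surprise, e.g. `# retention is per tag; pre-existing untagged snapshots are a separate group`. The service this environment block belongs to starts outside the hunk.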
@@ -1456,65 +1628,11 @@ filesystem_folder = /data/collections - "traefik.http.routers.octoprint-rtr.rule=Host(`octoprint.$DOMAINNAME`)" - "traefik.http.routers.octoprint-rtr.tls=true" - "traefik.http.routers.octoprint-rtr.service=octoprint-svc" - - "traefik.http.routers.octoprint-rtr.middlewares=traefik-auth" + - "traefik.http.routers.octoprint-rtr.middlewares=authelia@docker" - "traefik.http.services.octoprint-svc.loadbalancer.server.port=80" logging: *default-logging #+end_src -** TODO =linkding= - Bookmark manager ([[https://github.com/sissbruecker/linkding][link]]) -#+begin_src yaml - linkding: - container_name: linkding - image: sissbruecker/linkding:latest - restart: unless-stopped - networks: - - t2_proxy - volumes: - - $CONFIGDIR/linkding:/etc/linkding/data - environment: - - TZ=$TZ - - PUID=$PUID - - PGID=$PGID - labels: - - "traefik.enable=true" - - "traefik.http.routers.linkding-rtr.entrypoints=https" - - "traefik.http.routers.linkding-rtr.rule=Host(`bm.$DOMAINNAME`)" - - "traefik.http.routers.linkding-rtr.tls=true" - - "traefik.http.routers.linkding-rtr.service=linkding-svc" - - "traefik.http.routers.linkding-rtr.middlewares=traefik-auth" - - "traefik.http.services.linkding-svc.loadbalancer.server.port=9090" - logging: *default-logging -#+end_src - -** TODO =adguardhome= - Network-wide ads & trackers blocking DNS server ([[https://github.com/AdguardTeam/AdGuardHome][link]]) -#+begin_src yaml - adguardhome: - container_name: adguardhome - image: adguard/adguardhome - restart: unless-stopped - networks: - - t2_proxy - environment: - - UID=$PUID - - GID=$PGID - - TZ=$TZ - volumes: - - $CONFIGDIR/adguardhome/work:/opt/adguardhome/work - - $CONFIGDIR/adguardhome/conf:/opt/adguardhome/conf - ports: - - 53:53 - - 853:853 - labels: - - "traefik.enable=true" - - "traefik.http.routers.adguardhome-rtr.entrypoints=https" - - "traefik.http.routers.adguardhome-rtr.rule=Host(`adguardhome.$DOMAINNAME`)" - - "traefik.http.routers.adguardhome-rtr.tls=true" - - 
"traefik.http.routers.adguardhome-rtr.service=adguardhome-svc" - - "traefik.http.routers.adguardhome-rtr.middlewares=traefik-auth" - - "traefik.http.services.adguardhome-svc.loadbalancer.server.port=3000" - logging: *default-logging -#+end_src - ** =mealie= - Recipe Manager ([[https://github.com/hay-kot/mealie][link]]) #+begin_src yaml miam: @@ -1556,20 +1674,15 @@ filesystem_folder = /data/collections - DIUN_WATCH_SCHEDULE=0 7 * * 6 - DIUN_PROVIDERS_DOCKER=true - DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true - - DIUN_NOTIF_MAIL_HOST=smtp.gmail.com - - DIUN_NOTIF_MAIL_PORT=465 - - DIUN_NOTIF_MAIL_SSL=true - - DIUN_NOTIF_MAIL_USERNAME=tdehaeze.xyz@gmail.com - - DIUN_NOTIF_MAIL_PASSWORD=$GMAIL_PASS - - DIUN_NOTIF_MAIL_FROM=tdehaeze.xyz@gmail.com - - DIUN_NOTIF_MAIL_TO=dehaeze.thomas@gmail.com + - DIUN_NOTIF_GOTIFY_ENDPOINT=$GOTIFY_URL + - DIUN_NOTIF_GOTIFY_TOKEN=$DIUN_GOTIFY_TOKEN volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - $CONFIGDIR/diun:/data + logging: *default-logging #+end_src ** =commento= - Commenting system ([[https://github.com/adtac/commento][link]]) - #+begin_src yaml commento: container_name: commento @@ -1607,7 +1720,7 @@ filesystem_folder = /data/collections #+begin_src yaml commento_db: container_name: commento_db - image: postgres + image: postgres:13 restart: unless-stopped networks: - backend 
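Review bot: The `octoprint` router is switched to `middlewares=authelia@docker`, but that middleware only exists if some container declares it through Traefik labels, and the hunk at `@@ -2162,33 +2722,9 @@` deletes the `authelia` service from this file; unless it was re-added earlier in the diff outside this view, Traefik will report the middleware as undefined and refuse to create the router, which takes the service offline rather than protecting it. The same reference is added for `uptime-kuma`, `zigbee2mqttassistant`, `qobuz`, `joal`, `down` and `deemix` in the large hunk at `@@ -1617,9 +1730,481 @@`, so confirm once where `authelia@docker` is now defined and note it in the compose file, e.g. `# authelia@docker is declared by the authelia container's labels (see its section)`. The `diun` hunk drops the SMTP credentials in favour of a Gotify token, which removes `$GMAIL_PASS` from this container's environment — a good reduction.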
@@ -1617,9 +1730,481 @@ filesystem_folder = /data/collections - POSTGRES_PASSWORD=$COMMENTO_DB_PASSWORD volumes: - $CONFIGDIR/commento_db:/var/lib/postgresql/data + logging: *default-logging +#+end_src + +** =uptime-kuma= - Monitoring Tool ([[https://github.com/louislam/uptime-kuma][link]]) +#+begin_src yaml + uptime-kuma: + container_name: uptime-kuma + image: louislam/uptime-kuma + restart: unless-stopped + networks: + - t2_proxy + volumes: + environment: + - TZ=$TZ + - UID=$PUID + - GID=$PGID + volumes: + - $CONFIGDIR/uptime-kuma:/app/data + labels: + - "traefik.enable=true" + - "traefik.http.routers.uptime-rtr.entrypoints=https" + - "traefik.http.routers.uptime-rtr.rule=Host(`uptime.$DOMAINNAME`)" + - "traefik.http.routers.uptime-rtr.tls=true" + - "traefik.http.routers.uptime-rtr.service=uptime-svc" + - "traefik.http.routers.uptime-rtr.middlewares=authelia@docker" + - "traefik.http.services.uptime-svc.loadbalancer.server.port=3001" + logging: *default-logging +#+end_src + +** =kavita= - Reading server ([[https://github.com/Kareadita/Kavita][link]]) +#+begin_src yaml + kavita: + container_name: kavita + image: kizaing/kavita:latest + restart: unless-stopped + networks: + - t2_proxy + environment: + - TZ=$TZ + - UID=$PUID + - GID=$PGID + volumes: + - $CONFIGDIR/kavita:/kavita/data + - /srv/storage/Books:/books + - /srv/storage/Scans:/scans + - /srv/storage/Comics:/comics + labels: + - "traefik.enable=true" + - "traefik.http.routers.kavita-rtr.entrypoints=https" + - "traefik.http.routers.kavita-rtr.rule=Host(`kavita.$DOMAINNAME`)" + - "traefik.http.routers.kavita-rtr.tls=true" + - "traefik.http.routers.kavita-rtr.service=kavita-svc" + - "traefik.http.services.kavita-svc.loadbalancer.server.port=5000" + logging: *default-logging +#+end_src + +** =mosquitto= - MQTT broker ([[https://github.com/eclipse/mosquitto/][link]]) +#+begin_src yaml + mosquitto: + container_name: mosquitto + image: eclipse-mosquitto + restart: unless-stopped + networks: + - t2_proxy + 
environment: + - UID=$PUID + - GID=$PGID + - TZ=$TZ + expose: + - 1883 + - 9001 + ports: + - 1883:1883 + - 9001:9001 + volumes: + - $CONFIGDIR/mosquitto/config:/mosquitto/config + - $CONFIGDIR/mosquitto/log:/mosquitto/log + - $CONFIGDIR/mosquitto/data:/mosquitto/data + logging: *default-logging +#+end_src + +** =zigbee2mqtt= - Zigbee to MQTT bridge ([[https://github.com/Koenkk/zigbee2mqtt/][link]]) +#+begin_src yaml + zigbee2mqtt: + container_name: zigbee2mqtt + image: koenkk/zigbee2mqtt + restart: unless-stopped + privileged: true + depends_on: + - mosquitto + networks: + - t2_proxy + environment: + - UID=$PUID + - GID=$PGID + - TZ=$TZ + volumes: + - $CONFIGDIR/zigbee2mqtt:/app/data + - /run/udev:/run/udev:ro + devices: + - /dev/ttyACM0:/dev/ttyACM0 +#+end_src + +** =zigbee2mqttassistant= - GUI for Zigbee2Mqtt ([[https://github.com/yllibed/Zigbee2MqttAssistant][link]]) +#+begin_src yaml + zigbee2mqttAssistant: + container_name: zigbee2mqttassistant + image: carldebilly/zigbee2mqttassistant + restart: unless-stopped + networks: + - t2_proxy + environment: + - Z2MA_SETTINGS__MQTTSERVER=192.168.1.21:1883 + # - Z2MA_SETTINGS__MQTTUSERNAME={MQTTUSERNAME} + # - Z2MA_SETTINGS__MQTTPASSWORD={MQTTPASSWORD} + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + labels: + - "traefik.enable=true" + - "traefik.http.routers.zigbee2mqttassistant-rtr.entrypoints=https" + - "traefik.http.routers.zigbee2mqttassistant-rtr.rule=Host(`zigbee2mqttassistant.$DOMAINNAME`)" + - "traefik.http.routers.zigbee2mqttassistant-rtr.tls=true" + - "traefik.http.routers.zigbee2mqttassistant-rtr.service=zigbee2mqttassistant-svc" + - "traefik.http.routers.zigbee2mqttassistant-rtr.middlewares=authelia@docker" + - "traefik.http.services.zigbee2mqttassistant-svc.loadbalancer.server.port=80" + logging: *default-logging +#+end_src + +** =qobuz= - Qobuz Downloader ([[https://github.com/tdehaeze/qobuz-docker][link]]) :noexport: +#+begin_src yaml + qobuz: + container_name: qobuz + image: tdehaeze/docker-qobuz + restart: 
unless-stopped + networks: + - t2_proxy + volumes: + - /srv/storage/Music:/downloads + environment: + - TZ=$TZ + - QOBUZNAME=$QOBUZNAME + - QOBUZPASS=$QOBUZPASS + - DOWNLOADDIR=/downloads + - JELLYFINURL=https://jellyfin.tdehaeze.xyz/library/refresh + - JELLYFINTOKEN=$JELLYFINTOKEN + - NOTIF_TYPE=gotify + - GOTIFY_URL=$GOTIFY_URL + - GOTIFY_TOKEN=$QOBUZ_GOTIFY_TOKEN + user: "${PUID}:${PGID}" + labels: + - "traefik.enable=true" + - "traefik.http.routers.qobuz-rtr.entrypoints=https" + - "traefik.http.routers.qobuz-rtr.rule=Host(`qobuz.$DOMAINNAME`)" + - "traefik.http.routers.qobuz-rtr.tls=true" + - "traefik.http.routers.qobuz-rtr.service=qobuz-svc" + - "traefik.http.routers.qobuz-rtr.middlewares=authelia@docker" + - "traefik.http.services.qobuz-svc.loadbalancer.server.port=8080" + logging: *default-logging +#+end_src + +** =joal= - Seeding Torrents ([[https://github.com/anthonyraymond/joal][link]]) :noexport: +#+begin_src yaml + joal: + image: anthonyraymond/joal + container_name: joal + restart: unless-stopped + networks: + - t2_proxy + volumes: + - $CONFIGDIR/joal:/data + command: ["--joal-conf=/data", "--spring.main.web-environment=true", "--server.port=80", "--joal.ui.path.prefix=joal", "--joal.ui.secret-token=$JOALTOKEN"] + labels: + - "traefik.enable=true" + - "traefik.http.routers.joal-rtr.entrypoints=https" + - "traefik.http.routers.joal-rtr.rule=Host(`joal.$DOMAINNAME`)" + - "traefik.http.routers.joal-rtr.tls=true" + - "traefik.http.routers.joal-rtr.service=joal-svc" + - "traefik.http.routers.joal-rtr.middlewares=authelia@docker" + - "traefik.http.services.joal-svc.loadbalancer.server.port=80" + logging: *default-logging +#+end_src + +** =docker-torrent= - Download Torrents from YGG ([[https://github.com/tdehaeze/qobuz-docker][link]]) :noexport: +#+begin_src yaml + down: + container_name: down + image: tdehaeze/docker-torrent + restart: always + networks: + - t2_proxy + volumes: + - /srv/storage/Downloads/watch:/watch + environment: + - PUID=$PUID + - 
PGID=$PGID + - TZ=$TZ + - YGGTORRENTNAME=$YGGTORRENTNAME + - YGGTORRENTPASS=$YGGTORRENTPASS + - NOTIF_TYPE=gotify + - GOTIFY_URL=$GOTIFY_URL + - GOTIFY_TOKEN=$DOWN_GOTIFY_TOKEN + user: "${PUID}:${PGID}" + labels: + - "traefik.enable=true" + - "traefik.http.routers.down-rtr.entrypoints=https" + - "traefik.http.routers.down-rtr.rule=Host(`down.$DOMAINNAME`)" + - "traefik.http.routers.down-rtr.tls=true" + - "traefik.http.routers.down-rtr.service=down-svc" + - "traefik.http.routers.down-rtr.middlewares=authelia@docker" + - "traefik.http.services.down-svc.loadbalancer.server.port=3000" + logging: *default-logging #+end_src * Docker-Compose OLD :noexport: +** =acoustic= - Acoustic Pages +#+begin_src yaml + acoustic: + container_name: acoustic + image: abiosoft/caddy:1.0.3-no-stats + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + - PLUGINS=git + volumes: + - $CONFIGDIR/acoustic/Caddyfile:/etc/Caddyfile + - $CONFIGDIR/acoustic/web:/srv + labels: + - "traefik.enable=true" + - "traefik.http.routers.acoustic-rtr.entrypoints=https" + - "traefik.http.routers.acoustic-rtr.rule=Host(`acoustic.$DOMAINNAME`)" + - "traefik.http.routers.acoustic-rtr.tls=true" + - "traefik.http.routers.acoustic-rtr.service=acoustic-svc" + - "traefik.http.services.acoustic-svc.loadbalancer.server.port=2015" + logging: *default-logging +#+end_src + +*** =Caddyfile= +#+begin_src conf :tangle /ssh:thomas@homelab:~/docker/config/acoustic/Caddyfile +0.0.0.0:2015 { + root /srv/www/ + + git { + repo https://git.tdehaeze.xyz/tdehaeze/acoustic-home-page + path /srv/www/ + interval -1 + hook /acoustic-home-page/webhook 9a2CMCD5CucbnVQr + then git submodule update --init --recursive --merge + } +} +#+end_src + +** =pyload= - Download manager (link) +#+begin_src yaml + pyload: + container_name: pyload + image: ghcr.io/linuxserver/pyload + restart: unless-stopped + networks: + - t2_proxy + volumes: + - $CONFIGDIR/pyload/config:/config + - 
/srv/storage/Downloads:/downloads + environment: + - PUID=$PUID + - PGID=$PGID + - TZ=$TZ + labels: + - "traefik.enable=true" + - "traefik.http.routers.pyload-rtr.entrypoints=https" + - "traefik.http.routers.pyload-rtr.rule=Host(`pyload.$DOMAINNAME`)" + - "traefik.http.routers.pyload-rtr.tls=true" + - "traefik.http.routers.pyload-rtr.service=pyload-svc" + - "traefik.http.services.pyload-svc.loadbalancer.server.port=8000" + logging: *default-logging +#+end_src + +** =aria2= - Download daemon ([[https://hub.docker.com/r/opengg/aria2][link]]) +Backend ([[https://hub.docker.com/r/opengg/aria2][link]]): +#+begin_src yaml + aria2: + container_name: aria2 + image: opengg/aria2 + restart: unless-stopped + networks: + - t2_proxy + environment: + - PUID=$PUID + - PGID=$PGID + user: "${PUID}:${PGID}" + volumes: + - $CONFIGDIR/aria2:/config + - /srv/storage/Downloads:/downloads + ports: + - 6800:6800 + logging: *default-logging +#+end_src + +Web-UI ([[https://hub.docker.com/r/p3terx/ariang][link]]): +#+begin_src yaml + aria2-ui: + container_name: aria2-ui + image: p3terx/ariang + restart: unless-stopped + networks: + - t2_proxy + depends_on: + - aria2 + environment: + - PUID=$PUID + - PGID=$PGID + labels: + - "traefik.enable=true" + - "traefik.http.routers.aria2-rtr.entrypoints=http" + - "traefik.http.routers.aria2-rtr.rule=Host(`dl.$DOMAINNAME`)" + - "traefik.http.routers.aria2-rtr.tls=false" + - "traefik.http.routers.aria2-rtr.service=aria2-svc" + - "traefik.http.services.aria2-svc.loadbalancer.server.port=6880" + logging: *default-logging +#+end_src + +*** =aria2.conf= +#+begin_src conf :tangle /ssh:thomas@homelab:~/docker/config/aria2/aria2.conf :noweb yes +save-session=/config/aria2.session +input-file=/config/aria2.session +save-session-interval=60 + +dir=/downloads + +file-allocation=prealloc +disk-cache=128M + +enable-rpc=true +rpc-listen-port=6800 +rpc-allow-origin-all=true +rpc-listen-all=true + +rpc-secret=<> + +auto-file-renaming=false + 
+max-connection-per-server=16 +min-split-size=1M +split=16 +#+end_src + +** =transmission-openvpn= - Torrent server ([[https://hub.docker.com/r/haugene/transmission-openvpn][link]]) +#+begin_src yaml :tangle no + transmission-openvpn: + container_name: transmission + image: haugene/transmission-openvpn + restart: unless-stopped + environment: + - PUID=$PUID + - PGID=$PGID + - CREATE_TUN_DEVICE=true + - ENABLE_UFW=true + - WEBPROXY_ENABLED=false + - TRANSMISSION_WEB_UI=combustion + - OPENVPN_PROVIDER=NORDVPN + - OPENVPN_USERNAME=$NORDVPN_NAME + - OPENVPN_PASSWORD=$NORDVPN_PASS + - NORDVPN_COUNTRY=FR + - NORDVPN_CATEGORY=P2P + - NORDVPN_PROTOCOL=tcp + - LOCAL_NETWORK=192.168.0.0/16 + volumes: + - /srv/storage/Downloads:/data + - /etc/localtime:/etc/localtime:ro + cap_add: + - NET_ADMIN + ports: + - 51413:51413 + - 51413:51413/udp + labels: + - "traefik.enable=true" + - "traefik.http.routers.transmission-rtr.entrypoints=https" + - "traefik.http.routers.transmission-rtr.rule=Host(`torrent.$DOMAINNAME`)" + - "traefik.http.routers.transmission-rtr.tls=true" + - "traefik.http.routers.transmission-rtr.service=transmission-svc" + - "traefik.http.routers.transmission-rtr.middlewares=private-auth" + - "traefik.http.services.transmission-svc.loadbalancer.server.port=9091" + logging: *default-logging +#+end_src + +** TODO =linkding= - Bookmark manager ([[https://github.com/sissbruecker/linkding][link]]) +#+begin_src yaml + linkding: + container_name: linkding + image: sissbruecker/linkding:latest + restart: unless-stopped + networks: + - t2_proxy + volumes: + - $CONFIGDIR/linkding:/etc/linkding/data + environment: + - TZ=$TZ + - PUID=$PUID + - PGID=$PGID + labels: + - "traefik.enable=true" + - "traefik.http.routers.linkding-rtr.entrypoints=https" + - "traefik.http.routers.linkding-rtr.rule=Host(`bm.$DOMAINNAME`)" + - "traefik.http.routers.linkding-rtr.tls=true" + - "traefik.http.routers.linkding-rtr.service=linkding-svc" + - 
"traefik.http.routers.linkding-rtr.middlewares=private-auth" + - "traefik.http.services.linkding-svc.loadbalancer.server.port=9090" + logging: *default-logging +#+end_src + +** TODO =adguardhome= - Network-wide ads & trackers blocking DNS server ([[https://github.com/AdguardTeam/AdGuardHome][link]]) +#+begin_src yaml + adguardhome: + container_name: adguardhome + image: adguard/adguardhome + restart: unless-stopped + networks: + - t2_proxy + environment: + - UID=$PUID + - GID=$PGID + - TZ=$TZ + volumes: + - $CONFIGDIR/adguardhome/work:/opt/adguardhome/work + - $CONFIGDIR/adguardhome/conf:/opt/adguardhome/conf + ports: + - 53:53 + - 853:853 + labels: + - "traefik.enable=true" + - "traefik.http.routers.adguardhome-rtr.entrypoints=https" + - "traefik.http.routers.adguardhome-rtr.rule=Host(`adguardhome.$DOMAINNAME`)" + - "traefik.http.routers.adguardhome-rtr.tls=true" + - "traefik.http.routers.adguardhome-rtr.service=adguardhome-svc" + - "traefik.http.routers.adguardhome-rtr.middlewares=private-auth" + - "traefik.http.services.adguardhome-svc.loadbalancer.server.port=3000" + logging: *default-logging +#+end_src + +** =deemix= - Music Download ([[https://gitlab.com/Bockiii/deemix-docker][link]]) :noexport: +#+begin_src yaml + deemix: + container_name: deemix + image: registry.gitlab.com/bockiii/deemix-docker + restart: unless-stopped + networks: + - t2_proxy + volumes: + - /srv/storage/Music:/downloads + - $CONFIGDIR/deemix:/config + environment: + - TZ=$TZ + - PUID=$PUID + - PGID=$PGID + - ARL=$DEEMIX_ARL + labels: + - "traefik.enable=true" + - "traefik.http.routers.deemix-rtr.entrypoints=https" + - "traefik.http.routers.deemix-rtr.rule=Host(`deemix.$DOMAINNAME`)" + - "traefik.http.routers.deemix-rtr.tls=true" + - "traefik.http.routers.deemix-rtr.service=deemix-svc" + - "traefik.http.routers.deemix-rtr.middlewares=authelia@docker" + - "traefik.http.services.deemix-svc.loadbalancer.server.port=6595" + logging: *default-logging +#+end_src + +*** =.arl= +#+begin_src conf 
:tangle /ssh:thomas@homelab:~/docker/config/deemix/.arl :noweb yes +<> +#+end_src + ** =vaultwarden= - Password Manager ([[https://github.com/dani-garcia/vaultwarden][link]]) #+begin_src yaml vaultwarden: @@ -1737,13 +2322,13 @@ filesystem_folder = /data/collections #+end_src *** =.megarc= -#+begin_src conf :tangle /ssh:thomas@grenoble:~/docker/config/duplicity/.megav2rc :noweb yes +#+begin_src conf :tangle /ssh:thomas@homelab:~/docker/config/duplicity/.megav2rc :noweb yes [Login] user = dehaeze.thomas@gmail.com pass = <> #+end_src -** =transfer= - Transfer.sh +** TODO =transfer= - Transfer.sh #+begin_src yaml transfer: container_name: transfer @@ -1877,31 +2462,6 @@ pass = <> - 6767:6767 #+end_src -** =gotify= - Notification service -#+begin_src yaml - gotify: - container_name: gotify - image: gotify/server - restart: unless-stopped - networks: - - t2_proxy - environment: - - PUID=$PUID - - PGID=$PGID - - TZ=$TZ - - GOTIFY_DEFAULTUSER_NAME=$GOTIFY_DEFAULTUSER_NAME - - GOTIFY_DEFAULTUSER_PASS=$GOTIFY_DEFAULTUSER_PASS - volumes: - - $CONFIGDIR/gotify:/app/data - labels: - - "traefik.enable=true" - - "traefik.http.routers.gotify-rtr.entrypoints=https" - - "traefik.http.routers.gotify-rtr.rule=Host(`notify.$DOMAINNAME`)" - - "traefik.http.routers.gotify-rtr.tls=true" - - "traefik.http.routers.gotify-rtr.service=gotify-svc" - - "traefik.http.services.gotify-svc.loadbalancer.server.port=80" -#+end_src - ** =mail-cli= - CLI mail client #+begin_src yaml mail-cli: @@ -1944,7 +2504,7 @@ pass = <> - "traefik.http.routers.cloudcmd-rtr.rule=Host(`cloud.$DOMAINNAME`)" - "traefik.http.routers.cloudcmd-rtr.tls=true" - "traefik.http.routers.cloudcmd-rtr.service=cloudcmd-svc" - - "traefik.http.routers.cloudcmd-rtr.middlewares=traefik-auth" + - "traefik.http.routers.cloudcmd-rtr.middlewares=private-auth" - "traefik.http.services.cloudcmd-svc.loadbalancer.server.port=8000" #+end_src 
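Review bot: The new `uptime-kuma` service declares `volumes:` twice — an empty one immediately after `networks:` and the real one after `environment:` — and a duplicate mapping key is either rejected or silently collapsed depending on the YAML loader, so the first `volumes:` line should be deleted. `zigbee2mqtt` gets `privileged: true` alongside an explicit `devices:` entry for `/dev/ttyACM0`; the device mapping alone normally suffices for the coordinator, and privileged mode hands the container every capability and every host device, so try running without it (it is also the only new service lacking `logging: *default-logging`). In the `acoustic` Caddyfile the webhook secret is written out in clear on the `hook /acoustic-home-page/webhook …` line while every other secret in this document is a `<>` noweb reference resolved from `.env`; it should move there too, and since the value is now in git history it should be rotated. Separately, the `docker-torrent` heading links to the qobuz-docker repository rather than its own.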
@@ -1996,6 +2556,35 @@ pass = <> - $CONFIGDIR/wallabag/data:/var/lib/mysql #+end_src +** =buku= - Bookmark manager +#+begin_src yaml + buku: + container_name: buku + image: bukuserver/bukuserver + restart: unless-stopped + networks: + - t2_proxy + environment: + - UID=$PUID + - GID=$PGID + - TZ=$TZ + - BUKUSERVER_PER_PAGE=100 + - BUKUSERVER_OPEN_IN_NEW_TAB=true + # - BUKUSERVER_SECRET_KEY=123456789012345678901234 + # - BUKUSERVER_URL_RENDER_MODE=full + # - BUKUSERVER_DISABLE_FAVICON=false + volumes: + - $CONFIGDIR/buku:/root/.local/share/buku + labels: + - "traefik.enable=true" + - "traefik.http.routers.buku-rtr.entrypoints=https" + - "traefik.http.routers.buku-rtr.rule=Host(`bookmarks.$DOMAINNAME`)" + - "traefik.http.routers.buku-rtr.tls=true" + - "traefik.http.routers.buku-rtr.service=buku-svc" + - "traefik.http.routers.buku-rtr.middlewares=private-auth" + - "traefik.http.services.buku-svc.loadbalancer.server.port=5001" +#+end_src + ** =transmission= - Torrent server #+begin_src yaml transmission: @@ -2022,7 +2611,7 @@ pass = <> - "traefik.http.routers.transmission-rtr.rule=Host(`torrent.$DOMAINNAME`)" - "traefik.http.routers.transmission-rtr.tls=true" - "traefik.http.routers.transmission-rtr.service=transmission-svc" - - "traefik.http.routers.transmission-rtr.middlewares=traefik-auth" + - "traefik.http.routers.transmission-rtr.middlewares=private-auth" - "traefik.http.services.transmission-svc.loadbalancer.server.port=9091" #+end_src 
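Review bot: The `buku` block is moved here unchanged, with `BUKUSERVER_SECRET_KEY` still commented out and carrying a sample value; if bukuserver falls back to a fixed built-in key when the variable is unset (confirm against the image), its session cookies can be forged by anyone who knows that default, and the `private-auth` middleware on the router is then the only thing standing in front of it. Set it from `.env` like the other secrets — a new variable with a `<>` placeholder in the `.env` section and `- BUKUSERVER_SECRET_KEY=$<that variable>` here — and drop the commented sample line so the placeholder value cannot be copied into production by accident.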
@@ -2055,35 +2644,6 @@ pass = <> - "traefik.http.services.navidrome-svc.loadbalancer.server.port=4533" #+end_src -** =buku= - Bookmark manager -#+begin_src yaml - buku: - container_name: buku - image: bukuserver/bukuserver - restart: unless-stopped - networks: - - t2_proxy - environment: - - UID=$PUID - - GID=$PGID - - TZ=$TZ - - BUKUSERVER_PER_PAGE=100 - - BUKUSERVER_OPEN_IN_NEW_TAB=true - # - BUKUSERVER_SECRET_KEY=123456789012345678901234 - # - BUKUSERVER_URL_RENDER_MODE=full - # - BUKUSERVER_DISABLE_FAVICON=false - volumes: - - $CONFIGDIR/buku:/root/.local/share/buku - labels: - - "traefik.enable=true" - - "traefik.http.routers.buku-rtr.entrypoints=https" - - "traefik.http.routers.buku-rtr.rule=Host(`bookmarks.$DOMAINNAME`)" - - "traefik.http.routers.buku-rtr.tls=true" - - "traefik.http.routers.buku-rtr.service=buku-svc" - - "traefik.http.routers.buku-rtr.middlewares=traefik-auth" - - "traefik.http.services.buku-svc.loadbalancer.server.port=5001" -#+end_src - ** =duplicati= - Backup system #+begin_src yaml duplicati: @@ -2107,7 +2667,7 @@ pass = <> - "traefik.http.routers.duplicati-rtr.rule=Host(`backup.$DOMAINNAME`)" - "traefik.http.routers.duplicati-rtr.tls=true" - "traefik.http.routers.duplicati-rtr.service=duplicati-svc" - - "traefik.http.routers.duplicati-rtr.middlewares=traefik-auth" + - "traefik.http.routers.duplicati-rtr.middlewares=private-auth" - "traefik.http.services.duplicati-svc.loadbalancer.server.port=8200" #+end_src 
@@ -2162,33 +2722,9 @@ pass = <> - PGID=$PGID #+end_src -** =authelia= - Single Sign-On Multi-Factor portal ([[https://github.com/authelia/authelia][link]]) -#+begin_src yaml - authelia: - image: authelia/authelia - container_name: authelia - restart: unless-stopped - networks: - - t2_proxy - volumes: - - $CONFIGDIR/authelia:/config - expose: - - 9091 - environment: - - UID=$PUID - - GID=$PGID - - TZ=$TZ - labels: - - "traefik.enable=true" - - "traefik.http.routers.authelia-rtr.entrypoints=https" - - "traefik.http.routers.authelia-rtr.rule=Host(`login.$DOMAINNAME`)" - - "traefik.http.routers.authelia-rtr.tls=true" - - "traefik.http.routers.authelia-rtr.service=authelia-svc" -#+end_src - -* =.env= - Variable used for Docker Compose +* =.env= - Variable used for Docker Compose :noexport: :PROPERTIES: -:header-args: :tangle /ssh:thomas@grenoble:~/docker/.env +:header-args: :tangle /ssh:thomas@homelab:~/docker/.env :header-args+: :comments none :mkdirp yes :noweb yes :END: @@ -2217,6 +2753,10 @@ RESTIC_B2_ACCOUNT_ID=<> RESTIC_B2_ACCOUNT_KEY=<> #+end_src +#+begin_src conf +AUDIOSERVE_SHARED_SECRET=<> +#+end_src + #+begin_src conf GITEA_DB_MYSQL_ROOT_PASSWORD=<> GITEA_DB_MYSQL_PASSWORD=<> @@ -2228,6 +2768,23 @@ NORDVPN_NAME=dehaeze.thomas@gmail.com NORDVPN_PASS=<> #+end_src +#+begin_src conf +TRANSMISSION_NAME=tdehaeze +TRANSMISSION_PASS=<> +#+end_src + +#+begin_src conf +GOTIFY_URL=https://gotify.tdehaeze.xyz/ +GOTIFY_DEFAULTUSER_NAME=tdehaeze +GOTIFY_DEFAULTUSER_PASS=<> +#+end_src + +#+begin_src conf +DOWN_GOTIFY_TOKEN=<> +QOBUZ_GOTIFY_TOKEN=<> +DIUN_GOTIFY_TOKEN=<> +#+end_src + #+begin_src conf QOBUZNAME=jeanmarie.dehaeze@wanadoo.fr QOBUZPASS=<> 
@@ -2235,8 +2792,17 @@ JELLYFINTOKEN=<>
 #+end_src
 #+begin_src conf
-GOTIFY_DEFAULTUSER_NAME=tdehaeze
-GOTIFY_DEFAULTUSER_PASS=<>
+AUTHELIA_NOTIFIER_SMTP_PASSWORD=<>
+AUTHELIA_JWT_SECRET=<>
+#+end_src
+
+#+begin_src conf
+YGGTORRENTNAME=deoldeol
+YGGTORRENTPASS=<>
+#+end_src
+
+#+begin_src conf
+JOALTOKEN=<>
 #+end_src
 #+begin_src conf
@@ -2258,7 +2824,7 @@ COMMENTO_DB_PASSWORD=<>
 * Cron Jobs
 ** Caddy Update
 Create a script =~/cron/caddy_update.sh= with:
-#+begin_src bash :tangle /ssh:thomas@grenoble:~/cron/caddy_update.sh :shebang "#!/usr/bin/env bash"
+#+begin_src bash :tangle /ssh:thomas@homelab:~/cron/caddy_update.sh :shebang "#!/usr/bin/env bash"
 docker exec caddy /bin/sh -c "cd /srv/www && echo -e \"Update repo $(date)\" && git submodule update --recursive --remote --merge"
 #+end_src