From 3e28c19c850157abcf5ebb2ad8f3e7ea6eaffb97 Mon Sep 17 00:00:00 2001 From: Kevin St-Sauveur Date: Mon, 13 Apr 2026 23:11:24 +0200 Subject: [PATCH 1/9] Fix traefik errors Fix traefik version and minimal API version --- infra/docker-compose.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/infra/docker-compose.yml b/infra/docker-compose.yml index bb0abe7..795502c 100644 --- a/infra/docker-compose.yml +++ b/infra/docker-compose.yml @@ -4,7 +4,7 @@ networks: services: traefik: - image: traefik:v2.10.7 + image: traefik:v3.6.13 container_name: traefik restart: unless-stopped env_file: @@ -20,9 +20,10 @@ services: - CF_API_EMAIL=${CF_API_EMAIL} - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN} - TZ=${TZ:-Europe/London} + - DOCKER_API_VERSION=1.52 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - - ${DATA_DIR}/letsencrypt:/letsencrypt + - /mnt/user/appdata/letsencrypt:/letsencrypt dns: - 100.100.100.100 - 1.1.1.1 @@ -57,4 +58,4 @@ services: - "traefik.http.middlewares.secureHeaders.headers.stsIncludeSubdomains=true" - "traefik.http.middlewares.secureHeaders.headers.stsPreload=true" - "traefik.http.middlewares.secureHeaders.headers.stsSeconds=31536000" - - "traefik.http.routers.dashboard.middlewares=secureHeaders@docker" \ No newline at end of file + - "traefik.http.routers.dashboard.middlewares=secureHeaders@docker" From 72ff65e0e7da07a30adbc385574e3f066d2bcecd Mon Sep 17 00:00:00 2001 From: Kevin St-Sauveur Date: Mon, 13 Apr 2026 23:19:11 +0200 Subject: [PATCH 2/9] Update VPN configuration and change volume path Fix seerr and vpn config --- arr/docker-compose.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/arr/docker-compose.yml b/arr/docker-compose.yml index 7e1bf6c..fb65329 100644 --- a/arr/docker-compose.yml +++ b/arr/docker-compose.yml 
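Review bot: In the `traefik` service of infra/docker-compose.yml (hunk `@@ -20,9 +20,10 @@`), the `:ro` flag on `/var/run/docker.sock:/var/run/docker.sock:ro` does not make the Docker API read-only: it only protects the socket file itself, and any process that can open the socket can still send write requests to the daemon. Since this patch already changes how Traefik talks to the daemon (`DOCKER_API_VERSION=1.52`), consider placing a socket proxy in front of the daemon that allows only the read endpoints the Docker provider needs, and add a comment above the mount such as `# :ro protects the socket file only; API access is not restricted`. The same mount appears as context in the infra hunk of patch 3/9. The hard-coded `1.52` may also fail against a daemon that supports only a lower API version, so a short comment naming the Docker Engine release it was chosen for would help. The service definition starts and ends outside this hunk.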
@@ -48,17 +48,16 @@ services: VPN_SERVICE_PROVIDER: protonvpn VPN_TYPE: wireguard WIREGUARD_PRIVATE_KEY: ${WG_PRIVATE_KEY} - WIREGUARD_PUBLIC_KEY: ${WG_PUBLIC_KEY} + OPENVPN_USER: ${PROTONVPN_USERNAME} + OPENVPN_PASSWORD: ${PROTONVPN_PASSWORD} WIREGUARD_ADDRESSES: ${WG_ADDRESSES:-10.2.0.2/32} # Improved stability settings WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL: 25s # Increased for better stability SERVER_COUNTRIES: Netherlands,Switzerland SERVER_FEATURES: p2p # Port-forwarding - VPN_PORT_FORWARDING: "on" - VPN_PORT_FORWARDING_PROVIDER: protonvpn - VPN_PORT_FORWARD_ONLY: "on" - PORT_FORWARD_ONLY: "on" + VPN_PORT_FORWARDING: on + PORT_FORWARD_ONLY: on FIREWALL_VPN_INPUT_PORTS: "8080,9999" HEALTH_SERVER_ADDRESS: 0.0.0.0:9999 # DNS Configuration for better resolution @@ -248,7 +247,7 @@ services: PGID: ${PGID:-1000} TZ: ${TZ:-Europe/Warsaw} volumes: - - ${DATA_DIR}/seerr/config:/config + - ${DATA_DIR}/seerr/config:/app/config restart: unless-stopped healthcheck: test: ["CMD", "wget", "-qO-", "http://localhost:5055/health"] From 3e11f2e269dbdcb0d2fa811b52e8fe10e10cf75d Mon Sep 17 00:00:00 2001 From: Kevin St-Sauveur Date: Mon, 13 Apr 2026 23:20:15 +0200 Subject: [PATCH 3/9] Set back appdata directory in traefik --- infra/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/docker-compose.yml b/infra/docker-compose.yml index 795502c..aadee86 100644 --- a/infra/docker-compose.yml +++ b/infra/docker-compose.yml @@ -23,7 +23,7 @@ services: - DOCKER_API_VERSION=1.52 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - - /mnt/user/appdata/letsencrypt:/letsencrypt + - ${DATA_DIR}/letsencrypt:/letsencrypt dns: - 100.100.100.100 - 1.1.1.1 From 2bb3c1dc31bbc5263e1a9f7592a72bc3fb61b5ff Mon Sep 17 00:00:00 2001 
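Review bot: `VPN_PORT_FORWARDING: on` and `PORT_FORWARD_ONLY: on` in the `environment` mapping (hunk `@@ -48,17 +48,16 @@` of arr/docker-compose.yml) drop the quotes the old lines had. A bare `on` is a boolean under YAML 1.1 rules, so depending on the parser the container may receive `true` or Compose may reject the value; keep `VPN_PORT_FORWARDING: "on"` and `PORT_FORWARD_ONLY: "on"`. The new `OPENVPN_USER` and `OPENVPN_PASSWORD` entries look unused while `VPN_TYPE: wireguard` is set. If that is the case, leaving them out avoids placing an extra credential in the container environment, where it is readable through `docker inspect`. The service block starts and ends outside this hunk.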
From: Kevin St-Sauveur Date: Tue, 14 Apr 2026 00:05:52 +0200 Subject: [PATCH 4/9] Update README with network tips and subdomains to register Added configuration details for service networking and DNS. --- README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/README.md b/README.md index f946b8d..da01a2d 100644 --- a/README.md +++ b/README.md @@ -57,6 +57,27 @@ docker compose -f arr/docker-compose.yml up -d # media pipeline (9 container Each compose file declares `env_file: ./.env`, resolved relative to its own directory — so `arr/docker-compose.yml` needs `arr/.env`. Symlinking keeps one source of truth at the repo root. +To configure each service, be sure to use docker internal DNS to let services reach each other on the network `arr_internal` : +- http://prowlarr:9696 +- http://radarr:7878 +- http://gluetun:8080 (qbittorrent) +- http://jellyfin:8096 +- http://sonarr:8989 +- http://bazarr:6767 +- http://seerr:5055 + +This is the list of subdomains for which you must create `A` records pointing to the Tailscale IP of the machine that hosts Traefik: +- traefik +- bazarr +- jellyfin +- prowlarr +- qbit +- radarr +- seerr +- sonarr + +Note: create full FQDNs (e.g., traefik.example.com) in your DNS zone (alternatively, add them to your hosts file), each pointing to your host's Tailscale IP. + ## Networking & Security This is the part that's actually interesting. The services themselves are standard — the value is in how they're wired together. From fb23cc5b7a65c03140d6c0caf44621b6add00da8 Mon Sep 17 00:00:00 2001 From: Kevin St-Sauveur Date: Tue, 14 Apr 2026 00:11:54 +0200 Subject: [PATCH 5/9] Remove default credentials for qbittorrent since they does nothing Removed default username and password for qBittorrent. --- arr/docker-compose.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/arr/docker-compose.yml b/arr/docker-compose.yml index fb65329..35a45a0 100644 --- a/arr/docker-compose.yml +++ b/arr/docker-compose.yml 
@@ -99,8 +99,6 @@ services: PGID: ${PGID:-100} TZ: ${TZ:-Europe/Warsaw} WEBUI_PORT: 8080 - WEBUI_USERNAME: ${QB_USERNAME:-admin} - WEBUI_PASSWORD: ${QB_PASSWORD:?Set QB_PASSWORD in .env} TORRENTING_PORT: 51413 BIND_TO_INTERFACE: tun0 # Bind qBittorrent to the VPN interface volumes: From a56afc08e083f15385c8401461dce62176411626 Mon Sep 17 00:00:00 2001 From: Kevin St-Sauveur Date: Tue, 14 Apr 2026 00:15:01 +0200 Subject: [PATCH 6/9] Enhance README with qbittorrent credentials details Added sections for configuring services, domains, and qBittorrent in the README. --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index da01a2d..6af76be 100644 --- a/README.md +++ b/README.md @@ -57,6 +57,7 @@ docker compose -f arr/docker-compose.yml up -d # media pipeline (9 container Each compose file declares `env_file: ./.env`, resolved relative to its own directory — so `arr/docker-compose.yml` needs `arr/.env`. Symlinking keeps one source of truth at the repo root. +### Configuring each services To configure each service, be sure to use docker internal DNS to let services reach each other on the network `arr_internal` : - http://prowlarr:9696 - http://radarr:7878 @@ -66,6 +67,7 @@ To configure each service, be sure to use docker internal DNS to let services re - http://bazarr:6767 - http://seerr:5055 +### Domains This is the list of subdomains for which you must create `A` records pointing to the Tailscale IP of the machine that hosts Traefik: - traefik - bazarr 
@@ -78,6 +80,11 @@ This is the list of subdomains for which you must create `A` records pointing to Note: create full FQDNs (e.g., traefik.example.com) in your DNS zone (alternatively, add them to your hosts file), each pointing to your host's Tailscale IP. +### qBittorrent +The web UI is at `qbit.example.com` and a temporary password for the `admin` user will be printed to the container log on startup. + +You must then change username/password in the web UI section of settings. If you do not change the password a new one will be generated every time the container starts. + ## Networking & Security This is the part that's actually interesting. The services themselves are standard — the value is in how they're wired together. From f8e2a2eb290d55d711c7cc11ffddaea03a401421 Mon Sep 17 00:00:00 2001 From: Kevin St-Sauveur Date: Tue, 14 Apr 2026 00:17:25 +0200 Subject: [PATCH 7/9] Rename 'Domains' section to 'Subdomains' --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6af76be..328f26e 100644 --- a/README.md +++ b/README.md @@ -67,7 +67,7 @@ To configure each service, be sure to use docker internal DNS to let services re - http://bazarr:6767 - http://seerr:5055 -### Domains +### Subdomains This is the list of subdomains for which you must create `A` records pointing to the Tailscale IP of the machine that hosts Traefik: - traefik - bazarr From 9d58a29bcfa0f5994790da4ef79c8df2daaeb223 Mon Sep 17 00:00:00 2001 From: Kevin St-Sauveur Date: Tue, 14 Apr 2026 00:33:12 +0200 Subject: [PATCH 8/9] Fix BT_PORT variable not taken into account --- arr/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arr/docker-compose.yml b/arr/docker-compose.yml index 35a45a0..6ed0e09 100644 --- a/arr/docker-compose.yml +++ b/arr/docker-compose.yml 
@@ -99,7 +99,7 @@ services: PGID: ${PGID:-100} TZ: ${TZ:-Europe/Warsaw} WEBUI_PORT: 8080 - TORRENTING_PORT: 51413 + TORRENTING_PORT: ${BT_PORT} BIND_TO_INTERFACE: tun0 # Bind qBittorrent to the VPN interface volumes: - ${DATA_DIR}/qbittorrent:/config From d83f8765751870b193db006f1cec7836e7c8e895 Mon Sep 17 00:00:00 2001 From: Kevin St-Sauveur Date: Tue, 14 Apr 2026 00:36:47 +0200 Subject: [PATCH 9/9] Remove unused env variables from .env.example Removed QB_USERNAME, QB_PASSWORD and WG_PUBLIC_KEY from example. --- .env.example | 3 --- 1 file changed, 3 deletions(-) diff --git a/.env.example b/.env.example index a67ff8a..9430157 100644 --- a/.env.example +++ b/.env.example @@ -18,7 +18,6 @@ ACME_EMAIL=your@email.com # ProtonVPN WireGuard — main tunnel (NL/CH, P2P) WG_PRIVATE_KEY=your_wireguard_private_key -WG_PUBLIC_KEY=your_wireguard_public_key WIREGUARD_ADDRESSES=10.2.0.2/32 # ProtonVPN credentials (OpenVPN fallback) @@ -32,7 +31,5 @@ MEDIA_TV_DIR=/mnt/user/media/tv MEDIA_MOVIES_DIR=/mnt/user/media/movies # qBittorrent -QB_USERNAME=admin -QB_PASSWORD=change_me BT_PORT=51413
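Review bot: `TORRENTING_PORT: ${BT_PORT}` has neither a default nor a required-variable guard, so with `BT_PORT` unset the container would receive an empty value instead of a port. The neighbouring entries in this hunk use defaults (`${PGID:-100}`, `${TZ:-Europe/Warsaw}`); the same form here, `TORRENTING_PORT: ${BT_PORT:-51413}`, keeps the previous value as a fallback, while `${BT_PORT:?Set BT_PORT in .env}` makes Compose fail fast. The service block starts and ends outside this hunk.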