Lackoftactics · kevinstsauveur · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
diff --git a/.env.example b/.env.example
@@ -18,7 +18,6 @@ ACME_EMAIL=your@email.com
 
 # ProtonVPN WireGuard — main tunnel (NL/CH, P2P)
 WG_PRIVATE_KEY=your_wireguard_private_key
-WG_PUBLIC_KEY=your_wireguard_public_key
 WIREGUARD_ADDRESSES=10.2.0.2/32
 
 # ProtonVPN credentials (OpenVPN fallback)
@@ -32,7 +31,5 @@ MEDIA_TV_DIR=/mnt/user/media/tv
 MEDIA_MOVIES_DIR=/mnt/user/media/movies
 
 # qBittorrent
-QB_USERNAME=admin
-QB_PASSWORD=change_me
 BT_PORT=51413
 
diff --git a/README.md b/README.md
@@ -57,6 +57,34 @@ docker compose -f arr/docker-compose.yml up -d     # media pipeline (9 container
 
 Each compose file declares `env_file: ./.env`, resolved relative to its own directory — so `arr/docker-compose.yml` needs `arr/.env`. Symlinking keeps one source of truth at the repo root.
 
+### Configuring each services
+To configure each service, be sure to use docker internal DNS to let services reach each other on the network `arr_internal` :
+- http://prowlarr:9696
+- http://radarr:7878
+- http://gluetun:8080 (qbittorrent)
+- http://jellyfin:8096
+- http://sonarr:8989
+- http://bazarr:6767
+- http://seerr:5055
+
+### Subdomains
+This is the list of subdomains for which you must create `A` records pointing to the Tailscale IP of the machine that hosts Traefik:
+- traefik
+- bazarr
+- jellyfin
+- prowlarr
+- qbit
+- radarr
+- seerr
+- sonarr
+
+Note: create full FQDNs (e.g., traefik.example.com) in your DNS zone (alternatively, add them to your hosts file), each pointing to your host's Tailscale IP.
+
+### qBittorrent
+The web UI is at `qbit.example.com` and a temporary password for the `admin` user will be printed to the container log on startup.
+
+You must then change username/password in the web UI section of settings. If you do not change the password a new one will be generated every time the container starts.
+
 ## Networking & Security
 
 This is the part that's actually interesting. The services themselves are standard — the value is in how they're wired together.

diff --git a/arr/docker-compose.yml b/arr/docker-compose.yml
@@ -48,17 +48,16 @@ services:
       VPN_SERVICE_PROVIDER:       protonvpn
       VPN_TYPE:                   wireguard
       WIREGUARD_PRIVATE_KEY:      ${WG_PRIVATE_KEY}
-      WIREGUARD_PUBLIC_KEY:       ${WG_PUBLIC_KEY}
+      OPENVPN_USER:               ${PROTONVPN_USERNAME}
+      OPENVPN_PASSWORD:           ${PROTONVPN_PASSWORD}
       WIREGUARD_ADDRESSES:        ${WG_ADDRESSES:-10.2.0.2/32}
       # Improved stability settings
       WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL: 25s # Increased for better stability
       SERVER_COUNTRIES:           Netherlands,Switzerland
       SERVER_FEATURES:            p2p
       # Port-forwarding
-      VPN_PORT_FORWARDING:        "on"
-      VPN_PORT_FORWARDING_PROVIDER: protonvpn
-      VPN_PORT_FORWARD_ONLY:      "on"
-      PORT_FORWARD_ONLY:          "on"
+      VPN_PORT_FORWARDING:        on
+      PORT_FORWARD_ONLY:          on
       FIREWALL_VPN_INPUT_PORTS:    "8080,9999"
       HEALTH_SERVER_ADDRESS: 0.0.0.0:9999
       # DNS Configuration for better resolution
@@ -100,9 +99,7 @@ services:
       PGID:             ${PGID:-100}
       TZ:               ${TZ:-Europe/Warsaw}
       WEBUI_PORT:       8080
-      WEBUI_USERNAME:   ${QB_USERNAME:-admin}
-      WEBUI_PASSWORD:   ${QB_PASSWORD:?Set QB_PASSWORD in .env}
-      TORRENTING_PORT:  51413
+      TORRENTING_PORT:  ${BT_PORT}
       BIND_TO_INTERFACE: tun0  # Bind qBittorrent to the VPN interface
     volumes:
       - ${DATA_DIR}/qbittorrent:/config
@@ -248,7 +245,7 @@ services:
       PGID: ${PGID:-1000}
       TZ:   ${TZ:-Europe/Warsaw}
     volumes:
-      - ${DATA_DIR}/seerr/config:/config
+      - ${DATA_DIR}/seerr/config:/app/config
     restart: unless-stopped
     healthcheck:
       test: ["CMD", "wget", "-qO-", "http://localhost:5055/health"]

diff --git a/infra/docker-compose.yml b/infra/docker-compose.yml
@@ -4,7 +4,7 @@ networks:
 
 services:
   traefik:
-    image: traefik:v2.10.7
+    image: traefik:v3.6.13
     container_name: traefik
     restart: unless-stopped
     env_file:
@@ -20,6 +20,7 @@ services:
       - CF_API_EMAIL=${CF_API_EMAIL}
       - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
       - TZ=${TZ:-Europe/London}
+      - DOCKER_API_VERSION=1.52
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ${DATA_DIR}/letsencrypt:/letsencrypt
@@ -57,4 +58,4 @@ services:
       - "traefik.http.middlewares.secureHeaders.headers.stsIncludeSubdomains=true"
       - "traefik.http.middlewares.secureHeaders.headers.stsPreload=true"
       - "traefik.http.middlewares.secureHeaders.headers.stsSeconds=31536000"
-      - "traefik.http.routers.dashboard.middlewares=secureHeaders@docker"
+      - "traefik.http.routers.dashboard.middlewares=secureHeaders@docker"