From 9a42d6a27def9aa6c9bade76ef50f46c635ae92b Mon Sep 17 00:00:00 2001
From: Administrator <graymutt@netgrimoire.com>
Date: Sun, 29 Mar 2026 16:05:36 +0000
Subject: [PATCH] docs: create Netgrimoire/service_Catalog

---
 Netgrimoire/service_Catalog.md | 355 +++++++++++++++++++++++++++++++++
 1 file changed, 355 insertions(+)
 create mode 100644 Netgrimoire/service_Catalog.md

diff --git a/Netgrimoire/service_Catalog.md b/Netgrimoire/service_Catalog.md
new file mode 100644
index 0000000..f5e4809
--- /dev/null
+++ b/Netgrimoire/service_Catalog.md
@@ -0,0 +1,355 @@
+---
+title: Netgrimoire Service Catalog
+description: Done or soon to be
+published: true
+date: 2026-03-29T16:05:26.168Z
+tags: 
+editor: markdown
+dateCreated: 2026-03-29T16:05:26.168Z
+---
+
+# Netgrimoire Service Catalog
+
+> **Living document** — tracks all deployed, configured, and planned services across the Netgrimoire homelab.
+> Source of truth: Forgejo repo — `compose/` = Docker Compose per host | `swarm/` = Docker Swarm | `archive/` = not running
+>
+> Status: ✅ Deployed & Configured | 🔧 Deployed, Needs Config | 📋 Planned | 🔍 Evaluating | ❌ Abandoned/Archived
+
+---
+
+## 🏗️ Infrastructure Overview
+
+| Host | Role | IP | Runtime |
+|------|------|----|---------|
+| znas | NAS / Primary Swarm node | 192.168.5.10 | Docker Compose + Swarm manager |
+| docker2 | VPN gateway host | — | Docker Compose |
+| docker3 | LibreNMS host | — | Docker Compose |
+| docker4 (hermes) | Mail server host | 192.168.5.16 | Docker Compose |
+| docker5 | Media host | 192.168.5.18 | Docker Compose |
+| Pi4s / NUCs | Swarm worker nodes | various | Docker Swarm workers |
+
+---
+
+## 📡 Network & Reverse Proxy
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | OPNsense | Firewall appliance | — | Firewall / Dual-WAN / NAT | ATT igc1 primary; 5 static IPs allocated; legacy WAN retiring |
+| 🔧 | Caddy (new) | znas / Swarm | — | Reverse proxy — CrowdSec edition | `serfriz/caddy-crowdsec-geoip-ratelimit-security-dockerproxy`; migration in progress; `caddy.yaml` |
+| ✅ | Caddy (legacy) | znas / Swarm | — | Reverse proxy | `lucaslorentz/caddy-docker-proxy`; `caddy-1.yaml` |
+| ✅ | Authentik | znas / Swarm | — | SSO / IdP | Protects `*.netgrimoire.com` services |
+| ✅ | Authelia | znas / Swarm | — | SSO / IdP | Protects `*.wasted-bandwidth.net` services |
+| ✅ | WireGuard | OPNsense | — | VPN | Peers: Obie (.2), pncfishandmore (.3), GLNet (.4/.6), PortaPotty (.5) — 192.168.32.0/24 |
+| ✅ | OpenVPN | OPNsense | — | VPN | Configured alongside WireGuard |
+| ✅ | Gluetun | docker2 / Compose | — | VPN gateway container | PIA VPN; Jackett + Transmission share `network_mode: container:gluetun` |
+| ✅ | Internal DNS | 192.168.5.7 | dns.netgrimoire.com | Internal name resolution | Technitium DNS; behind Authentik |
+| ✅ | LLDAP | znas / Swarm | ldap.netgrimoire.com | Lightweight LDAP directory | `lldap/lldap:stable` + postgres; user management backend |
+| 📋 | dnscrypt-proxy | TBD | — | Encrypted upstream DNS | Pending install |
+| 📋 | Suricata | OPNsense | — | IDS/IPS | Pending config |
+| 📋 | Zenarmor | OPNsense | — | Deep packet inspection (free tier) | Pending install |
+| 📋 | os-git-backup | OPNsense | — | OPNsense config backup to git | Pending install |
+
+---
+
+## 🔒 Security
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | CrowdSec | OPNsense + Swarm | — | Threat intelligence / IP blocking | OPNsense bouncer active; Caddy bouncer in progress |
+| ✅ | Vaultwarden | znas / Swarm | pass.netgrimoire.com | Password manager | `vaultwarden/server` |
+| 🔧 | CrowdSec Caddy Bouncer | znas / Swarm | — | HTTP-level blocking | Gradual rollout via `caddy.import=crowdsec` label per service |
+| 🔧 | OPNsense Spamhaus + GeoIP | OPNsense | — | IP blocklist / geo-blocking | Currently DISABLED — needs fixing |
+| 📋 | YubiKey PIV (SSH) | All hosts | — | Smartcard SSH authentication | Highest-impact pending integration |
+| 📋 | YubiKey Challenge-Response | znas | — | LUKS / Kopia key derivation | Planned |
+
+---
+
+## 📧 Email
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | MailCow | docker4 / Compose | mail.netgrimoire.com + all domains | Self-hosted mail server | hermes.netgrimoire.com; MXRoute inbound filter + outbound relay for all 8 domains |
+| ✅ | Roundcube | docker4 / Swarm | — | Webmail | SSL peer verify disabled for internal dovecot; SRS catch-all aliases configured |
+| ✅ | MXRoute | External | — | Inbound filter + outbound relay | Two DKIM selectors: `mailcow` + `mxroute` |
+| 📋 | Dedicated ATT_Mail IP | OPNsense | — | Separate static IP for mail traffic | Assignment still pending |
+
+**Domains:** netgrimoire.com · pncharris.com · nucking-futz.com · wasted-bandwidth.net · florosafd.org · gnarlypandaproductions.com · pncfishandmore.com · pncharrisenterprises.com
+
+---
+
+## 🎬 Media — Video
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Jellyfin | docker5 / Compose | — | Media server | Port 8096; VAAPI via `/dev/dri`; dedicated static IP 107.133.34.147 |
+| ✅ | Jellyfinx | docker5 / Compose | — | Green Door media server | Port 7096; separate instance; Green + AfterDark library mounts |
+| ✅ | Sonarr | znas / Swarm | — | TV show downloader | `linuxserver/sonarr` |
+| ✅ | Radarr | znas / Swarm | — | Movie downloader | `linuxserver/radarr` |
+| ✅ | Bazarr | znas / Swarm | bazarr.netgrimoire.com | Subtitle management | `linuxserver/bazarr` |
+| ✅ | Tunarr | znas / Swarm | — | IPTV channel creation | `chrisbenincasa/tunarr`; ErsatzTV replacement (ErsatzTV archived Feb 2026) |
+| ✅ | JellySeerr | znas / Swarm | requests.netgrimoire.com | Media request management | `fallenbagel/jellyseerr` |
+| ✅ | JellyStat | znas / Swarm | — | Jellyfin usage statistics | `cyfershepard/jellystat` + postgres |
+| ✅ | TinyMediaManager | znas / Swarm | tmm.netgrimoire.com | Media metadata manager | `tinymediamanager/tinymediamanager` |
+| ✅ | Pinchflat | znas / Swarm | pinchflat.netgrimoire.com | YouTube channel downloader | `kieraneglin/pinchflat` |
+| 📋 | MeTube | TBD | — | YouTube downloader | Needed for Tunarr period-accurate filler sourcing workflow |
+| 🔍 | Wizarr | TBD | — | Jellyfin user onboarding | Evaluating |
+
+---
+
+## 🎵 Media — Audio
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Lidarr | znas / Swarm | — | Music downloader | (Caddy label not found in yaml — likely static Caddyfile entry) |
+| ✅ | Beets | znas / Swarm | beets.netgrimoire.com | Music library tagging | `linuxserver/beets` |
+| 🔍 | Navidrome | TBD | — | Music streaming server | Lightweight Subsonic-compatible |
+| 🔍 | Soularr | TBD | — | Soulseek integration for Lidarr | Strongly recommended; fills gaps Usenet/torrents miss |
+| 🔍 | Tubifarry | TBD | — | Spotify playlists → YouTube → Lidarr | https://github.com/TypNull/Tubifarry |
+
+---
+
+## 📚 Media — Books & Comics
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Calibre | znas / Compose | calibre.netgrimoire.com | Ebook library management | `linuxserver/calibre`; port 7070; behind Authentik; requires `seccomp=unconfined` (Compose-only) |
+| ✅ | Calibre-Web Automated | znas / Swarm | books.netgrimoire.com · books.pncharris.com | Web UI + auto-import | `crocodilestick/calibre-web-automated`; dual-domain Caddy label |
+| ✅ | Calibre-Web (library) | znas / Swarm | — | Secondary Calibre-Web instance | `linuxserver/calibre-web`; hostname `calibre-netgrimoire`; `library.yaml` |
+| ✅ | Readarr | znas / Swarm | — | Book downloader | Using `blampe/rreading-glasses` image |
+| 📋 | Mylar | znas / Swarm | — | Comic book downloader | Not currently running; needs setup soon. Reference `archive/arr.yaml` for old config |
+| ✅ | Kavita | znas / Swarm | kavita.netgrimoire.com | Ebook/comic reader | `jvmilazz0/kavita` |
+| ✅ | Comixed | znas / Swarm | comics.netgrimoire.com | Comic library server | `comixed/comixed` |
+| ✅ | FreshRSS | znas / Swarm | rss.netgrimoire.com | RSS aggregator | `linuxserver/freshrss` |
+| 🔍 | Komga | TBD | — | Comic/manga server | Evaluating vs Kavita/Comixed |
+| 🔍 | MyAnonaMouse | TBD | — | Private ebook tracker | Worth investigating |
+
+---
+
+## 📥 Download Stack
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | NZBGet | znas / Swarm | — | Usenet download manager | `linuxserver/nzbget` |
+| ✅ | SABnzbd | znas / Swarm | — | Usenet download manager | `linuxserver/sabnzbd` |
+| ✅ | NZBHydra | znas / Swarm | hydra.netgrimoire.com | Usenet indexer aggregator | `linuxserver/nzbhydra2:dev`; altHUB, NZBGeek, Drunken Slug, Usenet Crawler, DogNZB |
+| ✅ | Jackett | docker2 / Compose | jackett.netgrimoire.com | Torrent indexer | Runs inside Gluetun network; behind Authentik |
+| ✅ | Transmission | docker2 / Compose | — | Torrent client | `network_mode: container:gluetun`; shares Gluetun VPN |
+| ✅ | Recyclarr | znas / Swarm | — | Sonarr/Radarr quality profile sync | `recyclarr/recyclarr` |
+| ✅ | Profilarr | znas / Swarm | profilarr.netgrimoire.com | Quality profile management | `santiagosayshey/profilarr` |
+| ✅ | Configarr | znas / Swarm | configarr.netgrimoire.com | Arr config management | `raydak-labs/configarr` |
+| 📋 | Prowlarr | TBD | — | Unified indexer manager | Low priority — light torrent usage; NZBHydra covers current needs |
+
+---
+
+## 🤖 AI & Automation (Gremlin Stack)
+
+> All pinned to `znas` node on Docker Swarm via `swarm/ollama.yaml`.
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Ollama | znas / Swarm | — | Local LLM inference | CPU-only (Ryzen); 3B–14B models |
+| ✅ | Open WebUI | znas / Swarm | — | Chat interface for Ollama | `ghcr.io/open-webui/open-webui` |
+| ✅ | Qdrant | znas / Swarm | — | Vector database for RAG | Wiki.js / markdown doc search |
+| ✅ | n8n | znas / Swarm | — | Workflow automation | Forgejo webhook → doc gen, compose validation, alert triage |
+| 🔍 | Perplexica | TBD | — | Self-hosted AI search | https://github.com/ItzCrazyKns/Perplexica |
+
+---
+
+## ☁️ Files, Notes & Personal Apps
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Nextcloud AIO | znas / Compose | cloud.netgrimoire.com | File sync / cloud storage | `nextcloud/all-in-one`; data at `/srv/NextCloud-AIO`; Caddy → port 11000 |
+| ✅ | Immich | znas / Compose | immich.netgrimoire.com | Photo management | Port 2283; Postgres dump + Kopia backup; external photo + Nextcloud mounts |
+| ✅ | Joplin Server | znas / Swarm | joplin.netgrimoire.com | Note sync server | `joplin/server` + postgres; Homepage widget configured |
+| ✅ | Vikunja | znas / Swarm | task.netgrimoire.com | Task management | `vikunja/vikunja` + MariaDB |
+| ✅ | Linkding | znas / Swarm | link.netgrimoire.com | Bookmark manager | `sissbruecker/linkding:1.13.0` |
+| ✅ | Mealie | znas / Swarm | recipe.netgrimoire.com | Recipe manager | `ghcr.io/mealie-recipes/mealie` |
+| ✅ | Wallos | znas / Swarm | expense.netgrimoire.com | Subscription / expense tracker | `bellamy/wallos` |
+| ✅ | DailyTxT | znas / Swarm | — | Encrypted diary | `phitux/dailytxt:2.x.x` |
+| ✅ | Bigcapital | docker5 / Compose | accounts.netgrimoire.com | Accounting / invoicing | Static Caddyfile entry; `{{upstreams}}` doesn't work for Compose stacks |
+| ✅ | Scanopy | znas / Swarm | scn.netgrimoire.com | Document scanner | `ghcr.io/scanopy/scanopy` (server + daemon) + postgres |
+| ✅ | Glance | znas / Swarm | home.netgrimoire.com | Alternative dashboard | `glanceapp/glance` |
+| 📋 | Memos | TBD | — | Self-hosted journaling | Preferred journal addition (alongside Joplin for notes) |
+| 🔍 | Wallabag | TBD | — | Read-it-later / article saving | |
+| 🔍 | Fluid Calendar | TBD | — | Self-hosted calendar | https://github.com/dotnetfactory/fluid-calendar |
+| 🔍 | Firefly III | TBD | — | Personal finance / budgeting | |
+| 🔍 | Stirling-PDF | TBD | — | PDF editor / tools | |
+| 🔍 | Excalidraw | TBD | — | Collaborative whiteboard | |
+| 🔍 | Baikal | TBD | — | CalDAV / CardDAV sync | https://sabre.io/baikal/ |
+
+---
+
+## 📝 Documentation & Dev
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Wiki.js | znas / Swarm | wiki.netgrimoire.com | Documentation wiki | `requarks/wiki:2` + postgres; Grimoire theme; Forgejo git backend |
+| ✅ | Draw.io | znas / Swarm | draw.netgrimoire.com | Diagramming | `jgraph/drawio`; co-deployed in `wiki.yaml` |
+| ✅ | Forgejo | znas / Swarm | git.netgrimoire.com | Self-hosted Git | `codeberg.org/forgejo/forgejo:11`; source of truth for Wiki.js + Gremlin |
+| ✅ | Forgejo Runner | znas / Swarm | — | CI/CD | `data.forgejo.org/forgejo/runner:4.0.0`; `gitrunner.yaml` |
+| ✅ | VS Code Server | znas / Swarm | code.netgrimoire.com | Web-based IDE | `linuxserver/code-server` |
+| ✅ | Webtop (ubuntu-kde) | znas / Compose | webtop.netgrimoire.com | Browser-based desktop | Software rendering via llvmpipe; behind Authentik |
+| ✅ | Firefox (container) | znas / Swarm | firefox.netgrimoire.com | Containerized browser | `jlesage/firefox` |
+
+---
+
+## 📊 Monitoring & Observability
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Uptime Kuma | znas / Swarm | — | Service uptime monitoring | `louislam/uptime-kuma:1` |
+| ✅ | AutoKuma | znas / Swarm | — | Auto-create Kuma monitors from labels | `ghcr.io/bigboot/autokuma`; co-deployed in `kuma.yaml` |
+| ✅ | Beszel | znas / Swarm | — | Docker resource monitoring | `henrygd/beszel` hub + agents on all nodes |
+| ✅ | DIUN | znas / Swarm | — | Docker image update notifications | `crazymax/diun`; label-based per-service |
+| ✅ | ntfy | znas / Swarm | ntfy.netgrimoire.com | Push notifications | `binwiederhier/ntfy`; OPNsense alerts via CrowdSec HTTP plugin |
+| ✅ | Dozzle | znas / Swarm | dozzle.netgrimoire.com | Real-time container logs | `amir20/dozzle`; behind Authentik |
+| ✅ | Scrutiny | znas / Compose | scrutiny.netgrimoire.com | Disk S.M.A.R.T. monitoring | `analogj/scrutiny:master-omnibus`; monitors /dev/sda–sdg; behind Authentik |
+| ✅ | Glances | znas / Compose | — | Real-time system stats | `nicolargo/glances`; `network_mode: host`; co-deployed in `monitor.yaml` |
+| ✅ | Graylog | docker4 / Compose | log.netgrimoire.com | Log aggregation | Graylog 6.0 + MongoDB 5 + DataNode (OpenSearch); compose-only (noted in file) |
+| ✅ | LibreNMS | docker3 / Compose | nms.netgrimoire.com | Network/SNMP monitoring | Full stack: librenms + dispatcher + syslog-ng + snmptrapd + MariaDB + Redis; port 8000 |
+| ✅ | Homelable | znas / Compose | — | Infrastructure visualizer | Frontend + Backend via GHCR; MCP deferred (requires build from source) |
+| ✅ | phpIPAM | znas / Swarm | ipam.netgrimoire.com | IP address management | `phpipam/phpipam-www` + cron + MariaDB |
+| ✅ | Homepage | znas / Swarm | — | Primary dashboard | `ghcr.io/gethomepage/homepage` |
+| ✅ | Glance | znas / Swarm | home.netgrimoire.com | Alternative dashboard | `glanceapp/glance` |
+| ✅ | Dockpeek | znas / Swarm | dockpeek.netgrimoire.com | Container inspector | `dockpeek/dockpeek` |
+| ✅ | Loki + Promtail + Grafana | znas / Swarm | — | Metrics/log stack | `logging.yaml`; Grafana 10.4.2 + Loki 2.9.3 + Promtail 2.9.3 |
+| ✅ | phpMyAdmin + phpPgAdmin | znas / Swarm | — | DB admin UIs | `SQL-mgmt.yaml` |
+| ✅ | pgAdmin | znas / Swarm | — | Postgres admin | `dpage/pgadmin4`; `database.yaml` |
+| 🔍 | WatchYourLAN | TBD | — | Network device tracker | https://github.com/aceberg/WatchYourLAN |
+| 🔍 | NUT UPS | TBD | — | UPS power management | https://hub.docker.com/r/instantlinux/nut-upsd |
+| 🔍 | OliveTin | TBD | — | Web button → shell command | Run commands from web UI |
+| 🔍 | Swarm Dashboard | TBD | — | Docker Swarm visualizer | https://github.com/mohsenasm/swarm-dashboard |
+
+---
+
+## 💾 Storage & Backup
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | OpenZFS (ZNAS) | znas | — | Primary storage | ~94TB raw, two RAIDZ1 VDEVs; vault pool |
+| ✅ | NFSv4 | znas | — | Shared storage for Swarm | Loopback NFS at `/data/nfs/znas`; ZFS must fully mount before NFS starts |
+| ✅ | Kopia (primary vault) | znas / Swarm | kopia.netgrimoire.com | Primary backup repo | `kopia.yaml`; dedup + replication |
+| ✅ | Kopia (offsite vault) | znas / Swarm | vault.netgrimoire.com | Offsite replication server | `vault.yaml`; port 51516; separate dataset → ZFS raw send to Pi vaults |
+| ✅ | syncoid | znas | — | ZFS replication | Syncs vault/Green/Pocket → Pocket Grimoire |
+| ✅ | Nextcloud AIO BorgBackup | znas | — | Nextcloud-native backup | Local snapshots before Kopia |
+| ✅ | Czkawka | znas / Swarm | dupes.netgrimoire.com | Duplicate file finder | `jlesage/czkawka` |
+| ✅ | Cloud Commander | znas / Swarm | — | Web file manager | `coderaiser/cloudcmd`; **two instances** (`cloudcmd.yaml` + `commander.yaml`) — verify if intentional |
+| ✅ | File Browser | znas / Swarm | — | Web file manager | `filebrowser/filebrowser` |
+| 🔍 | Manyfold | TBD | — | 3D print model collector | https://github.com/manyfold3d/manyfold |
+
+---
+
+## 🖥️ Management & Remote Access
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Portainer | znas / Swarm | docker.netgrimoire.com | Container management UI | `portainer/portainer-ce:2.33.6` + agents on all nodes |
+| ✅ | ISPConfig | 192.168.4.11 | — | Web/DNS hosting control panel | |
+| ✅ | Cockpit | All hosts | win.netgrimoire.com | Linux server management | Caddy → `192.168.5.10:8006` |
+| ✅ | Termix | znas / Swarm | termix.netgrimoire.com | Web-based terminal | `ghcr.io/lukegus/termix` |
+| ✅ | DumbTerm | znas / Swarm | — | Simple web terminal | `dockwareio/dumbterm` |
+| ✅ | Windows 7 (VM) | znas / Compose | — | Windows VM | `dockurr/windows`; `windows7.yaml` |
+| 🔍 | Guacamole | TBD | — | Remote desktop gateway | Previously tried as `nxterm` — in archive |
+| 🔍 | SSHwifty | TBD | — | SSH web client | In archive; reconsidering |
+
+---
+
+## 🎭 Green Door (Adult Content)
+
+> Protected behind Authelia (`*.wasted-bandwidth.net`)
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Whisparr | znas / Swarm | — | Adult content downloader | `ghcr.io/hotio/whisparr` |
+| ✅ | Namer | znas / Compose | namer.wasted-bandwidth.net | Scene file namer | `theporndatabase/namer`; port 6980; data → `/data/nfs/Baxter/Green/` |
+| ✅ | Stash (main) | znas / Compose | stash.wasted-bandwidth.net | Adult content library | `stashapp/stash`; port 9999 |
+| ✅ | PocketStash | znas / Compose | — | Stash for Pocket Grimoire | Separate instance; port 9998; data → `/export/Green/Pocket/`; `pocketstash.yaml` |
+
+---
+
+## 🌐 Web Hosting
+
+| Status | App | Host / Runtime | URL | Purpose | Notes |
+|--------|-----|----------------|-----|---------|-------|
+| ✅ | Apache/PHP web | znas / Swarm | fish.pncharris.com · www.wasted-bandwidth.net | Static/PHP web hosting | `php:8.2-apache`; `web.yaml`; replicas: 1 |
+
+---
+
+## 📦 Archive (Not Currently Running)
+
+> Files in `archive/` — previously evaluated or deployed, not currently active.
+
+| App | File | Notes |
+|-----|------|-------|
+| Plex | `plex.yaml` | Replaced by Jellyfin |
+| Komodo | `komodo.yaml` | Container management platform — evaluated, not deployed |
+| cAdvisor | `cadvisor.yaml` | Container metrics — not deployed |
+| Peekaping | `peekaping.yaml` | Uptime monitor — Kuma preferred |
+| WatchState | `WatchState.yaml` | Jellyfin/Plex watch state sync |
+| Nessus | `nessus.yaml` | Vulnerability scanner — evaluated |
+| NxTerm | `nxterm.yaml` | Guacamole-style remote desktop — evaluated |
+| SSHwifty | `sshwifty.yaml` | SSH web client — evaluated |
+| Wordpress Classifieds | `wordpress-classifieds.yaml` | Not deployed |
+| Cal (calendar?) | `cal.yaml` | Evaluated |
+| CrowdSec (standalone) | `crowdsec.yaml` | Merged into Caddy stack |
+| Arr stack | `arr.yaml` | Old consolidated arr compose — superseded by individual yamls |
+| Caddyfile.old | `Caddyfile.old` | Legacy Caddyfile |
+
+---
+
+## 🗃️ Ideas Backlog
+
+| App | Category | Notes |
+|-----|----------|-------|
+| Soularr | Audio | Soulseek for Lidarr; strongly recommended |
+| Tubifarry | Audio | Spotify → YouTube → Lidarr |
+| MeTube | Video | YouTube downloader for Tunarr filler |
+| Memos | Journal | Preferred self-hosted journal pick |
+| Wallabag | Reading | Read-it-later |
+| Firefly III | Finance | Budgeting |
+| Baikal | PIM | CalDAV/CardDAV |
+| Fluid Calendar | PIM | https://github.com/dotnetfactory/fluid-calendar |
+| Perplexica | AI | Self-hosted AI search |
+| WatchYourLAN | Network | Device tracker |
+| OliveTin | Automation | Web UI → shell commands |
+| Swarm Dashboard | Monitoring | Swarm-aware visualizer |
+| ContainerNursery | Automation | On-demand container start/stop |
+| NUT UPS | Power | UPS management |
+| Wire-pod for Vector | IoT | Anki Vector local server |
+| Kindle reuse | IoT | Repurpose Kindle as weather/info display |
+| Collectarr | Media | https://github.com/RiffSphere/Collectarr |
+| SuggestArr | Media | Automated media recommendations |
+| Recommendarr | Media | AI media recommendations |
+| Manyfold | 3D Print | Model library |
+| OrcaSlicer | 3D Print | Slicer web UI |
+| Memos / Journiv | Journal | Self-hosted journaling (Memos preferred) |
+| Romm | Gaming | ROM library manager |
+| EmulatorJS | Gaming | Browser-based emulation |
+
+---
+
+## 🔑 Key Architecture Decisions & Gotchas
+
+> Reference these before deploying or modifying services.
+
+- **MailCow network isolation:** Only `nginx-mailcow` on the `netgrimoire` overlay. All other containers stay on internal bridge. Mixing causes PHP-FPM → Redis DNS conflicts.
+- **caddy-docker-proxy + static Caddyfile conflict:** Never manage the same hostname via both Docker labels AND a static block. Pick one method exclusively per service.
+- **`{{upstreams}}` is Swarm-only:** Does not work for Docker Compose stacks. Use static Caddyfile with container name or pinned IP.
+- **Docker Compose `ports: []` override:** Does not nullify ports from base file. Remap to unused host ports instead.
+- **Graylog is Compose-only:** The `graylog.yaml` file explicitly notes this — do not attempt to run it in Swarm.
+- **Calibre requires `seccomp=unconfined`:** Necessary for the desktop app container; incompatible with Swarm mode — must remain in `compose/znas/`.
+- **Kopia repos not ZFS-separable:** Use separate repositories with independent retention (`kopia.yaml` vs `vault.yaml`) rather than trying to separate at the ZFS snapshot level.
+- **ZFS encryption:** In-place encryption impossible. Use rsync migration + `-w` flag for raw send to Pi vaults (no key needed on vault side).
+- **SRS rewrite:** All domains using MXRoute inbound forwarding require catch-all aliases in MailCow to prevent `reject_unlisted_sender` rejections.
+- **Docker Swarm DNS caching:** Use `endpoint_mode: dnsrr` for internal services; VIP only for published-port services.
+- **NFS boot ordering on znas:** ZFS must fully mount before NFS starts — systemd override required (`After=zfs-import.target zfs-mount.service`). Loopback NFS mount needs `x-systemd.after=nfs-server.service` in fstab.
+- **Wiki.js angle brackets:** `<value>` placeholders cause rendering hangs. Use `VALUE` or backtick format instead.
+- **bcrypt in `.env`:** Wrap full hash in single quotes to preserve leading `$`.
+- **Webtop GPU rendering:** Requires `LIBGL_ALWAYS_SOFTWARE=1` + `GALLIUM_DRIVER=llvmpipe`; remove `devices:/dev/dri` mapping.
+- **Cloud Commander duplication:** Two nearly identical `coderaiser/cloudcmd` stacks exist (`cloudcmd.yaml` + `commander.yaml`) — verify if intentional or a duplicate to clean up.
+- **Lidarr missing Caddy label:** Lidarr yaml has no caddy label — either routed via static Caddyfile or not yet exposed. Confirm and standardize.
+
+---
+
+*Last updated: March 2026 | Source: Forgejo repo git archive*
\ No newline at end of file