docs: create Netgrimoire/service_Catalog

This commit is contained in:
Administrator 2026-03-29 16:05:36 +00:00 committed by John Smith
parent 46b6cf3095
commit 9a42d6a27d

@ -0,0 +1,355 @@
---
title: Netgrimoire Service Catalog
description: Done or soon to be
published: true
date: 2026-03-29T16:05:26.168Z
tags:
editor: markdown
dateCreated: 2026-03-29T16:05:26.168Z
---
# Netgrimoire Service Catalog
> **Living document** — tracks all deployed, configured, and planned services across the Netgrimoire homelab.
> Source of truth: Forgejo repo — `compose/` = Docker Compose per host | `swarm/` = Docker Swarm | `archive/` = not running
>
> Status: ✅ Deployed & Configured | 🔧 Deployed, Needs Config | 📋 Planned | 🔍 Evaluating | ❌ Abandoned/Archived
---
## 🏗️ Infrastructure Overview
| Host | Role | IP | Runtime |
|------|------|----|---------|
| znas | NAS / Primary Swarm node | 192.168.5.10 | Docker Compose + Swarm manager |
| docker2 | VPN gateway host | — | Docker Compose |
| docker3 | LibreNMS host | — | Docker Compose |
| docker4 (hermes) | Mail server host | 192.168.5.16 | Docker Compose |
| docker5 | Media host | 192.168.5.18 | Docker Compose |
| Pi4s / NUCs | Swarm worker nodes | various | Docker Swarm workers |
---
## 📡 Network & Reverse Proxy
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | OPNsense | Firewall appliance | — | Firewall / Dual-WAN / NAT | ATT igc1 primary; 5 static IPs allocated; legacy WAN retiring |
| 🔧 | Caddy (new) | znas / Swarm | — | Reverse proxy — CrowdSec edition | `serfriz/caddy-crowdsec-geoip-ratelimit-security-dockerproxy`; migration in progress; `caddy.yaml` |
| ✅ | Caddy (legacy) | znas / Swarm | — | Reverse proxy | `lucaslorentz/caddy-docker-proxy`; `caddy-1.yaml` |
| ✅ | Authentik | znas / Swarm | — | SSO / IdP | Protects `*.netgrimoire.com` services |
| ✅ | Authelia | znas / Swarm | — | SSO / IdP | Protects `*.wasted-bandwidth.net` services |
| ✅ | WireGuard | OPNsense | — | VPN | Peers: Obie (.2), pncfishandmore (.3), GLNet (.4/.6), PortaPotty (.5) — 192.168.32.0/24 |
| ✅ | OpenVPN | OPNsense | — | VPN | Configured alongside WireGuard |
| ✅ | Gluetun | docker2 / Compose | — | VPN gateway container | PIA VPN; Jackett + Transmission share `network_mode: container:gluetun` |
| ✅ | Internal DNS | 192.168.5.7 | dns.netgrimoire.com | Internal name resolution | Technitium DNS; behind Authentik |
| ✅ | LLDAP | znas / Swarm | ldap.netgrimoire.com | Lightweight LDAP directory | `lldap/lldap:stable` + postgres; user management backend |
| 📋 | dnscrypt-proxy | TBD | — | Encrypted upstream DNS | Pending install |
| 📋 | Suricata | OPNsense | — | IDS/IPS | Pending config |
| 📋 | Zenarmor | OPNsense | — | Deep packet inspection (free tier) | Pending install |
| 📋 | os-git-backup | OPNsense | — | OPNsense config backup to git | Pending install |
---
## 🔒 Security
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | CrowdSec | OPNsense + Swarm | — | Threat intelligence / IP blocking | OPNsense bouncer active; Caddy bouncer in progress |
| ✅ | Vaultwarden | znas / Swarm | pass.netgrimoire.com | Password manager | `vaultwarden/server` |
| 🔧 | CrowdSec Caddy Bouncer | znas / Swarm | — | HTTP-level blocking | Gradual rollout via `caddy.import=crowdsec` label per service |
| 🔧 | OPNsense Spamhaus + GeoIP | OPNsense | — | IP blocklist / geo-blocking | Currently DISABLED — needs fixing |
| 📋 | YubiKey PIV (SSH) | All hosts | — | Smartcard SSH authentication | Highest-impact pending integration |
| 📋 | YubiKey Challenge-Response | znas | — | LUKS / Kopia key derivation | Planned |
---
## 📧 Email
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | MailCow | docker4 / Compose | mail.netgrimoire.com + all domains | Self-hosted mail server | hermes.netgrimoire.com; MXRoute inbound filter + outbound relay for all 8 domains |
| ✅ | Roundcube | docker4 / Swarm | — | Webmail | SSL peer verify disabled for internal dovecot; SRS catch-all aliases configured |
| ✅ | MXRoute | External | — | Inbound filter + outbound relay | Two DKIM selectors: `mailcow` + `mxroute` |
| 📋 | Dedicated ATT_Mail IP | OPNsense | — | Separate static IP for mail traffic | Assignment still pending |
**Domains:** netgrimoire.com · pncharris.com · nucking-futz.com · wasted-bandwidth.net · florosafd.org · gnarlypandaproductions.com · pncfishandmore.com · pncharrisenterprises.com
---
## 🎬 Media — Video
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Jellyfin | docker5 / Compose | — | Media server | Port 8096; VAAPI via `/dev/dri`; dedicated static IP 107.133.34.147 |
| ✅ | Jellyfinx | docker5 / Compose | — | Green Door media server | Port 7096; separate instance; Green + AfterDark library mounts |
| ✅ | Sonarr | znas / Swarm | — | TV show downloader | `linuxserver/sonarr` |
| ✅ | Radarr | znas / Swarm | — | Movie downloader | `linuxserver/radarr` |
| ✅ | Bazarr | znas / Swarm | bazarr.netgrimoire.com | Subtitle management | `linuxserver/bazarr` |
| ✅ | Tunarr | znas / Swarm | — | IPTV channel creation | `chrisbenincasa/tunarr`; ErsatzTV replacement (ErsatzTV archived Feb 2026) |
| ✅ | JellySeerr | znas / Swarm | requests.netgrimoire.com | Media request management | `fallenbagel/jellyseerr` |
| ✅ | JellyStat | znas / Swarm | — | Jellyfin usage statistics | `cyfershepard/jellystat` + postgres |
| ✅ | TinyMediaManager | znas / Swarm | tmm.netgrimoire.com | Media metadata manager | `tinymediamanager/tinymediamanager` |
| ✅ | Pinchflat | znas / Swarm | pinchflat.netgrimoire.com | YouTube channel downloader | `kieraneglin/pinchflat` |
| 📋 | MeTube | TBD | — | YouTube downloader | Needed for Tunarr period-accurate filler sourcing workflow |
| 🔍 | Wizarr | TBD | — | Jellyfin user onboarding | Evaluating |
---
## 🎵 Media — Audio
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Lidarr | znas / Swarm | — | Music downloader | (Caddy label not found in yaml — likely static Caddyfile entry) |
| ✅ | Beets | znas / Swarm | beets.netgrimoire.com | Music library tagging | `linuxserver/beets` |
| 🔍 | Navidrome | TBD | — | Music streaming server | Lightweight Subsonic-compatible |
| 🔍 | Soularr | TBD | — | Soulseek integration for Lidarr | Strongly recommended; fills gaps Usenet/torrents miss |
| 🔍 | Tubifarry | TBD | — | Spotify playlists → YouTube → Lidarr | https://github.com/TypNull/Tubifarry |
---
## 📚 Media — Books & Comics
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Calibre | znas / Compose | calibre.netgrimoire.com | Ebook library management | `linuxserver/calibre`; port 7070; behind Authentik; requires `seccomp=unconfined` (Compose-only) |
| ✅ | Calibre-Web Automated | znas / Swarm | books.netgrimoire.com · books.pncharris.com | Web UI + auto-import | `crocodilestick/calibre-web-automated`; dual-domain Caddy label |
| ✅ | Calibre-Web (library) | znas / Swarm | — | Secondary Calibre-Web instance | `linuxserver/calibre-web`; hostname `calibre-netgrimoire`; `library.yaml` |
| ✅ | Readarr | znas / Swarm | — | Book downloader | Using `blampe/rreading-glasses` image |
| 📋 | Mylar | znas / Swarm | — | Comic book downloader | Not currently running; needs setup soon. Reference `archive/arr.yaml` for old config |
| ✅ | Kavita | znas / Swarm | kavita.netgrimoire.com | Ebook/comic reader | `jvmilazz0/kavita` |
| ✅ | Comixed | znas / Swarm | comics.netgrimoire.com | Comic library server | `comixed/comixed` |
| ✅ | FreshRSS | znas / Swarm | rss.netgrimoire.com | RSS aggregator | `linuxserver/freshrss` |
| 🔍 | Komga | TBD | — | Comic/manga server | Evaluating vs Kavita/Comixed |
| 🔍 | MyAnonaMouse | TBD | — | Private ebook tracker | Worth investigating |
---
## 📥 Download Stack
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | NZBGet | znas / Swarm | — | Usenet download manager | `linuxserver/nzbget` |
| ✅ | SABnzbd | znas / Swarm | — | Usenet download manager | `linuxserver/sabnzbd` |
| ✅ | NZBHydra | znas / Swarm | hydra.netgrimoire.com | Usenet indexer aggregator | `linuxserver/nzbhydra2:dev`; altHUB, NZBGeek, Drunken Slug, Usenet Crawler, DogNZB |
| ✅ | Jackett | docker2 / Compose | jackett.netgrimoire.com | Torrent indexer | Runs inside Gluetun network; behind Authentik |
| ✅ | Transmission | docker2 / Compose | — | Torrent client | `network_mode: container:gluetun`; shares Gluetun VPN |
| ✅ | Recyclarr | znas / Swarm | — | Sonarr/Radarr quality profile sync | `recyclarr/recyclarr` |
| ✅ | Profilarr | znas / Swarm | profilarr.netgrimoire.com | Quality profile management | `santiagosayshey/profilarr` |
| ✅ | Configarr | znas / Swarm | configarr.netgrimoire.com | Arr config management | `raydak-labs/configarr` |
| 📋 | Prowlarr | TBD | — | Unified indexer manager | Low priority — light torrent usage; NZBHydra covers current needs |
---
## 🤖 AI & Automation (Gremlin Stack)
> All pinned to `znas` node on Docker Swarm via `swarm/ollama.yaml`.
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Ollama | znas / Swarm | — | Local LLM inference | CPU-only (Ryzen); 3B14B models |
| ✅ | Open WebUI | znas / Swarm | — | Chat interface for Ollama | `ghcr.io/open-webui/open-webui` |
| ✅ | Qdrant | znas / Swarm | — | Vector database for RAG | Wiki.js / markdown doc search |
| ✅ | n8n | znas / Swarm | — | Workflow automation | Forgejo webhook → doc gen, compose validation, alert triage |
| 🔍 | Perplexica | TBD | — | Self-hosted AI search | https://github.com/ItzCrazyKns/Perplexica |
---
## ☁️ Files, Notes & Personal Apps
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Nextcloud AIO | znas / Compose | cloud.netgrimoire.com | File sync / cloud storage | `nextcloud/all-in-one`; data at `/srv/NextCloud-AIO`; Caddy → port 11000 |
| ✅ | Immich | znas / Compose | immich.netgrimoire.com | Photo management | Port 2283; Postgres dump + Kopia backup; external photo + Nextcloud mounts |
| ✅ | Joplin Server | znas / Swarm | joplin.netgrimoire.com | Note sync server | `joplin/server` + postgres; Homepage widget configured |
| ✅ | Vikunja | znas / Swarm | task.netgrimoire.com | Task management | `vikunja/vikunja` + MariaDB |
| ✅ | Linkding | znas / Swarm | link.netgrimoire.com | Bookmark manager | `sissbruecker/linkding:1.13.0` |
| ✅ | Mealie | znas / Swarm | recipe.netgrimoire.com | Recipe manager | `ghcr.io/mealie-recipes/mealie` |
| ✅ | Wallos | znas / Swarm | expense.netgrimoire.com | Subscription / expense tracker | `bellamy/wallos` |
| ✅ | DailyTxT | znas / Swarm | — | Encrypted diary | `phitux/dailytxt:2.x.x` |
| ✅ | Bigcapital | docker5 / Compose | accounts.netgrimoire.com | Accounting / invoicing | Static Caddyfile entry; `{{upstreams}}` doesn't work for Compose stacks |
| ✅ | Scanopy | znas / Swarm | scn.netgrimoire.com | Document scanner | `ghcr.io/scanopy/scanopy` (server + daemon) + postgres |
| ✅ | Glance | znas / Swarm | home.netgrimoire.com | Alternative dashboard | `glanceapp/glance` |
| 📋 | Memos | TBD | — | Self-hosted journaling | Preferred journal addition (alongside Joplin for notes) |
| 🔍 | Wallabag | TBD | — | Read-it-later / article saving | |
| 🔍 | Fluid Calendar | TBD | — | Self-hosted calendar | https://github.com/dotnetfactory/fluid-calendar |
| 🔍 | Firefly III | TBD | — | Personal finance / budgeting | |
| 🔍 | Stirling-PDF | TBD | — | PDF editor / tools | |
| 🔍 | Excalidraw | TBD | — | Collaborative whiteboard | |
| 🔍 | Baikal | TBD | — | CalDAV / CardDAV sync | https://sabre.io/baikal/ |
---
## 📝 Documentation & Dev
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Wiki.js | znas / Swarm | wiki.netgrimoire.com | Documentation wiki | `requarks/wiki:2` + postgres; Grimoire theme; Forgejo git backend |
| ✅ | Draw.io | znas / Swarm | draw.netgrimoire.com | Diagramming | `jgraph/drawio`; co-deployed in `wiki.yaml` |
| ✅ | Forgejo | znas / Swarm | git.netgrimoire.com | Self-hosted Git | `codeberg.org/forgejo/forgejo:11`; source of truth for Wiki.js + Gremlin |
| ✅ | Forgejo Runner | znas / Swarm | — | CI/CD | `data.forgejo.org/forgejo/runner:4.0.0`; `gitrunner.yaml` |
| ✅ | VS Code Server | znas / Swarm | code.netgrimoire.com | Web-based IDE | `linuxserver/code-server` |
| ✅ | Webtop (ubuntu-kde) | znas / Compose | webtop.netgrimoire.com | Browser-based desktop | Software rendering via llvmpipe; behind Authentik |
| ✅ | Firefox (container) | znas / Swarm | firefox.netgrimoire.com | Containerized browser | `jlesage/firefox` |
---
## 📊 Monitoring & Observability
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Uptime Kuma | znas / Swarm | — | Service uptime monitoring | `louislam/uptime-kuma:1` |
| ✅ | AutoKuma | znas / Swarm | — | Auto-create Kuma monitors from labels | `ghcr.io/bigboot/autokuma`; co-deployed in `kuma.yaml` |
| ✅ | Beszel | znas / Swarm | — | Docker resource monitoring | `henrygd/beszel` hub + agents on all nodes |
| ✅ | DIUN | znas / Swarm | — | Docker image update notifications | `crazymax/diun`; label-based per-service |
| ✅ | ntfy | znas / Swarm | ntfy.netgrimoire.com | Push notifications | `binwiederhier/ntfy`; OPNsense alerts via CrowdSec HTTP plugin |
| ✅ | Dozzle | znas / Swarm | dozzle.netgrimoire.com | Real-time container logs | `amir20/dozzle`; behind Authentik |
| ✅ | Scrutiny | znas / Compose | scrutiny.netgrimoire.com | Disk S.M.A.R.T. monitoring | `analogj/scrutiny:master-omnibus`; monitors /dev/sdasdg; behind Authentik |
| ✅ | Glances | znas / Compose | — | Real-time system stats | `nicolargo/glances`; `network_mode: host`; co-deployed in `monitor.yaml` |
| ✅ | Graylog | docker4 / Compose | log.netgrimoire.com | Log aggregation | Graylog 6.0 + MongoDB 5 + DataNode (OpenSearch); compose-only (noted in file) |
| ✅ | LibreNMS | docker3 / Compose | nms.netgrimoire.com | Network/SNMP monitoring | Full stack: librenms + dispatcher + syslog-ng + snmptrapd + MariaDB + Redis; port 8000 |
| ✅ | Homelable | znas / Compose | — | Infrastructure visualizer | Frontend + Backend via GHCR; MCP deferred (requires build from source) |
| ✅ | phpIPAM | znas / Swarm | ipam.netgrimoire.com | IP address management | `phpipam/phpipam-www` + cron + MariaDB |
| ✅ | Homepage | znas / Swarm | — | Primary dashboard | `ghcr.io/gethomepage/homepage` |
| ✅ | Glance | znas / Swarm | home.netgrimoire.com | Alternative dashboard | `glanceapp/glance` |
| ✅ | Dockpeek | znas / Swarm | dockpeek.netgrimoire.com | Container inspector | `dockpeek/dockpeek` |
| ✅ | Loki + Promtail + Grafana | znas / Swarm | — | Metrics/log stack | `logging.yaml`; Grafana 10.4.2 + Loki 2.9.3 + Promtail 2.9.3 |
| ✅ | phpMyAdmin + phpPgAdmin | znas / Swarm | — | DB admin UIs | `SQL-mgmt.yaml` |
| ✅ | pgAdmin | znas / Swarm | — | Postgres admin | `dpage/pgadmin4`; `database.yaml` |
| 🔍 | WatchYourLAN | TBD | — | Network device tracker | https://github.com/aceberg/WatchYourLAN |
| 🔍 | NUT UPS | TBD | — | UPS power management | https://hub.docker.com/r/instantlinux/nut-upsd |
| 🔍 | OliveTin | TBD | — | Web button → shell command | Run commands from web UI |
| 🔍 | Swarm Dashboard | TBD | — | Docker Swarm visualizer | https://github.com/mohsenasm/swarm-dashboard |
---
## 💾 Storage & Backup
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | OpenZFS (ZNAS) | znas | — | Primary storage | ~94TB raw, two RAIDZ1 VDEVs; vault pool |
| ✅ | NFSv4 | znas | — | Shared storage for Swarm | Loopback NFS at `/data/nfs/znas`; ZFS must fully mount before NFS starts |
| ✅ | Kopia (primary vault) | znas / Swarm | kopia.netgrimoire.com | Primary backup repo | `kopia.yaml`; dedup + replication |
| ✅ | Kopia (offsite vault) | znas / Swarm | vault.netgrimoire.com | Offsite replication server | `vault.yaml`; port 51516; separate dataset → ZFS raw send to Pi vaults |
| ✅ | syncoid | znas | — | ZFS replication | Syncs vault/Green/Pocket → Pocket Grimoire |
| ✅ | Nextcloud AIO BorgBackup | znas | — | Nextcloud-native backup | Local snapshots before Kopia |
| ✅ | Czkawka | znas / Swarm | dupes.netgrimoire.com | Duplicate file finder | `jlesage/czkawka` |
| ✅ | Cloud Commander | znas / Swarm | — | Web file manager | `coderaiser/cloudcmd`; **two instances** (`cloudcmd.yaml` + `commander.yaml`) — verify if intentional |
| ✅ | File Browser | znas / Swarm | — | Web file manager | `filebrowser/filebrowser` |
| 🔍 | Manyfold | TBD | — | 3D print model collector | https://github.com/manyfold3d/manyfold |
---
## 🖥️ Management & Remote Access
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Portainer | znas / Swarm | docker.netgrimoire.com | Container management UI | `portainer/portainer-ce:2.33.6` + agents on all nodes |
| ✅ | ISPConfig | 192.168.4.11 | — | Web/DNS hosting control panel | |
| ✅ | Cockpit | All hosts | win.netgrimoire.com | Linux server management | Caddy → `192.168.5.10:8006` |
| ✅ | Termix | znas / Swarm | termix.netgrimoire.com | Web-based terminal | `ghcr.io/lukegus/termix` |
| ✅ | DumbTerm | znas / Swarm | — | Simple web terminal | `dockwareio/dumbterm` |
| ✅ | Windows 7 (VM) | znas / Compose | — | Windows VM | `dockurr/windows`; `windows7.yaml` |
| 🔍 | Guacamole | TBD | — | Remote desktop gateway | Previously tried as `nxterm` — in archive |
| 🔍 | SSHwifty | TBD | — | SSH web client | In archive; reconsidering |
---
## 🎭 Green Door (Adult Content)
> Protected behind Authelia (`*.wasted-bandwidth.net`)
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Whisparr | znas / Swarm | — | Adult content downloader | `ghcr.io/hotio/whisparr` |
| ✅ | Namer | znas / Compose | namer.wasted-bandwidth.net | Scene file namer | `theporndatabase/namer`; port 6980; data → `/data/nfs/Baxter/Green/` |
| ✅ | Stash (main) | znas / Compose | stash.wasted-bandwidth.net | Adult content library | `stashapp/stash`; port 9999 |
| ✅ | PocketStash | znas / Compose | — | Stash for Pocket Grimoire | Separate instance; port 9998; data → `/export/Green/Pocket/`; `pocketstash.yaml` |
---
## 🌐 Web Hosting
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Apache/PHP web | znas / Swarm | fish.pncharris.com · www.wasted-bandwidth.net | Static/PHP web hosting | `php:8.2-apache`; `web.yaml`; replicas: 1 |
---
## 📦 Archive (Not Currently Running)
> Files in `archive/` — previously evaluated or deployed, not currently active.
| App | File | Notes |
|-----|------|-------|
| Plex | `plex.yaml` | Replaced by Jellyfin |
| Komodo | `komodo.yaml` | Container management platform — evaluated, not deployed |
| cAdvisor | `cadvisor.yaml` | Container metrics — not deployed |
| Peekaping | `peekaping.yaml` | Uptime monitor — Kuma preferred |
| WatchState | `WatchState.yaml` | Jellyfin/Plex watch state sync |
| Nessus | `nessus.yaml` | Vulnerability scanner — evaluated |
| NxTerm | `nxterm.yaml` | Guacamole-style remote desktop — evaluated |
| SSHwifty | `sshwifty.yaml` | SSH web client — evaluated |
| Wordpress Classifieds | `wordpress-classifieds.yaml` | Not deployed |
| Cal (calendar?) | `cal.yaml` | Evaluated |
| CrowdSec (standalone) | `crowdsec.yaml` | Merged into Caddy stack |
| Arr stack | `arr.yaml` | Old consolidated arr compose — superseded by individual yamls |
| Caddyfile.old | `Caddyfile.old` | Legacy Caddyfile |
---
## 🗃️ Ideas Backlog
| App | Category | Notes |
|-----|----------|-------|
| Soularr | Audio | Soulseek for Lidarr; strongly recommended |
| Tubifarry | Audio | Spotify → YouTube → Lidarr |
| MeTube | Video | YouTube downloader for Tunarr filler |
| Memos | Journal | Preferred self-hosted journal pick |
| Wallabag | Reading | Read-it-later |
| Firefly III | Finance | Budgeting |
| Baikal | PIM | CalDAV/CardDAV |
| Fluid Calendar | PIM | https://github.com/dotnetfactory/fluid-calendar |
| Perplexica | AI | Self-hosted AI search |
| WatchYourLAN | Network | Device tracker |
| OliveTin | Automation | Web UI → shell commands |
| Swarm Dashboard | Monitoring | Swarm-aware visualizer |
| ContainerNursery | Automation | On-demand container start/stop |
| NUT UPS | Power | UPS management |
| Wire-pod for Vector | IoT | Anki Vector local server |
| Kindle reuse | IoT | Repurpose Kindle as weather/info display |
| Collectarr | Media | https://github.com/RiffSphere/Collectarr |
| SuggestArr | Media | Automated media recommendations |
| Recommendarr | Media | AI media recommendations |
| Manyfold | 3D Print | Model library |
| OrcaSlicer | 3D Print | Slicer web UI |
| Memos / Journiv | Journal | Self-hosted journaling (Memos preferred) |
| Romm | Gaming | ROM library manager |
| EmulatorJS | Gaming | Browser-based emulation |
---
## 🔑 Key Architecture Decisions & Gotchas
> Reference these before deploying or modifying services.
- **MailCow network isolation:** Only `nginx-mailcow` on the `netgrimoire` overlay. All other containers stay on internal bridge. Mixing causes PHP-FPM → Redis DNS conflicts.
- **caddy-docker-proxy + static Caddyfile conflict:** Never manage the same hostname via both Docker labels AND a static block. Pick one method exclusively per service.
- **`{{upstreams}}` is Swarm-only:** Does not work for Docker Compose stacks. Use static Caddyfile with container name or pinned IP.
- **Docker Compose `ports: []` override:** Does not nullify ports from base file. Remap to unused host ports instead.
- **Graylog is Compose-only:** The `graylog.yaml` file explicitly notes this — do not attempt to run it in Swarm.
- **Calibre requires `seccomp=unconfined`:** Necessary for the desktop app container; incompatible with Swarm mode — must remain in `compose/znas/`.
- **Kopia repos not ZFS-separable:** Use separate repositories with independent retention (`kopia.yaml` vs `vault.yaml`) rather than trying to separate at the ZFS snapshot level.
- **ZFS encryption:** In-place encryption impossible. Use rsync migration + `-w` flag for raw send to Pi vaults (no key needed on vault side).
- **SRS rewrite:** All domains using MXRoute inbound forwarding require catch-all aliases in MailCow to prevent `reject_unlisted_sender` rejections.
- **Docker Swarm DNS caching:** Use `endpoint_mode: dnsrr` for internal services; VIP only for published-port services.
- **NFS boot ordering on znas:** ZFS must fully mount before NFS starts — systemd override required (`After=zfs-import.target zfs-mount.service`). Loopback NFS mount needs `x-systemd.after=nfs-server.service` in fstab.
- **Wiki.js angle brackets:** `<value>` placeholders cause rendering hangs. Use `VALUE` or backtick format instead.
- **bcrypt in `.env`:** Wrap full hash in single quotes to preserve leading `$`.
- **Webtop GPU rendering:** Requires `LIBGL_ALWAYS_SOFTWARE=1` + `GALLIUM_DRIVER=llvmpipe`; remove `devices:/dev/dri` mapping.
- **Cloud Commander duplication:** Two nearly identical `coderaiser/cloudcmd` stacks exist (`cloudcmd.yaml` + `commander.yaml`) — verify if intentional or a duplicate to clean up.
- **Lidarr missing Caddy label:** Lidarr yaml has no caddy label — either routed via static Caddyfile or not yet exposed. Confirm and standardize.
---
*Last updated: March 2026 | Source: Forgejo repo git archive*
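Review bot: Access protection is recorded inconsistently across the service tables. The Authentik row says it "Protects `*.netgrimoire.com` services", but only some rows (Internal DNS, Jackett, Calibre, Webtop, Dozzle, Scrutiny) are marked "behind Authentik", while management surfaces with a `netgrimoire.com` URL such as Portainer (`docker.netgrimoire.com`), Termix, VS Code Server and phpIPAM say nothing either way. Suggest an explicit Auth column (Authentik / Authelia / app-native / none) so an unprotected service can be told apart from an undocumented one. Because the front matter sets `published: true` and the page lists a dedicated static IP (Jellyfin row), WireGuard peer names, and controls noted as disabled (OPNsense Spamhaus + GeoIP, Roundcube SSL peer verify), please also confirm the wiki page itself is limited to authenticated readers. Smaller points: the Glance row appears verbatim in both "Files, Notes & Personal Apps" and "Monitoring & Observability"; Memos is listed twice in Ideas Backlog ("Memos" and "Memos / Journiv"); the ❌ status in the legend is never used; and the Cockpit row pairs "All hosts" with `win.netgrimoire.com` and `192.168.5.10:8006`, which is worth checking against the Windows 7 (VM) row that has no URL.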