diff --git a/compose/znas/homelable/.env b/compose/znas/homelable/.env
new file mode 100644
index 0000000..44607fd
--- /dev/null
+++ b/compose/znas/homelable/.env
@@ -0,0 +1,32 @@
+# ============================================================
+# Homelable — Environment Configuration
+# ============================================================
+# Deploy: docker stack deploy --env-file homelable.env -c homelable-stack.yml homelable
+# ============================================================
+
+# Generate with: python3 -c "import secrets; print(secrets.token_hex(32))"
+SECRET_KEY=c11b1b069248886b07fc58f94952e130630853369b58ed36c32589d708e285a7
+
+# --- Web UI credentials ---
+AUTH_USERNAME=admin
+# Generate hash:
+# docker run --rm ghcr.io/pouzor/homelable-backend:latest \
+# python -c "from passlib.context import CryptContext; print(CryptContext(schemes=['bcrypt']).hash('yourpassword'))"
+# Keep single quotes — bcrypt hashes contain $ characters
+AUTH_PASSWORD_HASH='$2b$12$REPLACE_WITH_REAL_BCRYPT_HASH'
+
+# --- Network scanner ---
+# Adjust CIDR ranges to match your subnet layout
+SCANNER_RANGES=["192.168.3.0/24","192.168.4.0/24","192.168.5.0/24"]
+
+# How often to poll node health (seconds)
+STATUS_CHECKER_INTERVAL=60
+
+# --- MCP server keys ---
+# Authenticates external MCP clients (Open WebUI / Gremlin, Claude Code, n8n)
+# Generate: python3 -c "import secrets; print('mcp_sk_' + secrets.token_hex(32))"
+MCP_API_KEY=mcp_sk_CHANGEME
+
+# Authenticates MCP server -> backend internally (never leave this network)
+# Generate: python3 -c "import secrets; print('svc_' + secrets.token_hex(32))"
+MCP_SERVICE_KEY=svc_d60114070a6f3c4cfe5cd9f676499a857088f5da37d18499c8cf9901264fdab7
diff --git a/compose/znas/homelable/docker-compose.yaml b/compose/znas/homelable/docker-compose.yaml
new file mode 100644
index 0000000..8f3280b
--- /dev/null
+++ b/compose/znas/homelable/docker-compose.yaml
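Review bot: In the new `.env`, `SECRET_KEY` and `MCP_SERVICE_KEY` are set to 64-hex-character values that look like real generated secrets, unlike the placeholders `MCP_API_KEY=mcp_sk_CHANGEME` and the bcrypt stub beside them. If those values are in use anywhere, they are now in repository history and should be rotated. The committed file would be safer as a template with `SECRET_KEY=CHANGEME` and `MCP_SERVICE_KEY=svc_CHANGEME`, with the real `.env` kept out of git or supplied through Docker secrets. The `# Deploy:` comment also names `homelable.env` and `homelable-stack.yml`, which do not match the `.env` and `docker-compose.yaml` this commit adds.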
@@ -0,0 +1,80 @@
+networks:
+ netgrimoire:
+ external: true
+
+services:
+ frontend:
+ image: ghcr.io/pouzor/homelable-frontend:latest
+ networks:
+ - netgrimoire
+ environment:
+ - VITE_API_URL=https://homelable-api.netgrimoire.com
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.hostname == znas
+ labels:
+ # --- Caddy reverse proxy ---
+ caddy: homelable.netgrimoire.com
+ caddy.reverse_proxy: "{{upstreams 80}}"
+ # --- Homepage ---
+ homepage.group: Tools
+ homepage.name: Homelable
+ homepage.icon: homelable.png
+ homepage.href: https://homelable.netgrimoire.com
+ homepage.description: Homelab infrastructure visualizer
+ # --- Uptime Kuma ---
+ kuma.homelable.http.url: https://homelable.netgrimoire.com
+
+ backend:
+ image: ghcr.io/pouzor/homelable-backend:latest
+ networks:
+ - netgrimoire
+ volumes:
+ - /DockerVol/homelable/data:/app/data
+ environment:
+ - SECRET_KEY=${SECRET_KEY}
+ - AUTH_USERNAME=${AUTH_USERNAME}
+ - AUTH_PASSWORD_HASH=${AUTH_PASSWORD_HASH}
+ - SCANNER_RANGES=${SCANNER_RANGES:-["192.168.3.0/24","192.168.4.0/24","192.168.5.0/24"]}
+ - STATUS_CHECKER_INTERVAL=${STATUS_CHECKER_INTERVAL:-60}
+ cap_add:
+ - NET_RAW
+ - NET_ADMIN
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.hostname == znas
+ labels:
+ # --- Caddy reverse proxy ---
+ caddy: homelable-api.netgrimoire.com
+ caddy.reverse_proxy: "{{upstreams 8000}}"
+ # --- Uptime Kuma ---
+ kuma.homelable-api.http.url: https://homelable-api.netgrimoire.com/health
+
+ mcp:
+ image: ghcr.io/pouzor/homelable-mcp:latest
+ networks:
+ - netgrimoire
+ environment:
+ # Authenticates external MCP clients (Open WebUI, Claude Code, n8n)
+ - MCP_API_KEY=${MCP_API_KEY}
+ # Authenticates MCP server -> backend (internal only, never exposed)
+ - MCP_SERVICE_KEY=${MCP_SERVICE_KEY}
+ - BACKEND_URL=http://backend:8000
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.hostname == znas
+ labels:
+ # --- Caddy reverse proxy ---
+ # Exposed for Claude Code on remote machines — remove label if LAN-only preferred
+ caddy: homelable-mcp.netgrimoire.com
+ caddy.reverse_proxy: "{{upstreams 8001}}"
+ # --- Uptime Kuma ---
+ kuma.homelable-mcp.http.url: https://homelable-mcp.netgrimoire.com/health
+ # --- DIUN image update notifications ---
+ diun.enable: "true"
\ No newline at end of file
diff --git a/compose/znas/webtop.yaml b/compose/znas/webtop.yaml
index 1af829c..90fdfd8 100644
--- a/compose/znas/webtop.yaml
+++ b/compose/znas/webtop.yaml
@@ -34,7 +34,7 @@ services: - kuma.sab.http.name="Webtop" - kuma.sab.http.url=http://webtop:3000 # - caddy=webtop.netgrimoire.com - # - caddy.import=authentik + # - caddy.import=authentik # - caddy.reverse_proxy="{{upstreams 3000}}" networks:
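Review bot: In `docker-compose.yaml`, the `backend` service is granted both `NET_RAW` and `NET_ADMIN` and is also published through Caddy at `homelable-api.netgrimoire.com`, so a container with network-administration capabilities sits directly behind a proxied login. If the scanner only needs raw sockets, `- NET_ADMIN` can be dropped; that should be confirmed against the image's documentation. The `mcp` service is published as well, and `- MCP_API_KEY=${MCP_API_KEY}` deploys happily with an empty value; `- MCP_API_KEY=${MCP_API_KEY:?MCP_API_KEY must be set}` would make an unset key fail the deploy, provided the deploy tooling honours that interpolation form. All three images are referenced as `:latest`, so pinning a version tag or digest would make what runs with those capabilities reproducible.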