# Configuration Reference

> **Purpose**: Detailed configuration for all services - copy/paste ready configs and settings
> **Update Frequency**: When service configurations change

## Traefik

### SSL/TLS with Let's Encrypt

**Location**: LXC 104 on pm2

**Environment Variables** (`/etc/systemd/system/traefik.service.d/override.conf`):

```bash
NAMECHEAP_API_USER=kavren
NAMECHEAP_API_KEY=8156f3d9ef664c91b95f029dfbb62ad5
NAMECHEAP_PROPAGATION_TIMEOUT=3600
NAMECHEAP_POLLING_INTERVAL=30
NAMECHEAP_TTL=300
```

**Main Config** (`/etc/traefik/traefik.yaml`):

```yaml
certificatesResolvers:
  letsencrypt:
    acme:
      email: cory.bailey87@gmail.com
      storage: /etc/traefik/ssl/acme.json
      dnsChallenge:
        provider: namecheap
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```

### Service Routing Examples

**Home Assistant** (`/etc/traefik/conf.d/home-automation.yaml`):

```yaml
http:
  routers:
    homeassistant:
      rule: "Host(`hass.kavcorp.com`)"
      entryPoints:
        - websecure
      service: homeassistant
      tls:
        certResolver: letsencrypt
  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://10.4.2.62:8123"
```

**Ollama** (`/etc/traefik/conf.d/ollama.yaml`):

```yaml
http:
  routers:
    ollama:
      rule: "Host(`ollama.kavcorp.com`)"
      entryPoints:
        - websecure
      service: ollama
      tls:
        certResolver: letsencrypt
  services:
    ollama:
      loadBalancer:
        servers:
          - url: "http://10.4.2.224:11434"
```

**Frigate** (`/etc/traefik/conf.d/frigate.yaml`):

```yaml
http:
  routers:
    frigate:
      rule: "Host(`frigate.kavcorp.com`)"
      entryPoints:
        - websecure
      service: frigate
      tls:
        certResolver: letsencrypt
  services:
    frigate:
      loadBalancer:
        servers:
          - url: "https://10.4.2.8:8971"
        serversTransport: frigate-transport
  serversTransports:
    frigate-transport:
      insecureSkipVerify: true
```

**Note**: Frigate uses port 8971 for authenticated access with a self-signed TLS certificate. Port 5000 is unauthenticated (for Home Assistant integration only).

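
Added example, not part of the original configuration: the Frigate transport above with backend certificate verification left on, trusting Frigate's self-signed certificate instead of setting `insecureSkipVerify: true`. The certificate path and the `serverName` value are assumptions.

```yaml
http:
  services:
    frigate:
      loadBalancer:
        servers:
          - url: "https://10.4.2.8:8971"
        serversTransport: frigate-transport

  serversTransports:
    frigate-transport:
      # Before (as configured on this page): any certificate is accepted,
      # so whatever answers on 10.4.2.8:8971 is treated as Frigate.
      # insecureSkipVerify: true

      # After: verify the backend against a pinned copy of Frigate's
      # self-signed certificate (assumed path; copy it from the Frigate host).
      rootCAs:
        - /etc/traefik/certs/frigate.pem
      # Name Traefik verifies the certificate against (assumed value);
      # it must appear in the certificate's SAN list.
      serverName: frigate.kavcorp.com
```

The `proxmox-transport` entry can be tightened the same way with the certificate that Proxmox presents.
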
**Foundry VTT** (`/etc/traefik/conf.d/foundry.yaml`):

```yaml
http:
  routers:
    foundry:
      rule: "Host(`vtt.kavcorp.com`)"
      entryPoints:
        - websecure
      service: foundry
      tls:
        certResolver: letsencrypt
  services:
    foundry:
      loadBalancer:
        servers:
          - url: "http://10.4.2.37:30000"
```

**Proxmox** (`/etc/traefik/conf.d/proxmox.yaml`):

```yaml
http:
  routers:
    proxmox:
      rule: "Host(`pm.kavcorp.com`)"
      entryPoints:
        - websecure
      service: proxmox
      tls:
        certResolver: letsencrypt
  services:
    proxmox:
      loadBalancer:
        servers:
          - url: "https://10.4.2.6:8006"
        serversTransport: proxmox-transport
  serversTransports:
    proxmox-transport:
      insecureSkipVerify: true
```

## Synology DSM

**Location**: KavNas (Synology NAS)
**IP**: 10.4.2.13:5001
**Domain**: dsm.kavcorp.com

**Traefik Config** (`/etc/traefik/conf.d/dsm.yaml`):

```yaml
http:
  routers:
    dsm:
      rule: "Host(`dsm.kavcorp.com`)"
      entryPoints:
        - websecure
      service: dsm
      tls:
        certResolver: letsencrypt
  services:
    dsm:
      loadBalancer:
        servers:
          - url: "http://10.4.2.13:5001"
```

**Note**: DSM is configured for HTTP on port 5001 (not HTTPS). Traefik terminates TLS.

## AMP (Application Management Panel)

**Location**: LXC 124 on elantris
**IP**: 10.4.2.26:8080
**Domain**: amp.kavcorp.com

**Traefik Config** (`/etc/traefik/conf.d/amp.yaml`):

```yaml
http:
  routers:
    amp:
      rule: "Host(`amp.kavcorp.com`)"
      entryPoints:
        - websecure
      service: amp
      tls:
        certResolver: letsencrypt
  services:
    amp:
      loadBalancer:
        servers:
          - url: "http://10.4.2.26:8080"
```

## Home Assistant

**Location**: VM 100 on pm1
**IP**: 10.4.2.62:8123

**Reverse Proxy Config** (`/config/configuration.yaml`):

```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.4.2.10 # Traefik IP
    - 172.30.0.0/16 # Home Assistant internal network (for add-ons)
```

## Sonarr

**Location**: LXC 105 on pm2
**IP**: 10.4.2.20:8989
**API Key**: b331fe18ec2144148a41645d9ce8b249

**Media Management Settings**:

- Permissions: Enabled, chmod 777
- Hardlinks: Enabled
- Episode title required: Always
- Free space check: 100MB minimum

## Radarr

**Location**: LXC 108
**IP**: 10.4.2.16:7878
**API Key**: 5e6796988abf4d6d819a2b506a44f422

## NZBGet

**Location**: Docker on kavnas (10.4.2.13)
**Port**: 6789
**Web User**: kavren
**Web Password**: fre8ub2ax8

**Key Settings** (`/volume1/docker/nzbget/config/nzbget.conf`):

```ini
MainDir=/config
DestDir=/downloads/completed
InterDir=/downloads/intermediate
UMask=0000 # Creates files with 777 permissions
```

**Docker Mounts**:

- Config: `/volume1/docker/nzbget/config:/config`
- Downloads: `/volume1/Media/downloads:/downloads`

## Recyclarr

**Location**: LXC 122 on pm2
**IP**: 10.4.2.25
**Binary**: `/usr/local/bin/recyclarr`
**Config**: `/root/.config/recyclarr/recyclarr.yml`

**Sync Schedule**: Daily at 3 AM via cron

**Configured Profiles**:

- **Radarr**: HD Bluray + WEB (1080p), Remux-1080p - Anime
- **Sonarr**: WEB-1080p, Remux-1080p - Anime
- **Custom Formats**: TRaSH Guides synced (Dolby Vision blocked, release group tiers)

## Jellyfin

**Location**: LXC 121 on elantris
**IP**: 10.4.2.21:8096

**Media Mounts** (inside LXC):

- `/media/tv` → `/el-pool/media/tv`
- `/media/anime` → `/el-pool/media/anime`
- `/media/movies` → `/el-pool/media/movies`

**Permissions**: Files must be 777 for Jellyfin user (UID 100107 in LXC) to access

## Vaultwarden

**Location**: LXC 125 on pm4
**IP**: 10.4.2.212:80
**Domain**: vtw.kavcorp.com

**Traefik Config** (`/etc/traefik/conf.d/vaultwarden.yaml`):

```yaml
http:
  routers:
    vaultwarden:
      rule: "Host(`vtw.kavcorp.com`)"
      entryPoints:
        - websecure
      service: vaultwarden
      tls:
        certResolver: letsencrypt
  services:
    vaultwarden:
      loadBalancer:
        servers:
          - url: "http://10.4.2.212:80"
```

## Pi-hole

**Location**: LXC 103 on pm4
**IP**: 10.4.2.129
**Domain**: pihole.kavcorp.com
**Web UI**: http://10.4.2.129/admin

**DNS Configuration**:

- Unbound recursive DNS on port 5335
- Pi-hole uses `127.0.0.1#5335` as upstream

**Traefik Config** (`/etc/traefik/conf.d/pihole.yaml`):

```yaml
http:
  routers:
    pihole:
      rule: "Host(`pihole.kavcorp.com`)"
      entryPoints:
        - websecure
      service: pihole
      tls:
        certResolver: letsencrypt
  services:
    pihole:
      loadBalancer:
        servers:
          - url: "http://10.4.2.129"
```

**Router Configuration** (Asus):

- LAN → DHCP Server → DNS Server 1: `10.4.2.129`
- DNS Server 2: `1.1.1.1` (fallback)

## Immich

**Location**: LXC 126 on pm4
**IP**: 10.4.2.24:2283
**Domain**: immich.kavcorp.com

**Config** (`/opt/immich/.env`):

```bash
TZ=America/Indiana/Indianapolis
IMMICH_VERSION=release
NODE_ENV=production
DB_HOSTNAME=127.0.0.1
DB_USERNAME=immich
DB_PASSWORD=AulF5JhgWXrRxtaV05
DB_DATABASE_NAME=immich
DB_VECTOR_EXTENSION=pgvector
REDIS_HOSTNAME=127.0.0.1
IMMICH_MACHINE_LEARNING_URL=http://127.0.0.1:3003
MACHINE_LEARNING_CACHE_FOLDER=/opt/immich/cache
IMMICH_MEDIA_LOCATION=/mnt/immich-library
```

**NFS Mount** (configured via `pct set 126 -mp0`):

- Host path: `/mnt/pve/elantris-downloads/immich`
- Container path: `/mnt/immich-library`
- Source: elantris (`/el-pool/downloads/immich/`)

**Systemd Services**:

- `immich-web.service` - Web UI and API
- `immich-ml.service` - Machine learning service

**Traefik Config** (`/etc/traefik/conf.d/immich.yaml`):

```yaml
http:
  routers:
    immich:
      rule: "Host(`immich.kavcorp.com`)"
      entryPoints:
        - websecure
      service: immich
      tls:
        certResolver: letsencrypt
  services:
    immich:
      loadBalancer:
        servers:
          - url: "http://10.4.2.24:2283"
```

## RomM

**Location**: Docker on docker-pm3 (VM 109)
**IP**: 10.4.2.202:8998
**Version**: 4.5.0

**Docker Compose** (`/opt/romm/docker-compose.yml`):

```yaml
services:
  romm:
    image: rommapp/romm:latest
    container_name: romm
    ports:
      - 8998:8080
    environment:
      - DB_HOST=romm-db
      - DB_NAME=romm
      - DB_USER=romm-user
      - DB_PASSWD=55e7720ac5100322678bacf0a7705bf9
      - ROMM_AUTH_SECRET_KEY=05817a5501383c44287fc4079082f9fc0543013f186e61789aa2cc2be58d22e8
      - HASHEOUS_API_ENABLED=true
      - ENABLE_SCHEDULED_RESCAN=true
      - SCHEDULED_RESCAN_CRON=0 3 * * *
      - ENABLE_RESCAN_ON_FILESYSTEM_CHANGE=true
      - RESCAN_ON_FILESYSTEM_CHANGE_DELAY=5
      - SCREENSCRAPER_USER=kavren
      - SCREENSCRAPER_PASSWORD=outlaw
      - RETROACHIEVEMENTS_USERNAME=kavren
      - RETROACHIEVEMENTS_API_KEY=obwPWYqylOhy9LA0Mapr64LrUuKNUZLc
      - STEAMGRIDDB_API_KEY=447ec66ceaef54d52e249a403ec4d4ec
      - PLAYMATCH_API_ENABLED=true
    volumes:
      - romm_resources:/romm/resources
      - romm_redis_data:/redis-data
      - /mnt/kavnas/Roms:/romm/library
      - /opt/romm/config:/romm/config
  romm-db:
    image: mariadb:latest
    container_name: romm-db
    environment:
      - MARIADB_ROOT_PASSWORD=55e7720ac5100322678bacf0a7705bf9
      - MARIADB_DATABASE=romm
      - MARIADB_USER=romm-user
      - MARIADB_PASSWORD=55e7720ac5100322678bacf0a7705bf9
```

**NFS Mount** (docker-pm3 `/etc/fstab`):

```
10.4.2.13:/volume1/Media /mnt/kavnas nfs rw,soft,nfsvers=4 0 0
```

**ROM Library Structure** (RomM expects Structure A: `/library/roms//`):

- Mount: `/mnt/kavnas/Roms:/romm/library`
- ROMs location: `/mnt/kavnas/Roms/roms//` → `/romm/library/roms//`
- Assets: `/mnt/kavnas/Roms/assets/` (cover art, screenshots)

**Network Note**: docker-pm3 gateway is 10.4.2.1 (configured in `/etc/netplan/50-cloud-init.yaml`)

**Traefik Config** (`/etc/traefik/conf.d/romm.yaml`):

```yaml
http:
  routers:
    romm:
      rule: "Host(`romm.kavcorp.com`)"
      entryPoints:
        - websecure
      service: romm
      tls:
        certResolver: letsencrypt
  services:
    romm:
      loadBalancer:
        servers:
          - url: "http://10.4.2.202:8998"
```