proxmox-infra/docs/CONFIGURATIONS.md

# Configuration Reference

> **Purpose**: Detailed configuration for all services - copy/paste ready configs and settings
> **Update Frequency**: When service configurations change

## Traefik

### SSL/TLS with Let's Encrypt

**Location**: LXC 104 on pm2

**Environment Variables** (`/etc/systemd/system/traefik.service.d/override.conf`):
```bash
NAMECHEAP_API_USER=kavren
NAMECHEAP_API_KEY=8156f3d9ef664c91b95f029dfbb62ad5
NAMECHEAP_PROPAGATION_TIMEOUT=3600
NAMECHEAP_POLLING_INTERVAL=30
NAMECHEAP_TTL=300
```

**Main Config** (`/etc/traefik/traefik.yaml`):
```yaml
certificatesResolvers:
  letsencrypt:
    acme:
      email: cory.bailey87@gmail.com
      storage: /etc/traefik/ssl/acme.json
      dnsChallenge:
        provider: namecheap
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```

### Service Routing Examples

**Home Assistant** (`/etc/traefik/conf.d/home-automation.yaml`):
```yaml
http:
  routers:
    homeassistant:
      rule: "Host(`hass.kavcorp.com`)"
      entryPoints:
        - websecure
      service: homeassistant
      tls:
        certResolver: letsencrypt

  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://10.4.2.62:8123"
```

**Ollama** (`/etc/traefik/conf.d/ollama.yaml`):
```yaml
http:
  routers:
    ollama:
      rule: "Host(`ollama.kavcorp.com`)"
      entryPoints:
        - websecure
      service: ollama
      tls:
        certResolver: letsencrypt

  services:
    ollama:
      loadBalancer:
        servers:
          - url: "http://10.4.2.224:11434"
```

**Frigate** (`/etc/traefik/conf.d/frigate.yaml`):
```yaml
http:
  routers:
    frigate:
      rule: "Host(`frigate.kavcorp.com`)"
      entryPoints:
        - websecure
      service: frigate
      tls:
        certResolver: letsencrypt

  services:
    frigate:
      loadBalancer:
        servers:
          - url: "https://10.4.2.8:8971"
        serversTransport: frigate-transport

  serversTransports:
    frigate-transport:
      insecureSkipVerify: true
```

**Note**: Frigate uses port 8971 for authenticated access with a self-signed TLS certificate. Port 5000 is unauthenticated (for Home Assistant integration only).

**Foundry VTT** (`/etc/traefik/conf.d/foundry.yaml`):
```yaml
http:
  routers:
    foundry:
      rule: "Host(`vtt.kavcorp.com`)"
      entryPoints:
        - websecure
      service: foundry
      tls:
        certResolver: letsencrypt

  services:
    foundry:
      loadBalancer:
        servers:
          - url: "http://10.4.2.37:30000"
```

**Proxmox** (`/etc/traefik/conf.d/proxmox.yaml`):
```yaml
http:
  routers:
    proxmox:
      rule: "Host(`pm.kavcorp.com`)"
      entryPoints:
        - websecure
      service: proxmox
      tls:
        certResolver: letsencrypt

  services:
    proxmox:
      loadBalancer:
        servers:
          - url: "https://10.4.2.6:8006"
        serversTransport: proxmox-transport

  serversTransports:
    proxmox-transport:
      insecureSkipVerify: true
```

## Synology DSM

**Location**: KavNas (Synology NAS)
**IP**: 10.4.2.13:5001
**Domain**: dsm.kavcorp.com

**Traefik Config** (`/etc/traefik/conf.d/dsm.yaml`):
```yaml
http:
  routers:
    dsm:
      rule: "Host(`dsm.kavcorp.com`)"
      entryPoints:
        - websecure
      service: dsm
      tls:
        certResolver: letsencrypt

  services:
    dsm:
      loadBalancer:
        servers:
          - url: "http://10.4.2.13:5001"
```

**Note**: DSM is configured for HTTP on port 5001 (not HTTPS). Traefik terminates TLS.

## AMP (Application Management Panel)

**Location**: LXC 124 on elantris
**IP**: 10.4.2.26:8080
**Domain**: amp.kavcorp.com

**Traefik Config** (`/etc/traefik/conf.d/amp.yaml`):
```yaml
http:
  routers:
    amp:
      rule: "Host(`amp.kavcorp.com`)"
      entryPoints:
        - websecure
      service: amp
      tls:
        certResolver: letsencrypt

  services:
    amp:
      loadBalancer:
        servers:
          - url: "http://10.4.2.26:8080"
```

## Home Assistant

**Location**: VM 100 on pm1
**IP**: 10.4.2.62:8123

**Reverse Proxy Config** (`/config/configuration.yaml`):
```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.4.2.10  # Traefik IP
    - 172.30.0.0/16  # Home Assistant internal network (for add-ons)
```

## Sonarr

**Location**: LXC 105 on pm2
**IP**: 10.4.2.15:8989
**API Key**: b331fe18ec2144148a41645d9ce8b249

**Media Management Settings**:
- Permissions: Enabled, chmod 777
- Hardlinks: Enabled
- Episode title required: Always
- Free space check: 100MB minimum

## Radarr

**Location**: LXC 108
**IP**: 10.4.2.16:7878
**API Key**: 5e6796988abf4d6d819a2b506a44f422

## NZBGet

**Location**: Docker on kavnas (10.4.2.13)
**Port**: 6789
**Web User**: kavren
**Web Password**: fre8ub2ax8

**Key Settings** (`/volume1/docker/nzbget/config/nzbget.conf`):
```ini
MainDir=/config
DestDir=/downloads/completed
InterDir=/downloads/intermediate
UMask=0000  # Creates files with 777 permissions
```

**Docker Mounts**:
- Config: `/volume1/docker/nzbget/config:/config`
- Downloads: `/volume1/Media/downloads:/downloads`

## Recyclarr

**Location**: LXC 122 on pm2
**IP**: 10.4.2.25
**Binary**: `/usr/local/bin/recyclarr`
**Config**: `/root/.config/recyclarr/recyclarr.yml`

**Sync Schedule**: Daily at 3 AM via cron

**Configured Profiles**:
- **Radarr**: HD Bluray + WEB (1080p), Remux-1080p - Anime
- **Sonarr**: WEB-1080p, Remux-1080p - Anime
- **Custom Formats**: TRaSH Guides synced (Dolby Vision blocked, release group tiers)

## Jellyfin

**Location**: LXC 121 on elantris
**IP**: 10.4.2.21:8096

**Media Mounts** (inside LXC):
- `/media/tv` → `/el-pool/media/tv`
- `/media/anime` → `/el-pool/media/anime`
- `/media/movies` → `/el-pool/media/movies`

**Permissions**: Files must be 777 for Jellyfin user (UID 100107 in LXC) to access

## Vaultwarden

**Location**: LXC 125 on pm4
**IP**: 10.4.2.212:80
**Domain**: vtw.kavcorp.com

**Traefik Config** (`/etc/traefik/conf.d/vaultwarden.yaml`):
```yaml
http:
  routers:
    vaultwarden:
      rule: "Host(`vtw.kavcorp.com`)"
      entryPoints:
        - websecure
      service: vaultwarden
      tls:
        certResolver: letsencrypt

  services:
    vaultwarden:
      loadBalancer:
        servers:
          - url: "http://10.4.2.212:80"
```

## Pi-hole

**Location**: LXC 103 on pm4
**IP**: 10.4.2.129
**Domain**: pihole.kavcorp.com
**Web UI**: http://10.4.2.129/admin

**DNS Configuration**:
- Unbound recursive DNS on port 5335
- Pi-hole uses `127.0.0.1#5335` as upstream

**Traefik Config** (`/etc/traefik/conf.d/pihole.yaml`):
```yaml
http:
  routers:
    pihole:
      rule: "Host(`pihole.kavcorp.com`)"
      entryPoints:
        - websecure
      service: pihole
      tls:
        certResolver: letsencrypt

  services:
    pihole:
      loadBalancer:
        servers:
          - url: "http://10.4.2.129"
```

**Router Configuration** (Asus):
- LAN → DHCP Server → DNS Server 1: `10.4.2.129`
- DNS Server 2: `1.1.1.1` (fallback)

## Immich

**Location**: LXC 126 on pm4
**IP**: 10.4.2.24:2283
**Domain**: immich.kavcorp.com

**Config** (`/opt/immich/.env`):
```bash
TZ=America/Indiana/Indianapolis
IMMICH_VERSION=release
NODE_ENV=production
DB_HOSTNAME=127.0.0.1
DB_USERNAME=immich
DB_PASSWORD=AulF5JhgWXrRxtaV05
DB_DATABASE_NAME=immich
DB_VECTOR_EXTENSION=pgvector
REDIS_HOSTNAME=127.0.0.1
IMMICH_MACHINE_LEARNING_URL=http://127.0.0.1:3003
MACHINE_LEARNING_CACHE_FOLDER=/opt/immich/cache
IMMICH_MEDIA_LOCATION=/mnt/immich-library
```

**NFS Mount** (configured via `pct set 126 -mp0`):
- Host path: `/mnt/pve/elantris-downloads/immich`
- Container path: `/mnt/immich-library`
- Source: elantris (`/el-pool/downloads/immich/`)

**Systemd Services**:
- `immich-web.service` - Web UI and API
- `immich-ml.service` - Machine learning service

**Traefik Config** (`/etc/traefik/conf.d/immich.yaml`):
```yaml
http:
  routers:
    immich:
      rule: "Host(`immich.kavcorp.com`)"
      entryPoints:
        - websecure
      service: immich
      tls:
        certResolver: letsencrypt

  services:
    immich:
      loadBalancer:
        servers:
          - url: "http://10.4.2.24:2283"
```