proxmox-infra/docs/CONFIGURATIONS.md
kavren 800defa479 config: Enable RomM auto-scanning
- Added ENABLE_SCHEDULED_RESCAN (daily at 3 AM)
- Added ENABLE_RESCAN_ON_FILESYSTEM_CHANGE (5 min delay)
- Updated docker-compose and documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-12 18:47:51 -05:00


# Configuration Reference
> **Purpose**: Detailed configuration for all services - copy/paste ready configs and settings
> **Update Frequency**: When service configurations change
## Traefik
### SSL/TLS with Let's Encrypt
**Location**: LXC 104 on pm2
**Environment Variables** (`/etc/systemd/system/traefik.service.d/override.conf`):
```bash
NAMECHEAP_API_USER=kavren
NAMECHEAP_API_KEY=8156f3d9ef664c91b95f029dfbb62ad5
NAMECHEAP_PROPAGATION_TIMEOUT=3600
NAMECHEAP_POLLING_INTERVAL=30
NAMECHEAP_TTL=300
```
**Main Config** (`/etc/traefik/traefik.yaml`):
```yaml
certificatesResolvers:
  letsencrypt:
    acme:
      email: cory.bailey87@gmail.com
      storage: /etc/traefik/ssl/acme.json
      dnsChallenge:
        provider: namecheap
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```
### Service Routing Examples
**Home Assistant** (`/etc/traefik/conf.d/home-automation.yaml`):
```yaml
http:
  routers:
    homeassistant:
      rule: "Host(`hass.kavcorp.com`)"
      entryPoints:
        - websecure
      service: homeassistant
      tls:
        certResolver: letsencrypt
  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://10.4.2.62:8123"
```
**Ollama** (`/etc/traefik/conf.d/ollama.yaml`):
```yaml
http:
  routers:
    ollama:
      rule: "Host(`ollama.kavcorp.com`)"
      entryPoints:
        - websecure
      service: ollama
      tls:
        certResolver: letsencrypt
  services:
    ollama:
      loadBalancer:
        servers:
          - url: "http://10.4.2.224:11434"
```
**Frigate** (`/etc/traefik/conf.d/frigate.yaml`):
```yaml
http:
  routers:
    frigate:
      rule: "Host(`frigate.kavcorp.com`)"
      entryPoints:
        - websecure
      service: frigate
      tls:
        certResolver: letsencrypt
  services:
    frigate:
      loadBalancer:
        servers:
          - url: "https://10.4.2.8:8971"
        serversTransport: frigate-transport
  serversTransports:
    frigate-transport:
      insecureSkipVerify: true
```
**Note**: Frigate uses port 8971 for authenticated access with a self-signed TLS certificate. Port 5000 is unauthenticated (for Home Assistant integration only).
**Foundry VTT** (`/etc/traefik/conf.d/foundry.yaml`):
```yaml
http:
  routers:
    foundry:
      rule: "Host(`vtt.kavcorp.com`)"
      entryPoints:
        - websecure
      service: foundry
      tls:
        certResolver: letsencrypt
  services:
    foundry:
      loadBalancer:
        servers:
          - url: "http://10.4.2.37:30000"
```
**Proxmox** (`/etc/traefik/conf.d/proxmox.yaml`):
```yaml
http:
  routers:
    proxmox:
      rule: "Host(`pm.kavcorp.com`)"
      entryPoints:
        - websecure
      service: proxmox
      tls:
        certResolver: letsencrypt
  services:
    proxmox:
      loadBalancer:
        servers:
          - url: "https://10.4.2.6:8006"
        serversTransport: proxmox-transport
  serversTransports:
    proxmox-transport:
      insecureSkipVerify: true
```
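
**Added example** (not part of the original configuration): the Frigate and Proxmox transports above set `insecureSkipVerify: true`, so Traefik accepts any certificate on the backend hop. The variant below keeps that hop verified by trusting each backend's own certificate or CA through `rootCAs`. The `.pem` paths and `serverName` values are placeholders and assume each backend certificate has been exported to the Traefik host.

```yaml
# Added example: Traefik dynamic configuration (file provider).
# Placeholders/assumptions: the rootCAs file paths and the serverName values.
http:
  services:
    frigate:
      loadBalancer:
        servers:
          - url: "https://10.4.2.8:8971"
        serversTransport: frigate-transport
    proxmox:
      loadBalancer:
        servers:
          - url: "https://10.4.2.6:8006"
        serversTransport: proxmox-transport

  serversTransports:
    # Weak setting, as documented above: no certificate check on the backend hop.
    #   frigate-transport:
    #     insecureSkipVerify: true

    # Verified alternative: trust only the exported backend certificate.
    frigate-transport:
      rootCAs:
        - /etc/traefik/ssl/backends/frigate.pem        # placeholder path
      # Must equal a SAN in the backend certificate; needed when the
      # certificate does not list the IP used in the server URL.
      serverName: "REPLACE_WITH_FRIGATE_CERT_SAN"      # placeholder value

    proxmox-transport:
      rootCAs:
        - /etc/traefik/ssl/backends/proxmox-ca.pem     # placeholder path
      serverName: "REPLACE_WITH_PROXMOX_CERT_SAN"      # placeholder value
```

If a backend regenerates its self-signed certificate, the exported file must be refreshed or Traefik will reject the connection and return a gateway error for that router.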
## Synology DSM
**Location**: KavNas (Synology NAS)
**IP**: 10.4.2.13:5001
**Domain**: dsm.kavcorp.com
**Traefik Config** (`/etc/traefik/conf.d/dsm.yaml`):
```yaml
http:
  routers:
    dsm:
      rule: "Host(`dsm.kavcorp.com`)"
      entryPoints:
        - websecure
      service: dsm
      tls:
        certResolver: letsencrypt
  services:
    dsm:
      loadBalancer:
        servers:
          - url: "http://10.4.2.13:5001"
```
**Note**: DSM is configured for HTTP on port 5001 (not HTTPS). Traefik terminates TLS.
## AMP (Application Management Panel)
**Location**: LXC 124 on elantris
**IP**: 10.4.2.26:8080
**Domain**: amp.kavcorp.com
**Traefik Config** (`/etc/traefik/conf.d/amp.yaml`):
```yaml
http:
  routers:
    amp:
      rule: "Host(`amp.kavcorp.com`)"
      entryPoints:
        - websecure
      service: amp
      tls:
        certResolver: letsencrypt
  services:
    amp:
      loadBalancer:
        servers:
          - url: "http://10.4.2.26:8080"
```
## Home Assistant
**Location**: VM 100 on pm1
**IP**: 10.4.2.62:8123
**Reverse Proxy Config** (`/config/configuration.yaml`):
```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.4.2.10  # Traefik IP
    - 172.30.0.0/16  # Home Assistant internal network (for add-ons)
```
## Sonarr
**Location**: LXC 105 on pm2
**IP**: 10.4.2.20:8989
**API Key**: b331fe18ec2144148a41645d9ce8b249
**Media Management Settings**:
- Permissions: Enabled, chmod 777
- Hardlinks: Enabled
- Episode title required: Always
- Free space check: 100MB minimum
## Radarr
**Location**: LXC 108
**IP**: 10.4.2.16:7878
**API Key**: 5e6796988abf4d6d819a2b506a44f422
## NZBGet
**Location**: Docker on kavnas (10.4.2.13)
**Port**: 6789
**Web User**: kavren
**Web Password**: fre8ub2ax8
**Key Settings** (`/volume1/docker/nzbget/config/nzbget.conf`):
```ini
MainDir=/config
DestDir=/downloads/completed
InterDir=/downloads/intermediate
UMask=0000 # Creates files with 777 permissions
```
**Docker Mounts**:
- Config: `/volume1/docker/nzbget/config:/config`
- Downloads: `/volume1/Media/downloads:/downloads`
## Recyclarr
**Location**: LXC 122 on pm2
**IP**: 10.4.2.25
**Binary**: `/usr/local/bin/recyclarr`
**Config**: `/root/.config/recyclarr/recyclarr.yml`
**Sync Schedule**: Daily at 3 AM via cron
**Configured Profiles**:
- **Radarr**: HD Bluray + WEB (1080p), Remux-1080p - Anime
- **Sonarr**: WEB-1080p, Remux-1080p - Anime
- **Custom Formats**: TRaSH Guides synced (Dolby Vision blocked, release group tiers)
## Jellyfin
**Location**: LXC 121 on elantris
**IP**: 10.4.2.21:8096
**Media Mounts** (inside LXC):
- `/media/tv` → `/el-pool/media/tv`
- `/media/anime` → `/el-pool/media/anime`
- `/media/movies` → `/el-pool/media/movies`
**Permissions**: Files must be 777 for Jellyfin user (UID 100107 in LXC) to access
## Vaultwarden
**Location**: LXC 125 on pm4
**IP**: 10.4.2.212:80
**Domain**: vtw.kavcorp.com
**Traefik Config** (`/etc/traefik/conf.d/vaultwarden.yaml`):
```yaml
http:
  routers:
    vaultwarden:
      rule: "Host(`vtw.kavcorp.com`)"
      entryPoints:
        - websecure
      service: vaultwarden
      tls:
        certResolver: letsencrypt
  services:
    vaultwarden:
      loadBalancer:
        servers:
          - url: "http://10.4.2.212:80"
```
## Pi-hole
**Location**: LXC 103 on pm4
**IP**: 10.4.2.129
**Domain**: pihole.kavcorp.com
**Web UI**: http://10.4.2.129/admin
**DNS Configuration**:
- Unbound recursive DNS on port 5335
- Pi-hole uses `127.0.0.1#5335` as upstream
**Traefik Config** (`/etc/traefik/conf.d/pihole.yaml`):
```yaml
http:
  routers:
    pihole:
      rule: "Host(`pihole.kavcorp.com`)"
      entryPoints:
        - websecure
      service: pihole
      tls:
        certResolver: letsencrypt
  services:
    pihole:
      loadBalancer:
        servers:
          - url: "http://10.4.2.129"
```
**Router Configuration** (Asus):
- LAN → DHCP Server → DNS Server 1: `10.4.2.129`
- DNS Server 2: `1.1.1.1` (fallback)
## Immich
**Location**: LXC 126 on pm4
**IP**: 10.4.2.24:2283
**Domain**: immich.kavcorp.com
**Config** (`/opt/immich/.env`):
```bash
TZ=America/Indiana/Indianapolis
IMMICH_VERSION=release
NODE_ENV=production
DB_HOSTNAME=127.0.0.1
DB_USERNAME=immich
DB_PASSWORD=AulF5JhgWXrRxtaV05
DB_DATABASE_NAME=immich
DB_VECTOR_EXTENSION=pgvector
REDIS_HOSTNAME=127.0.0.1
IMMICH_MACHINE_LEARNING_URL=http://127.0.0.1:3003
MACHINE_LEARNING_CACHE_FOLDER=/opt/immich/cache
IMMICH_MEDIA_LOCATION=/mnt/immich-library
```
**NFS Mount** (configured via `pct set 126 -mp0`):
- Host path: `/mnt/pve/elantris-downloads/immich`
- Container path: `/mnt/immich-library`
- Source: elantris (`/el-pool/downloads/immich/`)
**Systemd Services**:
- `immich-web.service` - Web UI and API
- `immich-ml.service` - Machine learning service
**Traefik Config** (`/etc/traefik/conf.d/immich.yaml`):
```yaml
http:
  routers:
    immich:
      rule: "Host(`immich.kavcorp.com`)"
      entryPoints:
        - websecure
      service: immich
      tls:
        certResolver: letsencrypt
  services:
    immich:
      loadBalancer:
        servers:
          - url: "http://10.4.2.24:2283"
```
## RomM
**Location**: Docker on docker-pm3 (VM 109)
**IP**: 10.4.2.202:8998
**Version**: 4.5.0
**Docker Compose** (`/opt/romm/docker-compose.yml`):
```yaml
services:
  romm:
    image: rommapp/romm:latest
    container_name: romm
    ports:
      - 8998:8080
    environment:
      - DB_HOST=romm-db
      - DB_NAME=romm
      - DB_USER=romm-user
      - DB_PASSWD=55e7720ac5100322678bacf0a7705bf9
      - ROMM_AUTH_SECRET_KEY=05817a5501383c44287fc4079082f9fc0543013f186e61789aa2cc2be58d22e8
      - HASHEOUS_API_ENABLED=true
      - ENABLE_SCHEDULED_RESCAN=true
      - SCHEDULED_RESCAN_CRON=0 3 * * *
      - ENABLE_RESCAN_ON_FILESYSTEM_CHANGE=true
      - RESCAN_ON_FILESYSTEM_CHANGE_DELAY=5
    volumes:
      - /mnt/kavnas/Roms/roms:/romm/library
      - /mnt/kavnas/Roms/assets:/romm/assets
      - /opt/romm/config:/romm/config
  romm-db:
    image: mariadb:latest
    container_name: romm-db
    environment:
      - MARIADB_ROOT_PASSWORD=55e7720ac5100322678bacf0a7705bf9
      - MARIADB_DATABASE=romm
      - MARIADB_USER=romm-user
      - MARIADB_PASSWORD=55e7720ac5100322678bacf0a7705bf9
```
**NFS Mount** (docker-pm3 `/etc/fstab`):
```
10.4.2.13:/volume1/Media /mnt/kavnas nfs rw,soft,nfsvers=4 0 0
```
**ROM Library Structure**:
- Library: `/mnt/kavnas/Roms/roms` (organized by platform)
- Assets: `/mnt/kavnas/Roms/assets` (cover art, screenshots)
**Traefik Config** (`/etc/traefik/conf.d/romm.yaml`):
```yaml
http:
  routers:
    romm:
      rule: "Host(`romm.kavcorp.com`)"
      entryPoints:
        - websecure
      service: romm
      tls:
        certResolver: letsencrypt
  services:
    romm:
      loadBalancer:
        servers:
          - url: "http://10.4.2.202:8998"
```