Network Stack


Services running on PCT 108 (network, 192.168.2.82) — the Docker Swarm manager node.


Service URLs

Service            URL                         Internal
Traefik dashboard  traefik.carr-family.org     192.168.2.82:443
Portainer          portainer.carr-family.org   192.168.2.82:9443 (HTTPS)
Homarr             homepage.carr-family.org    192.168.2.82:7575
Authentik          auth.carr-family.org
Guacamole          guac.carr-family.org        192.168.2.82:8080
CloudBeaver        db.carr-family.org          192.168.2.82:8978
Dozzle             dozzle.carr-family.org      — (global, all nodes)

Authentik (stack: authentik, compose 23)

SSO at auth.carr-family.org. Image: ghcr.io/goauthentik/server:2026.2.

Services: server, worker, proxy outpost, postgres:16-alpine (host port 5433), redis:7-alpine.

Proxy outpost (ghcr.io/goauthentik/proxy:2026.2) — handles Traefik ForwardAuth. Connects to authentik and traefik-public networks. forwardAuth address: http://authentik_authentik-proxy:9000/outpost.goauthentik.io/auth/traefik.

Env file: /root/authentik.env on PCT 108 (chmod 600). Required: AUTHENTIK_SECRET_KEY, PG_USER, PG_PASS, PG_DB.

Redeploy:

pct exec 108 -- bash -c "set -a && source /root/authentik.env && set +a && docker stack deploy -c /mnt/tank/appdata/portainer/compose/23/docker-compose.yml authentik"

Trusted IP bypass: LAN 192.168.2.0/24, Tailscale 100.64.0.0/10, 205.194.16.9/32 (friend's house) — Authentik Admin → Policy Engine → Policies → Trusted IP Bypass.

Note (2026-06-12): the authentik middleware was removed from every router in routes.yml, so those routes are now served by Traefik with no ForwardAuth in front of them. Services that still reference the authentik middleware through compose labels keep the label, but it is effectively unused because the middleware definition no longer exists.
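A quick way to confirm which routers are currently served without the Authentik ForwardAuth middleware is to audit Traefik's own view of its configuration. The script below is an added example, not part of this page or the stack's own tooling; it assumes the JSON shape of Traefik's GET /api/http/routers and GET /api/http/middlewares responses (router names and the sample data are constructed), and treats a router as protected only when its chain contains a defined forwardAuth middleware pointing at the outpost address given above.

```python
import json
import re

# ForwardAuth endpoint of the Authentik proxy outpost (address from this page).
OUTPOST_AUTH_URL = "http://authentik_authentik-proxy:9000/outpost.goauthentik.io/auth/traefik"
# Hosts expected to stay reachable without SSO (the IdP itself); an assumption for this example.
ALLOWLIST = {"auth.carr-family.org"}
HOST_RE = re.compile(r"Host\(`([^`]+)`\)")

# Constructed samples mirroring the JSON returned by Traefik's /api/http/routers and
# /api/http/middlewares (assumed API shape; router names are invented for the example).
ROUTERS_JSON = json.dumps([
    {"name": "portainer@file", "rule": "Host(`portainer.carr-family.org`)", "middlewares": []},
    {"name": "homarr@file", "rule": "Host(`homepage.carr-family.org`)",
     "middlewares": ["authentik@file"]},
    {"name": "guac@file", "rule": "Host(`guac.carr-family.org`)"},
    {"name": "auth@file", "rule": "Host(`auth.carr-family.org`)", "middlewares": []},
])
MIDDLEWARES_JSON = json.dumps([
    {"name": "authentik@file", "type": "forwardauth", "forwardAuth": {"address": OUTPOST_AUTH_URL}},
])


def sso_middlewares(middlewares):
    """Names of defined middlewares that actually forward auth to the Authentik outpost."""
    return {m["name"] for m in middlewares
            if m.get("type") == "forwardauth"
            and m.get("forwardAuth", {}).get("address") == OUTPOST_AUTH_URL}


def unprotected_routers(routers, middlewares):
    """Routers whose chain has no working Authentik forwardAuth middleware.

    A router that names a middleware with no matching definition (the situation the
    note above describes) is reported as unprotected, not as protected.
    """
    guards = sso_middlewares(middlewares)
    findings = []
    for router in routers:
        match = HOST_RE.search(router.get("rule", ""))
        host = match.group(1) if match else router.get("rule", "")
        if host in ALLOWLIST:
            continue
        if not guards.intersection(router.get("middlewares", [])):
            findings.append(f"{router['name']} ({host})")
    return findings


def audit(routers_json, middlewares_json):
    """Parse the two API responses and return the unprotected routers."""
    return unprotected_routers(json.loads(routers_json), json.loads(middlewares_json))


if __name__ == "__main__":
    for line in audit(ROUTERS_JSON, MIDDLEWARES_JSON):
        print("no SSO:", line)
```

Passing an empty middleware list as the second argument reproduces the state described in the note: every non-allowlisted router is reported, including the ones that still reference the authentik middleware by name.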


Homarr (stack: documents-homarr, compose 22)

Dashboard at homepage.carr-family.org. Pinned to manager node. Image: ghcr.io/homarr-labs/homarr:latest.

  • Port: 3001 (published) → 7575 (internal); Traefik label targets 7575
  • DB: /mnt/tank/appdata/homarr/db/db.sqlite (SQLite)
  • Populate script: /root/populate-homarr.js on Proxmox host

After re-populate, restore board permissions:

pct exec 108 -- sqlite3 /mnt/tank/appdata/homarr/db/db.sqlite "
INSERT OR IGNORE INTO boardUserPermission VALUES ('a2tzcbvgfkkt16aamvuwa6rs','bskmlbq5oayy4845ekbomk9y','full');
INSERT OR IGNORE INTO boardGroupPermission VALUES ('a2tzcbvgfkkt16aamvuwa6rs','nw94xpf6j307ceruir2b82x9','full');"

Integrations: Sonarr, Radarr, Prowlarr, Jellyseerr (configured with an apiKey). Jellyfin and qBittorrent need manual setup (no apiKey support). The immich and paperlessNgx integration kinds crash the integrations page; do not add them.


Guacamole (stack: network-guacamole, compose 6)

Remote desktop gateway at guac.carr-family.org. v1.6.0 + guacd + postgresql:15 (host port 5434).


CloudBeaver (stack: network-cloudbeaver, compose 31)

DB viewer at db.carr-family.org (LAN-only). Workspace: /mnt/tank/appdata/cloudbeaver/workspace.

DB Connections:

Name        Host           Port  User        DB
authentik   192.168.2.82   5433  authentik   authentik
guacamole   192.168.2.82   5434  guacamole   guacamole
nextcloud   192.168.2.105  5432  nextcloud   nextcloud
paperless   192.168.2.105  5433  paperless   paperless
linkwarden  192.168.2.105  5434  postgres    postgres
immich      192.168.2.105  5435  immich      immich
litellm     192.168.2.83   5433  litellm     litellm

Postgres ports are published in host mode on each node's LAN IP, so every connection above is reachable from the LAN without going through Traefik.


Watchtower (stack: watchtower)

Automatic image updates daily at 04:00 AM (0 0 4 * * * — cron6 format).

  • Mode: Global (one instance per node — covers Swarm services and standalone containers)
  • Config: WATCHTOWER_CLEANUP=true, WATCHTOWER_ROLLING_RESTART=true, DOCKER_API_VERSION=1.40
  • Compose: /mnt/tank/appdata/watchtower/docker-compose.yml
  • Notifications: Disabled (was spamming emails — removed 2026-06-12)

Excluded containers (incompatible with rolling restart — network_mode: "service:..." dependency):

  • gluetun-proton and qbittorrent-vpn — label com.centurylinklabs.watchtower.enable=false

Dozzle (stack: dozzel, compose 25)

Live container log viewer at dozzle.carr-family.org. Global mode — runs on all 4 worker nodes (not PCT 108).