Document Dawarich metrics verification

Sechs Renovate-PRs gemergt (minor-patch-Gruppe, unbound/traefik/postgres
Digest-Refreshes, n8n 2.27, nextcloud-33 Digest); Nextcloud-34-Major bewusst
gehalten.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.gitattributes

@@ -0,0 +1,6 @@
+*.sh text eol=lf
+*.ps1 text eol=crlf
+*.md text
+*.json text
+*.yml text
+*.yaml text

.gitignore

@@ -0,0 +1,36 @@
+# Local environment and stack values
+.env
+*.env
+!*.env.example
+**/stack.env
+!**/stack.env.example
+
+# Secrets and certificate material
+**/secrets/*
+!**/secrets/*.example
+**/letsencrypt/
+**/acme.json
+**/*.key
+**/*.pem
+**/*.crt
+
+# Backup, dump, and archive artifacts
+**/*.dump
+**/*.sql.gz
+**/*.archive.gz
+**/*.tar
+**/*.tar.gz
+**/*.tgz
+**/*.zip
+
+# Generated reports
+ops/policy-checks/last-report.md
+
+# Local/editor noise
+.DS_Store
+Thumbs.db
+*.tmp
+*.log
+.serena/
+.claude/settings.local.json
+memory/

AGENTS.md

@@ -0,0 +1,20 @@
+# Agent Context - Homelab Infra
+
+Typ: Einstieg/Index · Stand: 2026-06-11 · Status: aktiv
+
+Einstiegspunkt fuer KI-Agenten (Codex, Gemini u. a.; Claude nutzt zusaetzlich
+`CLAUDE.md`). Kein eigener Inhalt - nur Pflichtpfade.
+
+## Vor jeder Arbeit lesen
+
+1. `docs/AI_CONTEXT.md` - Systembild, harte Regeln, Ausnahmen-Kurzliste
+2. `HOMELAB_ARCHITECTURE_MASTER_V2.md` - Architektur-Zielbild
+3. `docs/WORKFLOW.md` - verbindlicher GitOps-/No-Drift-Ablauf
+4. die betroffene `docker-compose.yml` bzw. das betroffene Runbook (Index: `docs/README.md`)
+
+## Nicht verhandelbar
+
+- Keine Secret-Werte lesen, zitieren oder schreiben - nur Namen und Pfade.
+- Keine Deployments, Host-Hotfixes oder Docker-Schreibbefehle ohne ausdrueckliche Anweisung.
+- Doku-Regeln aus `docs/REPO_MAP.md` einhalten: ein Fakt, ein Zuhause. Status nur in `docs/MASTER_TODO.md`, Entscheidungen nur in `docs/DECISIONS.md`.
+- Bei Drift oder zwei fehlgeschlagenen Reparaturversuchen: stoppen, `docs/GITOPS_DRIFT_RUNBOOK.md`.

CLAUDE.md

@@ -0,0 +1,131 @@
+# Claude Code Context - Homelab Infra
+
+Stand: 2026-06-11
+
+Dieses Repository ist die GitOps-Quelle fuer das KalliLab CORE Homelab auf einem Unraid-Host. Es verwaltet Docker-Compose-Stacks fuer Core-Dienste, Security, Infrastruktur, Apps, Operations-Tools, Host-nahe Dienste und Traefik. Gitea Online ist die operative Quelle der Wahrheit; Komodo konsumiert den Git-Stand und deployed daraus.
+
+## Vor jeder Aenderung lesen
+
+Claude muss vor jeder fachlichen oder technischen Aenderung mindestens diese Dateien lesen:
+
+1. `HOMELAB_ARCHITECTURE_MASTER_V2.md`
+2. `docs/WORKFLOW.md`
+3. `docs/README.md`
+4. `docs/REPO_MAP.md`
+5. `docs/SERVICE_CATALOG.md`
+6. die betroffene `docker-compose.yml`
+
+Zusaetzlich je nach Thema:
+
+- Restore / Host-Ausfall: `docs/DISASTER_RECOVERY.md` und `docs/RESTORE_MATRIX.md`
+- Rollback: `docs/ROLLBACK.md`
+- Secrets: `docs/SECRETS_MAP.md`
+- GitOps-/Komodo-/Runtime-Drift: `docs/GITOPS_DRIFT_RUNBOOK.md`
+- Gesamtbild fuer KI-Agenten: `docs/AI_CONTEXT.md`
+- Architektur-/Betriebsentscheidungen mit Begruendung: `docs/DECISIONS.md`
+
+## Projektbeschreibung
+
+- Host: Unraid, Hostname `Kallilabcore`
+- Domain: `kaleschke.info`
+- Reverse Proxy: Traefik v3
+- DNS: AdGuard Home + Unbound
+- VPN/Remote: Tailscale
+- Git: Gitea unter `git.kaleschke.info`
+- Deployment: Komodo als primaerer und einziger produktiver Stack-Manager
+- Lokale Arbeitskopie: Windows/GitHub Desktop
+- Persistenz: ueberwiegend `/mnt/user/appdata`, Nutzdaten in `/mnt/user/documents`, `/mnt/user/photos`, GitOps/Gitea in `/mnt/user/services`
+
+## Architekturprinzipien
+
+- Traefik ist der einzige oeffentliche HTTP(S)-Einstiegspunkt.
+- Service-Routing erfolgt per Docker-Labels, nicht ueber neue Traefik File-Provider-Service-Routen.
+- `frontend_net` ist das Web-/Proxy-Netz.
+- `backend_net` ist `internal: true` fuer Datenbanken, Redis und interne Backends.
+- App-interne Netze sind erlaubt, wenn sie eine App und ihre Datenbank/Worker sauber isolieren.
+- Datenbanken und Caches duerfen nicht im `frontend_net` liegen.
+- Direkte Host-Ports sind nur mit dokumentierter Ausnahme erlaubt.
+- Komodo bleibt bewusst ohne pauschale zentrale Authelia-ForwardAuth-Middleware.
+- Secrets gehoeren niemals ins Git-Repository.
+- Produktive Container sollen als Compose/Git-Stack verwaltet werden.
+
+## GitOps-Regeln
+
+Quelle der Wahrheit:
+
+1. Gitea `origin/master`
+2. lokaler Clone
+3. Komodo Stack Workspace
+4. laufende Docker-Container
+5. Host-Zustand
+
+Standard-Workflow:
+
+1. Lokal synchronisieren (`Fetch`, ggf. `Pull`)
+2. Betroffene Docs und Compose-Datei lesen
+3. Zielzustand und Rollback klaeren
+4. Lokal minimal aendern
+5. Validieren
+6. Commit und Push durch den Benutzer oder nach expliziter Freigabe
+7. Komodo-Deploy/Runtime pruefen
+8. Dokumentation nachziehen
+
+Neue produktive Komodo-Stacks aus `Micha/homelab-infra` brauchen verpflichtend einen aktiven Gitea->Komodo-Webhook auf die aktuelle Stack-ID. Ausnahmen muessen im selben Aenderungsblock dokumentiert werden.
+
+Wenn Drift vermutet wird, nicht raten. Erst die Pflichtmatrix in `docs/GITOPS_DRIFT_RUNBOOK.md` abarbeiten.
+
+## Sicherheitsregeln
+
+- Secret-Werte niemals ausgeben. Wenn Werte auftauchen: redakten.
+- Nur Secret-Namen, Env-Key-Namen und Pfade dokumentieren.
+- Keine produktiven `.env`- oder Stack-Env-Werte zitieren.
+- Keine Compose-Aenderung ohne vorherigen Architektur-/Workflow-Abgleich.
+- Keine Deployments, Host-Hotfixes oder Docker-Schreibbefehle ohne ausdrueckliche Anweisung.
+- Keine direkten Host-Ports fuer Web-UIs, ausser dokumentierte Ausnahmen.
+- `privileged: true`, Docker-Socket und Host-Netz nur als dokumentierte Ausnahme.
+- Traefik dynamic config unter `traefik/dynamic/` wird nicht automatisch von Komodo deployed und muss bei Aenderungen manuell auf den Host synchronisiert werden.
+
+## Bekannte dokumentierte Ausnahmen
+
+- `traefik`: Host-Ports 80/443
+- `gitea`: SSH-Port 222
+- `AdGuard Home`: DNS-Port 53 und LAN-Admin-Port 8082
+- `tailscale`: natives Unraid-Plugin (`tailscale.plg`, Interface `tailscale1`), Subnet-Router fuers LAN; nicht repo-/Komodo-verwaltet. Der frueher repo-verwaltete userspace-Docker-Stack `host-services/tailscale/` wurde am 2026-06-06 entfernt.
+- `Plex-Media-Server`: historischer Host-Netz-Sonderfall, nicht als Repo-Stack enthalten
+- `scrutiny`: `privileged: true` fuer SMART/Laufwerkszugriff
+- `Komodo`: Docker-Socket und native Auth ohne pauschale ForwardAuth
+- `traefik/dynamic/*`: manuelle Host-Sync-Ausnahme
+- `influxdb3-core`: LAN-only Host-Port 8181 fuer Home Assistant Writer, keine Traefik-Route, nicht im `frontend_net`
+
+## No-Go-Regeln
+
+- Keine produktiven Aenderungen direkt in Komodo.
+- Keine `docker run`-Ad-hoc-Container als Dauerzustand.
+- Keine Compose-Dateien, Secrets oder Host-Konfigurationen stillschweigend aendern.
+- Keine Deployments ausloesen, wenn der Benutzer nur Analyse oder Dokumentation verlangt.
+- Kein `push --force` auf `master` als Standard-Rollback.
+- Keine History-Rewrites ohne ausdrueckliche Freigabe.
+- Keine Loesch-, Reset- oder Migrationsbefehle ohne klaren Zielzustand und Rollback.
+- Keine neuen `latest`-/mutable Image-Tags ohne bewusste Versionsentscheidung.
+
+## Rollback-Erwartungen
+
+Jede Aenderung braucht vor dem Deploy eine klare Rueckkehrstrategie:
+
+- letzter bekannter funktionierender Git-Stand
+- betroffener Stack und Persistenzpfade
+- ob Datenpfade unveraendert bleiben
+- ob Secrets/ENV betroffen sind
+- konkrete Smoke-Tests nach Rollback
+
+Standard-Rollback ist ein Ruecknahme-Commit oder gezielte Rueckaenderung mit Push nach Gitea. Produktive Datenpfade unter `/mnt/user/appdata`, `/mnt/user/documents`, `/mnt/user/photos`, `/mnt/user/services` und `/mnt/user/backups` nicht blind loeschen.
+
+## Arbeitsweise fuer Claude
+
+- Erst lesen, dann handeln.
+- Doku-Regeln aus `docs/REPO_MAP.md` einhalten: ein Fakt, ein Zuhause. Status nur in `docs/MASTER_TODO.md`, Entscheidungen nur in `docs/DECISIONS.md`, Erledigtes verlaesst die Arbeitskopie.
+- Bei Unsicherheit Zustand messen, nicht erraten.
+- Aenderungen klein halten und nur den betroffenen Bereich anfassen.
+- Bestehende Doku und Repo-Konventionen bevorzugen.
+- Bei Secret-/Runtime-/Komodo-Fragen besonders konservativ sein.
+- Wenn zwei Reparaturversuche nicht funktionieren: stoppen, Pflichtmatrix ausfuellen, eine abweichende Ebene benennen.

HOMELAB_ARCHITECTURE_MASTER_V2.md

@@ -3,7 +3,7 @@
 > **Single Source of Truth** für Docker-Netzwerkarchitektur, Sicherheitsregeln, Zielbild und Migration des Kallilabcore-Homelabs.
 > **Arbeitsregel für KI-Assistenten:** Dieses Dokument immer zuerst lesen, bevor Fragen zu Containern, Netzwerken, Traefik, Tailscale, Migration oder Security beantwortet werden.
 
-**Stand:** 2026-03-29 | **Aktueller Sprint:** 7 (Authelia SSO/2FA) — Sprints 1–6 abgeschlossen
+**Stand:** 2026-06-13 | **Aktueller Schwerpunkt:** Home Assistant Tibber / Energie-Kosten
 
 ---
 
@@ -16,11 +16,11 @@
 6. [Einordnungsschema für neue Container](#6-einordnungsschema-für-neue-container)
 7. [Container-Zielbild (vollständig)](#7-container-zielbild-vollständig)
 8. [Traefik-Label-Standard](#8-traefik-label-standard)
-9. [Migrationsstrategie (Blöcke A–F)](#9-migrationsstrategie-blöcke-af)
+9. [Historische Migration (abgeschlossen)](#9-historische-migration-abgeschlossen)
 10. [Bekannte Ausnahmen und Begründungen](#10-bekannte-ausnahmen-und-begründungen)
 11. [Projektorganisation und Arbeitsmodus](#11-projektorganisation-und-arbeitsmodus)
 12. [Nutzung mit KI / Kontext-Regel](#12-nutzung-mit-ki--kontext-regel)
-13. [Betriebserfahrungen und Entscheidungs-Log](#13-betriebserfahrungen-und-entscheidungs-log)
+13. [Betriebserfahrungen und Entscheidungs-Log (ausgelagert)](#13-betriebserfahrungen-und-entscheidungs-log-ausgelagert)
 
 ---
 
@@ -30,14 +30,14 @@
 |---|---|
 | Host-OS | Unraid |
 | Hostname | Kallilabcore |
-| Reverse Proxy | Traefik v3 (100% Docker-Labels, kein File-Provider) |
+| Reverse Proxy | Traefik v3 (Service-Routing via Docker-Labels, File-Provider fuer Middlewares, TLS und Dashboards) |
 | VPN / Remote-Zugang | Tailscale (`tailscale`, host-Netz, Git-Stack) |
 | DNS-Stack | AdGuard Home (`dns_net` + `frontend_net`) → Unbound (`dns_net`) |
 | Basis-Domain | `kaleschke.info` |
 | TLS | Let's Encrypt via Cloudflare DNS Challenge |
 | Certresolver | `le` |
 | Compose-Standard | Komodo (GitOps, Stack aus Gitea) |
-| Legacy | Portainer CE (in Ablösung durch Komodo, Sprint 5) |
+| Legacy | Portainer CE entfernt; Komodo ist alleiniger Stack-Manager |
 | Homelab-Compose-Pfad | `/mnt/user/services/homelab/` |
 | Secrets-Pfad | `/mnt/user/appdata/secrets/` |
 | Grundsatz | Keine neuen Dockerman-Einzelcontainer |
@@ -47,26 +47,26 @@
 ## 2. Architektur-Prinzipien
 
 ### P1 — Traefik ist der einzige öffentliche HTTP(S)-Einstiegspunkt
-Kein Webdienst veröffentlicht finale direkte Host-Ports außer `traefik` selbst. Begründete Ausnahmen: `gitea`-SSH (Port 222), `AdGuard Home` (Port 53/DNS + 3000/Admin), `Tailscale`, `Plex-Media-Server`.
+Kein Webdienst veröffentlicht finale direkte Host-Ports außer `traefik` selbst. Begründete Ausnahmen: `gitea`-SSH (Port 222), `AdGuard Home` (Port 53/DNS direkt; Admin 8082 nur auf Tailscale-IP `100.80.98.33`), `Tailscale`, `Plex-Media-Server` und `monitoring-influxdb3-core` Port 8181 als LAN-only Writer-Endpunkt fuer Home Assistant.
 
 ### P2 — Das Setup bleibt bewusst einfach: `frontend_net` + `backend_net` + app-interne Netze
 - `frontend_net` = Proxy-/Web-Netz
 - `backend_net` = intern für DB/Cache/App-Kommunikation
-- zusätzliche Netze nur app-intern, wenn technisch nötig (`mealie_mealie_internal`, `immich_default`, `dns_net`)
+- zusätzliche Netze nur app-intern, wenn technisch nötig (`mealie_internal`, `immich_default`, `dns_net`)
 
-Es gibt **keine künstlichen globalen Zusatznetze** wie `admin_net`, `monitoring_net` oder `media_net`.
+Es gibt **keine künstlichen globalen Zusatznetze** wie `admin_net` oder `media_net`. `monitoring_net` ist die dokumentierte Ausnahme fuer den zentralen Observability-Stack.
 
 ### P3 — Datenbanken gehören nie ins `frontend_net`
 Postgres, Redis und ähnliche Dienste laufen ausschließlich in `backend_net` oder einem eigenen internen Compose-Netz.
 
 ### P4 — Admin-UIs sind nicht öffentlich
-Komodo, filebrowser, scrutiny, UptimeKuma, code-server, Traefik-Dashboard, backrest und beszel sind standardmäßig **Tailscale-only** oder hinter Traefik **mit zentraler Middleware** abgesichert.
+filebrowser, scrutiny, code-server, Traefik-Dashboard und borg-ui sind standardmaessig **Tailscale-only** oder hinter Traefik **mit zentraler Middleware** abgesichert. `Komodo` ist die dokumentierte Ausnahme und bleibt bewusst bei nativer Authentifizierung ohne pauschal vorgeschaltete ForwardAuth-Middleware.
 
 ### P5 — Compose-first
 Alle produktiven Container werden als Compose verwaltet. Bestehende Dockerman-/Ad-hoc-Container werden schrittweise migriert.
 
 ### P6 — Secrets nie im Klartext
-Passwörter, Tokens und API-Keys gehören in Secret-Dateien unter `/mnt/user/appdata/secrets/` oder als Komodo/Portainer Environment Variables mit `${VARIABLE}` in der Compose.
+Passwörter, Tokens und API-Keys gehören in Secret-Dateien unter `/mnt/user/appdata/secrets/` oder als Komodo Stack Environment Variables mit `${VARIABLE}` in der Compose.
 
 ### P7 — `restart: unless-stopped` ist Pflichtstandard
 Jeder produktive Container nutzt `restart: unless-stopped`, außer eine Ausnahme ist dokumentiert.
@@ -74,7 +74,7 @@ Jeder produktive Container nutzt `restart: unless-stopped`, außer eine Ausnahme
 ### P8 — Least Privilege
 - `security_opt: ["no-new-privileges:true"]` standardmäßig ergänzen
 - `privileged: true` nur mit dokumentierter Begründung
-- Docker-Socket standardmäßig vorsichtig behandeln; **Komodo/PortainerCE sind dokumentierte Ausnahmen**
+- Docker-Socket standardmäßig vorsichtig behandeln; **Komodo ist dokumentierte Ausnahme**
 
 ---
 
@@ -87,8 +87,14 @@ Jeder produktive Container nutzt `restart: unless-stopped`, außer eine Ausnahme
 | `frontend_net` | bridge, external | einziges Traefik-/Web-Netz | Standard |
 | `backend_net` | bridge, `internal: true` | interne App-/DB-/Cache-Kommunikation | Standard |
 | `dns_net` | bridge | Resolver-Schicht: AdGuard Home + Unbound | bleibt |
-| `mealie_mealie_internal` | bridge, `internal: true` | internes Netz nur für `mealie` + `mealie-postgres` | ✅ umgesetzt |
-| `immich_default` | Compose-intern, `internal: true` | internes Immich-Netz | ✅ umgesetzt |
+| `mealie_internal` | bridge, `internal: true` | internes Netz nur für `mealie` + `mealie-postgres` | ✅ umgesetzt |
+| `immich_default` | Compose-intern, `internal: true` | internes Immich-Netz (Server, Postgres, Redis, ML) | ✅ umgesetzt |
+| `immich_egress` | Compose-intern, bridge (nicht `internal`) | Outbound-only fuer `immich_machine_learning` (Modell-Download huggingface) | ✅ umgesetzt |
+| `nextcloud_internal` | bridge, `internal: true` | internes Netz nur fuer `nextcloud` + `nextcloud-postgres` + `nextcloud-redis` | ✅ vorbereitet |
+| `monitoring_net` | Compose-intern, bridge | zentraler Observability-Stack fuer Prometheus, Loki, Grafana, Promtail, Exporter und InfluxDB | Zielzustand |
+| `monitoring_influx_lan` | Compose-intern, bridge | nicht-oeffentliches Zusatznetz nur fuer Docker Host-Port-Publishing von InfluxDB 8181 | Zielzustand |
+| `glance_socket_net` | Compose-intern, `internal: true` | interner Zugriff von Glance auf den Docker-Socket-Proxy | umgesetzt |
+| `smarthome_net` | bridge, `internal: true` | interne Smart-Home-Kommunikation zwischen Home Assistant, Mosquitto, spaeter Zigbee2MQTT/ESPHome | vorbereitet |
 | `host` | host | nur für echte Sonderfälle | begründet |
 
 ### 3.2 Finales Diagramm (vereinfacht)
@@ -99,9 +105,10 @@ Internet
 traefik (80/443)
 │
 └── frontend_net
-    ├── öffentliche Apps (vaultwarden, mealie, paperless, immich, gitea, ntfy, homepage)
-    ├── Admin-UIs mit Middleware (komodo, uptime-kuma, filebrowser, scrutiny, code-server, backrest, beszel)
-    └── Hybrid-Dienste mit Internetbedarf (mail-archiver, ddns-updater)
+    ├── öffentliche Apps (vaultwarden, mealie, paperless, immich, gitea, ntfy, mail-archiver, nextcloud)
+    ├── geschützte UIs mit Middleware (glance, paperless-gpt, filebrowser, scrutiny, code-server, borg-ui, glances, speedtest, bentopdf, monitoring-grafana)
+    ├── Admin-UI mit nativer Auth (komodo)
+    └── Dienste mit Internetbedarf ohne öffentliche UI (ddns-updater)
 
 backend_net (internal: true)
 ├── postgresql17
@@ -114,13 +121,17 @@ dns_net
 └── unbound
 
 App-interne Netze
-├── mealie_mealie_internal (internal: true) ✅
-└── immich_default (internal: true) ✅
+├── mealie_internal (internal: true) ✅
+├── immich_default (internal: true) ✅
+├── nextcloud_internal (internal: true) ✅
+├── monitoring_net (zentraler Observability-Stack)
+├── monitoring_influx_lan (Bridge fuer LAN-Port-Publishing, keine Traefik-Route)
+└── smarthome_net (HA, Mosquitto, spaeter Zigbee2MQTT/ESPHome)
 
 Host-Sonderfälle
 ├── tailscale
-├── Plex-Media-Server
-└── beszel-agent
+└── Plex-Media-Server
+
 ```
 
 ---
@@ -136,20 +147,30 @@ Diese Dienste sind über echte `*.kaleschke.info`-Domains erreichbar:
 - `ntfy` — ntfy.kaleschke.info
 - `gitea` (Web) — git.kaleschke.info
 - `immich_server` — immich.kaleschke.info
-- `homepage` — homepage.kaleschke.info
+- `nextcloud` — cloud.kaleschke.info
+- `plex` — plex.kaleschke.info (Traefik, native Plex-Auth; Plex Remote Access/Port 32400 bleibt aus)
+- `homeassistant` — home.kaleschke.info (Traefik, native Home-Assistant-Auth)
 
 ### 4.2 Nicht öffentlich / nur Tailscale oder Traefik + Middleware
 Diese Dienste sind **keine Public Apps**:
 
-- `Komodo` — komodo.kaleschke.info (Middleware)
-- `UptimeKuma` — uptime.kaleschke.info (Middleware)
+- `Komodo` — komodo.kaleschke.info (Traefik, aber bewusst ohne zentrale Middleware; native Auth bleibt aktiv)
 - `filebrowser` — files.kaleschke.info (Middleware)
 - `scrutiny` — scrutiny.kaleschke.info (Middleware)
 - `code-server` — Traefik + Middleware
-- `beszel` — beszel.kaleschke.info (Middleware ausstehend)
-- `backrest` — Traefik + Middleware
+- `borg-ui` — borg.kaleschke.info (Middleware)
+- `glance` — glance.kaleschke.info (Middleware)
+- `paperless-gpt` — paperless-gpt.kaleschke.info (Middleware)
+- `mail-archiver` — mail.kaleschke.info (Middleware + App-Auth)
+- `glances` — glances.kaleschke.info (Middleware)
+- `speedtest-tracker` — speedtest.kaleschke.info (Middleware)
+- `bentopdf` — pdf.kaleschke.info (Middleware)
+- `monitoring-grafana` — monitoring.kaleschke.info (Middleware)
+- `hermes-dashboard` — hermes.kaleschke.info (Middleware)
+- `super-productivity` — sp.kaleschke.info (Middleware)
+- `n8n` — n8n.kaleschke.info (Traefik ohne pauschale Middleware, native Auth + Webhook-Ausnahme analog Komodo)
 - `Traefik-Dashboard`
-- `AdGuard Home` — Port 3000 direkt (kein Traefik, nur LAN-Zugang)
+- `AdGuard Home` — Admin-UI auf Port 8082 (`80` im Container), kein Traefik, nur Tailscale-IP `100.80.98.33`; 2026-05-26 bewusst keine 2FA-/Traefik-Umstellung
 
 ### 4.3 Regel
 Wenn ein Dienst im `frontend_net` hängt, heißt das **nicht automatisch öffentlich**. Admin-Dienste dürfen im `frontend_net` liegen, wenn:
@@ -158,6 +179,8 @@ Wenn ein Dienst im `frontend_net` hängt, heißt das **nicht automatisch öffent
 - keine direkten Host-Ports bestehen
 - Zugriff durch Tailscale bzw. Auth begrenzt ist
 
+`Komodo` ist hiervon die dokumentierte Ausnahme: Traefik ja, aber keine pauschale ForwardAuth-Middleware, damit Webhooks, API und Periphery-Kommunikation nicht versehentlich beeintraechtigt werden.
+
 ---
 
 ## 5. Globale Sicherheitsregeln
@@ -165,10 +188,10 @@ Wenn ein Dienst im `frontend_net` hängt, heißt das **nicht automatisch öffent
 1. Keine produktiven Dienste im Docker-Default-`bridge`
 2. Keine direkten Host-Ports für Web-UIs außer dokumentierte Ausnahmen
 3. `restart: unless-stopped` als Standard
-4. Secrets als Datei / `_FILE` oder Komodo/Portainer Environment Variables mit `${VAR}`
+4. Secrets als Datei / `_FILE` oder Komodo Stack Environment Variables mit `${VAR}`
 5. `no-new-privileges:true` ergänzen, wo praktikabel
 6. `traefik.docker.network=frontend_net` immer explizit setzen
-7. Admin-Dienste immer mit `dashboard-auth@file,secure-headers@file`
+7. Admin- und interne Web-Dienste standardmaessig mit zentraler Middleware absichern (`authelia@file,secure-headers@file` oder dokumentierte Ausnahme)
 8. Placeholder-Domains (`yourdomain.tld`) sind verboten
 9. `privileged: true` nur mit Begründung
 10. Volume-Mounts so klein und so read-only wie möglich
@@ -218,20 +241,18 @@ Legende Status:
 
 | Container | Status | Soll-Netz(e) | Finaler Zugang | Finaler Sollzustand | Offene Punkte |
 |---|---|---|---|---|---|
-| `traefik` | ✅ | `frontend_net`, `backend_net` | öffentlich 80/443 | zentraler Ingress, 100% Docker-Labels | — |
-| `AdGuard Home` | ✅ | `dns_net` (172.23.0.3), `frontend_net` | Port 53 DNS direkt, Port 3000 Admin (LAN) | DNS-Server + Upstream zu unbound; kein Traefik (DNS-Sonderfall) | Admin-Port per Traefik + Middleware absichern (Block F) |
+| `traefik` | ✅ | `frontend_net`, `backend_net` | öffentlich 80/443 | zentraler Ingress, Service-Routing via Docker-Labels | — |
+| `AdGuard Home` | ✅ | `dns_net` (172.23.0.3), `frontend_net` | Port 53 DNS direkt, Port 8082 Admin nur auf Tailscale-IP `100.80.98.33` | DNS-Server + Upstream zu unbound; kein Traefik fuer Admin-UI | Admin-Port bleibt bewusst ohne Traefik/2FA, aber nicht mehr auf allen LAN-Interfaces |
 | `unbound` | ✅ | `dns_net` | intern | Upstream-Resolver für AdGuard, isoliert | — |
 | `ddns-updater` | ✅ | `frontend_net` | intern | Cloudflare DNS API; bleibt in `frontend_net` | Dokumentierte Ausnahme |
-| `tailscale` | ✅ | `host` | VPN-Zugang | Git-Stack (`host-services/tailscale/`) | `TS_USERSPACE`/`privileged` später prüfen |
-| `backrest` | ✅ | `frontend_net`, `backend_net` | Traefik + Middleware | `traefik.docker.network=frontend_net` korrigiert | Breite Mounts straffen (Block F) |
-| `homepage` | ✅ | `frontend_net` | Traefik | öffentliche Startseite via `homepage.kaleschke.info` | — |
+| `tailscale` | ✅ | `host` | VPN-Zugang / Subnet-Router | **Natives Unraid-Plugin** (`tailscale.plg`, Interface `tailscale1`, State `/boot/config/plugins/tailscale/state`) — **nicht** repo-/Komodo-verwaltet | Subnet-Router fuer `192.168.178.0/24`; der redundante userspace-Docker-Stack `host-services/tailscale/` wurde am 2026-06-06 entfernt |
 
 ### 7.2 Sicherheit / Identity
 
 | Container | Status | Soll-Netz(e) | Finaler Zugang | Finaler Sollzustand | Offene Punkte |
 |---|---|---|---|---|---|
 | `vaultwarden` | ✅ | `frontend_net` | Traefik | kein Host-Port, `ADMIN_TOKEN_FILE` | — |
-| `authelia` | 🔄 | `frontend_net`, `backend_net` | Traefik via `auth.kaleschke.info` | ForwardAuth-Provider, Secrets via `_FILE`, PostgreSQL + Redis Shared | NAS-seitige Einrichtung ausstehend (Secrets, DB, Users, DNS) |
+| `authelia` | ✅ | `frontend_net`, `backend_net` | Traefik via `auth.kaleschke.info` | aktiver ForwardAuth-Provider, Secrets via `_FILE`, PostgreSQL Storage; bewusst ohne Redis-Session-Backend | — |
 
 ### 7.3 Datenbanken / Caches
 
@@ -239,47 +260,62 @@ Legende Status:
 |---|---|---|---|---|---|
 | `postgresql17` | ✅ | `backend_net` | intern | kein Host-Port, `POSTGRES_PASSWORD_FILE` | — |
 | `Redis` | ✅ | `backend_net` | intern | intern-only Cache | optional named volume |
-| `mealie-postgres` | ✅ | `mealie_mealie_internal` | intern | isoliert, nie `frontend_net` | — |
+| `mealie-postgres` | ✅ | `mealie_internal` | intern | isoliert, nie `frontend_net` | — |
 | `immich_postgres` | ✅ | `immich_default` | intern | intern-only | — |
 | `immich_redis` | ⏳ | `immich_default` | intern | intern-only | anonymes Volume → named volume |
+| `nextcloud-postgres` | ✅ | `nextcloud_internal` | intern | app-eigene Nextcloud-Datenbank mit `_FILE`-Secret | — |
+| `nextcloud-redis` | ✅ | `nextcloud_internal` | intern | app-eigener Cache fuer File Locking / Sessions | — |
+| `smarthome-mosquitto` | ✅ | `smarthome_net` | intern `1883`, kein Host-Port in Phase 1 | MQTT-Datenbus fuer Home Assistant, spaeter ESPHome und Zigbee2MQTT; Passwortdatei und ACLs in `/mnt/user/appdata/mosquitto/config`; MQTT-Smoke und HA-MQTT-Integration am 2026-06-13 erfolgreich | LAN-Port erst in ESPHome-Phase mit ACLs/per-Device-Usern |
 
-### 7.4 Öffentliche Apps
+### 7.4 Produktive Apps
 
 | Container | Status | Soll-Netz(e) | Finaler Zugang | Finaler Sollzustand | Offene Punkte |
 |---|---|---|---|---|---|
 | `paperless-ngx` | ✅ | `frontend_net`, `backend_net` | Traefik | aktiv via `paperless.kaleschke.info` | — |
-| `Paperless-AI` | ✅ | `frontend_net` | Traefik | aktiv | — |
-| `mealie` | ✅ | `frontend_net`, `mealie_mealie_internal` | Traefik | sauber getrennte App/DB-Struktur | — |
+| `mail-archiver` | ✅ | `frontend_net`, `backend_net` | Traefik + Middleware | aktiv via `mail.kaleschke.info`; IMAP-Abruf + DB-Zugang; App-eigene Auth bleibt zusaetzliche Schutzschicht | — |
+| `mealie` | ✅ | `frontend_net`, `mealie_internal` | Traefik | sauber getrennte App/DB-Struktur | — |
 | `ntfy` | ✅ | `frontend_net` | Traefik | aktiv via `ntfy.kaleschke.info`, Git-Stack | — |
 | `gitea` | ✅ | `frontend_net` | Traefik + SSH-Port 222 | Web via Traefik, SSH direkt gebunden | — |
 | `immich_server` | ✅ | `immich_default`, `frontend_net` | Traefik | aktiv via `immich.kaleschke.info` | — |
-| `immich_machine_learning` | ✅ | `immich_default` | intern | bleibt intern | — |
+| `immich_machine_learning` | ✅ | `immich_default`, `immich_egress` | intern (keine Traefik-Route) | `immich_default` fuer Server-Erreichbarkeit + dediziertes `immich_egress` (nicht-internal) fuer einmaligen Modell-Download (CLIP/buffalo_l) nach `model-cache`; bewusst nicht `frontend_net`, da unauth. ML-API | — |
+| `nextcloud` | ✅ | `frontend_net`, `nextcloud_internal` | Traefik | aktiv via `cloud.kaleschke.info`, nativer Nextcloud-Login, WebDAV/CardDAV faehig | CalDAV/CardDAV-Redirect via Traefik-Labels |
+| `homeassistant` | ✅ | `frontend_net`, `smarthome_net` | Traefik via `home.kaleschke.info`, native HA-Auth | Home Assistant Container im GitOps-Stack `smart-home/`; kein HAOS, kein Supervised; Fach-YAML kommt aus `smart-home-kalli`, `.storage` bleibt in `/mnt/user/appdata/homeassistant`; Komodo-Stack und Gitea-Webhook aktiv; HA-native Backup-Erzeugung, Restore-Probe, HA-MQTT-Integration, SolarEdge Local und Energy Dashboard am 2026-06-13 erfolgreich | Tibber, Energie-Kosten, spaeter Energie-Automationen |
+| `plex` | ✅ | `host` | Traefik via `plex.kaleschke.info` + Plex native Auth; LAN direkt `:32400` | Compose-Stack unter `host-services/plex/`; Host-Netz bleibt fuer Discovery / Plex GDM dokumentierte Ausnahme; Traefik routet per File-Provider-Ausnahme auf `http://192.168.178.58:32400`, weil Docker-Labels Host-Netz-Container aus Traefik heraus auf `127.0.0.1` routen wuerden; kein direkter WAN-Port 32400 und Plex Remote Access bleibt aus; Server geclaimt von `Xeridos`; Smart-TVs (Schlafzimmer, Wohnzimmer) ueber WLAN-LAN per mDNS | — |
+| `super-productivity` | ✅ vorbereitet | `frontend_net` | Traefik + Middleware | Persoenliche Task-PWA des Operators; Issues kommen aus Gitea `Micha/mails` via n8n-Mail-Workflow | Deploy + Webhook + DNS-Eintrag offen |
+| `n8n` | ✅ vorbereitet | `frontend_net` | Traefik, native Auth (keine pauschale Authelia) | Workflow-Automation; erster Workflow: GMX-Mail -> OpenAI-Extraktion -> Gitea-Issue in `Micha/mails`; `N8N_ENCRYPTION_KEY` ist Stack-ENV-Pflichtsecret | Deploy + Webhook + Owner-Setup offen |
 
 ### 7.5 Admin / Operations
 
 | Container | Status | Soll-Netz(e) | Finaler Zugang | Finaler Sollzustand | Offene Punkte |
 |---|---|---|---|---|---|
-| `komodo` | ✅ | `frontend_net` | Traefik + Middleware | primärer GitOps-Stack-Manager | — |
+| `komodo` | ✅ | `frontend_net` | Traefik, native Auth | primaerer GitOps-Stack-Manager | bewusste Ausnahme: keine pauschale ForwardAuth-Middleware vor UI/API/Webhooks/Periphery |
 | `code-server` | ✅ | `frontend_net` | Traefik + Middleware | `PASSWORD_FILE` aktiv | — |
-| `PortainerCE` | ⚠️ Legacy | `frontend_net` | Traefik + Middleware | wird durch Komodo abgelöst | abschalten Sprint 5 |
-| `filebrowser` | ✅ | `frontend_net` | Traefik + Middleware | aktiv via `files.kaleschke.info` | Mounts einschränken (Block F) |
-| `mail-archiver` | ✅ | `frontend_net`, `backend_net` | intern | IMAP-Abruf + DB-Zugang, kein öffentlicher Zugang | — |
+| `PortainerCE` | ❌ entfernt | - | - | 2026-03-29 abgeschaltet | historisch; nicht mehr deployen |
+| `filebrowser` | ✅ | `frontend_net` | Traefik + Middleware | aktiv via `files.kaleschke.info` | Appdata-Breitmount entfernt; nur Documents/Photos/Projekte plus eigener App-State |
+| `borg-ui` | ✅ | `frontend_net` | Traefik + Middleware | produktiver Borg-/Restore-Dienst; `/local/secrets` ist bewusst Teil des Restore-Scopes | BorgBase-Repo und Key laufend pflegen |
+| `paperless-gpt` | ✅ | `frontend_net` | Traefik + Middleware | aktiv via `paperless-gpt.kaleschke.info` | — |
+| `bentopdf` | ✅ vorbereitet | `frontend_net` | Traefik + Middleware | PDF-Tooling via `pdf.kaleschke.info`; browserseitige Verarbeitung, COOP/COEP fuer Office-Konvertierung | Deploy und fachliche Abnahme offen |
+| `hermes-dashboard` | ✅ | `frontend_net`, `hermes_net` | Traefik + Middleware | aktiv via `hermes.kaleschke.info`; Dashboard bindet intern mit `--insecure` auf `0.0.0.0`, externe Absicherung ueber Authelia | — |
 
 ### 7.6 Monitoring / Status
 
 | Container | Status | Soll-Netz(e) | Finaler Zugang | Finaler Sollzustand | Offene Punkte |
 |---|---|---|---|---|---|
-| `UptimeKuma` | ✅ | `frontend_net` | Traefik + Middleware | aktiv via `uptime.kaleschke.info` | — |
+| `glance` | ✅ | `frontend_net`, `glance_socket_net` | Traefik + Middleware | einziges Homelab-Dashboard via `glance.kaleschke.info`; Docker-Status nur ueber internen Socket-Proxy | — |
+| `glances` | ✅ | `frontend_net` | Traefik + Middleware | aktiv via `glances.kaleschke.info` | — |
 | `scrutiny` | ✅ | `frontend_net` | Traefik + Middleware | aktiv via `scrutiny.kaleschke.info`, Git-Stack | `privileged` später prüfen |
-| `beszel` | ✅ | `frontend_net` | Traefik | aktiv via `beszel.kaleschke.info`, Git-Stack | Admin-Middleware ergänzen (Block F) |
-| `beszel-agent` | ✅ | `host` | intern | System-Monitoring, Socket-Zugriff auf Host | — |
+| `speedtest-tracker` | ✅ | `frontend_net` | Traefik + Middleware | aktiv via `speedtest.kaleschke.info` | — |
+| `monitoring-grafana` | ✅ | `frontend_net`, `monitoring_net` | Traefik + Middleware | zentrale UI via `monitoring.kaleschke.info`; Datasources fuer Prometheus, Loki und InfluxDB | — |
+| `monitoring-influxdb3-core` | ✅ | `monitoring_net`, `monitoring_influx_lan` + LAN-Bind | LAN-Port nur fuer interne Writer | InfluxDB 3 Core fuer Home-Assistant-/Ecowitt-Langzeitdaten; keine Traefik-/Public-Freigabe; Port 8181 nur via `INFLUXDB_BIND_IP` | HA-Write-Token und Sensor-Export finalisieren |
+| `monitoring-loki` | ✅ | `monitoring_net` | intern | interner Container-Logspeicher ohne Public Route; Monitoring-Grafana greift ueber Loki-Datasource zu | Retention/Storage beobachten |
+| `monitoring-promtail` | ✅ | `monitoring_net` | intern | Docker-Log-Collector mit read-only Docker-Socket-Ausnahme; schreibt nach Loki | Socket-Ausnahme regelmaessig pruefen |
+| `grafana` / `influxdb3-core` / `loki` / `alloy` | entfernt | - | abgeloest | alte Docker-Runtime frei von Altcontainern; Compose-Pfade am 2026-05-26 aus aktivem Repo entfernt | Rollback nur ueber Git-Historie |
 
-### 7.7 Sprint 5 — noch zu migrieren / abzuschalten
+### 7.7 Noch offene Sonderfälle
 
 | Container | Status | Ziel |
 |---|---|---|
-| `Plex-Media-Server` | ⏳ Dockerman | Compose-Migration, `host`-Netz bleibt (Discovery) |
-| `PortainerCE` | ⚠️ Legacy | abschalten nach vollständiger Komodo-Übernahme |
+| — | — | Plex ist nicht mehr direkt offen: der Dienst ist als Repo-Compose-Stack unter `host-services/plex/` dokumentiert; `host`-Netz bleibt als Discovery-Ausnahme. Externer Zugriff laeuft ausschliesslich ueber Traefik/443 auf `plex.kaleschke.info`; keine direkte 32400-WAN-Freigabe. Technisch nutzt Plex als einzige Host-Netz-Route `traefik/dynamic/plex.yml`, weil Docker-Labels fuer `network_mode: host` in Traefik auf `127.0.0.1:32400` zeigen. |
 
 ### 7.8 Entfernte Container
 
@@ -291,13 +327,19 @@ Legende Status:
 | `diun` | 2026-03-28 | Update-Monitoring via Komodo; Stack + Netz `diun_diun_default` + Repo-Eintrag entfernt |
 | `binhex-official-pihole` | 2026-03-28 | ersetzt durch AdGuard Home + Unbound |
 | `gotify` | 2026-03-28 | nicht mehr aktiv; Push-Notifications via ntfy abgedeckt |
-| `Dozzle` | 2026-03-28 | nicht mehr aktiv; Log-Monitoring via Komodo/beszel |
-| `dashdot` | 2026-03-28 | nicht mehr aktiv; System-Monitoring via beszel |
-| `netdata` | 2026-03-28 | nicht mehr aktiv; System-Monitoring via beszel |
-| `Glances` | 2026-03-28 | nicht mehr aktiv |
+| `Dozzle` | 2026-03-28 | nicht mehr aktiv |
+| `dashdot` | 2026-03-28 | nicht mehr aktiv |
+| `netdata` | 2026-03-28 | nicht mehr aktiv |
 | `netalertx` | 2026-03-28 | nicht mehr aktiv |
-| `luckyBackup` | 2026-03-28 | nicht mehr aktiv; Backup via backrest |
+| `luckyBackup` | 2026-03-28 | nicht mehr aktiv; Backup via Borg |
+| `backrest` | 2026-05-15 | entfernt; Borg ist die alleinige Backup-Technologie, WD MyBookLive ist kein Backup-Ziel mehr |
 | `Stash` | 2026-03-28 | nicht mehr aktiv |
+| `PortainerCE` | 2026-03-29 | abgeschaltet; Komodo ist alleiniger Stack-Manager |
+| `beszel` | nicht dokumentiert | bereits entfernt; nicht mehr Teil des Zielbilds |
+| `beszel-agent` | nicht dokumentiert | bereits entfernt; nicht mehr Teil des Zielbilds |
+| `jellyfin` | 2026-05-25 | doppelter Medienserver neben Plex; Plex bleibt einziger Medienserver |
+| `homepage` | 2026-05-25 | doppeltes Dashboard neben Glance; Glance bleibt einziges Homelab-Dashboard |
+| `uptime-kuma` | 2026-05-25 | durch `monitoring-blackbox-exporter`, Prometheus-Alerts und `monitoring-grafana` ersetzt |
 
 ---
 
@@ -315,9 +357,9 @@ labels:
   - traefik.http.services.<name>.loadbalancer.server.port=<interner-port>
 ```
 
-### Zusatz für Admin-Dienste
+### Zusatz fuer Admin-Dienste (Standard)
 ```yaml
-  - traefik.http.routers.<name>.middlewares=dashboard-auth@file,secure-headers@file
+  - traefik.http.routers.<name>.middlewares=authelia@file,secure-headers@file
 ```
 
 ### Regeln
@@ -326,162 +368,78 @@ labels:
 - certresolver immer `le`
 - `tls=true` immer explizit setzen
 - wenn Traefik aktiv ist, werden direkte Host-Ports entfernt
-- Admin-Dienste niemals ohne Middleware veröffentlichen
+- Admin-Dienste standardmaessig nicht ohne Middleware veroeffentlichen
+- Das Traefik-Dashboard nutzt ebenfalls `authelia@file`; dokumentierte Ausnahmen wie `Komodo` bleiben moeglich
 - **File-Provider nur noch für:** `middlewares.yml`, `tls.yml`, `dashboards.yml` — keine Service-Routen mehr via File-Provider
+- dokumentierte Ausnahmen muessen in Abschnitt 10 begruendet werden
 
 ---
 
-## 9. Migrationsstrategie (Blöcke A–F)
-
-**Letzte Aktualisierung:** 2026-03-29
-
-### Block A — Quick Wins ✅ ABGESCHLOSSEN
-```text
-[x] restart: unless-stopped für alle Container gesetzt
-[x] vaultwarden ADMIN_TOKEN-Doppelpräfix korrigiert
-[x] backrest DNS-Hardcoding entfernt
-[x] leere Netzwerke entfernt: br0, immich_net, kopia_default, netbox_default, diun_default
-[x] anonyme/verwaiste Volumes bereinigt
-[x] scanopy komplett entfernt (3 Container + 2 Volumes + Netz)
-[x] binhex-official-pihole entfernt → ersetzt durch AdGuard Home + Unbound
-```
-
-### Block B — Kritische Kernmigrationen ✅ ABGESCHLOSSEN
-```text
-[x] vaultwarden - frontend_net, Host-Port entfernt, ADMIN_TOKEN_FILE, Traefik aktiv
-[x] postgresql17 - Port 5432 entfernt, nur backend_net, POSTGRES_PASSWORD_FILE
-[x] mealie-postgres - aus frontend_net raus, nur mealie_mealie_internal
-```
-
-### Block C — Frontend-Stack finalisieren ✅ ABGESCHLOSSEN
-```text
-[x] ntfy - Git-Stack - ntfy.kaleschke.info - Traefik aktiv
-[x] paperless-ngx - traefik.enable=true - paperless.kaleschke.info - Port entfernt - tls=true
-[x] Paperless-AI - traefik.enable=true - aktiv
-[x] PortainerCE - traefik.enable=true - Middleware aktiv - direkte Ports entfernt
-[x] UptimeKuma - traefik.enable=true - uptime.kaleschke.info - Port entfernt - Middleware aktiv
-[x] filebrowser - frontend_net - traefik.enable=true - files.kaleschke.info - Port entfernt - Middleware aktiv
-[x] scrutiny - frontend_net - traefik.enable=true - scrutiny.kaleschke.info - Git-Stack
-[x] gitea - traefik.enable=true - git.kaleschke.info - SSH-Port 222 bleibt (Ausnahme dokumentiert)
-[x] backrest - traefik.docker.network=frontend_net korrigiert (war backend_net — Routing-Bug)
-[x] Traefik File-Provider bereinigt - immich.yml, gitea.yml, mealie.yml, scrutiny.yml, vaultwarden.yml.bak gelöscht
-[x] immich Bad Gateway behoben - Traefik nutzt jetzt immich@docker statt immich@file
-[x] AdGuard Home - Git-Stack - dns_net + frontend_net - Port 53 (DNS) + 3000 (Admin)
-[x] beszel - Git-Stack - frontend_net - beszel.kaleschke.info - Traefik aktiv
-[ ] beszel - Admin-Middleware (dashboard-auth@file) ergänzen
-```
-
-### Block D — Dockerman-Container in Git-Stacks
-```text
-[x] vaultwarden ✅
-[x] postgresql17 ✅
-[x] mail-archiver ✅
-[x] scrutiny ✅
-[x] filebrowser ✅
-[x] tailscale ✅
-[x] AdGuard Home ✅
-[x] beszel ✅
-[x] ntfy ✅
-[x] homepage ✅
-[ ] Plex-Media-Server (Sprint 5)
-```
-
-### Block E — Secrets-Migration
-```text
-[x] vaultwarden → ADMIN_TOKEN_FILE ✅
-[x] postgresql17 → POSTGRES_PASSWORD_FILE ✅
-[x] mail-archiver → Stack ENV (${MAILARCHIVER_AUTH_PASSWORD}) ✅
-[x] mealie → Stack ENV (kein _FILE-Support) ✅
-[x] mealie-postgres → Stack ENV (kein _FILE-Support) ✅
-[x] paperless-ngx → Stack ENV (${PAPERLESS_DBPASS}) ✅
-[x] code-server → PASSWORD_FILE ✅
-[x] immich_server → Stack ENV (${IMMICH_DB_PASSWORD}) ✅
-[x] immich_postgres → POSTGRES_PASSWORD_FILE ✅
-[ ] immich_redis → anonymes Volume → named volume
-```
-
-### Block F — Feinschliff / Hardening
-```text
-[x] immich_default - internal: true gesetzt (2026-03-29)
-[x] PortainerCE - abgeschaltet (Sprint 5, 2026-03-29)
-[ ] immich_redis - anonymes Volume → named volume in Compose
-[ ] immich_server - anonymes Volume prüfen und benennen
-[ ] backrest - /mnt/user doppelt gemountet (ro + rw) - rw-Mount auf konkrete Pfade einschränken
-[ ] filebrowser - /mnt/user:/srv ist sehr breit - auf /mnt/user/documents:/srv einschränken wenn möglich
-[ ] Redis - optional named volume
-[ ] scrutiny - später prüfen, ob privileged reduziert werden kann
-[ ] tailscale - TS_USERSPACE/privileged bereinigen wenn möglich
-[ ] beszel - Admin-Middleware (dashboard-auth@file) ergänzen
-[ ] AdGuard Home - Admin-Port 3000 per Traefik + Middleware absichern (aktuell direkter Port)
-```
-
-### Block G — Authelia SSO/2FA (Sprint 7)
-```text
-[x] security/authelia/docker-compose.yml im Repo (2026-03-29)
-[x] security/authelia/configuration.yml im Repo (2026-03-29)
-[x] traefik/dynamic/middlewares.yml - authelia ForwardAuth Middleware ergänzt (2026-03-29)
-[ ] NAS: Secrets anlegen (jwt_secret, session_secret, storage_encryption_key, postgres_password)
-[ ] NAS: Authelia PostgreSQL-User und -Datenbank anlegen
-[ ] NAS: /mnt/user/appdata/authelia/config/configuration.yml aus Repo übernehmen
-[ ] NAS: users_database.yml mit gehashten Passwörtern anlegen
-[ ] NAS: DNS-Eintrag auth.kaleschke.info in AdGuard setzen
-[ ] Komodo: Stack security/authelia deployen
-[ ] Services schrittweise mit authelia@docker Middleware absichern
-```
-
----
+## 9. Historische Migration (abgeschlossen)
 
+Die Blockmigration aus der Portainer-/Dockerman-Phase ist abgeschlossen: Traefik laeuft labelbasiert ohne File-Provider-Service-Routen, Komodo ist alleiniger Stack-Manager, Portainer CE ist entfernt, Borg/Dumps/Restore-Tests sind produktiv. Entscheidungen und Hintergruende stehen in `docs/DECISIONS.md`; die Sprint-Historie liegt in Git.
 ## 10. Bekannte Ausnahmen und Begründungen
 
 | Container | Ausnahme | Begründung |
 |---|---|---|
 | `traefik` | Host-Ports 80/443 | zentraler Reverse Proxy |
-| `tailscale` | `host` | VPN-Zugang; Umstellung nur kontrolliert möglich |
-| `AdGuard Home` | Port 53 (TCP/UDP) direkt + Port 3000 Admin | DNS benötigt direkten Port 53; kein HTTP-Proxy für DNS möglich |
+| `tailscale` | `host`, `NET_ADMIN`, `NET_RAW`, `/dev/net/tun` | VPN-Zugang benoetigt Kernel-Netzwerkfunktionen; Umstellung nur kontrolliert moeglich |
+| `AdGuard Home` | Port 53 (TCP/UDP) direkt + `100.80.98.33:8082` auf Container-Port 80 | DNS benoetigt direkten Port 53; Admin-Port 8082 bleibt bewusst ohne Traefik/2FA, aber nur via Tailscale |
 | `Plex-Media-Server` | `host` | Discovery / mDNS / Plex GDM |
 | `scrutiny` | `privileged: true` | SMART-Datenzugriff auf Laufwerke |
-| `beszel-agent` | `host` | direkter Host-Zugriff für System-Monitoring nötig |
 | `Komodo` | Docker-Socket Zugriff | Stack-Deployments benötigen Socket |
-| `PortainerCE` | Docker-Socket | Legacy-UI; wird durch Komodo abgelöst |
-| `gitea` | SSH-Port 222 direkt gebunden | Git-SSH-Zugang; kein HTTP-Proxy für SSH möglich |
+| `glance-docker-socket-proxy` | Docker-Socket read-only | Glance benoetigt Containerstatus; Zugriff wird ueber einen internen Socket-Proxy auf lesende Docker-API-Endpunkte begrenzt und nicht ins `frontend_net` gelegt |
+| `Komodo` | keine pauschale zentrale Middleware | Webhooks (`/listener`), API und Periphery-WebSocket (`/ws/periphery`) sollen nicht durch vorgeschaltete ForwardAuth gebrochen werden |
+| `gitea` | SSH-Port 222 direkt gebunden (LAN/Tailscale) | Git-SSH-Zugang; kein HTTP-Proxy für SSH möglich. Bewusst **nicht** in FRITZ!Box-WAN freigegeben (Operator-Entscheidung 2026-05-28): Tailscale ist Operator-Pfad, GitHub-Mirror deckt DR-Bootstrap ab, SSH-Brute-Force-Vektor extern vermeiden. |
 | `ddns-updater` | bleibt in `frontend_net` statt `backend_net` | braucht Cloudflare-API-Zugang; `backend_net` ist `internal: true` |
 | `mail-archiver` | `frontend_net` + `backend_net` | braucht Internetzugang für IMAP-Abruf (GMX, Gmail) und DB-Zugang |
+| `traefik/dynamic/*` | manueller Host-Sync trotz GitOps | File-Provider bleibt bewusst fuer `middlewares.yml`, `tls.yml` und `dashboards.yml`; Komodo deployed diese Dateien nicht automatisch |
+| `nextcloud` | keine zentrale ForwardAuth-Middleware | Nextcloud bringt eigene Auth, Clients und WebDAV/CardDAV-Endpunkte mit; Traefik bleibt Reverse Proxy, Auth bleibt app-nativ |
+| `monitoring-influxdb3-core` | Host-Port 8181 auf LAN-IP; `user: "0"` | Home Assistant schreibt spaeter Langzeitdaten. Nach der HA-Container-Entscheidung muss der Writer-Pfad in der Influx-Phase explizit gewaehlt werden: entweder LAN-Bind via `INFLUXDB_BIND_IP` oder gezieltes gemeinsames internes Netz. Keine Traefik-Route, Zugriff nur ueber Token; InfluxDB 3 Core benoetigt im aktuellen Container-Setup Root-Rechte fuer den lokalen Object-Store-Pfad im named volume |
+| `monitoring-promtail` | Docker-Socket read-only | Docker-Log-Discovery fuer Loki; keine Schreibrechte, keine Appdaten-Persistenz ueber den Socket |
+| `n8n` | keine pauschale Authelia-Middleware | Webhook-Endpunkte (`/webhook/*`, `/webhook-test/*`) muessen ohne ForwardAuth erreichbar bleiben; n8n bringt eigene Owner-/Login-Auth mit (analog Komodo/Nextcloud) |
+| `plex` | Traefik ohne Authelia, File-Provider-Ausnahme trotz Host-Netz | Plex bringt native Konto-/Client-Auth mit; vorgeschaltete ForwardAuth wuerde Plex Web, Apps und Client-Flows stoeren. Docker-Labels sind fuer diesen Host-Netz-Container ungeeignet, weil Traefik sonst `127.0.0.1:32400` nutzt; daher `traefik/dynamic/plex.yml` mit Ziel `192.168.178.58:32400`. Route nur ueber Traefik/443 (`plex.kaleschke.info`), direkter Plex-WAN-Port 32400 und Plex Remote Access bleiben deaktiviert. |
+| `homeassistant` | Traefik ohne Authelia, Fach-YAML aus separatem Repo | Home Assistant bringt eigene Auth, mobile Apps, Webhooks und Integrationsfluesse mit. Der Container haengt in `frontend_net` fuer Traefik und in `smarthome_net` fuer MQTT/Zigbee2MQTT/ESPHome. `.storage` und Secrets bleiben in Appdata und werden per Borg gesichert, nicht versioniert. |
+| `homeassistant` (Ecowitt) | LAN-only Host-Port `8123` auf `192.168.178.58` | Ecowitt-GW3000 kann kein HTTPS und pusht per HTTP an den HA-Webhook. HA bekommt einen Host-Bind nur auf der LAN-IP (`192.168.178.58:8123:8123`, nicht `0.0.0.0`/WAN), analog InfluxDB 8181. Kein Traefik-Umbau des globalen HTTP-Redirects noetig, da Ecowitt rein im LAN pusht. Webhook nicht `local_only`, geschuetzt durch 128-bit-Zufalls-ID. Siehe `docs/DECISIONS.md` (2026-06-13). |
+| `homeassistant` (SolarEdge Local) | HACS/Custom-Integration `solaredge_modbus_multi` | Lokaler SolarEdge-Zugriff laeuft ueber Modbus TCP `192.168.178.111:1502`, Device-ID `1`. Das ist bewusst lokal statt Cloud-API, weil kein SolarEdge-API-Key verfuegbar ist und der Wechselrichter Modbus-Daten fuer Inverter, Smart Meter und Batterie liefert. Custom-Integration-Warnungen bei HA-Core-Upgrades beachten. |
 
 ---
 
 ## 11. Projektorganisation und Arbeitsmodus
 
 ### 11.1 Unser Arbeitsprinzip
-Dieses Projekt wird **blockweise** umgesetzt, nicht wild containerweise.
+Dieses Projekt wird heute nicht mehr sprintweise im Dokument gesteuert, sondern über einen stabilen GitOps-Betrieb.
 
-### 11.2 Reihenfolge der Umsetzung
-
-| Sprint | Inhalt | Status |
-|---|---|---|
-| Sprint 1 | Quick Wins + `vaultwarden` | ✅ Abgeschlossen |
-| Sprint 2 | `postgresql17` + `diun/gotify` | ✅ Abgeschlossen |
-| Sprint 3 | `mealie` / `mealie-postgres` + `mail-archiver` | ✅ Abgeschlossen |
-| Sprint 4 | Frontend-Stack (`paperless`, `PortainerCE`, `Dozzle`, `dashdot`, `scrutiny`, `filebrowser`, `gitea`, `UptimeKuma`, `ntfy`, `beszel`) + Traefik File-Provider Bereinigung + Komodo Einführung + AdGuard Home Migration + Pi-hole Ablösung | ✅ Abgeschlossen |
-| Sprint 5 | `Plex-Media-Server` Compose-Migration + `PortainerCE` abschalten | ✅ Abgeschlossen |
-| Sprint 6 | Hardening / Secrets / Volumes / Sonderfälle (`immich_default` ✅, Volumes, Mounts, AdGuard Traefik) | ✅ Abgeschlossen |
-| Sprint 7 | `Authelia` SSO/2FA: Compose + Config im Repo, Traefik ForwardAuth Middleware, NAS-seitige Einrichtung | 🔄 In Bearbeitung |
+### 11.2 Operativer Ablauf
+1. Zielbild prüfen
+2. lokal synchronisieren
+3. gezielt ändern
+4. Commit + Push
+5. Komodo-Webhook und Ergebnis prüfen
+6. Dokumentation nachziehen
 
 ### 11.3 Regel für jede Änderung
 1. Zielbild in diesem Dokument prüfen
-2. nur den aktuellen Block anfassen
-3. Compose-Datei ändern
-4. deployen
-5. testen
-6. dokumentieren / abhaken
-7. erst dann nächster Schritt
+2. nur den betroffenen Bereich anfassen
+3. Änderung lokal vorbereiten
+4. nach Gitea pushen
+5. automatische Reaktion von Komodo beachten
+6. testen
+7. dokumentieren
 
 ### 11.4 Source-of-Truth-Hierarchie
-1. **Dieses Dokument**
-2. Compose-Dateien im Git-Repo
-3. operative Checklisten
-4. ad-hoc Notizen / Chat
+1. **Gitea Online (`origin/master`)**
+2. lokaler Clone / GitHub Desktop
+3. Compose-Dateien im Git-Repo
+4. Komodo als Deploy-Consumer
+5. operative Checklisten und Notizen
 
----
+### 11.5 Operativer Git-Workflow
+- Gitea Online ist der verbindliche Sollzustand.
+- Lokal wird standardmäßig über GitHub Desktop gearbeitet.
+- Komodo deployt aus Gitea und ist kein Bearbeitungsort.
+- Webhooks sind aktiv: Ein Push kann unmittelbar einen Komodo-Deploy auslösen.
+- Wenn online in Gitea editiert wurde, muss vor der nächsten lokalen Änderung zuerst `Fetch origin` und danach `Pull origin` erfolgen.
 
 ## 12. Nutzung mit KI / Kontext-Regel
 
@@ -499,86 +457,18 @@ Damit ist sofort klar:
 
 ---
 
-## 13. Betriebserfahrungen und Entscheidungs-Log
+## 13. Betriebserfahrungen und Entscheidungs-Log (ausgelagert)
 
-### Traefik — Wechsel zu reinen Docker-Labels (2026-03-28)
-Die statischen File-Provider-Konfigurationen in `/mnt/user/appdata/traefik/dynamic/` wurden vollständig bereinigt:
-- **Gelöscht:** `immich.yml`, `gitea.yml`, `mealie.yml`, `scrutiny.yml`, `vaultwarden.yml.bak`
-- **Verbleibend (notwendig):** `middlewares.yml`, `tls.yml`, `dashboards.yml`
-
-**Hintergrund:** Die alten File-Provider-Configs haben `@file`-Routen mit `@docker`-Routen konkurrieren lassen. In Traefik v3 gewinnt der File-Provider und hat z.B. Immich auf die falsche IP geroutet (Bad Gateway). Nach Löschung läuft Traefik ausschließlich auf Docker-Labels.
-
-**Regel:** Neue Dienste ausschließlich via Docker Compose Labels konfigurieren. Keine neuen `.yml`-Dateien im `dynamic/`-Verzeichnis für Service-Routen anlegen.
-
-### Komodo — Ablösung von Portainer als Stack-Manager (2026-03-28)
-Komodo ist nun der primäre GitOps-Stack-Manager:
-- **Komodo Core** läuft als Docker-Stack (`ops/komodo/docker-compose.yml`)
-- **Komodo Periphery** läuft auf dem Unraid-Host für direktes Server-Management
-- Stacks werden via Gitea synchronisiert und über Komodo deployed
-- Portainer CE läuft noch als Legacy-UI und wird in Sprint 5 abgeschaltet
-
-**Vorteil gegenüber Portainer:** Sauberer GitOps-Flow ohne Web-Editor; alle Stack-Änderungen laufen über Git.
-
-### AdGuard Home — Ablösung von Pi-hole (2026-03-28)
-`binhex-official-pihole` wurde entfernt und durch `AdGuard Home` + `unbound` ersetzt:
-- AdGuard läuft als Git-Stack (`host-services/Adguard/docker-compose.yml`)
-- Netzwerke: `dns_net` (feste IP 172.23.0.3) + `frontend_net`
-- Port 53 (DNS) direkt gebunden — dokumentierte Ausnahme
-- Port 3000 (Admin-UI) direkt gebunden — Traefik-Absicherung ausstehend (Block F)
-- `unbound` läuft weiterhin als Upstream-Resolver in `dns_net`
-
-### diun — Entfernung (2026-03-28)
-`diun` (Docker Image Update Notifier) wurde deinstalliert:
-- Stack gelöscht
-- Orphan-Netzwerk `diun_diun_default` bereinigt
-- Repo-Eintrag `infra/diun/` aus Git entfernt
-
-Update-Monitoring kann über Komodo's eingebaute Update-Notifications abgedeckt werden.
-
-### ntfy — Push-Notifications (Git-Stack)
-`ntfy` läuft als Git-Stack (`apps/ntfy/docker-compose.yml`):
-- `ntfy.kaleschke.info` via Traefik
-- `NTFY_UPSTREAM_BASE_URL: https://ntfy.sh` für mobile Push-Notifications
-- `NTFY_BEHIND_PROXY: true` korrekt gesetzt
-
-### immich_default — internal: true gesetzt (2026-03-29)
-`immich_default` wurde von `external: true` auf ein Compose-verwaltetes internes Netz umgestellt:
-- **Vorher:** `external: true` (manuell erstellt, falsche Labels `com.docker.compose.network=default`)
-- **Nachher:** Compose-managed, `internal: true`, `driver: bridge`, korrekte Labels
-- Durchgeführt via: manuelles `docker stop` der Containers → `docker network rm immich_default` → Komodo Redeploy
-- Ergebnis: alle Immich-Container (`immich_postgres`, `immich_redis`, `immich_machine_learning`) sind jetzt vom Internet isoliert; nur `immich_server` hat zusätzlich `frontend_net` für Traefik
-
-### Secrets in Komodo / Portainer Stacks
-Host-Pfade in `env_file` (z.B. `/mnt/...`) sind in Git-Stacks nicht verfügbar. Standardlösung: Stack Environment Variables + `${VARIABLE_NAME}` in der Compose.
-
-**Regel:** Wenn `_FILE` nicht unterstützt wird → Stack Environment Variable. Kein Secret im Git.
-
-| Container | `_FILE` Support |
-|---|---|
-| Vaultwarden | ✅ ja |
-| PostgreSQL | ✅ ja |
-| code-server | ✅ ja (`PASSWORD_FILE`) |
-| Immich Postgres | ✅ ja (`POSTGRES_PASSWORD_FILE`) |
-| Mealie | ❌ nein → Stack ENV |
-| paperless-ngx | ❌ nein für DB-Pass → Stack ENV |
-
-### ddns-updater — Netz-Ausnahme
-Bleibt bewusst in `frontend_net` statt `backend_net`, weil `backend_net` `internal: true` ist und ddns-updater die Cloudflare-API erreichen muss.
-
-### mail-archiver — Hybrid-Dienst
-Benötigt `backend_net` (PostgreSQL) + `frontend_net` (IMAP-Abruf von GMX/Gmail). Kein reiner Backend-Dienst. Kein öffentlicher Traefik-Zugang.
-
-### Netzwerk-Standard für Apps mit Datenbanken
-- App → `frontend_net` + internes Netzwerk
-- Datenbank → nur internes Netzwerk (`internal: true`)
-
-Beispiel (Mealie): `mealie` → `frontend_net` + `mealie_mealie_internal`, `mealie-postgres` → nur `mealie_mealie_internal`.
+Architektur- und Betriebsentscheidungen werden seit 2026-06-11 zentral in
+`docs/DECISIONS.md` gefuehrt (ADR-light: Entscheidung, Kontext, Review-Trigger).
+Dieses Dokument haelt nur noch das Zielbild. Neue Entscheidungen werden dort
+eingetragen; hier aendert sich nur etwas, wenn das Zielbild selbst betroffen
+ist (Netze, Zugangsmodell, Ausnahmen in Sektion 10).
 
 ---
-
 ## Schlussformel
 
 Dieses Dokument ist keine lose Notiz, sondern das **operative Masterdokument** für die Docker- und Zugriffsarchitektur des Homelabs.
 
 **Zielbild in einem Satz:**
-`frontend_net` für alle Web-UIs und Dienste mit Internetbedarf, `backend_net` für interne Backends, app-interne Netze nur wenn technisch nötig, Tailscale für Remote-Admin-Zugriff, Traefik als einziger Web-Einstieg (100% Docker-Labels), Komodo als GitOps-Stack-Manager, AdGuard Home + Unbound für DNS, keine produktiven `bridge`-Container mehr.
+`frontend_net` für Web-UIs und Dienste mit Internetbedarf, `backend_net` für interne Backends, app-interne Netze nur wenn technisch nötig, Tailscale für Remote-Admin-Zugriff, Traefik als einziger Web-Einstieg (Service-Routing via Docker-Labels, File-Provider nur für zentrale Dynamic-Config), Komodo als GitOps-Stack-Manager, AdGuard Home + Unbound für DNS, keine produktiven Container im Docker-Default-`bridge`.

Homelab_Audit_2026-05-05.pdf

@@ -0,0 +1,194 @@
+%PDF-1.4
+%“Œ‹ž ReportLab Generated PDF document (opensource)
+1 0 obj
+<<
+/F1 2 0 R /F2 3 0 R /F3 6 0 R
+>>
+endobj
+2 0 obj
+<<
+/BaseFont /Helvetica /Encoding /WinAnsiEncoding /Name /F1 /Subtype /Type1 /Type /Font
+>>
+endobj
+3 0 obj
+<<
+/BaseFont /Helvetica-Bold /Encoding /WinAnsiEncoding /Name /F2 /Subtype /Type1 /Type /Font
+>>
+endobj
+4 0 obj
+<<
+/Contents 15 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 14 0 R /Resources <<
+/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ]
+>> /Rotate 0 /Trans <<
+
+>> 
+  /Type /Page
+>>
+endobj
+5 0 obj
+<<
+/Contents 16 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 14 0 R /Resources <<
+/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ]
+>> /Rotate 0 /Trans <<
+
+>> 
+  /Type /Page
+>>
+endobj
+6 0 obj
+<<
+/BaseFont /Helvetica-Oblique /Encoding /WinAnsiEncoding /Name /F3 /Subtype /Type1 /Type /Font
+>>
+endobj
+7 0 obj
+<<
+/Contents 17 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 14 0 R /Resources <<
+/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ]
+>> /Rotate 0 /Trans <<
+
+>> 
+  /Type /Page
+>>
+endobj
+8 0 obj
+<<
+/Contents 18 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 14 0 R /Resources <<
+/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ]
+>> /Rotate 0 /Trans <<
+
+>> 
+  /Type /Page
+>>
+endobj
+9 0 obj
+<<
+/Contents 19 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 14 0 R /Resources <<
+/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ]
+>> /Rotate 0 /Trans <<
+
+>> 
+  /Type /Page
+>>
+endobj
+10 0 obj
+<<
+/Contents 20 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 14 0 R /Resources <<
+/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ]
+>> /Rotate 0 /Trans <<
+
+>> 
+  /Type /Page
+>>
+endobj
+11 0 obj
+<<
+/Contents 21 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 14 0 R /Resources <<
+/Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ]
+>> /Rotate 0 /Trans <<
+
+>> 
+  /Type /Page
+>>
+endobj
+12 0 obj
+<<
+/PageMode /UseNone /Pages 14 0 R /Type /Catalog
+>>
+endobj
+13 0 obj
+<<
+/Author (Claude Sonnet - Read-Only Audit) /CreationDate (D:20260505184207+00'00') /Creator (\(unspecified\)) /Keywords () /ModDate (D:20260505184207+00'00') /Producer (ReportLab PDF Library - \(opensource\)) 
+  /Subject (KalliLab CORE GitOps & Design Review) /Title (Homelab Audit 2026-05-05) /Trapped /False
+>>
+endobj
+14 0 obj
+<<
+/Count 7 /Kids [ 4 0 R 5 0 R 7 0 R 8 0 R 9 0 R 10 0 R 11 0 R ] /Type /Pages
+>>
+endobj
+15 0 obj
+<<
+/Filter [ /ASCII85Decode /FlateDecode ] /Length 2097
+>>
+stream
+Gau0D?#SK;&q0MXR&@eM6CQ)Y-0_n7c:=A":+[7c/cl`O30H1o89me\Y]50j4\LnOR7a`2j]I9!jmLEa3BK#Y6U;2GUA6lT'>;,WZaYO>9@n4t^?sDB7s]6)EcY[t8&S<PmQ5I%fHn3jag!kuHs;8q90jQMDAYnW:2#DL#,I[L5G-S'&4N`t[VN=^A:($B6db@H,<N]bDLZ=]Od*`OpI>kBU">9Pi3Q_H'40>YGBOoKan)>^gPr=,TcFu>imo56nB;F9hpVEZiik_UZingCYo=(.mFW/VV!Bn/IRpb<I8$O1bN77nZKQ_Ajp]./FfHp3*EQE>JDV/brKXO82VNm0"^lY-3taP^<AB?HN^#dS[mdk[$5nKW!$oe>#8Tk`0/1l;1UbAu7cW0+Qe^_bh8h9jg)=DuRa6,^2._GQ^H+RtW#KI@N#'gN:ZG9gkit_,^E]EK-_^!.Fh&sc-bA56/TSG^>K(e^JE-G-3.$qX!GUK2NOue3',O5?YKmI:8H5O.XP!#&J0_+:R:l8=oY)`SF)%A#[oi`Eqf;OGXqR(LH1;$=,.*%GbC:M.B89n8GSEP3^Yn6/mml/Y^9]]R_Vb_Df<<58i?C;aT\AcRqMoQ]m/_)R)EY<FRRqbo4"c_>2<?pN<Lke_rne!DLP0n\%$T\QF.OQjckurs,ht4Em\MZE4Z`^u6U;;Ta7ct5R"a`cXSM6+4'1n)KX)q3`c`'8&I'+I%dNcmo"W*<51]la?GhV9I.'G)+6L\_;e"&`ignY_kb'*HaSiVim_e;DG^KhLhA!=j.OpR<.-3<t>Wl&V[qUh%c?NSqR@5_,gsiF'$!cSQ3lt?dE)i2=Ws*8Y4L(J*9?k"A(Q-sd[OtPTTJi4\8X6u;V]/pc\L^aCF-aM8'^IE0<P@P-8h)s"gEOg5.*,>pTK5k_<TGGO?icPqq<u**O'A`E'I'JLl7)&$U^>@(=4[9GKjqj</m?bih((GJ(:mn+4f:4gJ)G,Q*DE;]VIlAZUP?V6<3r=i*l(gA._u0[XZ<Fi2,2rBEWZUe(L1!P]<S43'T(dK>qJ'8$-nV2_k<+_Q]tSCHN\`rTZ8oAoYRWY@.)3rX[Q/hCW[<^/K;c4SFS!Wmcc6R:1\!X9K@O(Zcma=bD\=(idpD!*o>ks;KF2"EGc8s"FIU#GbM"Hj5?)$bu*(QlaoPdCt,PnC+RB>PM,LZBs_N@&bZOiDg5P&>4\bg"<`Tt*%T9:+W&WNQe%"".:`VZ$%D7H>r;SCB_B>0rc-?^]$#2,c1&7V-ZqCfOj9X&.9jm_8H=]PY4%PBiZa1i9U=E\p/j@aKO*J_GIq*mhl]/>Rl(70rHlX1P`JHIr;T9m\(B'5A?jah7jLTO%35b@H`_T^Y.rT4O^.YX2RU#'[&m$r?&Kjo1t-6(XH4,jU>0*WHD+iD?M4Uc-Di71XEL&/SRV,F@Rmk9?Kp,UjlreF2/9F:\fF?AIOmWkW#)2[E9'i4Ho<GSrY9Yiq&K]&X-(*`X\V.cmnQf'$soa-Xd&Ob7/?GJ!6)nf_qf)jMJ!Wc>:Hb>frEn2E0)U*JFGYdMUe5h+*XpY.)&+l<Pr:@]]lGakJuCo4GN=7$][G1$_=)0r8_osc'HqVdRhEVF.OCtYO`UJ_a-DZ,V,um8Y.Kc0`UKi_rlisTF6h(C!$30R4:294m;lEj9kmg7fCU'!:P&b7f`:ppcuN`TM3f?`*%*'qVHOfn5:i7h`X3e^"-\dG7jB^l:s/P#&%5*Dbs`!0#$L7I39eRRYk%jf+U6?m4ZUUgI!FD'kQ^e`GUF-hX&G4DSd8SFp8<Z9+D4_-/<I^h$Gm&gL//4q^IbB_^Q#k.9'lr.1H)&De+nHp/>E'_[O/VBS7S`JWM)bEX0E&+n5G]Z"%"mM>ds<_9`]RQ4CV=&>h1*_SbgEK]t2E"[Ag%&7VTrfH(-TT/%n:$19+X7/hE='mW9^'CU3*+N!*L!Vc,."64Fjr7fNj6f3j3^%o)E9P`.:$[sMNGb3@fDPhfMj8_t9RTQr$F'[jOR/WX4gA#3bYnY1rNMfX01)\@%Y"aCop'Z1A[XKfdXLY9:[U&0*.SFE2:9@0\cZ=2;BM#ttLJIgRls+?t~>endstream
+endobj
+16 0 obj
+<<
+/Filter [ /ASCII85Decode /FlateDecode ] /Length 1616
+>>
+stream
+Gatn%l#59H'YqKHYB]?1[)*<]Yq]Bq-,PeM3QN*tlE2V1!M7Oeiu'm!QR:ENIc"O"U$7])8e-6m]]8ahnXrH<hY-u^!4YSYD!6H56^iSXEa+W3_]V,<GiCXAaDZjlH@Db\mp3[CGX39jINiKIlih:Z$3CJpThF\qn7+Cj7BHhP6MBPP/(o]d)d:X[SQn)^lj*7AOo9*mdKXW&>o:+La7"6aqglAER20af`J!1$C^.Rm1&qR9WWE@[G,kd*i&CVUBnl9W)Ua*XI:Lgph##6M6VSV)+,'WuV?q9qi#`7$$'").0g)f#AJeUq(?m.*3c<"4r7\R^ftnV"nZ_W^?b!3p,e-n#6j`BcQ%mE"Ja%Y^0V9U[rXN`Yqecs%gQVj5qEQG,[B1K'Ybp+[G-'Z*fCV+dGOQV3K8r_3>?Z*-`p**cOfnqTk?I'!lg<8%QjuX<"6Y[^K3H,]6(otKI(jF4Pq(9M_8NSR$3n!6^dJJ:[AjRuL81Ud0Vl5)k^<P6a<a$\G'YMQQNfYnVm`6$?>Mna^s0FK\Ps8q:BZB5TNpt+._1(pdMc3,4[SdX8>5e$+SBqB0uK8-agDPLECpG!PYujSdnQ%RqZc[_PO9\:,h$;N)rD0h^D_&O9#l.>Bg3IEdqSC@p0p.uC-Zu"m>Z&5_>CUEV_]29pS6SQg?YWllg\NgDFTsa2][lrVfYSn_lC"1S`<2u;VGeL<Y918$kk77J^/M"RMhrm?)>4;RG[pbaEW`AEUL?$AC!&86Ye9M#/XQE7C=oK'?WA"9)*@/]*C.Id"Sa]jsX4q0q_N02IBq(9nuqFTXdnLikt)W>hOa7<-l:&nPR^5(D$l4c7^D]aj#'93e'Aq6rcDQ5];d9oD;Gud8_:?69RTUWYtWXMm^?u6DASM4>RieK7`qh;TY>).pt0-9[V`MW?lu7+V^>Cf-]cVM-Qh#'4P)PK?$Sc3+(c<WO()-WN!-#h3r(]3_n-MpL@BpDZ3]Ng:FMa`a(WlRKC*Ka>q69)7:+?Q0.4;Wn-;PUiI_uS@.LO\3M6XDTF'D(o9o["OZ5'a(QO=Dj2d7EJ&RK1eLomS17"2CdD:@HfpmLoH+VMgMXYOi6brbd%Wa<`.W-s[qN-NVeF!OmASS/+M$9eQi^Gga,T+S9K*#"hc8SV.eoUfj&+9Y^s]]j/Ta#]6l,acKQ+"dV3*H&7BnN/b7,34cNE!t+Wc+pcs_#u#Mr*7!E*D\W>2*_A@U\\9`bEeJs9@!BO3MDTl"/8X+,\SD.j(de4Z`#'P`=s8s8IGQeMj.>H?1KAsXTnf622.Ai,/6-'7(`cq[<G+UWs88V02_gCZ?6nj7f1bfVMCfHo<*B2@EZ/u[<&>PEP\BB7HRW\%O40r*oPYQ&hoCcbZ^EA!J2V9s,HI\#>DP$='Ao2j1<c35-2EE5/JWEI4d3uc:8<1j%(>Eb)pblmU*WJr-=HR!LD["Gk=F/o)<bQO[g.%P_7epb;!m6[G10Y'dDS."TujAW1g>F?cEc5_>d"Uif+kb2diV\XqScrl(l1<Qk=MU>;`:bRfT%G*(:0S@#=EC88G\7m/&P*u/;!7\pNBS"MF9GccJXj(@K+AMQKp24_lJT+U(m-@s]-iX57.N;C~>endstream
+endobj
+17 0 obj
+<<
+/Filter [ /ASCII85Decode /FlateDecode ] /Length 2759
+>>
+stream
+GauHLCNJ5g(B*Z.EMq7rDT8LJIUm&7<jq)AlSs&6[@Zbr`WM'j`/4[t5-3DkrU5(5;DOLeQC?(L:+Ut+^jVc#EBo]rr0lp>1a>%#e*2QXVFBO49Lj;?r14,QUYh)R,Od8A-/Gpp#P5OgfV\%70fp"M*142&3jqb#kj"9$a9m%DnJmSs:@Xeu[Bi<9m`MZLG$j(5jUZ2l4o(jr`<*BRcLl94ZpKrXbLY48j,B#%=dg]+fn@XhLBGug1=(3&@BY]SMCc[91rI;I+)(R&NSd9LXa?ZXdFDdEHJ>j922uiYEO%YFm>6SfH5QWh_-pbk$jV)e>c<FDBf3=.3K(7KOZp1%s%X[$JqeZ@CSO!dTBidl,3kQp,EfUodBhQBqM(mQ[c%;kEZ3N2+S8J)klu_#^d#^H/bj&WT&Z:sI+S4_OlM.A&;1&g.?1S1:'I6H<Uci%\,A2*Q7be^R'm'l-f]>s>pNEJ:?S-"&eQF!<c5IW>JD,!p%to9)t_<aLIe0foD)trTi,eXp#hd#./++@:b?9::TJ$GBlr%7>Yj\GHW_A"OLm5\[t)"(1".gD%i0(I!u\[7>&6#BS#sf@10GLLRRV?ViI[d,G\!c\j*ScL>c:(ZAKq.:M2ElaN*fi>WLls&]V%iY9]m-bG`n1sHo`o2luuO/l04:"I$s+mC\NlG+He+(B6:uQ.2K7H:;')M/Q59aMBY0pbje+%[BOR1YBfeGS^<6A.7L>V_^U4%:0/<cOY\V)#gb%M+r!2A;!YM">U$k[2QCi/FiK)6"oZl`[HY?R%nMf@mnStHqgRb'e!]0'OAc$35b[taDgF$M5^_#i+<EjFi+tS]ER3Ak/q7(;a8&Xq6K5Bng\)UDIAoO/G&-`lGN>jjLW*aYjkGc;/JhSOOD/pWcgtt@QX&j_MC6"Pflj;UBYH-X)GKRbG%?s5Jc:Z$TNEB3]^!QW8pK`lq7:@EeS`=jC<k:]mI>$<?h.ojG4]mf??dBf.ab,Qe,!"/G0c.L)pb)afX@X2T&m\"pFQ/p"4CG%S`>`aK?3_t4$'u:pX*,I&Q-MCHc!+OA]nY1.Mr!t@G,>elu*T(QQ<gXQCsM1jMafn^B!^s@+Nad_U>U^.j>XSlbEY8iprS5$mtq!U^,EI"&I9\E/D",AhQ:Q,=r\X=@E&AfQqAHaE8bODhFY7RD<K!JPOmd^h>l^2V=G5W0mqH2Hs).B!BZnS#.6oVOCe?J!g^bC:f5LbcV3<oT*??CF&:pPmk0Wh*#Q?Q6q(S\P380ZC<D9?J+"(h/p3:V!Im,Rt.-bo^R1T9dl=*[J9M!LlSRn7ZN1d^k8#b,uuIo(<fCtG/Gcd.CfE-F[G]m82rd=p&C5T3_ibms2J#VP,\TLq(kFh6-neo%kJgc,1JOF%-'%!HD;m'`fa;2`H7\6JdUU\_/VtY'!GU%o#-LJ=M%/!.-2:djK.F:9I;2VQck!oL6c5^Q7t.gY!WHb=P)<L@mO:p=8INFOt//pSqoAXL3X5[3+isP6;bmkEmR.9:Kk[7+*!J7Nk:skM/nj3]G(3EEaCrg`J-q?oWI'FL?Fn)57`JZ]q<<2%sP_7kl,bX567=/1?bAM)=*lOFVF$&Q+AfP!0?VOnkMc$6(3;c`@R:.6-j\.X.#d!)e^4P.Q1RsC=cctK"73o03V<#heVsX)GQ>THLk8R8GbL1Jj71i>3-mU=;`Vq/]kA5(k3p`/DFhX(Q?DVU'Y=\3.cHV3XrBkXBXH[hJS,<7'Rf9c#NL=7B)jjSAMjM'Y@i2r6mDqSjEBra,k`U2U=:'mPr?*FiHk8TK'jjADD@Q4XdZ(Dc&D.b%=p(A6ni7%saGYYk"p-TNo:[nd5&]lpO-t7Q9A>"0Ct@oM,Gbs,%`JIFjZ`T-FLcMKsS2^=.ga#2g58!gu0E4'%ZJ]Vt>4jKa'/9LQsjoFE"6:3.!pZW!P;T<]rg7B*1FmXJ<J72>/f;W?Q#Wb^DuBRd!o72!We3_bKi(ppV1<qj(I*9aC@:n/9r$=MHQjfOXI)!VG6Tga=)f2Y5h@oeqS4DR4a2"k&s%_^]aV<Y61%?iPMj:p3?4i3h&O[h8]Z&`-H<HqU+O%CTiWL!\K!j4]7JtXs\&Z9TZcF2M;`[A/$b_d4a5p3ReI;.PUKjP3c)^)gK%Ed^uMmmeVHZRrVICLAh?/FFE5E#g0_nl+dhuC<:hM`PZ#QOYH!A:n@*Z$BfRj%Gc0+,F,3lH]Tl4VcM5,gIQd_ehLBG&VPq(:FoaZRlcg5&N4TM$p$h-FaHr2FsqJOGFY"bsI>(dJGDOLUF",1Gk;"sR7%!nO#aj[)_:.1:Z*^+?g]_\N$G"ECJ4Veaf`nlQ[V-&P6:b&Y?D<lE8)YgHY:.3PNhYMY_oN%\%Rpk$rqkf;)'mBC;rj\`2R33Xb<[]RakcS/Y1N8uLSLhChL.s-#]r^8Wh*?]i\=>.(@4ZPF0]@#6Ie,`8#'eEsKWVg"X33>F<cd6WGR:M`Z\s0>i46*sOAt))ja)'N-$>;Ko/nghr!!k,B<".$IkaGc;3O$;1@ap;`d"dEW9Y9=RL8.q[9Bp_OgYuF\)FXq#UCbI]#F6<'g7XtA-#_++8R@/7"%aV99Yi'p8IO%UEBW-r'PDSha]E^"g&N]TPbD:8Qe1&<X\^fqKZ,k-m>?ph+6r5eF1=)<UFf8ln)Nq6=8gTl=+0H?(OEI.V@M1;a'\p-7o[r4-#l4e0L&_VM5]VM2ZoR,neRmt?JiKj>FT(M'@_q#q&ZpKOB9a5^t?$L%Nait^R7$&]`~>endstream
+endobj
+18 0 obj
+<<
+/Filter [ /ASCII85Decode /FlateDecode ] /Length 2447
+>>
+stream
+Gatm<?$"c/&q0MXfU4oKm?f`F-+QgWA#F5BF_.tkF'h%k#YBhC5UA^sf(@#?"-B7Qe;6#aS2cNT&D4=9cImo!o'j]/s,M/pM]nWsqr@u=S<+i'&Ii[CC3]<iM<f;JTG*OT#JCE3]0R/-@>Ba)M8[;;5BPp6$n:V`0%M<_FPSWCU4`kKPFkV:c2i(CfPKAZp3#EBHr9bs0jf**4Q&0G`JL)VJt>co+E["B_joS5@Tb$qfn_7&#$9m40.Q-&IdL49ckL^jicm3Wr^ap[2#PH8f>.85M!^CR6m'FbmR^2ZBMQt+7XMH"I6S0jMr:fr6sbOf&R<ZL"b':g2W--/*b=uui;SZ&X+CP'Tq!KqAZMi\9Vu$frs-MJn!F5P@Zt-XL8!3"#u%J55pqP<El/fdpJi=WL$!2Mc^lFT?uWcnF(--h$SQO,dY,q%9eQbQ!H=Ha.1&RuX/@,@omG@5%W;8=Pt^G[^q!96Qb$Q4kDB49EOjd0pDX-gD8:'CLnefT^?>5'+DQCL]s&=N*LBh0o,D)2"ZE]KS12p7a^/i6btBK9B-YBQPY-L.(PPJ^\J?i#UNt7gEp#"6j`i]HY)j=YdZ('#X246`QWMM"rF,a"i?PV/>_@M*:9*iCU_qFbbo&1B!dj@&0#XCN-tgM(n3W`[)rV2_PFP`dSj;8FOBb[9Ur[O(cH4V,4%!iC>R?6,gG5S;BM[A7M+aJOPj9M'\]D"bg]56XT2dV<A8:@6E!4*L-&E8Ne-3n<l[YPH#toIZi#Y_HBO>%tT%e,Jl9e'7/G^*=N4[mgJeCddTuaI%6lhm(*udZ2'IA"2g[!jcN1R`u6/:3Yi*4rb;\4[=+AQC&F"_cALaf5XqP;9(CB5>m\cu5hS<j'$&U43@@/Rt/F:h4%Ydb@b;=?2YhE*p>q(s]R/``sRP;@mbU1DM)B?m<92S'n$S"cXrX"E610m:-FN,L?TG;B#uUc=p)$Wj8_:o[?'b$WH:#1@c$H%P0.QXWpZBF#.s.AU<A87;W!Yu"g&>Z1hYb_2[i_;-N*@BGuIBm4DCqn>5@d,!moCVb0VF2sq)I.Q@a)VT/p"%nSEVL0P_1cilR7<A&k-$,b;cUP!dWWo13F4KK!`._30hOaMs+pB7TBi/8f8?h(e/l,&u/@*bho:h+B2+;^E-_&0ecrdq,Tskj5a(&DZBaM)n/#6IqXYX6^,"k_tZo"2f)U$;++F&5mB=316cDa6Xf(_C[PPQh1j#Jc_Z-!l_jR-fT2:tA&dlEC&Yl(KH?)TqgWM36u$sK,=)gS9-Of;D]:p..Pf%alV\Z@`?X\Z/Na(SE:T5E+oh&6LKrLr0#RTF/.i"R4\/W#?c`.YU3GRLdD9K1IK`.)jIV\qB9B>\_V27S>5!RoY*Q8DZg%`kO):l,VkTN;irTiVpKO'X!n-1W$0SdV-IZ>PGYX=T\F+e)ML?b'f0:[*(g<VZ[fMS_OK$@BggQ]:mTe+@3NfUr6K/@fH6FKLZ,UQIgP!Nf5D2C=cn/&#p$7K)79)Qt+OZ?.^ekrWA7/],"<]^B%B<h+N>=2a5O^<lADXDoL/k=V&W&4(p^g/@I'C%J,0[5L9+T`BXb,L*0timO[8Ru`4$nE/^/)7*%a-=Xh]44Te#U+fm^LIBWm5)--8.hm1$O=]`<O(8hn-DAJ"VQ08N$sh0g*4E(3[HsnnKpFO;\/8pXPK?;ChZ8l+UKJ</".K%V[qPK78Th&q<@_e9d8$f[+`\pK`4/2u)SE:JUp[tIFFc&U8hV&(cO;V`lJA]XjBPYEm!S(,TKZ*n$a4a.QQbhRqN*%J6EZVtr]jg2("L74fjX8!%"g]G`'sB%<%p6NMt3pBhPdnjko%eMF8D64brG52KHB0"cm[&X(5'7jdgS/Abk-.[&c)Mf\%;."$\E8D/@IO0lZJ?jGo85#*E01XbkHWq`[V$1G#78,WW#._#._DWSC/*X1su!tP8,P)<:/D:CT^As13::)raOiR<48XtC_0YpFoT@5KU],Z(i1$e)\F"V6qjW_)^oFtnIf^FnsOP`LiRB\;m'f*0k4;jO:$4+4ir^G7jD"8;N2N*$CO(NDLCL\M/_#emIW7g>,,igo1bE-(OUPfKp[[npE+o7NqQif\js)rS%Oc$.<%<(#%nn["P@f<)#qNR`Sf)q4hr.3dS-"I@dJVS*nb700GSgCAeif5ANm4$,$]URjK3PMCH7AiiI3$;EPP7U=-!m%mlp/aiFWME2st9ASM6CC7(gU&Bt]f'_g(82Z1u-+NlIh(Ggr2/^![0#A*VP!nBl2eCQpnd1C8mYnRY]%.pY_`r)]\ZSF0p"5>&]Bq*%FNX)@iRQt;7b?&uB>/0XY05ENk<+G)C'o9"`DF:JK+I9N;Z_h[42ca\SE]jCe%GAbs\-K:J*R3Ck-ei^CP>Q',Aq'aL8fMg\@lF_Zm9s1SpR-$;:R%b+"LS&Be3h?0j5J-1m~>endstream
+endobj
+19 0 obj
+<<
+/Filter [ /ASCII85Decode /FlateDecode ] /Length 1691
+>>
+stream
+Gau0DgN)%,&:N/3m,Xk(Ak\!\8<@q+3ht>AOuc?S99Y.F_'19^i^MhF:,DkD/gq;W>rddBg%O')/\$-;(4-%5JrSZpq)qLS?I*$W#6i7X('/Q6"1&O-AiBKH,.9.lk5q>.E6qCJ_^Y>Q=H#"_fVb7L%d2aS0#;N/Qqt4:*!(bFkgcVgbePI+%NTBG&sqo;0RnfUC80\iFGnEZ6j,'6i%n,sR'RK5?H=CK5KI%gqfME6/9mMZ.RA,RLN*LAB#:iZr:q(>?XWS"Vq]XH!2?*B,'r[_@A^#].g>l:HY11pnML.K_9Yi.@lp%o_$))lP\mY\-lH3\ZK1I+msj8*?,2G'kLMIcP4*NraXldE^W'`k&I$oaXChq#F5+T$T\YFl*XDY#4C-iW%e?rO^lTr<K]>q>H+W1+Jg1?Vqgjet!`KNB1P,&l#p'I9jD+kL'_Sc*]NL=_ce$@dWedGFH`RRUMCK5R`XD_5Wm4Y1)DE0siPb<hQNIVE&rL;B4U2jN`1t0Q$iQPMP!IZkO&%q6gHL<[g@5k8(3G\LI7Ro'h]&!Zidf*Dlsr/9m-Nf@0/D;(F:aiE4*g4M9YHujLQUC[.S0C7$;u1@"o\B''Sk2aq2+\@R+#*1rJ``"4lE"rHGG6:h'bB[]+)0U*QB+\:`&5u)a1<6<L:DXFu-SO9(ulXr\i&tY*LPo-/>Nt\h#AQQ^L1N$fge:36tY`aD@R$&m]prVQSKae5b"@P^oIallk2i0dn[FXGk=pA_"VUW-HC^dHn2%MrFo]UkI@*`6XQOLpU((V$6>_U^W?C6l(m,@eCkiPB\7FD)f3LYN8*10Cgq1F(fi&PHteN3@]9-2(V^sTm.ZM<<iW4_(%)F[5shAa0rh*,-KooQ=Jqtn:ca7[=!^tF9t1l(60?Db&E8#(r"`_iB(&8WWW_i?P/RZJb=A&&G8bplU2bcNQJA"->aZWdq6Q@b_l3`<p-bnhWD*L@9qr&]rL'RW3bu=];J$d5/X6l<!HE$'$lnER*Q;/4(atRh"8lk-':(8Q%D`na?"p\.^gPNA<l-Dfbke.FnjUJ5)CKVgBP@Pnl2g0$G.`)cS2:diI-U+;$(?.AS%R.a'!T`l?+3r=?=5"csI,qVm:qX$"d;qT#/0iDa:G7e!8(^c%1"1mFaH:#fkrcR.aP;Wd0cZU"OfL^!`O6MTIu[b=jP;8%6@5&Ya-g2TH$f9]G]/_ZRl'Zga"$aJ<^2'B8_0EYM87gSgHJI-HVDrDV@iiX*h>S<S)_W"XD[a@Ko`r'$%%qV1g]W(U-\^9CraSZ'AWZ8a;q9C.:2L$J\2F%/6UV.VV0^sg\Y<NiOh4C<:cJOem31B.:eTA0)$7r)!mKiGYIVl_kIScDnB[6B.0C!"."H2Qs\[UckN&`q;Zf[EU%D51Fs/!3$-RV%F$gmiO-.Z\[rD=a>@Tnh@Q]ZQ.)ijl[O]Desgd3DXRK?TaM$EO8ujlnfZYu`aJQ?TjuM"REN^,?c`'Y]N^&"B2\[j/cKhHX0Yh.rT?osIJ;>I/J)K9,EV^tt/C!pT$1^'dZqikq[=QUbCgoNc.=/q%6WF(s+5`.3n,NQW3Td&(ff!=WhR/q)3qF(s+5]E&FX)OEO9ThXS,!uT`K/inNVc.:te;"u%:0u+nm#gNF$e!l-O1plL-DP,/Tdhn%kf(&UARl]^/KJVTQl`oafN;a"A"#*F~>endstream
+endobj
+20 0 obj
+<<
+/Filter [ /ASCII85Decode /FlateDecode ] /Length 2670
+>>
+stream
+Gau0DD,]4L')p1[kh<TYA1MgS^RM8#5[Xj;+[]kSak]ss-o70%Zt%:cZ5j_Kp:kN=IV4EE$*sa9)G0nuW;BH$#T3>tW;dYO^tTFWS.QkjKF&2o[ip,0PORM>"5WHPdrRc%AmjZ3DV>l24:o[<NgkH+l&KU`huo(#lWc,lh6L>@"[O=-q*7M0_:'DR3b[U>N[;H5qsDNZ,o&A#`]D/jh7sF)pnjl<R:-;TQVj3WpX(R_9P5$ci&o>!MSnI(AgNh!l"Ys*hle1#'uHT>]#MER7LV-d[,,iIZ)0Nm,mAK8BEoHq[pf&i"j_h;2Jgm$`W^Zr'!o#`7\a(To(9Zdqu?/Z&hp)M>asnjqG7o<`8cF5+7V$hM6>M3lPZkn>D@o!+K*Vu4'_D2o[E>Ydmj?G.ko@HbB%N]_!G@eB*Pd`ke8/63(RJ<ijUCV]qL%U`/adR^lg=mYT];>86=en)!2b[#(30)Q50W='jjiK)*37!=>!\nd;n=;a<F:O]YLef`fk\67FG&^2UPAtpPA-cL@b(Pl@E_q543ah]A7$:gNI"S5pr'CEo/O<Gj]IkNr:2cXf\1T-'PH[m?$[QF`\n]h<NN#\b9&_7rljmqp]SK?RMZq^W4"FTa3N8)(1&QbUMp/Jm"l^ZX8(p'a9Y!);W$EncR_@4EIae1+Mr?ds-nK(^s*[9*$f./#h]/Wh=d=]<RD>):#-mdoeYlA#PZpZfG?9p24t-068<#>*>P\rKjh/MK8*K/SS&tOAo1%q33CuZKO181:`0ta)IN+V,f=,WWN!0abitM=oaU!Ws;*k_CeB*m?lA(=KI7]pnh[c#`D[rYjpLi,ei*oA0Od8Q$>h&g;]F3"KN>$^C%/%aCBllJt[V699q7ONKAa7c4dXf&/9]fp#XO_4,+1sQtTP59>A-n!DfofMNoJ^pAtiqFT[Z3?Z8'B)>^4!@^0BLWAs1id&pIjVt;UYe>-OknH[!#5o?F%Y,[Zkid>$CPa;``>l]".pBZjtZiJbb:b?of&9X_nWQ6bj(l-dT*b',1F*/JJ0)giuP]2L6aCpuMmcB%8+"NeWoJOkW6I<$R5I,Z2[1K6[LJXmhNsLl.-_5Z1e;=1diq1L-Mc9"*&i&L,04DR,N0e[A]b=6Un`\4$:X\P&e$k-6Kk8-K:W?1\Z'/##.GkS0VepqA"<C"EHcDqHHpru=\BM9AcJ^Rm?01lcX()7Gjr#.G?YGeu*_OWuXo_2G9lDJ@fe!q#;<da%j)I:5*:;0GF()U]6XuZEY3gC!jE:+]m2;WnEgo*uIsla&WjKE;dA635lNin<`Te)q$FpMqX@+l;4VZDFr4lts7NUJN?5GDX5lqk]nk@(6Sr8c\n[+?*rDi]Ti7#eY=b\m5NM&!VNY%)B\B@=?>t9,TU1%X0q^,kbZ7WpqCZ)uh>d<r.hXFLfYp\3*:T&3in5p](#CD*$P<!!+Wau$6]?$]meW?ob'i.Fq"`1S7?GuL%QWLC''ht-Y=Y:Bd]Af^:[;TG6DT3$4?bj$(];tit'fJR!AB6;"Tn5_%=0]K"0WPti2:WR?EeTN'QeE?l#;BGGS/3&k>SI+6>#k^>,!eTpNI@gE@5$C/E*;''aJ!EPq`_HV0Ld-'K8"q(:C*+(hf-a)Kulf&0I;M1'R"Q8.3*M0fYe5sE7dlf,CedYRj'(5jKP3G7ooDu&am^E[l;,E=^]tdB?._E'1#I8Kf#M%]>r"`c2&jMF>mmr5<eah?kZ>F"-^fDIJX)`dXu/JhsuA-Gs_`gHbm3ikr6pK;X')/43EH:%i2$*ndsR63q`0]#^iCci6>[p/4Xilq`)"2KOJKe$Lo?Me4N35"=j)?+7GIbJ_[GmL5*:s^'"T3[&(k9C3hqSq)iqL5+Q$:bU4dE8bgV]r3,q/*oC3trptn35[(#f9.].bB'@/icli\`i:%FB8A'AR/&!V:MZR:SHL&F[8i<R4rjekL<Io4:Jcq%5kH\G0/'?"DUGc_H=<lF^MLLFF9n?@IQ8G@q(K%'$P%'lf7q*ms?&\t!?d^3_)XaQ*(j*:+N>.DP4AU51jsqGF=6(6:>Xl30md"*'%Su1Lb4l)4d4eq/YfSIsZ`G5=1hh)XK[(;&4U]m2f+=]X=Q:I<-G5:+[90I5FB/44>0_pV<qoO-rScp1P\=$I@,T'lS#:N\oe,JUNOXR;LLY-Ed'6^GU1]G*33QMI=<a>FKd``[:uE%fMJcK-j\*&#U6:-;kGj#B4C%&lEN*?ECJer#!X240W3R^A/0?qF[R>SfifD9!9\MP6gHZjDS7t3KchiFNq7N8JP)E!Iq1ACXP?_W2=1=V%Ig[&)J#M::>VsP\8\ReO;nC=iUQI`78t@92rt7tVSq@O9H%KTSQ;M#\5)Q[)ISMV$oD;C_nWZVteIG9!P+]fA&[/XBTq@e9?Ms4;qh_Fn?YZE2YJ(c74NXp(?;U#G.Oi7]<6.1ar6k?37p&86eu3gl+`0))L"*M=S<pa`2GTAQ>-/G,N8j)Z\rfRZ.bUD6O$U.S%`I`BLpO:;+$;@<l*i#nTHu4mDXO-<p:e#FU]6HX4<6o;>Oo2\N_0WKTXI"+7CRu^SEd8WMZe<`%Jg5jamK<@@qIomIC_D+gmf@>a7#qp<%&d5:<kN0a[u9NCa.!7'\Jm;kFd7`gZONFm-0m-]f[?XF8s;hHMdNT_4R4A,6%~>endstream
+endobj
+21 0 obj
+<<
+/Filter [ /ASCII85Decode /FlateDecode ] /Length 1010
+>>
+stream
+Gatm8?$"IS'Re<2\AM6RY\Hc/jK0`a['[W3Qs#0c%&:bmM85:dZJ;b0rqO0Mghpf:^r&3.A3&)KkFQau3/$q__sc:ZS/-)A)[A!gW.7AhK&R-_MTMJ((1rCo@piR&&cL$D,e6UbD'kQ,B3_`%OqQb:B!a/kOYI_";$%6$H8ZY&"f*^;U%8k_`Nm8:ISBTR5c"p;A/?UEa[OJu'9WflKn6!l<S.(>Xl/<qq&'<ShAE>.HIA)4K*XmYKJD:YU%f&8ZTd03h?+DfOZ9V4Z1pN2!jtNhpOI^e7egI2%N,,4$rIj=>U#N@>]?t.2FgaODf,I)R.oM-VK4H3lR#^jFoAFX]s?`@oljs/*F^3^@?XA=.DqC-T_Fn14ARs74(b21`</0n9m[4q55A#.Z;9ZI*1an]["\>/U*+A<]fmn-(EYnbQ,TjkbM`?<oQYO6%F14hd;$:EW^@"IV^c9.nV++1md'KZQ:G5=m_tCZ$)$r+3fA1WPeh,VhPG>$6%dn"b(-2`:XM8R.frYMG.k"8[OjrG:4UA28E5%'*a]JVq\k0.QALEfn"l]bOD,?(r'2L;P=UWFM*[jdOoc`8np!ijs)5WqEJ(YrUkdeL<ClEpLI"4990+#/96s"\_MkL#6"`jc?!X5+Ba9a:7b+.@]^(gRoOud$H],Jk)01V'hV`]Q&E_i<2u(q,l_Z1bpXc79*kHM8;Wc<!=i$>9ZlVE+s5q-GX"0VC2lbH*7^l8*FR+Fq3$E`[>Y*-IOo8ZRaKfddW>rf-Xa)d4)=6eeD!Ym=;3J7:b;5U:YkTkDE>n3Hb-@uhN!Hd[rMe-_-gqNNc3N[4<5hha]+/2IQLs^s:@2><f6Y-tgC$V1#JEpqc<`&gK<(VNer@Z1Ek=C`")TQdHN,V>@(=WD(jt[.:05sGGM]_+3F"J>.2uqmFSF'US+RS>_7[*\)r0gN32*'9f@^U:\7lolN>_S@JSU$)pk*f9gie+pK-eqeW$WrP4.u<sD5^'.LCFWTIfM[j]L)~>endstream
+endobj
+xref
+0 22
+0000000000 65535 f 
+0000000061 00000 n 
+0000000112 00000 n 
+0000000219 00000 n 
+0000000331 00000 n 
+0000000536 00000 n 
+0000000741 00000 n 
+0000000856 00000 n 
+0000001061 00000 n 
+0000001266 00000 n 
+0000001471 00000 n 
+0000001677 00000 n 
+0000001883 00000 n 
+0000001953 00000 n 
+0000002284 00000 n 
+0000002382 00000 n 
+0000004571 00000 n 
+0000006279 00000 n 
+0000009130 00000 n 
+0000011669 00000 n 
+0000013452 00000 n 
+0000016214 00000 n 
+trailer
+<<
+/ID 
+[<d46a1b7909dbc491a240e4a50a35fd17><d46a1b7909dbc491a240e4a50a35fd17>]
+% ReportLab generated PDF document -- digest (opensource)
+
+/Info 13 0 R
+/Root 12 0 R
+/Size 22
+>>
+startxref
+17316
+%%EOF

README.md

@@ -1,53 +1,81 @@
 # Homelab Infrastructure (KalliLab CORE)
 
-Dieses Repository ist die zentrale Quelle ("Single Source of Truth") für die komplette Infrastruktur meines Homelabs.
+Dieses Repository ist die zentrale Quelle ("Single Source of Truth") fuer die komplette Infrastruktur meines Homelabs.
 
-## 🚨 WICHTIG – Einstieg
+## WICHTIG - Einstieg
 
-Vor jeder Änderung lesen:
+Vor jeder Aenderung lesen:
 
-1. 👉 HOMELAB_ARCHITECTURE_MASTER_V2.md
-2. 👉 docs/WORKFLOW.md
+1. `HOMELAB_ARCHITECTURE_MASTER_V2.md`
+2. `docs/WORKFLOW.md`
+3. `docs/README.md`
+
+Bei Restore-, Host-Ausfall- oder Wiederanlauf-Fragen zusaetzlich:
+
+4. `docs/DISASTER_RECOVERY.md`
+5. `docs/RESTORE_MATRIX.md`
+6. `docs/SERVICES_RECOVERY.md`
+
+Bei Hardware-, Netzwerk-, Provider- oder Kapazitaetsfragen zusaetzlich:
+
+7. `docs/HARDWARE_INVENTORY.md`
+8. `docs/NETWORK_INVENTORY.md`
+9. `docs/EXTERNAL_DEPENDENCIES.md`
+10. `docs/CAPACITY_AND_LIFECYCLE.md`
 
 ## Architektur
 
 - Host: Unraid
-- Container: Docker (Compose)
-- Reverse Proxy: Traefik v3 (100% Docker-Labels, kein File-Provider mehr)
+- Container: Docker Compose
+- Reverse Proxy: Traefik v3 (Service-Routing via Docker-Labels, File-Provider nur fuer zentrale Dynamic-Config)
 - Zugriff: Tailscale (VPN)
 - DNS: AdGuard Home + Unbound
-- GitOps: Gitea + Komodo (Stack-Manager)
+- GitOps: Gitea + Komodo
 
 ## Grundprinzipien
 
-- Alle Änderungen erfolgen über Git (Komodo deployed automatisch aus Gitea)
-- Keine produktiven Container außerhalb von Compose
-- Traefik ist der einzige öffentliche Einstiegspunkt
-- Admin-Dienste sind nicht öffentlich erreichbar (nur via VPN oder Auth)
-- Secrets werden niemals im Repository gespeichert
+- Gitea Online ist der operative Sollzustand.
+- Der lokale Clone ist die Arbeitskopie.
+- Komodo deployed automatisch aus Gitea und ist kein Bearbeitungsort.
+- Keine produktiven Container ausserhalb von Compose.
+- Traefik ist der einzige oeffentliche Einstiegspunkt.
+- Secrets werden niemals im Repository gespeichert.
 
 ## Repository-Struktur
 
-- `core/` → Basisdienste (Gitea)
-- `security/` → sicherheitskritische Dienste (Vaultwarden)
-- `infra/` → Datenbanken & technische Services (PostgreSQL, Redis, DDNS-Updater)
-- `apps/` → Anwendungen (Immich, Paperless, Mealie, Homepage, ...)
-- `ops/` → Monitoring & Tools (Komodo, Scrutiny, Uptime-Kuma, Backrest, ...)
-- `host-services/` → Dienste mit Host-Netz (AdGuard, Beszel, Tailscale, ...)
-- `traefik/` → Reverse Proxy Konfiguration
-- `docs/` → Dokumentation & Prozesse
-- `env/` → Beispiel-Umgebungsvariablen
+- `core/` -> Basisdienste (Gitea)
+- `security/` -> sicherheitskritische Dienste
+- `infra/` -> Datenbanken und technische Services
+- `apps/` -> Anwendungen
+- `ops/` -> operative Tools
+- `monitoring/` -> zentraler Observability-Stack
+- `host-services/` -> Dienste mit Host-Netz
+- `traefik/` -> Reverse Proxy Konfiguration
+- `docs/` -> Dokumentation und Prozesse
+- `env/` -> Beispiel-Umgebungsvariablen
 
-## Workflow
+## Kurz-Workflow
 
-1. Änderung im Repository (Git)
-2. Commit & Push nach Gitea
-3. Komodo deployed automatisch (GitOps)
-4. Testen
-5. Dokumentation aktualisieren
+1. In GitHub Desktop `Fetch origin`.
+2. Wenn noetig `Pull origin`.
+3. Lokal aendern.
+4. Commit erstellen.
+5. `Push origin`.
+6. Komodo-Webhook und Ergebnis pruefen.
+7. Doku bei Bedarf aktualisieren.
 
 ## Status
 
-GitOps-Migration (Sprint 1–4) abgeschlossen. Komodo ist primärer Stack-Manager.
-
-> ⚠️ Portainer CE läuft noch als Legacy-UI – wird in Sprint 5 abgeschaltet.
+- Offene Punkte stehen ausschliesslich in `docs/MASTER_TODO.md`; Entscheidungen mit Begruendung in `docs/DECISIONS.md`.
+- Komodo ist der primaere und einzige produktive Stack-Manager.
+- Komodo bleibt bewusst bei nativer Authentifizierung; zentrale Traefik-Auth wird dort nicht pauschal vorgeschaltet.
+- Portainer CE ist abgeschaltet und kein Teil des aktiven Betriebs mehr.
+- Glance ist das aktive produktive Homelab-Dashboard.
+- Traefik `dynamic/` bleibt eine dokumentierte manuelle Host-Sync-Ausnahme ausserhalb des normalen Komodo-Deployments.
+- Mutable Image-Tags sind auf die aktuell laufenden Digests eingefroren; echte Versions-Upgrades erfolgen bewusst separat.
+- Disaster-Recovery und dienstspezifische Restore-Quellen sind in `docs/DISASTER_RECOVERY.md` und `docs/RESTORE_MATRIX.md` beschrieben.
+- Recovery-kritische Services-Pfade wie Gitea-Repositories, Komodo-Workspaces und Host-Automation sind in `docs/SERVICES_RECOVERY.md` beschrieben.
+- Hardware-, Netzwerk-, Provider- und Capacity-Inventare sind als operative Audit-Dokumente unter `docs/HARDWARE_INVENTORY.md`, `docs/NETWORK_INVENTORY.md`, `docs/EXTERNAL_DEPENDENCIES.md` und `docs/CAPACITY_AND_LIFECYCLE.md` vorbereitet.
+- Der verbindliche Detailablauf steht in `docs/WORKFLOW.md`.
+- Der Doku-Index mit aktiven und archivierten Dokumenten steht in `docs/README.md`.
+- `nextcloud`, `bentopdf` und `monitoring` folgen dem dokumentierten Netz-/Secret-/Traefik-Modell; der zentrale Monitoring-Stack buendelt Prometheus, Loki, Promtail, Grafana und InfluxDB 3 Core.

apps/bentopdf/docker-compose.yml

@@ -0,0 +1,34 @@
+services:
+  bentopdf:
+    image: bentopdfteam/bentopdf:2.8.5@sha256:2d867aacb8ab5b196d00ee86944b1899d09d72df355384c5e15cf974737963a0
+    container_name: bentopdf
+    restart: unless-stopped
+    tmpfs:
+      - /tmp:rw,noexec,nosuid,nodev,mode=1777
+      - /var/cache/nginx:rw,noexec,nosuid,nodev,uid=101,gid=101,mode=0755
+      - /var/run:rw,noexec,nosuid,nodev,uid=101,gid=101,mode=0755
+    networks:
+      - frontend_net
+    security_opt:
+      - no-new-privileges:true
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://localhost:8080"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=frontend_net
+      - traefik.http.routers.bentopdf.rule=Host(`pdf.kaleschke.info`)
+      - traefik.http.routers.bentopdf.entrypoints=websecure
+      - traefik.http.routers.bentopdf.tls=true
+      - traefik.http.routers.bentopdf.tls.certresolver=le
+      - traefik.http.routers.bentopdf.middlewares=authelia@file,secure-headers@file,bentopdf-coi@docker
+      - traefik.http.middlewares.bentopdf-coi.headers.customresponseheaders.Cross-Origin-Opener-Policy=same-origin
+      - traefik.http.middlewares.bentopdf-coi.headers.customresponseheaders.Cross-Origin-Embedder-Policy=require-corp
+      - traefik.http.services.bentopdf.loadbalancer.server.port=8080
+
+networks:
+  frontend_net:
+    external: true

apps/dashboard/.dockerignore

@@ -1,4 +0,0 @@
-backend/.env
-backend/app/__pycache__
-backend/app/**/*.pyc
-assets/.DS_Store

apps/dashboard/.env.example

@@ -1,23 +0,0 @@
-DASHBOARD_IMAGE=
-APP_ENV=production
-APP_HOST=0.0.0.0
-APP_PORT=8000
-APP_LOG_LEVEL=INFO
-APP_TIMEZONE=Europe/Berlin
-APP_NAME=Homelab Dashboard API
-APP_VERSION=0.1.0
-CORS_ALLOW_ORIGINS=["https://dashboard.kaleschke.info"]
-REQUEST_TIMEOUT_SECONDS=5.0
-CACHE_TTL_OVERVIEW_SECONDS=15
-CACHE_TTL_SYSTEM_SECONDS=15
-CACHE_TTL_SERVICES_SECONDS=15
-CACHE_TTL_STORAGE_SECONDS=30
-BESZEL_BASE_URL=http://beszel:8090
-BESZEL_ADMIN_EMAIL=
-BESZEL_ADMIN_PASSWORD=
-UPTIME_KUMA_BASE_URL=http://uptime-kuma:3001
-UPTIME_KUMA_USERNAME=
-UPTIME_KUMA_PASSWORD=
-HOME_ASSISTANT_BASE_URL=http://192.168.178.50:8123
-HOME_ASSISTANT_TOKEN=
-

apps/dashboard/Dockerfile

@@ -1,19 +0,0 @@
-FROM python:3.12-slim
-
-ENV PYTHONDONTWRITEBYTECODE=1 \
-    PYTHONUNBUFFERED=1
-
-WORKDIR /app/backend
-
-COPY backend/requirements.txt ./requirements.txt
-RUN pip install --no-cache-dir -r requirements.txt
-
-COPY backend/app ./app
-WORKDIR /app
-COPY dashboard.html ./dashboard.html
-COPY assets ./assets
-
-WORKDIR /app/backend
-EXPOSE 8000
-
-CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]

apps/dashboard/assets/js/api.js

@@ -1,22 +0,0 @@
-async function fetchJson(path) {
-  const res = await fetch(path);
-  if (!res.ok) throw new Error(path + " HTTP " + res.status);
-  return res.json();
-}
-
-export async function fetchDashboardData() {
-  const [overview, system, services, storage, adguard, scrutiny, immich, backrest, home_assistant, uptime_kuma] =
-    await Promise.all([
-      fetchJson("/api/overview"),
-      fetchJson("/api/system"),
-      fetchJson("/api/services"),
-      fetchJson("/api/storage"),
-      fetchJson("/api/adguard"),
-      fetchJson("/api/scrutiny"),
-      fetchJson("/api/immich"),
-      fetchJson("/api/backrest"),
-      fetchJson("/api/home_assistant"),
-      fetchJson("/api/uptime_kuma"),
-    ]);
-  return { overview, system, services, storage, adguard, scrutiny, immich, backrest, home_assistant, uptime_kuma };
-}

apps/dashboard/assets/js/app.js

@@ -1,40 +0,0 @@
-import { fetchDashboardData } from "./api.js";
-import { getState, subscribe, updateData } from "./state.js";
-import { renderHeader } from "./renderers/header.js";
-import { renderStats } from "./renderers/stats.js";
-import { renderStorage } from "./renderers/storage.js";
-import { renderServices } from "./renderers/services.js";
-import { renderNetworkHealth } from "./renderers/network-health.js";
-import { renderQuickAccess } from "./renderers/quick-access.js";
-import { renderHomeAssistant } from "./renderers/home-assistant.js";
-import { renderUptimeKuma } from "./renderers/uptime-kuma.js";
-import { renderImmich } from "./renderers/immich.js";
-import { renderBackrest } from "./renderers/backrest.js";
-
-function render(state) {
-  renderHeader(state);
-  renderStats(state);
-  renderStorage(state);
-  renderServices(state);
-  renderNetworkHealth(state);
-  renderHomeAssistant(state);
-  renderUptimeKuma(state);
-  renderImmich(state);
-  renderBackrest(state);
-  renderQuickAccess();
-}
-
-subscribe(render);
-
-async function refresh() {
-  try {
-    const data = await fetchDashboardData();
-    updateData(data);
-  } catch (err) {
-    console.error("Dashboard fetch error:", err);
-  }
-}
-
-render(getState());
-refresh();
-setInterval(refresh, (getState().overview?.refresh_hint_seconds ?? 20) * 1000);

apps/dashboard/assets/js/renderers/backrest.js

@@ -1,50 +0,0 @@
-export function renderBackrest(state) {
-  const d = state.backrest || {};
-  const online = d.source_status === "online";
-
-  const pill = document.getElementById("backrest-pill");
-  if (pill) {
-    pill.textContent = online ? "ONLINE" : "OFFLINE";
-    pill.className = "status-pill " + (online ? "pill-online" : "pill-offline");
-  }
-
-  const set = (id, val) => { const el = document.getElementById(id); if (el) el.textContent = val; };
-
-  if (online) {
-    set("backrest-repos", d.repo_count ?? 0);
-    set("backrest-last", fmtAge(d.last_backup_age_hours));
-    set("backrest-errors", d.error_count ?? 0);
-  } else {
-    set("backrest-repos", "—");
-    set("backrest-last", "—");
-    set("backrest-errors", "—");
-  }
-
-  // Color last backup age warn if > 26h
-  const lastEl = document.getElementById("backrest-last");
-  if (lastEl && online) {
-    const age = d.last_backup_age_hours;
-    lastEl.style.color = age !== null && age > 26 ? "var(--clr-warn)" : "";
-  }
-
-  // Color errors warn if any
-  const errEl = document.getElementById("backrest-errors");
-  if (errEl && online) {
-    errEl.style.color = (d.error_count ?? 0) > 0 ? "var(--clr-warn)" : "";
-  }
-
-  // Status dot
-  const dot = document.getElementById("backrest-status-dot");
-  if (dot) {
-    const s = d.last_backup_status || "unknown";
-    dot.className = "status-dot dot-" + (s === "ok" ? "ok" : s === "error" ? "err" : "unk");
-    dot.title = s;
-  }
-}
-
-function fmtAge(hours) {
-  if (hours === null || hours === undefined) return "—";
-  if (hours < 1) return `${Math.round(hours * 60)}m ago`;
-  if (hours < 24) return `${Math.round(hours)}h ago`;
-  return `${Math.round(hours / 24)}d ago`;
-}

apps/dashboard/assets/js/renderers/header.js

@@ -1,20 +0,0 @@
-export function renderHeader(state) {
-  const overview = state.overview || {};
-  const status = overview.overall_status || "offline";
-
-  const dot = document.getElementById("overall-dot");
-  if (dot) {
-    dot.style.background = status === "online" ? "var(--teal)" : status === "degraded" ? "var(--yellow)" : "var(--red)";
-    dot.style.boxShadow = status === "online" ? "0 0 8px var(--teal-glow)" : "";
-  }
-
-  const txt = document.getElementById("overall-status-text");
-  if (txt) txt.textContent = status.toUpperCase();
-
-  const upd = document.getElementById("last-updated");
-  if (upd && overview.generated_at) {
-    const d = new Date(overview.generated_at);
-    const pad = n => String(n).padStart(2, "0");
-    upd.textContent = `updated ${pad(d.getHours())}:${pad(d.getMinutes())}:${pad(d.getSeconds())}`;
-  }
-}

apps/dashboard/assets/js/renderers/home-assistant.js

@@ -1,29 +0,0 @@
-export function renderHomeAssistant(state) {
-  const d = state.home_assistant || {};
-  const online = d.status === "online";
-
-  // pill
-  const pill = document.getElementById("ha-pill");
-  if (pill) {
-    pill.textContent = online ? "ONLINE" : "OFFLINE";
-    pill.className = "status-pill " + (online ? "pill-online" : "pill-offline");
-  }
-
-  // stat blocks
-  const set = (id, val) => { const el = document.getElementById(id); if (el) el.textContent = val; };
-
-  set("ha-lights", online ? `${d.lights_on ?? 0}/${d.lights_total ?? 0}` : "—");
-  set("ha-climate", online ? (d.climate_active ?? 0) : "—");
-  set("ha-doors", online ? (d.doors_open ?? 0) : "—");
-  set("ha-alerts", online ? (d.alerts ?? 0) : "—");
-
-  // version subtitle
-  const ver = document.getElementById("ha-version");
-  if (ver) ver.textContent = d.version ? `v${d.version}` : "";
-
-  // alerts highlight
-  const alertsEl = document.getElementById("ha-alerts");
-  if (alertsEl) {
-    alertsEl.style.color = d.alerts > 0 ? "var(--clr-warn)" : "";
-  }
-}

apps/dashboard/assets/js/renderers/immich.js

@@ -1,28 +0,0 @@
-export function renderImmich(state) {
-  const d = state.immich || {};
-  const online = d.source_status === "online";
-
-  const pill = document.getElementById("immich-pill");
-  if (pill) {
-    pill.textContent = online ? "ONLINE" : "OFFLINE";
-    pill.className = "status-pill " + (online ? "pill-online" : "pill-offline");
-  }
-
-  const set = (id, val) => { const el = document.getElementById(id); if (el) el.textContent = val; };
-
-  if (online) {
-    set("immich-photos", fmtNum(d.photos ?? 0));
-    set("immich-videos", fmtNum(d.videos ?? 0));
-    set("immich-storage", `${(d.storage_gb ?? 0).toFixed(1)} GB`);
-  } else {
-    set("immich-photos", "—");
-    set("immich-videos", "—");
-    set("immich-storage", "—");
-  }
-}
-
-function fmtNum(n) {
-  if (n >= 1_000_000) return (n / 1_000_000).toFixed(1) + "M";
-  if (n >= 1_000) return (n / 1_000).toFixed(1) + "K";
-  return String(n);
-}

apps/dashboard/assets/js/renderers/network-health.js

@@ -1,84 +0,0 @@
-export function renderNetworkHealth(state) {
-  _renderAdGuard(state.adguard || {});
-  _renderScrutiny(state.scrutiny || {});
-}
-
-function _renderAdGuard(d) {
-  const online = d.source_status === "online";
-
-  const pill = document.getElementById("adguard-pill");
-  if (pill) {
-    pill.textContent = online ? "ONLINE" : "OFFLINE";
-    pill.className = "status-pill " + (online ? "pill-online" : "pill-offline");
-  }
-
-  const set = (id, val) => { const el = document.getElementById(id); if (el) el.textContent = val; };
-
-  if (online) {
-    set("adguard-total", fmtK(d.total_queries));
-    set("adguard-blocked", fmtK(d.blocked_queries));
-    set("adguard-blocked-pct", `${d.blocked_percent ?? 0}%`);
-    set("adguard-latency", `${d.avg_processing_ms ?? 0}ms`);
-
-    const bar = document.getElementById("adguard-bar-fill");
-    if (bar) bar.style.width = `${Math.min(d.blocked_percent ?? 0, 100)}%`;
-  } else {
-    ["adguard-total", "adguard-blocked", "adguard-blocked-pct", "adguard-latency"].forEach(id => set(id, "—"));
-    const bar = document.getElementById("adguard-bar-fill");
-    if (bar) bar.style.width = "0%";
-  }
-}
-
-function _renderScrutiny(d) {
-  const online = d.source_status === "online";
-
-  const pill = document.getElementById("scrutiny-pill");
-  if (pill) {
-    pill.textContent = online ? "ONLINE" : "OFFLINE";
-    pill.className = "status-pill " + (online ? "pill-online" : "pill-offline");
-  }
-
-  // stat blocks
-  const set = (id, val) => { const el = document.getElementById(id); if (el) el.textContent = val; };
-  if (online) {
-    set("scrutiny-total", d.total_count ?? 0);
-    set("scrutiny-failed", d.failed_count ?? 0);
-    const passedEl = document.getElementById("scrutiny-passed");
-    if (passedEl) {
-      passedEl.textContent = (d.total_count ?? 0) - (d.failed_count ?? 0);
-    }
-  } else {
-    set("scrutiny-total", "—");
-    set("scrutiny-failed", "—");
-    set("scrutiny-passed", "—");
-  }
-
-  // disk list
-  const list = document.getElementById("scrutiny-list");
-  if (!list) return;
-
-  if (!online || !d.devices || d.devices.length === 0) {
-    list.innerHTML = `<div class="scrutiny-offline">— ${online ? "no devices" : "offline"}</div>`;
-    return;
-  }
-
-  list.innerHTML = d.devices.map(dev => {
-    const ok = dev.status === "passed";
-    const icon = ok ? "✓" : dev.status === "failed" ? "✗" : "?";
-    const cls = ok ? "disk-ok" : dev.status === "failed" ? "disk-fail" : "disk-unk";
-    const temp = dev.temperature != null ? `<span class="disk-temp">${dev.temperature}°C</span>` : "";
-    return `
-      <div class="scrutiny-row">
-        <span class="disk-icon ${cls}">${icon}</span>
-        <span class="disk-name">${dev.name}</span>
-        <span class="disk-model">${dev.model}</span>
-        ${temp}
-      </div>`;
-  }).join("");
-}
-
-function fmtK(n) {
-  if (n >= 1_000_000) return (n / 1_000_000).toFixed(1) + "M";
-  if (n >= 1_000) return (n / 1_000).toFixed(0) + "K";
-  return String(n ?? 0);
-}

apps/dashboard/assets/js/renderers/quick-access.js

@@ -1,29 +0,0 @@
-const QUICK_LINKS = [
-  { label: "Home Assistant", icon: "🏠", url: "https://ha.kaleschke.info" },
-  { label: "Komodo", icon: "🦎", url: "https://komodo.kaleschke.info" },
-  { label: "Uptime Kuma", icon: "📡", url: "https://uptime.kaleschke.info" },
-  { label: "Beszel", icon: "📊", url: "https://beszel.kaleschke.info" },
-  { label: "Firefly III", icon: "🦋", url: "https://firefly.kaleschke.info" },
-  { label: "Paperless", icon: "📄", url: "https://paperless.kaleschke.info" },
-  { label: "Mealie", icon: "🍽️", url: "https://mealie.kaleschke.info" },
-  { label: "Immich", icon: "🖼️", url: "https://immich.kaleschke.info" },
-  { label: "Gitea", icon: "🐙", url: "https://git.kaleschke.info" },
-  { label: "Code Server", icon: "💻", url: "https://code.kaleschke.info" },
-  { label: "FileBrowser", icon: "📁", url: "https://files.kaleschke.info" },
-  { label: "Backrest", icon: "💾", url: "https://backrest.kaleschke.info" },
-  { label: "Vaultwarden", icon: "🔐", url: "https://vault.kaleschke.info" },
-  { label: "AdGuard", icon: "🛡️", url: "https://adguard.kaleschke.info" },
-  { label: "Traefik", icon: "🔀", url: "https://traefik.kaleschke.info" },
-  { label: "Scrutiny", icon: "🔍", url: "https://scrutiny.kaleschke.info" },
-];
-
-export function renderQuickAccess() {
-  const grid = document.getElementById("quick-access-grid");
-  if (!grid) return;
-  grid.innerHTML = QUICK_LINKS.map(({ label, icon, url }) => `
-    <a class="quick-tile" href="${url}" target="_blank" rel="noopener noreferrer">
-      <span class="quick-tile-icon">${icon}</span>
-      <span class="quick-tile-label">${label}</span>
-    </a>
-  `).join("");
-}

apps/dashboard/assets/js/renderers/services.js

@@ -1,24 +0,0 @@
-export function renderServices(state) {
-  const services = state.services || {};
-  const summary = services.summary || {};
-
-  const set = (id, val) => { const el = document.getElementById(id); if (el) el.textContent = val; };
-
-  set("svc-online", summary.online ?? "—");
-  set("svc-degraded", summary.degraded ?? "—");
-  set("svc-offline", summary.offline ?? "—");
-  set("svc-total", summary.total ?? "—");
-
-  const pill = document.getElementById("services-pill");
-  if (pill) {
-    const s = summary.overall_status || "offline";
-    pill.textContent = s.toUpperCase();
-    pill.className = "status-pill " + (s === "online" ? "pill-online" : s === "degraded" ? "pill-degraded" : "pill-offline");
-  }
-
-  // Colour counts
-  const degEl = document.getElementById("svc-degraded");
-  if (degEl) degEl.className = "stat-num" + ((summary.degraded ?? 0) > 0 ? " warn" : "");
-  const offEl = document.getElementById("svc-offline");
-  if (offEl) offEl.className = "stat-num" + ((summary.offline ?? 0) > 0 ? " danger" : "");
-}

apps/dashboard/assets/js/renderers/stats.js

@@ -1,49 +0,0 @@
-export function renderStats(state) {
-  const sys = state.system || {};
-  const overview = state.overview || {};
-  const cpu = sys.cpu || {};
-  const mem = sys.memory || {};
-  const net = sys.network || {};
-  const host = sys.host || {};
-  const docker = overview.docker || state.services?.docker || {};
-
-  const set = (id, val) => { const el = document.getElementById(id); if (el) el.textContent = val; };
-
-  // CPU
-  set("cpu-percent", cpu.usage_percent != null ? `${cpu.usage_percent.toFixed(1)}%` : "—");
-  set("cpu-cores", cpu.cores ?? "—");
-  set("cpu-load", cpu.load_5 != null ? cpu.load_5.toFixed(2) : "—");
-
-  // Colour CPU
-  const cpuEl = document.getElementById("cpu-percent");
-  if (cpuEl && cpu.usage_percent != null) {
-    cpuEl.className = "stat-num" + (cpu.usage_percent > 85 ? " danger" : cpu.usage_percent > 65 ? " warn" : "");
-  }
-
-  // Memory
-  set("ram-percent", mem.usage_percent != null ? `${mem.usage_percent.toFixed(1)}%` : "—");
-  set("ram-used", mem.used_gb != null ? mem.used_gb.toFixed(1) : "—");
-  set("ram-total", mem.total_gb != null ? mem.total_gb.toFixed(0) : "—");
-
-  const ramEl = document.getElementById("ram-percent");
-  if (ramEl && mem.usage_percent != null) {
-    ramEl.className = "stat-num" + (mem.usage_percent > 85 ? " danger" : mem.usage_percent > 65 ? " warn" : "");
-  }
-
-  // Network
-  set("net-rx", net.rx_mbps != null ? net.rx_mbps.toFixed(1) : "—");
-  set("net-tx", net.tx_mbps != null ? net.tx_mbps.toFixed(1) : "—");
-
-  // Host
-  const upDays = host.uptime_seconds != null ? Math.floor(host.uptime_seconds / 86400) : null;
-  set("uptime-days", upDays != null ? upDays : "—");
-  set("host-platform", host.platform ? host.platform.slice(0, 5).toUpperCase() : "—");
-
-  // Docker
-  set("docker-running", docker.running ?? "—");
-  set("docker-stopped", docker.stopped ?? "—");
-  set("docker-total", docker.total ?? "—");
-
-  const stoppedEl = document.getElementById("docker-stopped");
-  if (stoppedEl) stoppedEl.className = "stat-num" + ((docker.stopped ?? 0) > 0 ? " warn" : " dim");
-}

apps/dashboard/assets/js/renderers/storage.js

@@ -1,28 +0,0 @@
-export function renderStorage(state) {
-  const storage = state.storage || {};
-  const grid = document.getElementById("storage-grid");
-  if (!grid) return;
-
-  const disks = storage.disks || [];
-  if (!disks.length) {
-    grid.innerHTML = '<div class="card" style="opacity:0.5; font-family:var(--font-mono); font-size:10px; color:var(--text-dim); padding:12px;">No disk data</div>';
-    return;
-  }
-
-  grid.innerHTML = disks.map(disk => {
-    const pct = disk.usage_percent ?? 0;
-    const fillClass = pct > 85 ? "danger" : pct > 70 ? "warn" : "";
-    const statusColor = disk.status === "critical" ? "var(--red)" : disk.status === "warning" ? "var(--yellow)" : "var(--teal)";
-    return `
-      <div class="card">
-        <div class="disk-header">
-          <span class="disk-name">${disk.name || disk.mount}</span>
-          <span class="disk-usage" style="color:${statusColor}">${pct.toFixed(1)}%</span>
-        </div>
-        <div class="disk-sub">${disk.mount} · ${disk.used_gb?.toFixed(1)}/${disk.total_gb?.toFixed(1)} GB</div>
-        <div class="progress-bar">
-          <div class="progress-fill ${fillClass}" style="width:${Math.min(pct,100)}%"></div>
-        </div>
-      </div>`;
-  }).join("");
-}

apps/dashboard/assets/js/renderers/uptime-kuma.js

@@ -1,53 +0,0 @@
-export function renderUptimeKuma(state) {
-  const d = state.uptime_kuma || {};
-  const online = d.source_status === "online";
-
-  const pill = document.getElementById("uk-pill");
-  if (pill) {
-    pill.textContent = online ? "ONLINE" : "OFFLINE";
-    pill.className = "status-pill " + (online ? "pill-online" : "pill-offline");
-  }
-
-  const set = (id, val) => { const el = document.getElementById(id); if (el) el.textContent = val; };
-  set("uk-up", online ? (d.monitors_up ?? 0) : "—");
-  set("uk-down", online ? (d.monitors_down ?? 0) : "—");
-  const total = (d.monitors_up ?? 0) + (d.monitors_down ?? 0);
-  const pct = total > 0 ? Math.round((d.monitors_up / total) * 100) : (online ? 100 : 0);
-  set("uk-uptime", online ? `${pct}%` : "—");
-
-  // down monitors list
-  const downList = document.getElementById("uk-down-list");
-  if (downList) {
-    const downs = (d.monitors || []).filter(m => m.status === "offline");
-    if (!online || downs.length === 0) {
-      downList.innerHTML = "";
-    } else {
-      downList.innerHTML = downs.map(m =>
-        `<span class="uk-down-name">▼ ${m.name}</span>`
-      ).join("");
-    }
-  }
-
-  // uptime bars per monitor (top 6 by name)
-  const barsContainer = document.getElementById("uk-bars");
-  if (barsContainer) {
-    const monitors = (d.monitors || []).slice(0, 6);
-    if (!online || monitors.length === 0) {
-      barsContainer.innerHTML = '<span class="widget-offline-msg">—</span>';
-    } else {
-      barsContainer.innerHTML = monitors.map(m => {
-        const beats = m.heartbeats && m.heartbeats.length
-          ? m.heartbeats
-          : (m.status === "online" ? Array(20).fill(1) : Array(20).fill(0));
-        const segments = beats.slice(-20).map(b =>
-          `<span class="hb-seg ${b ? "hb-up" : "hb-down"}"></span>`
-        ).join("");
-        return `
-          <div class="uk-monitor-row">
-            <span class="uk-monitor-name">${m.name}</span>
-            <span class="uk-bar">${segments}</span>
-          </div>`;
-      }).join("");
-    }
-  }
-}

apps/dashboard/assets/js/state.js

@@ -1,60 +0,0 @@
-const DEFAULT_DATA = {
-  overview: {
-    generated_at: new Date().toISOString(),
-    overall_status: "online",
-    refresh_hint_seconds: 20,
-    services: { online: 8, degraded: 2, offline: 1, total: 11 },
-    docker: { running: 18, stopped: 2, unhealthy: 1, total: 20, source_status: "online" },
-    system: {
-      cpu_percent: 23,
-      ram_percent: 61,
-      root_storage_percent: 49,
-      network_rx_mbps: 12.4,
-      network_tx_mbps: 3.1,
-      uptime_seconds: 864000,
-    },
-    home_assistant: {
-      status: "online",
-      label: "Home Assistant",
-      version: "2026.3.4",
-      response_time_ms: 142,
-      last_checked: new Date().toISOString(),
-    },
-  },
-  system: {
-    generated_at: new Date().toISOString(),
-    source: { name: "beszel", status: "online", host_name: "nas", agent_name: "beszel-agent" },
-    cpu: { usage_percent: 23, cores: 8, load_1: 0.8, load_5: 0.6, load_15: 0.5 },
-    memory: { used_gb: 12.4, total_gb: 32.0, available_gb: 19.6, usage_percent: 38.7 },
-    network: { primary_interface: "eth0", rx_mbps: 12.4, tx_mbps: 3.1 },
-    host: { uptime_seconds: 864000, platform: "linux", kernel: "6.1.0" },
-  },
-  storage: {
-    generated_at: new Date().toISOString(),
-    summary: { total_used_gb: 2048, total_size_gb: 8192, total_free_gb: 6144, overall_usage_percent: 25 },
-    disks: [],
-  },
-  services: {
-    generated_at: new Date().toISOString(),
-    summary: { overall_status: "online", total: 11, online: 8, degraded: 2, offline: 1 },
-    docker: { running: 18, stopped: 2, unhealthy: 1, total: 20, source_status: "online" },
-    uptime_kuma: { monitors_up: 8, monitors_down: 1, source_status: "online" },
-    items: [],
-  },
-  adguard: { source_name: "adguard", source_status: "offline", total_queries: 0, blocked_queries: 0, blocked_percent: 0, avg_processing_ms: 0 },
-  scrutiny: { source_name: "scrutiny", source_status: "offline", overall_status: "offline", devices: [], failed_count: 0, total_count: 0 },
-  immich: { source_name: "immich", source_status: "offline", photos: 0, videos: 0, storage_gb: 0 },
-  backrest: { source_name: "backrest", source_status: "offline", repo_count: 0, last_backup_age_hours: null, last_backup_status: "unknown", error_count: 0 },
-  home_assistant: { source_name: "home_assistant", status: "offline", version: null, lights_on: 0, lights_total: 0, climate_active: 0, doors_open: 0, alerts: 0 },
-  uptime_kuma: { source_name: "uptime_kuma", source_status: "offline", monitors_up: 0, monitors_down: 0, monitors_paused: 0, total: 0, monitors: [] },
-};
-
-let _state = structuredClone(DEFAULT_DATA);
-const _subscribers = [];
-
-export function getState() { return _state; }
-export function subscribe(fn) { _subscribers.push(fn); }
-export function updateData(partial) {
-  _state = { ..._state, ...partial };
-  _subscribers.forEach((fn) => fn(_state));
-}

apps/dashboard/backend/app/__init__.py

@@ -1 +0,0 @@
-"""Homelab dashboard backend package."""

apps/dashboard/backend/app/clients/__init__.py

@@ -1 +0,0 @@
-"""External system clients."""

apps/dashboard/backend/app/clients/adguard_client.py

@@ -1,55 +0,0 @@
-from __future__ import annotations
-
-import logging
-
-from app.clients.base import BaseHTTPClient
-from app.config import Settings
-from app.models.sources import AdGuardSnapshot
-
-
-logger = logging.getLogger(__name__)
-
-
-class AdGuardClient(BaseHTTPClient):
-    """
-    Reads DNS statistics from AdGuard Home's /control/stats endpoint.
-    Requires Basic Auth (username + password).
-    """
-
-    def __init__(self, settings: Settings) -> None:
-        super().__init__(settings, "adguard", settings.adguard_base_url)
-
-    async def fetch_stats(self) -> AdGuardSnapshot:
-        snapshot = AdGuardSnapshot()
-        if not self.base_url:
-            logger.info("adguard skipped: base URL missing")
-            return snapshot
-
-        if not self.settings.adguard_username or not self.settings.adguard_password:
-            logger.info("adguard skipped: no credentials configured")
-            return snapshot
-
-        data = await self._request_json(
-            "GET",
-            "/control/stats",
-            auth=(self.settings.adguard_username, self.settings.adguard_password),
-        )
-
-        if data is None:
-            logger.warning("adguard: empty or failed response")
-            return snapshot
-
-        total = int(data.get("num_dns_queries") or 0)
-        blocked = int(data.get("num_blocked_filtering") or 0)
-        avg_ms = round(float(data.get("avg_processing_time") or 0.0) * 1000, 2)
-        blocked_pct = round((blocked / total * 100), 1) if total > 0 else 0.0
-
-        result = AdGuardSnapshot(
-            source_status="online",
-            total_queries=total,
-            blocked_queries=blocked,
-            blocked_percent=blocked_pct,
-            avg_processing_ms=avg_ms,
-        )
-        logger.info("adguard stats: %s", result.model_dump())
-        return result

apps/dashboard/backend/app/clients/backrest_client.py

@@ -1,82 +0,0 @@
-from __future__ import annotations
-
-import logging
-from datetime import datetime, timezone
-
-from app.clients.base import BaseHTTPClient
-from app.config import Settings
-from app.models.sources import BackrestSnapshot
-
-logger = logging.getLogger(__name__)
-
-
-class BackrestClient(BaseHTTPClient):
-    def __init__(self, settings: Settings) -> None:
-        super().__init__(settings, "backrest", settings.backrest_base_url)
-
-    def _auth(self) -> tuple[str, str] | None:
-        if self.settings.backrest_username and self.settings.backrest_password:
-            return (self.settings.backrest_username, self.settings.backrest_password)
-        return None
-
-    async def fetch_status(self) -> BackrestSnapshot:
-        snapshot = BackrestSnapshot()
-        if not self.base_url:
-            logger.info("backrest skipped: base URL missing")
-            return snapshot
-
-        auth = self._auth()
-
-        # Get config (repo list) via Connect-RPC
-        data = await self._request_json(
-            "POST", "/v1.Backrest/GetConfig",
-            json={},
-            auth=auth,
-        )
-        if not isinstance(data, dict):
-            return snapshot
-
-        repos = data.get("repos") or []
-        repo_count = len(repos) if isinstance(repos, list) else 0
-
-        # Get recent operations via Connect-RPC
-        last_backup_age_hours: float | None = None
-        error_count = 0
-        last_backup_status = "unknown"
-
-        ops_data = await self._request_json(
-            "POST", "/v1.Backrest/GetOperations",
-            json={"lastN": 20},
-            auth=auth,
-        )
-        if isinstance(ops_data, dict):
-            ops = ops_data.get("operations") or []
-            backup_ops = [
-                op for op in ops
-                if isinstance(op, dict) and op.get("backupOp") is not None
-            ]
-            error_ops = [op for op in backup_ops if op.get("status") == "STATUS_ERROR"]
-            error_count = len(error_ops)
-
-            if backup_ops:
-                latest = backup_ops[0]
-                ts = latest.get("unixTimeEndMs")
-                if ts:
-                    ended = datetime.fromtimestamp(int(ts) / 1000, tz=timezone.utc)
-                    now = datetime.now(timezone.utc)
-                    last_backup_age_hours = round((now - ended).total_seconds() / 3600, 1)
-                status_str = latest.get("status", "")
-                if status_str == "STATUS_SUCCESS":
-                    last_backup_status = "ok"
-                elif status_str == "STATUS_ERROR":
-                    last_backup_status = "error"
-                else:
-                    last_backup_status = "unknown"
-
-        return BackrestSnapshot(
-            source_status="online",
-            repo_count=repo_count,
-            last_backup_age_hours=last_backup_age_hours,
-            last_backup_status=last_backup_status,
-            error_count=error_count,
-        )

apps/dashboard/backend/app/clients/base.py

@@ -1,111 +0,0 @@
-from __future__ import annotations
-
-import logging
-from typing import Any
-
-import httpx
-
-from app.config import Settings
-
-
-logger = logging.getLogger(__name__)
-
-
-class BaseHTTPClient:
-    def __init__(self, settings: Settings, name: str, base_url: str | None) -> None:
-        self.settings = settings
-        self.name = name
-        self.base_url = str(base_url).rstrip("/") if base_url else None
-
-    async def _request_json(
-        self,
-        method: str,
-        path: str,
-        *,
-        headers: dict[str, str] | None = None,
-        params: dict[str, Any] | None = None,
-        auth: tuple[str, str] | None = None,
-        json: Any | None = None,
-    ) -> Any | None:
-        response = await self._request(
-            method,
-            path,
-            headers=headers,
-            params=params,
-            auth=auth,
-            json=json,
-        )
-        if response is None:
-            return None
-
-        try:
-            return response.json()
-        except ValueError:
-            logger.warning("%s returned non-JSON payload for %s", self.name, path)
-            return None
-
-    async def _request_text(
-        self,
-        method: str,
-        path: str,
-        *,
-        headers: dict[str, str] | None = None,
-        params: dict[str, Any] | None = None,
-        auth: tuple[str, str] | None = None,
-    ) -> str | None:
-        response = await self._request(
-            method,
-            path,
-            headers=headers,
-            params=params,
-            auth=auth,
-        )
-        if response is None:
-            return None
-        return response.text
-
-    async def _request(
-        self,
-        method: str,
-        path: str,
-        *,
-        headers: dict[str, str] | None = None,
-        params: dict[str, Any] | None = None,
-        auth: tuple[str, str] | None = None,
-        json: Any | None = None,
-    ) -> httpx.Response | None:
-        if not self.base_url:
-            logger.info("%s client skipped because base URL is not configured", self.name)
-            return None
-
-        url = f"{self.base_url}/{path.lstrip('/')}"
-
-        try:
-            async with httpx.AsyncClient(
-                timeout=self.settings.request_timeout_seconds,
-                trust_env=False,
-            ) as client:
-                response = await client.request(
-                    method,
-                    url,
-                    headers=headers,
-                    params=params,
-                    auth=auth,
-                    json=json,
-                )
-                response.raise_for_status()
-                return response
-        except httpx.TimeoutException:
-            logger.warning("%s request timed out: %s %s", self.name, method, url)
-        except httpx.HTTPStatusError as exc:
-            logger.warning(
-                "%s request failed with status %s for %s %s",
-                self.name,
-                exc.response.status_code,
-                method,
-                url,
-            )
-        except httpx.HTTPError as exc:
-            logger.warning("%s request error for %s %s: %s", self.name, method, url, exc)
-
-        return None

apps/dashboard/backend/app/clients/beszel_client.py

@@ -1,431 +0,0 @@
-from __future__ import annotations
-
-from datetime import datetime, timedelta, timezone
-import logging
-from typing import Any
-
-from app.clients.base import BaseHTTPClient
-from app.config import Settings
-from app.models.sources import (
-    BeszelDiskMetric,
-    BeszelSystemSnapshot,
-    DockerContainerSummary,
-    DockerSnapshot,
-)
-
-
-logger = logging.getLogger(__name__)
-
-
-class BeszelClient(BaseHTTPClient):
-    """
-    Beszel exposes a PocketBase-backed REST API. The exact record schema may
-    change between Beszel releases, so this client intentionally normalizes
-    multiple likely field layouts into a stable internal snapshot.
-    """
-
-    def __init__(self, settings: Settings) -> None:
-        super().__init__(settings, "beszel", settings.beszel_base_url)
-        self._admin_jwt: str | None = None
-        self._admin_jwt_expires_at: datetime | None = None
-
-    async def fetch_system_snapshot(self) -> BeszelSystemSnapshot:
-        snapshot = BeszelSystemSnapshot()
-        if not self.base_url:
-            logger.info("beszel skipped: base URL missing")
-            return snapshot
-
-        headers = await self._build_auth_headers()
-        if headers is None:
-            logger.warning("beszel skipped: no usable auth method configured")
-            return snapshot
-
-        payload = await self._request_json(
-            "GET",
-            "/api/collections/system_stats/records",
-            headers=headers,
-            params={"page": 1, "perPage": 1, "sort": "-created"},
-        )
-        if not payload:
-            logger.warning("beszel returned empty payload")
-            return snapshot
-
-        logger.info("beszel raw payload: %s", payload)
-
-        items = payload.get("items") if isinstance(payload, dict) else None
-        if not items:
-            logger.warning("beszel returned no system_stats records")
-            return snapshot
-
-        record = items[0]
-        details = await self._fetch_system_details(headers, record)
-        normalized = self._normalize_snapshot(record, details)
-        logger.info("beszel normalized snapshot: %s", normalized.model_dump())
-        return normalized
-
-    async def fetch_container_snapshot(self) -> DockerSnapshot:
-        snapshot = DockerSnapshot()
-        if not self.base_url:
-            return snapshot
-
-        headers = await self._build_auth_headers()
-        if headers is None:
-            return snapshot
-
-        payload = await self._request_json(
-            "GET",
-            "/api/collections/containers/records",
-            headers=headers,
-            params={"page": 1, "perPage": 200, "sort": "-updated"},
-        )
-        logger.info("beszel raw containers payload: %s", payload)
-
-        if not isinstance(payload, dict):
-            logger.warning("beszel containers mapping: payload is not a dict")
-            return snapshot
-        items = payload.get("items")
-        if not isinstance(items, list):
-            logger.warning("beszel containers mapping: items missing or not a list")
-            return snapshot
-        if not items:
-            logger.warning("beszel containers mapping: no container records returned")
-            return snapshot
-
-        containers: list[DockerContainerSummary] = []
-        running = 0
-        stopped = 0
-        unhealthy = 0
-
-        for item in items:
-            if not isinstance(item, dict):
-                continue
-            state = self._normalize_container_state(item)
-            if state == "running":
-                running += 1
-            elif state == "unhealthy":
-                unhealthy += 1
-            else:
-                stopped += 1
-
-            containers.append(
-                DockerContainerSummary(
-                    id=str(item.get("id") or ""),
-                    name=str(item.get("name") or item.get("container") or item.get("service") or "unknown"),
-                    state=state,
-                    status_text=str(item.get("status") or item.get("state") or "unknown"),
-                    image=str(item.get("image") or ""),
-                    health=str(item.get("health") or item.get("health_status") or "").lower() or None,
-                )
-            )
-
-        normalized = DockerSnapshot(
-            source_status="online",
-            running=running,
-            stopped=stopped,
-            unhealthy=unhealthy,
-            total=len(containers),
-            containers=containers,
-        )
-        logger.info("beszel normalized containers snapshot: %s", normalized.model_dump())
-        return normalized
-
-    def _normalize_snapshot(self, record: dict[str, Any], details: dict[str, Any] | None) -> BeszelSystemSnapshot:
-        stats = self._coerce_mapping(record.get("stats") or {})
-        details = self._coerce_mapping(details or {})
-        details_payload = self._coerce_mapping(
-            details.get("details")
-            or details.get("stats")
-            or details.get("info")
-            or details.get("data")
-            or {}
-        )
-        expanded_system = self._coerce_mapping(self._coerce_mapping(record.get("expand")).get("system"))
-
-        memory_used_gb = self._as_float(stats.get("m"))
-        memory_total_gb = self._as_float(stats.get("m"))
-        if stats.get("mp"):
-            memory_total_gb = round(memory_used_gb / (self._as_float(stats.get("mp")) / 100), 1) if self._as_float(stats.get("mp")) else memory_used_gb
-        memory_available_gb = max(round(memory_total_gb - memory_used_gb, 1), 0.0)
-        network_pair = stats.get("b") if isinstance(stats.get("b"), list) else []
-        disks = self._normalize_disks(
-            details_payload.get("disks")
-            or details_payload.get("disk")
-            or details_payload.get("mounts")
-            or details.get("disks")
-            or details.get("disk")
-            or details.get("mounts")
-            or []
-        )
-        if not disks and self._as_float(stats.get("dp")) > 0:
-            disk_pct = self._as_float(stats.get("dp"))
-            disk_used = self._as_float(stats.get("du"))
-            disk_total = round(disk_used / (disk_pct / 100), 1) if disk_pct > 0 else 0.0
-            disk_free = round(max(disk_total - disk_used, 0.0), 1)
-            logger.info("beszel storage fallback: using dp=%.1f du=%.1f from stats", disk_pct, disk_used)
-            disks = [BeszelDiskMetric(
-                name="rootfs",
-                mount="/",
-                used_gb=disk_used,
-                total_gb=disk_total,
-                free_gb=disk_free,
-                usage_percent=disk_pct,
-            )]
-        if not disks:
-            logger.info("beszel storage unsupported: no disks/mounts in payload")
-
-        return BeszelSystemSnapshot(
-            source_status="online",
-            host_name=str(
-                details_payload.get("hostname")
-                or details_payload.get("host")
-                or details.get("hostname")
-                or details.get("host")
-                or expanded_system.get("name")
-                or record.get("system_name")
-                or record.get("name")
-                or "unknown"
-            ),
-            agent_name="beszel-agent",
-            cpu_usage_percent=self._as_float(stats.get("cpu")),
-            cpu_cores=len(stats.get("cpus")) if isinstance(stats.get("cpus"), list) else 0,
-            load_1=0.0,
-            load_5=0.0,
-            load_15=0.0,
-            memory_used_gb=memory_used_gb,
-            memory_total_gb=memory_total_gb,
-            memory_available_gb=memory_available_gb,
-            memory_usage_percent=self._as_float(stats.get("mp")),
-            primary_interface=str(
-                details_payload.get("primary_interface")
-                or details_payload.get("interface")
-                or details.get("primary_interface")
-                or "primary"
-            ),
-            network_rx_mbps=self._network_value_to_mbps(network_pair[0] if len(network_pair) > 0 else 0),
-            network_tx_mbps=self._network_value_to_mbps(network_pair[1] if len(network_pair) > 1 else 0),
-            uptime_seconds=self._minutes_to_seconds(stats.get("d")),
-            platform=str(
-                details_payload.get("platform")
-                or details_payload.get("os")
-                or details.get("platform")
-                or "unknown"
-            ),
-            kernel=str(details_payload.get("kernel") or details.get("kernel") or "unknown"),
-            disks=disks,
-        )
-
-    async def _fetch_system_details(
-        self,
-        headers: dict[str, str],
-        stats_record: dict[str, Any],
-    ) -> dict[str, Any] | None:
-        system_id = stats_record.get("system")
-        params: dict[str, Any] = {
-            "page": 1,
-            "perPage": 100,
-            "sort": "-created",
-        }
-
-        payload = await self._request_json(
-            "GET",
-            "/api/collections/system_details/records",
-            headers=headers,
-            params=params,
-        )
-        logger.info("beszel raw details payload: %s", payload)
-
-        if not isinstance(payload, dict):
-            logger.warning("beszel system_details mapping: payload is not a dict")
-            return None
-        items = payload.get("items")
-        if isinstance(items, list) and items:
-            if system_id:
-                for item in items:
-                    if isinstance(item, dict) and str(item.get("system") or "") == str(system_id):
-                        return item
-            return items[0]
-        logger.warning("beszel system_details mapping: no matching detail records returned")
-        return None
-
-    @staticmethod
-    def _normalize_container_state(item: dict[str, Any]) -> str:
-        raw = " ".join(
-            str(item.get(key) or "")
-            for key in ("status", "state", "health", "health_status")
-        ).lower()
-        if "unhealthy" in raw or "degraded" in raw:
-            return "unhealthy"
-        if any(token in raw for token in ("running", "up", "healthy", "active")):
-            return "running"
-        if raw.strip():
-            return "stopped"
-        return "unknown"
-
-    async def _build_auth_headers(self) -> dict[str, str] | None:
-        admin_headers = await self._get_admin_auth_headers()
-        if admin_headers:
-            return admin_headers
-        if self.settings.beszel_api_token:
-            return {"Authorization": self.settings.beszel_api_token}
-        return None
-
-    async def _get_admin_auth_headers(self) -> dict[str, str] | None:
-        if not self.settings.beszel_admin_email or not self.settings.beszel_admin_password:
-            return None
-
-        now = datetime.now(timezone.utc)
-        if self._admin_jwt and self._admin_jwt_expires_at and now < self._admin_jwt_expires_at:
-            return {"Authorization": self._admin_jwt}
-
-        auth_payload = await self._request_json(
-            "POST",
-            "/api/collections/_superusers/auth-with-password",
-            headers={"Content-Type": "application/json"},
-            params=None,
-        )
-        if auth_payload is None:
-            auth_payload = await self._request_json_with_body(
-                "POST",
-                "/api/collections/_superusers/auth-with-password",
-                json_body={
-                    "identity": self.settings.beszel_admin_email,
-                    "password": self.settings.beszel_admin_password,
-                },
-            )
-
-        if not isinstance(auth_payload, dict):
-            logger.warning("beszel admin auth failed: no payload")
-            return None
-
-        token = auth_payload.get("token")
-        if not token:
-            logger.warning("beszel admin auth failed: token missing")
-            return None
-
-        self._admin_jwt = str(token)
-        self._admin_jwt_expires_at = now + timedelta(minutes=30)
-        logger.info("beszel admin auth succeeded")
-        return {"Authorization": self._admin_jwt}
-
-    async def _request_json_with_body(
-        self,
-        method: str,
-        path: str,
-        *,
-        json_body: dict[str, Any],
-    ) -> Any | None:
-        if not self.base_url:
-            return None
-
-        import httpx
-
-        url = f"{self.base_url}/{path.lstrip('/')}"
-        try:
-            async with httpx.AsyncClient(
-                timeout=self.settings.request_timeout_seconds,
-                trust_env=False,
-            ) as client:
-                response = await client.request(
-                    method,
-                    url,
-                    json=json_body,
-                    headers={"Content-Type": "application/json"},
-                )
-                response.raise_for_status()
-                return response.json()
-        except httpx.TimeoutException:
-            logger.warning("beszel auth request timed out: %s %s", method, url)
-        except httpx.HTTPStatusError as exc:
-            logger.warning("beszel auth request failed with status %s for %s %s", exc.response.status_code, method, url)
-            try:
-                logger.info("beszel auth error payload: %s", exc.response.json())
-            except ValueError:
-                logger.info("beszel auth error text: %s", exc.response.text)
-        except httpx.HTTPError as exc:
-            logger.warning("beszel auth request error for %s %s: %s", method, url, exc)
-        return None
-
-    def _normalize_disks(self, raw_disks: Any) -> list[BeszelDiskMetric]:
-        if isinstance(raw_disks, dict):
-            raw_disks = [
-                {"mount": key, **(value if isinstance(value, dict) else {"used": value})}
-                for key, value in raw_disks.items()
-            ]
-        disks: list[BeszelDiskMetric] = []
-        if not isinstance(raw_disks, list):
-            return disks
-
-        for item in raw_disks:
-            if not isinstance(item, dict):
-                continue
-            total_gb = self._bytes_to_gb(item.get("total") or item.get("total_bytes"))
-            used_gb = self._bytes_to_gb(item.get("used") or item.get("used_bytes"))
-            free_gb = self._bytes_to_gb(item.get("free") or item.get("free_bytes"))
-            usage_percent = self._as_float(item.get("usage_percent") or item.get("percent"))
-            if not total_gb and used_gb and free_gb:
-                total_gb = round(used_gb + free_gb, 1)
-
-            disks.append(
-                BeszelDiskMetric(
-                    name=str(item.get("name") or item.get("device") or item.get("mount") or "disk"),
-                    mount=str(item.get("mount") or item.get("path") or "/"),
-                    used_gb=used_gb,
-                    total_gb=total_gb,
-                    free_gb=free_gb,
-                    usage_percent=usage_percent,
-                )
-            )
-        return disks
-
-    @staticmethod
-    def _coerce_mapping(value: Any) -> dict[str, Any]:
-        return value if isinstance(value, dict) else {}
-
-    @staticmethod
-    def _as_float(value: Any) -> float:
-        try:
-            return round(float(value or 0), 1)
-        except (TypeError, ValueError):
-            return 0.0
-
-    @staticmethod
-    def _as_int(value: Any) -> int:
-        try:
-            return int(float(value or 0))
-        except (TypeError, ValueError):
-            return 0
-
-    @classmethod
-    def _bytes_to_gb(cls, value: Any) -> float:
-        if value in (None, ""):
-            return 0.0
-        try:
-            return round(float(value) / (1024 ** 3), 1)
-        except (TypeError, ValueError):
-            return 0.0
-
-    @classmethod
-    def _bytes_per_second_to_mbps(cls, value: Any) -> float:
-        if value in (None, ""):
-            return 0.0
-        try:
-            return round((float(value) * 8) / 1_000_000, 1)
-        except (TypeError, ValueError):
-            return 0.0
-
-    @classmethod
-    def _network_value_to_mbps(cls, value: Any) -> float:
-        try:
-            numeric = float(value or 0)
-        except (TypeError, ValueError):
-            return 0.0
-        if numeric <= 0:
-            return 0.0
-        return round((numeric * 8) / 1_000_000, 1)
-
-    @classmethod
-    def _minutes_to_seconds(cls, value: Any) -> int:
-        try:
-            return int(float(value or 0) * 60)
-        except (TypeError, ValueError):
-            return 0

apps/dashboard/backend/app/clients/docker_proxy_client.py

@@ -1,103 +0,0 @@
-from __future__ import annotations
-
-import logging
-
-from app.clients.beszel_client import BeszelClient
-from app.clients.base import BaseHTTPClient
-from app.config import Settings
-from app.models.sources import DockerContainerSummary, DockerSnapshot
-
-
-logger = logging.getLogger(__name__)
-
-
-class DockerProxyClient(BaseHTTPClient):
-    def __init__(self, settings: Settings) -> None:
-        super().__init__(settings, "docker-proxy", settings.docker_proxy_base_url)
-        self.beszel_client = BeszelClient(settings)
-
-    async def fetch_containers(self) -> DockerSnapshot:
-        snapshot = DockerSnapshot()
-        payload = await self._request_json("GET", "/containers/json", params={"all": "true"})
-        if not isinstance(payload, list):
-            logger.warning("docker proxy returned non-list payload: %s", payload)
-            fallback = await self.beszel_client.fetch_container_snapshot()
-            if fallback.source_status == "online":
-                logger.info("docker proxy fallback to beszel containers succeeded")
-                return fallback
-            logger.warning(
-                "docker integration unavailable: docker proxy unreachable and beszel container fallback returned no usable data"
-            )
-            return snapshot
-
-        logger.info("docker proxy raw payload count: %s", len(payload))
-        logger.info("docker proxy raw payload sample: %s", payload[:3])
-
-        containers: list[DockerContainerSummary] = []
-        running = 0
-        stopped = 0
-        unhealthy = 0
-
-        for item in payload:
-            if not isinstance(item, dict):
-                continue
-
-            state = self._normalize_state(item)
-            if state == "running":
-                running += 1
-            elif state == "unhealthy":
-                unhealthy += 1
-            else:
-                stopped += 1
-
-            containers.append(
-                DockerContainerSummary(
-                    id=str(item.get("Id") or item.get("ID") or ""),
-                    name=self._normalize_name(item.get("Names")),
-                    state=state,
-                    status_text=str(item.get("Status") or item.get("State") or "unknown"),
-                    image=str(item.get("Image") or ""),
-                    health=self._extract_health(item),
-                )
-            )
-
-        normalized = DockerSnapshot(
-            source_status="online",
-            running=running,
-            stopped=stopped,
-            unhealthy=unhealthy,
-            total=len(containers),
-            containers=containers,
-        )
-        logger.info("docker proxy normalized snapshot: %s", normalized.model_dump())
-        return normalized
-
-    @staticmethod
-    def _normalize_name(names: object) -> str:
-        if isinstance(names, list) and names:
-            return str(names[0]).lstrip("/")
-        return "unknown"
-
-    @classmethod
-    def _normalize_state(cls, item: dict) -> str:
-        status_text = str(item.get("Status") or "").lower()
-        state = str(item.get("State") or "").lower()
-        health = cls._extract_health(item)
-
-        if health == "unhealthy" or "unhealthy" in status_text:
-            return "unhealthy"
-        if state == "running":
-            return "running"
-        if state:
-            return "stopped"
-        return "unknown"
-
-    @staticmethod
-    def _extract_health(item: dict) -> str | None:
-        if isinstance(item.get("Health"), str):
-            return str(item["Health"]).lower()
-        if isinstance(item.get("State"), dict):
-            health = item["State"].get("Health")
-            if isinstance(health, dict):
-                return str(health.get("Status") or "").lower() or None
-        return None

apps/dashboard/backend/app/clients/home_assistant_client.py

@@ -1,83 +0,0 @@
-from __future__ import annotations
-
-from datetime import datetime, timezone
-import logging
-from time import perf_counter
-
-from app.clients.base import BaseHTTPClient
-from app.config import Settings
-from app.models.sources import HomeAssistantSnapshot
-
-
-logger = logging.getLogger(__name__)
-
-
-class HomeAssistantClient(BaseHTTPClient):
-    def __init__(self, settings: Settings) -> None:
-        super().__init__(settings, "home-assistant", settings.home_assistant_base_url)
-
-    async def fetch_status(self) -> HomeAssistantSnapshot:
-        snapshot = HomeAssistantSnapshot()
-        if not self.base_url or not self.settings.home_assistant_token:
-            logger.info("home assistant skipped: base URL or token missing")
-            return snapshot
-
-        headers = {
-            "Authorization": f"Bearer {self.settings.home_assistant_token}",
-            "Content-Type": "application/json",
-        }
-
-        started_at = perf_counter()
-        api_info = await self._request_json("GET", "/api/", headers=headers)
-        logger.info("home assistant raw /api/ response: %s", api_info)
-
-        elapsed_ms = int((perf_counter() - started_at) * 1000)
-        config = await self._request_json("GET", "/api/config", headers=headers)
-        logger.info("home assistant raw /api/config response: %s", config)
-
-        version = None
-        if isinstance(config, dict):
-            version = config.get("version")
-
-        # Fetch entity states for widget counts
-        lights_on = 0
-        lights_total = 0
-        climate_active = 0
-        doors_open = 0
-        alerts = 0
-
-        try:
-            states = await self._request_json("GET", "/api/states", headers=headers)
-            if isinstance(states, list):
-                for entity in states:
-                    eid = entity.get("entity_id", "")
-                    state = entity.get("state", "")
-                    if eid.startswith("light."):
-                        lights_total += 1
-                        if state == "on":
-                            lights_on += 1
-                    elif eid.startswith("climate."):
-                        if state not in ("off", "unavailable", "unknown"):
-                            climate_active += 1
-                    elif eid.startswith("binary_sensor.") and "door" in eid:
-                        if state == "on":
-                            doors_open += 1
-                    elif eid.startswith("persistent_notification."):
-                        if state == "notifying":
-                            alerts += 1
-        except Exception as exc:
-            logger.warning("home assistant fetch states failed: %s", exc)
-
-        normalized = HomeAssistantSnapshot(
-            status="online",
-            version=str(version) if version else None,
-            response_time_ms=elapsed_ms,
-            last_checked=datetime.now(timezone.utc),
-            lights_on=lights_on,
-            lights_total=lights_total,
-            climate_active=climate_active,
-            doors_open=doors_open,
-            alerts=alerts,
-        )
-        logger.info("home assistant normalized snapshot: %s", normalized.model_dump())
-        return normalized

apps/dashboard/backend/app/clients/immich_client.py

@@ -1,45 +0,0 @@
-from __future__ import annotations
-
-import logging
-
-from app.clients.base import BaseHTTPClient
-from app.config import Settings
-from app.models.sources import ImmichSnapshot
-
-
-logger = logging.getLogger(__name__)
-
-
-class ImmichClient(BaseHTTPClient):
-    def __init__(self, settings: Settings) -> None:
-        super().__init__(settings, "immich", settings.immich_base_url)
-
-    async def fetch_stats(self) -> ImmichSnapshot:
-        snapshot = ImmichSnapshot()
-        if not self.base_url or not self.settings.immich_api_key:
-            logger.info("immich skipped: base URL or API key missing")
-            return snapshot
-
-        headers = {"x-api-key": self.settings.immich_api_key}
-
-        try:
-            data = await self._request_json("GET", "/api/server/statistics", headers=headers)
-        except Exception as exc:
-            logger.warning("immich fetch_stats failed: %s", exc)
-            return snapshot
-
-        if not isinstance(data, dict):
-            logger.warning("immich unexpected response type: %s", type(data))
-            return snapshot
-
-        photos = int(data.get("photos", 0))
-        videos = int(data.get("videos", 0))
-        usage_bytes = int(data.get("usage", 0))
-        usage_gb = round(usage_bytes / (1024 ** 3), 1)
-
-        return ImmichSnapshot(
-            source_status="online",
-            photos=photos,
-            videos=videos,
-            storage_gb=usage_gb,
-        )

apps/dashboard/backend/app/clients/scrutiny_client.py

@@ -1,79 +0,0 @@
-from __future__ import annotations
-
-import logging
-
-from app.clients.base import BaseHTTPClient
-from app.config import Settings
-from app.models.sources import ScrutinyDevice, ScrutinySnapshot
-
-
-logger = logging.getLogger(__name__)
-
-
-class ScrutinyClient(BaseHTTPClient):
-    """
-    Reads SMART disk health data from Scrutiny's /api/summary endpoint.
-    No authentication required.
-    """
-
-    def __init__(self, settings: Settings) -> None:
-        super().__init__(settings, "scrutiny", settings.scrutiny_base_url)
-
-    async def fetch_summary(self) -> ScrutinySnapshot:
-        snapshot = ScrutinySnapshot()
-        if not self.base_url:
-            logger.info("scrutiny skipped: base URL missing")
-            return snapshot
-
-        data = await self._request_json("GET", "/api/summary")
-
-        if data is None:
-            logger.warning("scrutiny: empty or failed response")
-            return snapshot
-
-        devices = self._parse_devices(data)
-        failed = sum(1 for d in devices if d.status == "failed")
-        overall: str = "online" if failed == 0 and len(devices) > 0 else ("offline" if failed > 0 else "offline")
-
-        result = ScrutinySnapshot(
-            source_status="online",
-            devices=devices,
-            overall_status=overall,
-            failed_count=failed,
-            total_count=len(devices),
-        )
-        logger.info("scrutiny summary: %s devices, %s failed", len(devices), failed)
-        return result
-
-    @staticmethod
-    def _parse_devices(data: dict) -> list[ScrutinyDevice]:
-        devices: list[ScrutinyDevice] = []
-        summary: dict = (data.get("data") or {}).get("summary") or {}
-
-        for device_path, device_data in summary.items():
-            device_info: dict = device_data.get("device") or {}
-            smart_data = device_data.get("smart") or []
-
-            name = device_info.get("device_name") or device_path.split("/")[-1]
-            model = device_info.get("model_name") or "Unknown"
-
-            if isinstance(smart_data, dict):
-                # smart is a dict keyed by timestamp strings; grab the most recent value
-                latest_smart = smart_data[max(smart_data)] if smart_data else {}
-            elif isinstance(smart_data, list):
-                latest_smart = smart_data[-1] if smart_data else {}
-            else:
-                latest_smart = {}
-            if not isinstance(latest_smart, dict):
-                latest_smart = {}
-            status_code = latest_smart.get("Status", -1)
-            if status_code == 0:
-                status = "passed"
-            elif status_code > 0:
-                status = "failed"
-            else:
-                status = "unknown"
-
-            devices.append(ScrutinyDevice(name=name, model=model, status=status))
-
-        return sorted(devices, key=lambda d: d.name)

apps/dashboard/backend/app/clients/uptime_kuma_client.py

@@ -1,190 +0,0 @@
-from __future__ import annotations
-
-import logging
-import re
-
-import httpx
-
-from app.clients.base import BaseHTTPClient
-from app.config import Settings
-from app.models.sources import UptimeKumaMonitor, UptimeKumaSnapshot
-
-METRIC_LINE_RE = re.compile(r'^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*){(?P<labels>[^}]*)}s+(?P<value>.+)$')
-LABEL_RE = re.compile(r'(w+)="((?:[^"\\]|\\.)*)"')
-
-logger = logging.getLogger(__name__)
-
-
-class UptimeKumaClient(BaseHTTPClient):
-    """
-    Reads Uptime Kuma monitor status from the /metrics endpoint.
-
-    Auth: once an API key exists in Uptime Kuma, username/password Basic Auth
-    is permanently disabled. The correct format is HTTP Basic Auth with an
-    empty username and the API key as the password: auth=("", api_key).
-    """
-
-    def __init__(self, settings: Settings) -> None:
-        super().__init__(settings, "uptime-kuma", settings.uptime_kuma_base_url)
-
-    async def fetch_monitors(self) -> UptimeKumaSnapshot:
-        snapshot = UptimeKumaSnapshot()
-        if not self.base_url:
-            logger.info("uptime kuma skipped: no base URL configured")
-            return snapshot
-
-        raw_metrics: str | None = None
-
-        # Primary: API key as Basic Auth password (empty username)
-        if self.settings.uptime_kuma_api_key:
-            raw_metrics = await self._request_metrics_with_mode(
-                "api-key",
-                auth=("", self.settings.uptime_kuma_api_key),
-            )
-
-        # Fallback: regular username/password (only works if no API keys exist)
-        if raw_metrics is None and self.settings.uptime_kuma_username and self.settings.uptime_kuma_password:
-            raw_metrics = await self._request_metrics_with_mode(
-                "basic-user",
-                auth=(self.settings.uptime_kuma_username, self.settings.uptime_kuma_password),
-            )
-
-        if raw_metrics is None and not (
-            self.settings.uptime_kuma_api_key
-            or (self.settings.uptime_kuma_username and self.settings.uptime_kuma_password)
-        ):
-            logger.info("uptime kuma skipped: no usable metrics auth configured")
-            return snapshot
-
-        if not raw_metrics:
-            logger.warning("uptime kuma returned empty metrics payload or metrics auth failed")
-            return snapshot
-
-        logger.info("uptime kuma raw metrics first 40 lines: %s", raw_metrics.splitlines()[:40])
-        monitors = self._parse_metrics(raw_metrics)
-        up = sum(1 for monitor in monitors if monitor.status == "online")
-        down = sum(1 for monitor in monitors if monitor.status == "offline")
-        paused = sum(1 for monitor in monitors if monitor.status == "degraded")
-        normalized = UptimeKumaSnapshot(
-            source_status="online",
-            monitors_up=up,
-            monitors_down=down,
-            monitors_paused=paused,
-            total=len(monitors),
-            monitors=monitors,
-        )
-        logger.info("uptime kuma normalized snapshot: %s", normalized.model_dump())
-        return normalized
-
-    async def _request_metrics_with_mode(
-        self,
-        mode: str,
-        *,
-        auth: tuple[str, str] | None = None,
-    ) -> str | None:
-        if not self.base_url:
-            return None
-        url = f"{self.base_url}/metrics"
-        try:
-            async with httpx.AsyncClient(
-                timeout=self.settings.request_timeout_seconds,
-                trust_env=False,
-            ) as client:
-                response = await client.request("GET", url, auth=auth)
-            if response.status_code == 200 and response.text:
-                logger.info("uptime kuma metrics auth succeeded via %s", mode)
-                return response.text
-            if response.status_code in (401, 403):
-                logger.warning(
-                    "uptime kuma metrics auth failed via %s with status %s",
-                    mode,
-                    response.status_code,
-                )
-                return None
-        except httpx.TimeoutException:
-            logger.warning("uptime kuma metrics request timed out via %s", mode)
-        except httpx.HTTPError as exc:
-            logger.warning("uptime kuma metrics request error via %s: %s", mode, exc)
-        return None
-
-    def _parse_metrics(self, payload: str) -> list[UptimeKumaMonitor]:
-        status_by_id: dict[str, UptimeKumaMonitor] = {}
-        for line in payload.splitlines():
-            parsed = self._parse_metric_line(line)
-            if parsed is None:
-                continue
-            metric_name, labels, raw_value = parsed
-            monitor_id = labels.get("monitor_id") or labels.get("id") or labels.get("monitor") or labels.get("monitor_name")
-            monitor_name = labels.get("monitor_name") or labels.get("name")
-            if not monitor_id or not monitor_name:
-                continue
-            if monitor_id not in status_by_id:
-                status_by_id[monitor_id] = UptimeKumaMonitor(
-                    id=self._as_int(monitor_id),
-                    name=monitor_name,
-                )
-            monitor = status_by_id[monitor_id]
-            if metric_name == "monitor_status":
-                status_code = self._as_int_from_float(raw_value)
-                if status_code == 1:
-                    monitor.status = "online"
-                elif status_code == 3:
-                    monitor.status = "degraded"
-                else:
-                    monitor.status = "offline"
-            elif metric_name == "monitor_response_time":
-                latency = self._as_float(raw_value)
-                monitor.latency_ms = int(latency) if latency >= 0 else None
-            elif metric_name == "monitor_uptime":
-                duration = labels.get("duration", "")
-                if duration == "24":
-                    uptime = self._as_float(raw_value)
-                    if 0.0 <= uptime <= 1.0:
-                        monitor.uptime_24h = round(uptime * 100, 1)
-
-        # Build synthetic heartbeat bar (20 segments) from uptime_24h
-        for monitor in status_by_id.values():
-            if not monitor.heartbeats:
-                if monitor.uptime_24h >= 99.9:
-                    monitor.heartbeats = [1] * 20
-                elif monitor.uptime_24h <= 0.1:
-                    monitor.heartbeats = [0] * 20
-                else:
-                    green_count = round(monitor.uptime_24h / 100 * 20)
-                    monitor.heartbeats = [0] * (20 - green_count) + [1] * green_count
-
-        return list(status_by_id.values())
-
-    @staticmethod
-    def _parse_metric_line(line: str) -> tuple[str, dict[str, str], str] | None:
-        if not line or line.startswith("#"):
-            return None
-        match = METRIC_LINE_RE.match(line.strip())
-        if not match:
-            return None
-        labels = {
-            key: value.encode("utf-8").decode("unicode_escape")
-            for key, value in LABEL_RE.findall(match.group("labels"))
-        }
-        return match.group("name"), labels, match.group("value")
-
-    @staticmethod
-    def _as_float(value: str) -> float:
-        try:
-            return float(value)
-        except (ValueError, TypeError):
-            return -1.0
-
-    @staticmethod
-    def _as_int(value: str) -> int:
-        try:
-            return int(value)
-        except (ValueError, TypeError):
-            return 0
-
-    @staticmethod
-    def _as_int_from_float(value: str) -> int:
-        try:
-            return int(float(value))
-        except (ValueError, TypeError):
-            return 0

apps/dashboard/backend/app/config.py

@@ -1,79 +0,0 @@
-from __future__ import annotations
-
-import logging
-from functools import lru_cache
-from pathlib import Path
-from typing import Literal
-
-from pydantic import Field, HttpUrl
-from pydantic_settings import BaseSettings, SettingsConfigDict
-
-BACKEND_ROOT_DIR = Path(__file__).resolve().parents[1]
-ENV_FILE_PATH = BACKEND_ROOT_DIR / ".env"
-
-
-class Settings(BaseSettings):
-    model_config = SettingsConfigDict(
-        env_file=ENV_FILE_PATH,
-        env_file_encoding="utf-8",
-        case_sensitive=False,
-        extra="ignore",
-    )
-
-    app_env: Literal["development", "production", "test"] = "development"
-    app_host: str = "0.0.0.0"
-    app_port: int = 8000
-    app_log_level: Literal["DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"] = "INFO"
-    app_timezone: str = "Europe/Berlin"
-    app_name: str = "Homelab Dashboard API"
-    app_version: str = "0.1.0"
-    app_root_dir: Path = Path(__file__).resolve().parents[2]
-
-    cors_allow_origins: list[str] = Field(default_factory=lambda: ["http://localhost:3000"])
-
-    cache_ttl_overview_seconds: int = Field(default=20, ge=1)
-    cache_ttl_system_seconds: int = Field(default=10, ge=1)
-    cache_ttl_services_seconds: int = Field(default=15, ge=1)
-    cache_ttl_storage_seconds: int = Field(default=30, ge=1)
-
-    request_timeout_seconds: float = Field(default=5.0, gt=0)
-
-    beszel_base_url: HttpUrl | None = None
-    beszel_api_token: str | None = None
-    beszel_admin_email: str | None = None
-    beszel_admin_password: str | None = None
-
-    docker_proxy_base_url: HttpUrl | None = None
-
-    uptime_kuma_base_url: HttpUrl | None = None
-    uptime_kuma_api_key: str | None = None
-    uptime_kuma_username: str | None = None
-    uptime_kuma_password: str | None = None
-
-    home_assistant_base_url: HttpUrl | None = None
-    home_assistant_token: str | None = None
-
-    adguard_base_url: HttpUrl | None = None
-    adguard_username: str | None = None
-    adguard_password: str | None = None
-
-    scrutiny_base_url: HttpUrl | None = None
-
-    immich_base_url: HttpUrl | None = None
-    immich_api_key: str | None = None
-
-    backrest_base_url: HttpUrl | None = None
-    backrest_username: str | None = None
-    backrest_password: str | None = None
-
-
-@lru_cache(maxsize=1)
-def get_settings() -> Settings:
-    return Settings()
-
-
-def configure_logging(level: str) -> None:
-    logging.basicConfig(
-        level=getattr(logging, level.upper(), logging.INFO),
-        format="%(asctime)s %(levelname)s %(name)s %(message)s",
-    )

apps/dashboard/backend/app/main.py

@@ -1,93 +0,0 @@
-from __future__ import annotations
-
-import logging
-from contextlib import asynccontextmanager
-from pathlib import Path
-
-from fastapi import FastAPI
-from fastapi.responses import FileResponse
-from fastapi.middleware.cors import CORSMiddleware
-from fastapi.staticfiles import StaticFiles
-
-from app.config import configure_logging, get_settings
-from app.routes.adguard import router as adguard_router
-from app.routes.backrest import router as backrest_router
-from app.routes.home_assistant import router as home_assistant_router
-from app.routes.immich import router as immich_router
-from app.routes.overview import router as overview_router
-from app.routes.scrutiny import router as scrutiny_router
-from app.routes.services import router as services_router
-from app.routes.storage import router as storage_router
-from app.routes.system import router as system_router
-from app.routes.uptime_kuma import router as uptime_kuma_router
-
-
-logger = logging.getLogger(__name__)
-
-
-@asynccontextmanager
-async def lifespan(app: FastAPI):
-    settings = get_settings()
-    configure_logging(settings.app_log_level)
-    logger.info("Starting %s v%s in %s mode", settings.app_name, settings.app_version, settings.app_env)
-    logger.info(
-        "Config loaded: HOME_ASSISTANT_BASE_URL=%s HOME_ASSISTANT_TOKEN_SET=%s BESZEL_BASE_URL=%s DOCKER_PROXY_BASE_URL=%s UPTIME_KUMA_BASE_URL=%s IMMICH_BASE_URL=%s BACKREST_BASE_URL=%s",
-        bool(settings.home_assistant_base_url),
-        bool(settings.home_assistant_token),
-        bool(settings.beszel_base_url),
-        bool(settings.docker_proxy_base_url),
-        bool(settings.uptime_kuma_base_url),
-        bool(settings.immich_base_url),
-        bool(settings.backrest_base_url),
-    )
-    yield
-    logger.info("Stopping %s", settings.app_name)
-
-
-settings = get_settings()
-
-app = FastAPI(
-    title=settings.app_name,
-    version=settings.app_version,
-    lifespan=lifespan,
-)
-
-app.add_middleware(
-    CORSMiddleware,
-    allow_origins=settings.cors_allow_origins,
-    allow_credentials=True,
-    allow_methods=["GET"],
-    allow_headers=["*"],
-)
-
-app.include_router(overview_router)
-app.include_router(system_router)
-app.include_router(services_router)
-app.include_router(storage_router)
-app.include_router(adguard_router)
-app.include_router(scrutiny_router)
-app.include_router(immich_router)
-app.include_router(backrest_router)
-app.include_router(home_assistant_router)
-app.include_router(uptime_kuma_router)
-
-assets_dir = settings.app_root_dir / "assets"
-dashboard_file = settings.app_root_dir / "dashboard.html"
-
-if assets_dir.exists():
-    app.mount("/assets", StaticFiles(directory=assets_dir), name="assets")
-
-
-@app.get("/health", tags=["health"])
-async def health() -> dict[str, str]:
-    return {
-        "status": "ok",
-        "service": settings.app_name,
-        "version": settings.app_version,
-        "environment": settings.app_env,
-    }
-
-
-@app.get("/", include_in_schema=False)
-async def dashboard() -> FileResponse:
-    return FileResponse(dashboard_file)

apps/dashboard/backend/app/models/__init__.py

@@ -1 +0,0 @@
-"""Pydantic models for API and domain data."""

apps/dashboard/backend/app/models/common.py

@@ -1,23 +0,0 @@
-from __future__ import annotations
-
-from datetime import datetime
-from typing import Literal
-
-from pydantic import BaseModel, ConfigDict
-
-
-SourceStatus = Literal["online", "offline", "unsupported"]
-OverallStatus = Literal["online", "degraded", "offline"]
-HealthStatus = Literal["healthy", "warning", "offline"]
-DiskStatus = Literal["online", "warning", "critical", "offline"]
-ServiceKind = Literal["core", "service"]
-ServiceSource = Literal["home_assistant", "uptime_kuma", "docker", "manual"]
-DockerContainerState = Literal["running", "stopped", "unhealthy", "unknown"]
-
-
-class APIModel(BaseModel):
-    model_config = ConfigDict(extra="ignore", populate_by_name=True)
-
-
-class TimestampedResponse(APIModel):
-    generated_at: datetime

apps/dashboard/backend/app/models/overview.py

@@ -1,44 +0,0 @@
-from __future__ import annotations
-
-from app.models.common import APIModel, OverallStatus, SourceStatus, TimestampedResponse
-
-
-class OverviewServicesSummary(APIModel):
-    online: int
-    degraded: int
-    offline: int
-    total: int
-
-
-class OverviewDockerSummary(APIModel):
-    running: int
-    stopped: int
-    unhealthy: int
-    total: int
-    source_status: SourceStatus
-
-
-class OverviewSystemSummary(APIModel):
-    cpu_percent: float
-    ram_percent: float
-    root_storage_percent: float
-    network_rx_mbps: float
-    network_tx_mbps: float
-    uptime_seconds: int
-
-
-class OverviewHomeAssistantSummary(APIModel):
-    status: SourceStatus
-    label: str
-    version: str | None = None
-    response_time_ms: int | None = None
-    last_checked: str | None = None
-
-
-class OverviewResponse(TimestampedResponse):
-    overall_status: OverallStatus
-    refresh_hint_seconds: int
-    services: OverviewServicesSummary
-    docker: OverviewDockerSummary
-    system: OverviewSystemSummary
-    home_assistant: OverviewHomeAssistantSummary

apps/dashboard/backend/app/models/services.py

@@ -1,52 +0,0 @@
-from __future__ import annotations
-
-from app.models.common import (
-    APIModel,
-    DockerContainerState,
-    HealthStatus,
-    OverallStatus,
-    ServiceKind,
-    ServiceSource,
-    SourceStatus,
-    TimestampedResponse,
-)
-
-
-class ServicesDockerSummary(APIModel):
-    running: int
-    stopped: int
-    unhealthy: int
-    total: int
-    source_status: SourceStatus
-
-
-class ServicesUptimeKumaSummary(APIModel):
-    monitors_up: int
-    monitors_down: int
-    monitors_paused: int
-    total: int
-    source_status: SourceStatus
-
-
-class ServicesSummary(APIModel):
-    overall_status: OverallStatus
-    docker: ServicesDockerSummary
-    uptime_kuma: ServicesUptimeKumaSummary
-
-
-class ServiceItem(APIModel):
-    id: str
-    name: str
-    kind: ServiceKind
-    status: OverallStatus
-    health: HealthStatus
-    latency_ms: int | None = None
-    docker_state: DockerContainerState
-    url: str | None = None
-    source: ServiceSource
-    last_checked: str | None = None
-
-
-class ServicesResponse(TimestampedResponse):
-    summary: ServicesSummary
-    services: list[ServiceItem]

apps/dashboard/backend/app/models/sources.py

@@ -1,132 +0,0 @@
-from __future__ import annotations
-
-from datetime import datetime
-
-from pydantic import Field
-
-from app.models.common import APIModel, DockerContainerState, OverallStatus, SourceStatus
-
-
-class BeszelDiskMetric(APIModel):
-    name: str
-    mount: str
-    used_gb: float
-    total_gb: float
-    free_gb: float
-    usage_percent: float
-
-
-class BeszelSystemSnapshot(APIModel):
-    source_name: str = "beszel"
-    source_status: SourceStatus = "offline"
-    host_name: str = "unknown"
-    agent_name: str = "beszel-agent"
-    cpu_usage_percent: float = 0.0
-    cpu_cores: int = 0
-    load_1: float = 0.0
-    load_5: float = 0.0
-    load_15: float = 0.0
-    memory_used_gb: float = 0.0
-    memory_total_gb: float = 0.0
-    memory_available_gb: float = 0.0
-    memory_usage_percent: float = 0.0
-    primary_interface: str = "unknown"
-    network_rx_mbps: float = 0.0
-    network_tx_mbps: float = 0.0
-    uptime_seconds: int = 0
-    platform: str = "unknown"
-    kernel: str = "unknown"
-    disks: list[BeszelDiskMetric] = Field(default_factory=list)
-
-
-class DockerContainerSummary(APIModel):
-    id: str
-    name: str
-    state: DockerContainerState
-    status_text: str
-    image: str
-    health: str | None = None
-
-
-class DockerSnapshot(APIModel):
-    source_name: str = "docker"
-    source_status: SourceStatus = "offline"
-    containers: list[DockerContainerSummary] = Field(default_factory=list)
-    running: int = 0
-    stopped: int = 0
-    unhealthy: int = 0
-    total: int = 0
-
-
-class UptimeKumaMonitor(APIModel):
-    id: int
-    name: str
-    status: str = "unknown"  # "online" | "offline" | "degraded" | "unknown"
-    uptime_24h: float = 0.0
-    heartbeats: list[int] = Field(default_factory=list)  # 1=up, 0=down, last 20
-
-
-class UptimeKumaSnapshot(APIModel):
-    source_name: str = "uptime_kuma"
-    source_status: SourceStatus = "offline"
-    monitors_up: int = 0
-    monitors_down: int = 0
-    monitors_paused: int = 0
-    total: int = 0
-    monitors: list[UptimeKumaMonitor] = Field(default_factory=list)
-
-
-class HomeAssistantSnapshot(APIModel):
-    source_name: str = "home_assistant"
-    status: SourceStatus = "offline"
-    label: str = "Home Assistant"
-    version: str | None = None
-    response_time_ms: int | None = None
-    last_checked: datetime | None = None
-    lights_on: int = 0
-    lights_total: int = 0
-    climate_active: int = 0
-    doors_open: int = 0
-    alerts: int = 0
-
-
-class AdGuardSnapshot(APIModel):
-    source_name: str = "adguard"
-    source_status: SourceStatus = "offline"
-    total_queries: int = 0
-    blocked_queries: int = 0
-    blocked_percent: float = 0.0
-    avg_processing_ms: float = 0.0
-
-
-class ScrutinyDevice(APIModel):
-    name: str
-    model: str
-    status: str = "unknown"  # "passed" | "failed" | "unknown"
-    temperature: int | None = None
-
-
-class ScrutinySnapshot(APIModel):
-    source_name: str = "scrutiny"
-    source_status: SourceStatus = "offline"
-    overall_status: str = "offline"
-    devices: list[ScrutinyDevice] = Field(default_factory=list)
-    failed_count: int = 0
-    total_count: int = 0
-
-
-class ImmichSnapshot(APIModel):
-    source_name: str = "immich"
-    source_status: SourceStatus = "offline"
-    photos: int = 0
-    videos: int = 0
-    storage_gb: float = 0.0
-
-
-class BackrestSnapshot(APIModel):
-    source_name: str = "backrest"
-    source_status: SourceStatus = "offline"
-    repo_count: int = 0
-    last_backup_age_hours: float | None = None
-    last_backup_status: str = "unknown"  # "ok" | "error" | "unknown"
-    error_count: int = 0

apps/dashboard/backend/app/models/storage.py

@@ -1,27 +0,0 @@
-from __future__ import annotations
-
-from app.models.common import APIModel, DiskStatus, OverallStatus, SourceStatus, TimestampedResponse
-
-
-class StorageSummary(APIModel):
-    overall_status: OverallStatus
-    source_status: SourceStatus
-    critical_disks: int
-    warning_disks: int
-    total_disks: int
-
-
-class StorageDisk(APIModel):
-    name: str
-    mount: str
-    used_gb: float
-    total_gb: float
-    free_gb: float
-    usage_percent: float
-    status: DiskStatus
-
-
-class StorageResponse(TimestampedResponse):
-    summary: StorageSummary
-    root: StorageDisk
-    disks: list[StorageDisk]

apps/dashboard/backend/app/models/system.py

@@ -1,45 +0,0 @@
-from __future__ import annotations
-
-from app.models.common import APIModel, SourceStatus, TimestampedResponse
-
-
-class SystemSource(APIModel):
-    name: str
-    status: SourceStatus
-    host_name: str
-    agent_name: str
-
-
-class SystemCPU(APIModel):
-    usage_percent: float
-    cores: int
-    load_1: float
-    load_5: float
-    load_15: float
-
-
-class SystemMemory(APIModel):
-    used_gb: float
-    total_gb: float
-    available_gb: float
-    usage_percent: float
-
-
-class SystemNetwork(APIModel):
-    primary_interface: str
-    rx_mbps: float
-    tx_mbps: float
-
-
-class SystemHost(APIModel):
-    uptime_seconds: int
-    platform: str
-    kernel: str
-
-
-class SystemResponse(TimestampedResponse):
-    source: SystemSource
-    cpu: SystemCPU
-    memory: SystemMemory
-    network: SystemNetwork
-    host: SystemHost

apps/dashboard/backend/app/routes/__init__.py

@@ -1 +0,0 @@
-"""API route modules."""

apps/dashboard/backend/app/routes/adguard.py

@@ -1,16 +0,0 @@
-from __future__ import annotations
-
-from fastapi import APIRouter, Depends
-
-from app.models.sources import AdGuardSnapshot
-from app.services.aggregator import AggregatorService, get_aggregator_service
-
-
-router = APIRouter(prefix="/api", tags=["adguard"])
-
-
-@router.get("/adguard", response_model=AdGuardSnapshot)
-async def get_adguard(
-    aggregator: AggregatorService = Depends(get_aggregator_service),
-) -> AdGuardSnapshot:
-    return await aggregator.get_adguard()

apps/dashboard/backend/app/routes/backrest.py

@@ -1,16 +0,0 @@
-from __future__ import annotations
-
-from fastapi import APIRouter, Depends
-
-from app.models.sources import BackrestSnapshot
-from app.services.aggregator import AggregatorService, get_aggregator_service
-
-
-router = APIRouter(prefix="/api", tags=["backrest"])
-
-
-@router.get("/backrest", response_model=BackrestSnapshot)
-async def get_backrest(
-    aggregator: AggregatorService = Depends(get_aggregator_service),
-) -> BackrestSnapshot:
-    return await aggregator.get_backrest()

apps/dashboard/backend/app/routes/home_assistant.py

@@ -1,16 +0,0 @@
-from __future__ import annotations
-
-from fastapi import APIRouter, Depends
-
-from app.models.sources import HomeAssistantSnapshot
-from app.services.aggregator import AggregatorService, get_aggregator_service
-
-
-router = APIRouter(prefix="/api", tags=["home_assistant"])
-
-
-@router.get("/home_assistant", response_model=HomeAssistantSnapshot)
-async def get_home_assistant(
-    aggregator: AggregatorService = Depends(get_aggregator_service),
-) -> HomeAssistantSnapshot:
-    return await aggregator.get_home_assistant()

apps/dashboard/backend/app/routes/immich.py

@@ -1,16 +0,0 @@
-from __future__ import annotations
-
-from fastapi import APIRouter, Depends
-
-from app.models.sources import ImmichSnapshot
-from app.services.aggregator import AggregatorService, get_aggregator_service
-
-
-router = APIRouter(prefix="/api", tags=["immich"])
-
-
-@router.get("/immich", response_model=ImmichSnapshot)
-async def get_immich(
-    aggregator: AggregatorService = Depends(get_aggregator_service),
-) -> ImmichSnapshot:
-    return await aggregator.get_immich()

apps/dashboard/backend/app/routes/overview.py

@@ -1,16 +0,0 @@
-from __future__ import annotations
-
-from fastapi import APIRouter, Depends
-
-from app.models.overview import OverviewResponse
-from app.services.aggregator import AggregatorService, get_aggregator_service
-
-
-router = APIRouter(prefix="/api", tags=["overview"])
-
-
-@router.get("/overview", response_model=OverviewResponse)
-async def get_overview(
-    aggregator: AggregatorService = Depends(get_aggregator_service),
-) -> OverviewResponse:
-    return await aggregator.get_overview()

apps/dashboard/backend/app/routes/scrutiny.py

@@ -1,16 +0,0 @@
-from __future__ import annotations
-
-from fastapi import APIRouter, Depends
-
-from app.models.sources import ScrutinySnapshot
-from app.services.aggregator import AggregatorService, get_aggregator_service
-
-
-router = APIRouter(prefix="/api", tags=["scrutiny"])
-
-
-@router.get("/scrutiny", response_model=ScrutinySnapshot)
-async def get_scrutiny(
-    aggregator: AggregatorService = Depends(get_aggregator_service),
-) -> ScrutinySnapshot:
-    return await aggregator.get_scrutiny()

apps/dashboard/backend/app/routes/services.py

@@ -1,16 +0,0 @@
-from __future__ import annotations
-
-from fastapi import APIRouter, Depends
-
-from app.models.services import ServicesResponse
-from app.services.aggregator import AggregatorService, get_aggregator_service
-
-
-router = APIRouter(prefix="/api", tags=["services"])
-
-
-@router.get("/services", response_model=ServicesResponse)
-async def get_services(
-    aggregator: AggregatorService = Depends(get_aggregator_service),
-) -> ServicesResponse:
-    return await aggregator.get_services()

apps/dashboard/backend/app/routes/storage.py

@@ -1,16 +0,0 @@
-from __future__ import annotations
-
-from fastapi import APIRouter, Depends
-
-from app.models.storage import StorageResponse
-from app.services.aggregator import AggregatorService, get_aggregator_service
-
-
-router = APIRouter(prefix="/api", tags=["storage"])
-
-
-@router.get("/storage", response_model=StorageResponse)
-async def get_storage(
-    aggregator: AggregatorService = Depends(get_aggregator_service),
-) -> StorageResponse:
-    return await aggregator.get_storage()

apps/dashboard/backend/app/routes/system.py

@@ -1,16 +0,0 @@
-from __future__ import annotations
-
-from fastapi import APIRouter, Depends
-
-from app.models.system import SystemResponse
-from app.services.aggregator import AggregatorService, get_aggregator_service
-
-
-router = APIRouter(prefix="/api", tags=["system"])
-
-
-@router.get("/system", response_model=SystemResponse)
-async def get_system(
-    aggregator: AggregatorService = Depends(get_aggregator_service),
-) -> SystemResponse:
-    return await aggregator.get_system()

apps/dashboard/backend/app/routes/uptime_kuma.py

@@ -1,16 +0,0 @@
-from __future__ import annotations
-
-from fastapi import APIRouter, Depends
-
-from app.models.sources import UptimeKumaSnapshot
-from app.services.aggregator import AggregatorService, get_aggregator_service
-
-
-router = APIRouter(prefix="/api", tags=["uptime_kuma"])
-
-
-@router.get("/uptime_kuma", response_model=UptimeKumaSnapshot)
-async def get_uptime_kuma(
-    aggregator: AggregatorService = Depends(get_aggregator_service),
-) -> UptimeKumaSnapshot:
-    return await aggregator.get_uptime_kuma()

apps/dashboard/backend/app/services/__init__.py

@@ -1 +0,0 @@
-"""Application services."""

apps/dashboard/backend/app/services/aggregator.py

@@ -1,429 +0,0 @@
-from __future__ import annotations
-
-import asyncio
-import logging
-from datetime import datetime, timezone
-from functools import lru_cache
-from typing import Iterable
-
-from app.clients.adguard_client import AdGuardClient
-from app.clients.backrest_client import BackrestClient
-from app.clients.beszel_client import BeszelClient
-from app.clients.docker_proxy_client import DockerProxyClient
-from app.clients.home_assistant_client import HomeAssistantClient
-from app.clients.immich_client import ImmichClient
-from app.clients.scrutiny_client import ScrutinyClient
-from app.clients.uptime_kuma_client import UptimeKumaClient
-from app.config import Settings, get_settings
-from app.models.common import DiskStatus, HealthStatus, OverallStatus
-from app.models.overview import (
-    OverviewDockerSummary,
-    OverviewHomeAssistantSummary,
-    OverviewResponse,
-    OverviewServicesSummary,
-    OverviewSystemSummary,
-)
-from app.models.services import (
-    ServiceItem,
-    ServicesDockerSummary,
-    ServicesResponse,
-    ServicesSummary,
-    ServicesUptimeKumaSummary,
-)
-from app.models.sources import (
-    AdGuardSnapshot,
-    BackrestSnapshot,
-    BeszelDiskMetric,
-    BeszelSystemSnapshot,
-    DockerSnapshot,
-    HomeAssistantSnapshot,
-    ImmichSnapshot,
-    ScrutinySnapshot,
-    UptimeKumaMonitor,
-    UptimeKumaSnapshot,
-)
-from app.models.storage import StorageDisk, StorageResponse, StorageSummary
-from app.models.system import (
-    SystemCPU,
-    SystemHost,
-    SystemMemory,
-    SystemNetwork,
-    SystemResponse,
-    SystemSource,
-)
-from app.services.cache import TTLCacheService
-
-
-logger = logging.getLogger(__name__)
-
-
-class AggregatorService:
-    def __init__(
-        self,
-        settings: Settings,
-        cache: TTLCacheService,
-        beszel_client: BeszelClient,
-        docker_client: DockerProxyClient,
-        uptime_kuma_client: UptimeKumaClient,
-        home_assistant_client: HomeAssistantClient,
-        adguard_client: AdGuardClient,
-        scrutiny_client: ScrutinyClient,
-        immich_client: ImmichClient,
-        backrest_client: BackrestClient,
-    ) -> None:
-        self.settings = settings
-        self.cache = cache
-        self.beszel_client = beszel_client
-        self.docker_client = docker_client
-        self.uptime_kuma_client = uptime_kuma_client
-        self.home_assistant_client = home_assistant_client
-        self.adguard_client = adguard_client
-        self.scrutiny_client = scrutiny_client
-        self.immich_client = immich_client
-        self.backrest_client = backrest_client
-
-    async def get_system(self) -> SystemResponse:
-        return await self.cache.get_or_load(
-            "system",
-            self.settings.cache_ttl_system_seconds,
-            self._build_system,
-        )
-
-    async def get_storage(self) -> StorageResponse:
-        return await self.cache.get_or_load(
-            "storage",
-            self.settings.cache_ttl_storage_seconds,
-            self._build_storage,
-        )
-
-    async def get_services(self) -> ServicesResponse:
-        return await self.cache.get_or_load(
-            "services",
-            self.settings.cache_ttl_services_seconds,
-            self._build_services,
-        )
-
-    async def get_adguard(self) -> AdGuardSnapshot:
-        return await self.cache.get_or_load(
-            "adguard",
-            self.settings.cache_ttl_services_seconds,
-            self.adguard_client.fetch_stats,
-        )
-
-    async def get_scrutiny(self) -> ScrutinySnapshot:
-        return await self.cache.get_or_load(
-            "scrutiny",
-            self.settings.cache_ttl_storage_seconds,
-            self.scrutiny_client.fetch_summary,
-        )
-
-    async def get_immich(self) -> ImmichSnapshot:
-        return await self.cache.get_or_load(
-            "immich",
-            self.settings.cache_ttl_services_seconds,
-            self.immich_client.fetch_stats,
-        )
-
-    async def get_backrest(self) -> BackrestSnapshot:
-        return await self.cache.get_or_load(
-            "backrest",
-            self.settings.cache_ttl_services_seconds,
-            self.backrest_client.fetch_status,
-        )
-
-    async def get_home_assistant(self) -> HomeAssistantSnapshot:
-        return await self.cache.get_or_load(
-            "home_assistant",
-            self.settings.cache_ttl_services_seconds,
-            self.home_assistant_client.fetch_status,
-        )
-
-    async def get_uptime_kuma(self) -> UptimeKumaSnapshot:
-        return await self.cache.get_or_load(
-            "uptime_kuma",
-            self.settings.cache_ttl_services_seconds,
-            self.uptime_kuma_client.fetch_monitors,
-        )
-
-    async def get_overview(self) -> OverviewResponse:
-        return await self.cache.get_or_load(
-            "overview",
-            self.settings.cache_ttl_overview_seconds,
-            self._build_overview,
-        )
-
-    async def _build_system(self) -> SystemResponse:
-        snapshot = await self.beszel_client.fetch_system_snapshot()
-        now = datetime.now(timezone.utc)
-        return SystemResponse(
-            generated_at=now,
-            source=SystemSource(
-                name=snapshot.source_name,
-                status=snapshot.source_status,
-                host_name=snapshot.host_name,
-                agent_name=snapshot.agent_name,
-            ),
-            cpu=SystemCPU(
-                usage_percent=snapshot.cpu_usage_percent,
-                cores=snapshot.cpu_cores,
-                load_1=snapshot.load_1,
-                load_5=snapshot.load_5,
-                load_15=snapshot.load_15,
-            ),
-            memory=SystemMemory(
-                used_gb=snapshot.memory_used_gb,
-                total_gb=snapshot.memory_total_gb,
-                available_gb=snapshot.memory_available_gb,
-                usage_percent=snapshot.memory_usage_percent,
-            ),
-            network=SystemNetwork(
-                primary_interface=snapshot.primary_interface,
-                rx_mbps=snapshot.network_rx_mbps,
-                tx_mbps=snapshot.network_tx_mbps,
-            ),
-            host=SystemHost(
-                uptime_seconds=snapshot.uptime_seconds,
-                platform=snapshot.platform,
-                kernel=snapshot.kernel,
-            ),
-        )
-
-    async def _build_storage(self) -> StorageResponse:
-        snapshot = await self.beszel_client.fetch_system_snapshot()
-        now = datetime.now(timezone.utc)
-
-        disks = [self._map_disk(d, snapshot.source_status) for d in snapshot.disks]
-        storage_source_status = snapshot.source_status
-        if snapshot.source_status == "online" and not disks:
-            storage_source_status = "unsupported"
-
-        if disks:
-            root = next((d for d in disks if d.mount == "/"), disks[0])
-        else:
-            root = StorageDisk(
-                name="rootfs",
-                mount="/",
-                used_gb=0.0,
-                total_gb=0.0,
-                free_gb=0.0,
-                usage_percent=0.0,
-                status="offline" if snapshot.source_status == "offline" else "online",
-            )
-
-        critical_count = sum(1 for d in disks if d.status == "critical")
-        warning_count = sum(1 for d in disks if d.status == "warning")
-        overall_status: OverallStatus = (
-            "offline" if snapshot.source_status == "offline"
-            else ("degraded" if critical_count or warning_count else "online")
-        )
-
-        return StorageResponse(
-            generated_at=now,
-            summary=StorageSummary(
-                overall_status=overall_status,
-                source_status=storage_source_status,
-                critical_disks=critical_count,
-                warning_disks=warning_count,
-                total_disks=len(disks),
-            ),
-            root=root,
-            disks=disks,
-        )
-
-    async def _build_services(self) -> ServicesResponse:
-        docker_snap, uk_snap = await asyncio.gather(
-            self.docker_client.fetch_containers(),
-            self.uptime_kuma_client.fetch_monitors(),
-        )
-        now = datetime.now(timezone.utc)
-
-        monitor_by_name = {
-            self._normalize_identifier(m.name): m for m in uk_snap.monitors
-        }
-        docker_by_name = {
-            self._normalize_identifier(c.name): c for c in docker_snap.containers
-        }
-
-        items: list[ServiceItem] = []
-        merged_names = sorted(set(docker_by_name) | set(monitor_by_name))
-        for norm in merged_names:
-            container = docker_by_name.get(norm)
-            monitor = monitor_by_name.get(norm)
-            status = self._resolve_overall_status(
-                container.state if container else "unknown", monitor
-            )
-            items.append(ServiceItem(
-                id=norm,
-                name=monitor.name if monitor else container.name,
-                kind="service",
-                status=status,
-                health=self._status_to_health(status),
-                latency_ms=monitor.latency_ms if monitor else None,
-                docker_state=container.state if container else "unknown",
-                url=None,
-                source="uptime_kuma" if monitor else "docker",
-                last_checked=now.isoformat(),
-            ))
-
-        statuses = [i.status for i in items]
-        overall = self._aggregate_statuses(statuses)
-
-        return ServicesResponse(
-            generated_at=now,
-            summary=ServicesSummary(
-                overall_status=overall,
-                docker=ServicesDockerSummary(
-                    running=docker_snap.running,
-                    stopped=docker_snap.stopped,
-                    unhealthy=docker_snap.unhealthy,
-                    total=docker_snap.total,
-                    source_status=docker_snap.source_status,
-                ),
-                uptime_kuma=ServicesUptimeKumaSummary(
-                    monitors_up=uk_snap.monitors_up,
-                    monitors_down=uk_snap.monitors_down,
-                    monitors_paused=uk_snap.monitors_paused,
-                    total=uk_snap.total,
-                    source_status=uk_snap.source_status,
-                ),
-            ),
-            services=items,
-        )
-
-    async def _build_overview(self) -> OverviewResponse:
-        system_snap, docker_snap, uk_snap, ha_snap = await asyncio.gather(
-            self.beszel_client.fetch_system_snapshot(),
-            self.docker_client.fetch_containers(),
-            self.uptime_kuma_client.fetch_monitors(),
-            self.home_assistant_client.fetch_status(),
-        )
-        now = datetime.now(timezone.utc)
-
-        statuses: list[OverallStatus] = []
-        for container in docker_snap.containers:
-            name_lower = self._normalize_identifier(container.name)
-            monitor = next(
-                (m for m in uk_snap.monitors if self._normalize_identifier(m.name) == name_lower),
-                None,
-            )
-            statuses.append(self._resolve_overall_status(container.state, monitor))
-
-        overall = self._aggregate_statuses(statuses)
-
-        return OverviewResponse(
-            generated_at=now,
-            overall_status=overall,
-            refresh_hint_seconds=self.settings.cache_ttl_overview_seconds,
-            services=OverviewServicesSummary(
-                online=sum(1 for s in statuses if s == "online"),
-                degraded=sum(1 for s in statuses if s == "degraded"),
-                offline=sum(1 for s in statuses if s == "offline"),
-                total=len(statuses),
-            ),
-            docker=OverviewDockerSummary(
-                running=docker_snap.running,
-                stopped=docker_snap.stopped,
-                unhealthy=docker_snap.unhealthy,
-                total=docker_snap.total,
-                source_status=docker_snap.source_status,
-            ),
-            system=OverviewSystemSummary(
-                cpu_percent=system_snap.cpu_usage_percent,
-                ram_percent=system_snap.memory_usage_percent,
-                root_storage_percent=system_snap.disks[0].usage_percent if system_snap.disks else 0.0,
-                network_rx_mbps=system_snap.network_rx_mbps,
-                network_tx_mbps=system_snap.network_tx_mbps,
-                uptime_seconds=system_snap.uptime_seconds,
-            ),
-            home_assistant=OverviewHomeAssistantSummary(
-                status=ha_snap.status,
-                label=ha_snap.label,
-                version=ha_snap.version,
-                response_time_ms=ha_snap.response_time_ms,
-                last_checked=ha_snap.last_checked.isoformat() if ha_snap.last_checked else None,
-            ),
-        )
-
-    @staticmethod
-    def _normalize_identifier(value: str) -> str:
-        return "".join(ch.lower() for ch in value if ch.isalnum())
-
-    @staticmethod
-    def _resolve_overall_status(
-        docker_state: str,
-        monitor: UptimeKumaMonitor | None,
-    ) -> OverallStatus:
-        if monitor:
-            if monitor.status == "offline":
-                return "offline"
-            if monitor.status == "degraded":
-                return "degraded"
-        if docker_state == "unhealthy":
-            return "degraded"
-        if docker_state == "stopped":
-            return "offline"
-        if docker_state == "running":
-            return "online"
-        return "offline" if monitor is None else monitor.status
-
-    @staticmethod
-    def _status_to_health(status: OverallStatus) -> HealthStatus:
-        if status == "online":
-            return "healthy"
-        if status == "degraded":
-            return "warning"
-        return "offline"
-
-    def _map_disk(self, disk: BeszelDiskMetric, source_status: str) -> StorageDisk:
-        if source_status == "offline":
-            status: DiskStatus = "offline"
-        elif disk.usage_percent >= 90:
-            status = "critical"
-        elif disk.usage_percent >= 75:
-            status = "warning"
-        else:
-            status = "online"
-
-        return StorageDisk(
-            name=disk.name,
-            mount=disk.mount,
-            used_gb=disk.used_gb,
-            total_gb=disk.total_gb,
-            free_gb=disk.free_gb,
-            usage_percent=disk.usage_percent,
-            status=status,
-        )
-
-    @staticmethod
-    def _aggregate_statuses(statuses: Iterable[OverallStatus]) -> OverallStatus:
-        normalized = list(statuses)
-        if not normalized:
-            return "offline"
-        if any(s == "offline" for s in normalized):
-            return "degraded" if any(s == "online" for s in normalized) else "offline"
-        if any(s in {"degraded", "warning", "critical"} for s in normalized):
-            return "degraded"
-        return "online"
-
-
-@lru_cache(maxsize=1)
-def get_cache_service() -> TTLCacheService:
-    return TTLCacheService()
-
-
-@lru_cache(maxsize=1)
-def get_aggregator_service() -> AggregatorService:
-    settings = get_settings()
-    cache = get_cache_service()
-    return AggregatorService(
-        settings=settings,
-        cache=cache,
-        beszel_client=BeszelClient(settings),
-        docker_client=DockerProxyClient(settings),
-        uptime_kuma_client=UptimeKumaClient(settings),
-        home_assistant_client=HomeAssistantClient(settings),
-        adguard_client=AdGuardClient(settings),
-        scrutiny_client=ScrutinyClient(settings),
-        immich_client=ImmichClient(settings),
-        backrest_client=BackrestClient(settings),
-    )

apps/dashboard/backend/app/services/cache.py

@@ -1,60 +0,0 @@
-from __future__ import annotations
-
-import asyncio
-import logging
-from dataclasses import dataclass
-from datetime import datetime, timedelta, timezone
-from typing import Awaitable, Callable, Generic, TypeVar
-
-
-logger = logging.getLogger(__name__)
-
-T = TypeVar("T")
-
-
-@dataclass
-class CacheEntry(Generic[T]):
-    value: T
-    expires_at: datetime
-    updated_at: datetime
-
-
-class TTLCacheService:
-    def __init__(self) -> None:
-        self._entries: dict[str, CacheEntry[object]] = {}
-        self._locks: dict[str, asyncio.Lock] = {}
-
-    async def get_or_load(
-        self,
-        key: str,
-        ttl_seconds: int,
-        loader: Callable[[], Awaitable[T]],
-    ) -> T:
-        entry = self._entries.get(key)
-        if entry and not self._is_expired(entry):
-            return entry.value  # type: ignore[return-value]
-
-        lock = self._locks.setdefault(key, asyncio.Lock())
-        async with lock:
-            entry = self._entries.get(key)
-            if entry and not self._is_expired(entry):
-                return entry.value  # type: ignore[return-value]
-
-            try:
-                value = await loader()
-                now = datetime.now(timezone.utc)
-                self._entries[key] = CacheEntry(
-                    value=value,
-                    expires_at=now + timedelta(seconds=ttl_seconds),
-                    updated_at=now,
-                )
-                return value
-            except Exception as exc:
-                if entry:
-                    logger.warning("Cache loader failed for %s, serving stale data: %s", key, exc)
-                    return entry.value  # type: ignore[return-value]
-                raise
-
-    @staticmethod
-    def _is_expired(entry: CacheEntry[object]) -> bool:
-        return datetime.now(timezone.utc) >= entry.expires_at

apps/dashboard/backend/requirements.txt

@@ -1,4 +0,0 @@
-fastapi==0.116.1
-uvicorn[standard]==0.35.0
-pydantic-settings==2.10.1
-httpx==0.28.1

apps/dashboard/dashboard.html

@@ -1,431 +0,0 @@
-<!DOCTYPE html>
-<html lang="de">
-<head>
-<meta charset="UTF-8">
-<meta name="viewport" content="width=device-width, initial-scale=1.0">
-<title>KalliLab Control Panel</title>
-<link href="https://fonts.googleapis.com/css2?family=Orbitron:wght@400;600;700&family=Share+Tech+Mono&family=Exo+2:wght@300;400;600&display=swap" rel="stylesheet">
-<style>
-  :root {
-    --bg: #060b09;
-    --bg2: #0a1210;
-    --card: rgba(8, 18, 15, 0.88);
-    --card-border: rgba(0, 220, 140, 0.18);
-    --card-hover: rgba(0, 220, 140, 0.28);
-    --teal: #00dc8c;
-    --teal-dim: #009e65;
-    --teal-bright: #00ffaa;
-    --teal-glow: rgba(0, 220, 140, 0.4);
-    --text: #b8d4cc;
-    --text-dim: #5a8a7a;
-    --text-bright: #d8f0e8;
-    --clr-warn: #ff4466;
-    --red: #ff4466;
-    --yellow: #ffcc44;
-    --blue: #44aaff;
-    --graph: #00cc88;
-    --font-display: 'Orbitron', monospace;
-    --font-mono: 'Share Tech Mono', monospace;
-    --font-body: 'Exo 2', sans-serif;
-  }
-  * { margin: 0; padding: 0; box-sizing: border-box; }
-  body {
-    background: var(--bg);
-    color: var(--text);
-    font-family: var(--font-body);
-    min-height: 100vh;
-    overflow-x: hidden;
-    position: relative;
-  }
-  body::before {
-    content: '';
-    position: fixed;
-    inset: 0;
-    background-image:
-      linear-gradient(rgba(0, 220, 140, 0.025) 1px, transparent 1px),
-      linear-gradient(90deg, rgba(0, 220, 140, 0.025) 1px, transparent 1px);
-    background-size: 40px 40px;
-    z-index: 0;
-    pointer-events: none;
-  }
-  @keyframes scanline {
-    0% { top: -5%; }
-    100% { top: 105%; }
-  }
-  .scanline {
-    position: fixed;
-    left: 0; right: 0;
-    height: 2px;
-    background: linear-gradient(90deg, transparent, rgba(0,220,140,0.06), rgba(0,220,140,0.10), rgba(0,220,140,0.06), transparent);
-    z-index: 1;
-    animation: scanline 8s linear infinite;
-    pointer-events: none;
-  }
-  .wrapper {
-    position: relative;
-    z-index: 2;
-    max-width: 1340px;
-    margin: 0 auto;
-    padding: 0 10px 32px;
-  }
-  .header {
-    display: flex;
-    align-items: center;
-    justify-content: space-between;
-    padding: 10px 0 8px;
-    border-bottom: 1px solid var(--card-border);
-    margin-bottom: 10px;
-    gap: 12px;
-  }
-  .header-logo { display: flex; align-items: center; gap: 10px; }
-  .logo-text {
-    font-family: var(--font-display);
-    font-size: 16px;
-    font-weight: 700;
-    color: var(--teal-bright);
-    text-shadow: 0 0 20px var(--teal-glow);
-    letter-spacing: 2px;
-  }
-  .logo-sub {
-    font-family: var(--font-mono);
-    font-size: 9px;
-    color: var(--text-dim);
-    letter-spacing: 2px;
-    text-transform: uppercase;
-  }
-  .header-center { display: flex; flex-direction: column; align-items: center; gap: 2px; }
-  .overall-status { font-family: var(--font-mono); font-size: 10px; letter-spacing: 2px; color: var(--teal-dim); }
-  .status-indicator {
-    display: flex; align-items: center; gap: 6px;
-    font-family: var(--font-display); font-size: 11px;
-    color: var(--teal-bright); text-shadow: 0 0 10px var(--teal-glow);
-  }
-  .status-dot-main { width: 8px; height: 8px; border-radius: 50%; background: var(--teal); box-shadow: 0 0 8px var(--teal-glow); }
-  .header-right { display: flex; flex-direction: column; align-items: flex-end; gap: 2px; }
-  .clock {
-    font-family: var(--font-display); font-size: 24px; font-weight: 700;
-    color: var(--teal-bright); text-shadow: 0 0 20px var(--teal-glow), 0 0 40px rgba(0,220,140,0.2);
-    letter-spacing: 2px;
-  }
-  .date-str { font-family: var(--font-mono); font-size: 10px; color: var(--text-dim); text-align: right; }
-  #last-updated { font-family: var(--font-mono); font-size: 9px; color: var(--text-dim); text-align: right; }
-  .section-header {
-    display: flex; align-items: center; gap: 8px; margin-bottom: 6px;
-    font-family: var(--font-display); font-size: 8px; font-weight: 600;
-    letter-spacing: 3px; text-transform: uppercase; color: var(--teal-dim);
-  }
-  .section-header::after { content: ''; flex: 1; height: 1px; background: linear-gradient(90deg, var(--card-border), transparent); }
-  .widget-row { display: grid; gap: 8px; margin-bottom: 8px; }
-  .row-5 { grid-template-columns: repeat(5, 1fr); }
-  .row-4 { grid-template-columns: repeat(4, 1fr); }
-  .row-3 { grid-template-columns: repeat(3, 1fr); }
-  .row-2 { grid-template-columns: repeat(2, 1fr); }
-  .row-2-1 { grid-template-columns: 2fr 1fr; }
-  .row-1-2 { grid-template-columns: 1fr 2fr; }
-  .row-3-2 { grid-template-columns: 3fr 2fr; }
-  .card {
-    background: rgba(6, 14, 11, 0.78);
-    border: 1px solid var(--card-border);
-    border-radius: 8px;
-    padding: 8px 10px;
-    transition: border-color 0.2s, box-shadow 0.2s;
-    backdrop-filter: blur(14px) saturate(1.4);
-    -webkit-backdrop-filter: blur(14px) saturate(1.4);
-  }
-  .card:hover { border-color: rgba(0,220,140,0.32); box-shadow: 0 0 16px rgba(0,220,140,0.07), inset 0 0 20px rgba(0,220,140,0.02); }
-  .card-title {
-    font-family: var(--font-display); font-size: 8px; font-weight: 600;
-    letter-spacing: 2px; text-transform: uppercase; color: var(--teal-dim);
-    margin-bottom: 6px; display: flex; align-items: center; justify-content: space-between; gap: 6px;
-  }
-  .card-title-left { display: flex; align-items: center; gap: 6px; }
-  .card-title .dot { width: 5px; height: 5px; border-radius: 50%; background: var(--teal); box-shadow: 0 0 5px var(--teal-glow); flex-shrink: 0; }
-  .stats-grid { display: flex; justify-content: space-around; gap: 6px; flex-wrap: wrap; }
-  .stat-block { text-align: center; min-width: 40px; }
-  .stat-num { font-family: var(--font-display); font-size: 17px; font-weight: 700; color: var(--teal-bright); text-shadow: 0 0 10px var(--teal-glow); line-height: 1.1; }
-  .stat-num.dim { color: var(--teal-dim); text-shadow: none; font-size: 14px; }
-  .stat-num.warn { color: var(--yellow); text-shadow: 0 0 10px rgba(255,204,68,0.4); }
-  .stat-num.danger { color: var(--red); text-shadow: 0 0 10px rgba(255,68,102,0.4); }
-  .stat-num.blue { color: var(--blue); text-shadow: 0 0 10px rgba(68,170,255,0.4); }
-  .stat-label { font-family: var(--font-mono); font-size: 8px; color: var(--text-dim); letter-spacing: 1px; text-transform: uppercase; margin-top: 1px; }
-  .status-pill { font-family: var(--font-mono); font-size: 7px; letter-spacing: 1px; padding: 1px 5px; border-radius: 3px; font-weight: 700; }
-  .pill-online { background: rgba(0,220,140,0.12); color: var(--teal); border: 1px solid rgba(0,220,140,0.3); }
-  .pill-offline { background: rgba(255,68,102,0.1); color: var(--red); border: 1px solid rgba(255,68,102,0.25); }
-  .pill-degraded { background: rgba(255,204,68,0.1); color: var(--yellow); border: 1px solid rgba(255,204,68,0.25); }
-  .progress-wrap { margin-top: 5px; }
-  .progress-label { display: flex; justify-content: space-between; font-family: var(--font-mono); font-size: 9px; color: var(--text-dim); margin-bottom: 2px; }
-  .progress-bar { height: 3px; background: rgba(0,220,140,0.1); border-radius: 2px; overflow: hidden; }
-  .progress-fill { height: 100%; background: linear-gradient(90deg, var(--teal-dim), var(--teal-bright)); border-radius: 2px; box-shadow: 0 0 5px var(--teal-glow); transition: width 1s ease; }
-  .progress-fill.warn { background: linear-gradient(90deg, #cc8800, var(--yellow)); }
-  .progress-fill.danger { background: linear-gradient(90deg, #cc2244, var(--red)); }
-  .service-header { display: flex; align-items: center; gap: 7px; margin-bottom: 7px; }
-  .service-icon { width: 24px; height: 24px; border-radius: 5px; display: flex; align-items: center; justify-content: center; font-size: 14px; flex-shrink: 0; }
-  .service-name { font-family: var(--font-display); font-size: 9px; font-weight: 600; color: var(--text-bright); letter-spacing: 1px; flex: 1; }
-  .service-version { font-family: var(--font-mono); font-size: 8px; color: var(--text-dim); }
-  .sys-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1px 10px; font-family: var(--font-mono); font-size: 10px; }
-  .sys-row { display: flex; justify-content: space-between; padding: 1px 0; }
-  .sys-key { color: var(--text-dim); }
-  .sys-val { color: var(--teal); }
-  .disk-header { display: flex; justify-content: space-between; align-items: baseline; margin-bottom: 3px; }
-  .disk-name { font-family: var(--font-display); font-size: 9px; color: var(--text-bright); letter-spacing: 1px; }
-  .disk-usage { font-family: var(--font-mono); font-size: 9px; color: var(--teal); }
-  .disk-sub { font-family: var(--font-mono); font-size: 8px; color: var(--text-dim); margin-bottom: 4px; }
-  .scrutiny-row { display: flex; align-items: center; gap: 6px; padding: 2px 0; font-family: var(--font-mono); font-size: 9px; border-bottom: 1px solid rgba(0,220,140,0.05); }
-  .scrutiny-row:last-child { border-bottom: none; }
-  .disk-icon { font-size: 10px; font-weight: bold; width: 12px; text-align: center; }
-  .disk-ok { color: var(--teal); }
-  .disk-fail { color: var(--red); }
-  .disk-unk { color: var(--text-dim); }
-  .disk-name-col { flex: 1; color: var(--text-bright); min-width: 0; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
-  .disk-model { color: var(--text-dim); font-size: 8px; max-width: 90px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
-  .disk-temp { color: var(--teal-dim); font-size: 8px; white-space: nowrap; }
-  .scrutiny-offline { font-family: var(--font-mono); font-size: 9px; color: var(--text-dim); padding: 4px 0; }
-  .uk-monitor-row { display: flex; align-items: center; gap: 6px; margin-bottom: 3px; }
-  .uk-monitor-name { font-family: var(--font-mono); font-size: 8px; color: var(--text-dim); min-width: 70px; max-width: 90px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
-  .uk-bar { display: flex; gap: 1px; flex: 1; }
-  .hb-seg { height: 7px; flex: 1; border-radius: 1px; }
-  .hb-up { background: var(--teal); box-shadow: 0 0 3px var(--teal-glow); opacity: 0.85; }
-  .hb-down { background: var(--red); box-shadow: 0 0 3px rgba(255,68,102,0.4); opacity: 0.85; }
-  .uk-down-name { display: block; font-family: var(--font-mono); font-size: 8px; color: var(--red); padding: 1px 0; }
-  .status-dot { display: inline-block; width: 7px; height: 7px; border-radius: 50%; flex-shrink: 0; }
-  .dot-ok { background: var(--teal); box-shadow: 0 0 5px var(--teal-glow); }
-  .dot-err { background: var(--red); box-shadow: 0 0 5px rgba(255,68,102,0.4); }
-  .dot-unk { background: var(--text-dim); }
-  .adguard-bar-wrap { margin-top: 5px; }
-  .adguard-bar { height: 3px; background: rgba(0,220,140,0.1); border-radius: 2px; overflow: hidden; position: relative; }
-  .adguard-bar-fill { height: 100%; background: linear-gradient(90deg, var(--teal-dim), var(--teal-bright)); border-radius: 2px; box-shadow: 0 0 5px var(--teal-glow); width: 0%; transition: width 1s ease; }
-  .net-health-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 8px; }
-  #quick-access-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(100px, 1fr)); gap: 6px; }
-  .quick-tile { display: flex; flex-direction: column; align-items: center; gap: 4px; padding: 8px 6px 7px; background: rgba(6, 14, 11, 0.72); border: 1px solid var(--card-border); border-radius: 7px; cursor: pointer; transition: all 0.18s; text-decoration: none; color: var(--text); backdrop-filter: blur(14px); -webkit-backdrop-filter: blur(14px); }
-  .quick-tile:hover { border-color: rgba(0,220,140,0.4); background: rgba(0,220,140,0.05); transform: translateY(-2px); box-shadow: 0 4px 18px rgba(0,220,140,0.10); }
-  .quick-tile-icon { font-size: 18px; line-height: 1; }
-  .quick-tile-label { font-family: var(--font-mono); font-size: 9px; color: var(--text-dim); text-align: center; line-height: 1.2; }
-  .quick-tile:hover .quick-tile-label { color: var(--teal); }
-  .docker-row { display: flex; gap: 6px; font-family: var(--font-mono); font-size: 9px; margin-top: 4px; flex-wrap: wrap; }
-  .docker-chip { padding: 2px 6px; border-radius: 3px; background: rgba(0,220,140,0.07); border: 1px solid rgba(0,220,140,0.15); color: var(--teal-dim); }
-  .docker-chip.running { color: var(--teal); border-color: rgba(0,220,140,0.3); }
-  .docker-chip.stopped { color: var(--yellow); border-color: rgba(255,204,68,0.3); background: rgba(255,204,68,0.06); }
-  .docker-chip.unhealthy { color: var(--red); border-color: rgba(255,68,102,0.3); background: rgba(255,68,102,0.06); }
-  @media (max-width: 1100px) {
-    .row-5 { grid-template-columns: repeat(3, 1fr); }
-    .row-4 { grid-template-columns: repeat(2, 1fr); }
-  }
-  @media (max-width: 780px) {
-    .row-5, .row-4, .row-3 { grid-template-columns: repeat(2, 1fr); }
-    .row-2, .row-2-1, .row-1-2, .row-3-2 { grid-template-columns: 1fr; }
-    .net-health-grid { grid-template-columns: 1fr; }
-    #quick-access-grid { grid-template-columns: repeat(auto-fill, minmax(80px, 1fr)); }
-  }
-</style>
-</head>
-<body>
-<div class="scanline"></div>
-<div class="wrapper">
-
-  <!-- HEADER -->
-  <header class="header" id="header">
-    <div class="header-logo">
-      <div>
-        <div class="logo-text">KALLILAB</div>
-        <div class="logo-sub">Control Panel</div>
-      </div>
-    </div>
-    <div class="header-center">
-      <div class="overall-status">SYSTEM STATUS</div>
-      <div class="status-indicator">
-        <span class="status-dot-main" id="overall-dot"></span>
-        <span id="overall-status-text">LOADING</span>
-      </div>
-    </div>
-    <div class="header-right">
-      <div class="clock" id="clock">--:--:--</div>
-      <div class="date-str" id="date-str">---</div>
-      <div id="last-updated">never updated</div>
-    </div>
-  </header>
-
-  <!-- SYSTEM STATS ROW -->
-  <div class="section-header"><span>&#x2B21;</span> SYSTEM</div>
-  <div class="widget-row row-5" id="stats-row" style="margin-bottom:8px;">
-    <div class="card">
-      <div class="card-title"><span class="dot"></span>CPU</div>
-      <div class="stats-grid">
-        <div class="stat-block"><div class="stat-num" id="cpu-percent">&#x2014;</div><div class="stat-label">Usage %</div></div>
-        <div class="stat-block"><div class="stat-num dim" id="cpu-cores">&#x2014;</div><div class="stat-label">Cores</div></div>
-        <div class="stat-block"><div class="stat-num dim" id="cpu-load">&#x2014;</div><div class="stat-label">Load 5m</div></div>
-      </div>
-    </div>
-    <div class="card">
-      <div class="card-title"><span class="dot"></span>MEMORY</div>
-      <div class="stats-grid">
-        <div class="stat-block"><div class="stat-num" id="ram-percent">&#x2014;</div><div class="stat-label">Usage %</div></div>
-        <div class="stat-block"><div class="stat-num dim" id="ram-used">&#x2014;</div><div class="stat-label">Used GB</div></div>
-        <div class="stat-block"><div class="stat-num dim" id="ram-total">&#x2014;</div><div class="stat-label">Total GB</div></div>
-      </div>
-    </div>
-    <div class="card">
-      <div class="card-title"><span class="dot"></span>NETWORK</div>
-      <div class="stats-grid">
-        <div class="stat-block"><div class="stat-num" id="net-rx">&#x2014;</div><div class="stat-label">&#x2193; Mbps</div></div>
-        <div class="stat-block"><div class="stat-num" id="net-tx">&#x2014;</div><div class="stat-label">&#x2191; Mbps</div></div>
-      </div>
-    </div>
-    <div class="card">
-      <div class="card-title"><span class="dot"></span>HOST</div>
-      <div class="stats-grid">
-        <div class="stat-block"><div class="stat-num" id="uptime-days">&#x2014;</div><div class="stat-label">Uptime d</div></div>
-        <div class="stat-block"><div class="stat-num dim" id="host-platform">&#x2014;</div><div class="stat-label">OS</div></div>
-      </div>
-    </div>
-    <div class="card">
-      <div class="card-title"><span class="dot"></span>DOCKER</div>
-      <div class="stats-grid">
-        <div class="stat-block"><div class="stat-num" id="docker-running">&#x2014;</div><div class="stat-label">Running</div></div>
-        <div class="stat-block"><div class="stat-num dim" id="docker-stopped">&#x2014;</div><div class="stat-label">Stopped</div></div>
-        <div class="stat-block"><div class="stat-num dim" id="docker-total">&#x2014;</div><div class="stat-label">Total</div></div>
-      </div>
-    </div>
-  </div>
-
-  <!-- STORAGE + SCRUTINY ROW -->
-  <div class="section-header"><span>&#x2B21;</span> STORAGE &amp; HEALTH</div>
-  <div style="display:grid; grid-template-columns: 1fr 280px; gap:8px; margin-bottom:8px;">
-    <div>
-      <div class="widget-row row-3" id="storage-grid">
-        <!-- Disk cards injected by renderer -->
-      </div>
-    </div>
-    <div class="card">
-      <div class="card-title">
-        <div class="card-title-left"><span class="dot"></span>SCRUTINY</div>
-        <span class="status-pill pill-offline" id="scrutiny-pill">OFFLINE</span>
-      </div>
-      <div class="stats-grid" style="margin-bottom:5px;">
-        <div class="stat-block"><div class="stat-num" id="scrutiny-total">&#x2014;</div><div class="stat-label">Disks</div></div>
-        <div class="stat-block"><div class="stat-num" id="scrutiny-passed">&#x2014;</div><div class="stat-label">Passed</div></div>
-        <div class="stat-block"><div class="stat-num danger" id="scrutiny-failed">&#x2014;</div><div class="stat-label">Failed</div></div>
-      </div>
-      <div id="scrutiny-list"></div>
-    </div>
-  </div>
-
-  <!-- SERVICE WIDGETS ROW 1 -->
-  <div class="section-header"><span>&#x2B21;</span> SERVICES</div>
-  <div class="widget-row row-3" style="margin-bottom:8px;">
-    <div class="card">
-      <div class="card-title">
-        <div class="card-title-left">
-          <span class="service-icon" style="background:rgba(65,105,225,0.15);">&#x1F3E0;</span>
-          <span class="service-name">HOME ASSISTANT</span>
-        </div>
-        <span class="status-pill pill-offline" id="ha-pill">OFFLINE</span>
-      </div>
-      <div class="stats-grid">
-        <div class="stat-block"><div class="stat-num" id="ha-lights">&#x2014;</div><div class="stat-label">Lights</div></div>
-        <div class="stat-block"><div class="stat-num" id="ha-climate">&#x2014;</div><div class="stat-label">Climate</div></div>
-        <div class="stat-block"><div class="stat-num" id="ha-doors">&#x2014;</div><div class="stat-label">Doors</div></div>
-        <div class="stat-block"><div class="stat-num danger" id="ha-alerts">&#x2014;</div><div class="stat-label">Alerts</div></div>
-      </div>
-      <div style="margin-top:4px; font-family:var(--font-mono); font-size:8px; color:var(--text-dim);" id="ha-version"></div>
-    </div>
-    <div class="card">
-      <div class="card-title">
-        <div class="card-title-left">
-          <span class="service-icon" style="background:rgba(0,220,140,0.12);">&#x1F43B;</span>
-          <span class="service-name">UPTIME KUMA</span>
-        </div>
-        <span class="status-pill pill-offline" id="uk-pill">OFFLINE</span>
-      </div>
-      <div class="stats-grid" style="margin-bottom:5px;">
-        <div class="stat-block"><div class="stat-num" id="uk-up">&#x2014;</div><div class="stat-label">Up</div></div>
-        <div class="stat-block"><div class="stat-num danger" id="uk-down">&#x2014;</div><div class="stat-label">Down</div></div>
-        <div class="stat-block"><div class="stat-num" id="uk-uptime">&#x2014;</div><div class="stat-label">24h %</div></div>
-      </div>
-      <div id="uk-down-list"></div>
-      <div id="uk-bars"></div>
-    </div>
-    <div class="card">
-      <div class="card-title">
-        <div class="card-title-left">
-          <span class="service-icon" style="background:rgba(255,204,68,0.12);">&#x1F4F7;</span>
-          <span class="service-name">IMMICH</span>
-        </div>
-        <span class="status-pill pill-offline" id="immich-pill">OFFLINE</span>
-      </div>
-      <div class="stats-grid">
-        <div class="stat-block"><div class="stat-num" id="immich-photos">&#x2014;</div><div class="stat-label">Photos</div></div>
-        <div class="stat-block"><div class="stat-num" id="immich-videos">&#x2014;</div><div class="stat-label">Videos</div></div>
-        <div class="stat-block"><div class="stat-num dim" id="immich-storage">&#x2014;</div><div class="stat-label">Storage</div></div>
-      </div>
-    </div>
-  </div>
-
-  <!-- SERVICE WIDGETS ROW 2 -->
-  <div class="widget-row row-3" style="margin-bottom:8px;">
-    <div class="card">
-      <div class="card-title">
-        <div class="card-title-left">
-          <span class="service-icon" style="background:rgba(68,170,255,0.12);">&#x1F4BE;</span>
-          <span class="service-name">BACKREST</span>
-          <span class="status-dot dot-unk" id="backrest-status-dot" title="unknown"></span>
-        </div>
-        <span class="status-pill pill-offline" id="backrest-pill">OFFLINE</span>
-      </div>
-      <div class="stats-grid">
-        <div class="stat-block"><div class="stat-num dim" id="backrest-last">&#x2014;</div><div class="stat-label">Last Backup</div></div>
-        <div class="stat-block"><div class="stat-num" id="backrest-repos">&#x2014;</div><div class="stat-label">Repos</div></div>
-        <div class="stat-block"><div class="stat-num danger" id="backrest-errors">&#x2014;</div><div class="stat-label">Errors</div></div>
-      </div>
-    </div>
-    <div class="card">
-      <div class="card-title">
-        <div class="card-title-left">
-          <span class="service-icon" style="background:rgba(0,220,140,0.12);">&#x1F6E1;&#xFE0F;</span>
-          <span class="service-name">ADGUARD DNS</span>
-        </div>
-        <span class="status-pill pill-offline" id="adguard-pill">OFFLINE</span>
-      </div>
-      <div class="stats-grid" style="margin-bottom:5px;">
-        <div class="stat-block"><div class="stat-num" id="adguard-total">&#x2014;</div><div class="stat-label">Queries</div></div>
-        <div class="stat-block"><div class="stat-num" id="adguard-blocked">&#x2014;</div><div class="stat-label">Blocked</div></div>
-        <div class="stat-block"><div class="stat-num dim" id="adguard-blocked-pct">&#x2014;</div><div class="stat-label">Block %</div></div>
-        <div class="stat-block"><div class="stat-num dim" id="adguard-latency">&#x2014;</div><div class="stat-label">Latency</div></div>
-      </div>
-      <div class="adguard-bar-wrap"><div class="adguard-bar"><div class="adguard-bar-fill" id="adguard-bar-fill"></div></div></div>
-    </div>
-    <div class="card">
-      <div class="card-title">
-        <div class="card-title-left"><span class="dot"></span>SERVICES OVERVIEW</div>
-        <span class="status-pill pill-offline" id="services-pill">&#x2014;</span>
-      </div>
-      <div class="stats-grid">
-        <div class="stat-block"><div class="stat-num" id="svc-online">&#x2014;</div><div class="stat-label">Online</div></div>
-        <div class="stat-block"><div class="stat-num warn" id="svc-degraded">&#x2014;</div><div class="stat-label">Degraded</div></div>
-        <div class="stat-block"><div class="stat-num danger" id="svc-offline">&#x2014;</div><div class="stat-label">Offline</div></div>
-        <div class="stat-block"><div class="stat-num dim" id="svc-total">&#x2014;</div><div class="stat-label">Total</div></div>
-      </div>
-    </div>
-  </div>
-
-  <!-- QUICK ACCESS -->
-  <div class="section-header"><span>&#x2B21;</span> QUICK ACCESS</div>
-  <div id="quick-access-grid"></div>
-
-</div><!-- /wrapper -->
-
-<script type="module" src="/assets/js/app.js"></script>
-<script>
-  // Clock
-  function updateClock() {
-    const now = new Date();
-    const pad = n => String(n).padStart(2, '0');
-    document.getElementById('clock').textContent =
-      `${pad(now.getHours())}:${pad(now.getMinutes())}:${pad(now.getSeconds())}`;
-    document.getElementById('date-str').textContent =
-      now.toLocaleDateString('de-DE', { weekday: 'short', day: '2-digit', month: '2-digit', year: 'numeric' });
-  }
-  updateClock();
-  setInterval(updateClock, 1000);
-</script>
-</body>
-</html>

apps/dashboard/docker-compose.yml

@@ -1,54 +0,0 @@
-services:
-  dashboard:
-    image: ${DASHBOARD_IMAGE}
-    container_name: kallilab-dashboard
-    restart: unless-stopped
-    environment:
-      APP_ENV: production
-      APP_HOST: 0.0.0.0
-      APP_PORT: 8000
-      APP_LOG_LEVEL: INFO
-      APP_TIMEZONE: Europe/Berlin
-      APP_NAME: Homelab Dashboard API
-      APP_VERSION: 0.1.0
-      CORS_ALLOW_ORIGINS: '["https://dashboard.kaleschke.info"]'
-      REQUEST_TIMEOUT_SECONDS: 5.0
-      CACHE_TTL_OVERVIEW_SECONDS: 15
-      CACHE_TTL_SYSTEM_SECONDS: 15
-      CACHE_TTL_SERVICES_SECONDS: 15
-      CACHE_TTL_STORAGE_SECONDS: 30
-      BESZEL_BASE_URL: http://beszel:8090
-      BESZEL_ADMIN_EMAIL: ${BESZEL_ADMIN_EMAIL}
-      BESZEL_ADMIN_PASSWORD: ${BESZEL_ADMIN_PASSWORD}
-      UPTIME_KUMA_BASE_URL: http://uptime-kuma:3001
-      UPTIME_KUMA_API_KEY: ${UPTIME_KUMA_API_KEY}
-      UPTIME_KUMA_USERNAME: ${UPTIME_KUMA_USERNAME}
-      UPTIME_KUMA_PASSWORD: ${UPTIME_KUMA_PASSWORD}
-      HOME_ASSISTANT_BASE_URL: ${HOME_ASSISTANT_BASE_URL}
-      HOME_ASSISTANT_TOKEN: ${HOME_ASSISTANT_TOKEN}
-      ADGUARD_BASE_URL: http://adguard:80
-      ADGUARD_USERNAME: ${ADGUARD_USERNAME}
-      ADGUARD_PASSWORD: ${ADGUARD_PASSWORD}
-      SCRUTINY_BASE_URL: http://scrutiny:8080
-      IMMICH_BASE_URL: http://immich_server:2283
-      IMMICH_API_KEY: ${IMMICH_API_KEY}
-      BACKREST_BASE_URL: http://backrest:9898
-      BACKREST_USERNAME: ${BACKREST_USERNAME}
-      BACKREST_PASSWORD: ${BACKREST_PASSWORD}
-    networks:
-      - frontend_net
-    security_opt:
-      - no-new-privileges:true
-    labels:
-      - traefik.enable=true
-      - traefik.docker.network=frontend_net
-      - traefik.http.routers.dashboard.rule=Host(`dashboard.kaleschke.info`)
-      - traefik.http.routers.dashboard.entrypoints=websecure
-      - traefik.http.routers.dashboard.tls=true
-      - traefik.http.routers.dashboard.tls.certresolver=le
-      - traefik.http.routers.dashboard.middlewares=authelia@file,secure-headers@file
-      - traefik.http.services.dashboard.loadbalancer.server.port=8000
-
-networks:
-  frontend_net:
-    external: true

apps/dawarich/.env.example

@@ -0,0 +1,16 @@
+COMPOSE_PROJECT_NAME=dawarich
+
+TZ=Europe/Berlin
+DAWARICH_HOST=dawarich.kaleschke.info
+APPLICATION_HOSTS=dawarich.kaleschke.info,dawarich_app,localhost,127.0.0.1,::1
+
+POSTGRES_USER=dawarich
+POSTGRES_DB=dawarich_production
+GRAFANA_DB_USER=dawarich_grafana_ro
+
+PHOTON_API_HOST=photon.komoot.io
+PHOTON_API_USE_HTTPS=true
+
+METRICS_USERNAME=prometheus
+BACKGROUND_PROCESSING_CONCURRENCY=5
+RAILS_MAX_THREADS=10

apps/dawarich/README.md

@@ -0,0 +1,164 @@
+# Dawarich Stack
+
+Produktionsvorlage fuer Dawarich im KalliLab-Homelab mit GitOps ueber Gitea und Komodo.
+
+## Gepruefter Stand
+
+- Dawarich Release: `1.8.1` (GitHub latest am 2026-06-11)
+- Docker Image: `freikin/dawarich:1.8.1`
+- Hinweis: `freika/dawarich` existiert auf Docker Hub nicht; das offizielle Image aus dem Upstream-Compose ist `freikin/dawarich`.
+- Dawarich Tracking-Endpoint fuer OwnTracks: `/api/v1/owntracks/points?api_key=<api-key>`
+- Dawarich Prometheus ab 1.7.7: Web-Service `/metrics`; Port `9394` ist intern fuer Sidekiq-Metriken.
+
+Quellen:
+
+- https://github.com/Freika/dawarich/releases/tag/1.8.1
+- https://dawarich.app/docs/getting-started/track-your-location/
+- https://dawarich.app/docs/self-hosting/monitoring/prometheus/
+
+## Dateien
+
+```text
+apps/dawarich/
+|-- docker-compose.yml
+|-- .env.example
+|-- prometheus-scrape.snippet.yml
+|-- homeassistant-dawarich.example.yaml
+|-- grafana/
+|   |-- datasource-dawarich.yml
+|   `-- dashboard-dawarich.json
+|-- postgres/initdb/20-grafana-readonly.sh
+`-- secrets/*.txt.example
+```
+
+## Setup-Reihenfolge
+
+1. Stack-Verzeichnis nach Komodo/Gitea uebernehmen: `apps/dawarich`.
+2. `.env.example` als nicht versionierte Stack-`.env` oder Komodo Stack Environment anlegen.
+3. Secret-Dateien auf dem Unraid-Host erstellen:
+
+```bash
+install -d -m 700 /mnt/user/appdata/secrets
+openssl rand -base64 48 > /mnt/user/appdata/secrets/dawarich_postgres_password.txt
+openssl rand -base64 48 | tr -dc 'A-Za-z0-9._~-' | head -c 48 > /mnt/user/appdata/secrets/dawarich_redis_password.txt
+openssl rand -hex 64 > /mnt/user/appdata/secrets/dawarich_secret_key_base.txt
+openssl rand -base64 48 > /mnt/user/appdata/secrets/dawarich_metrics_password.txt
+openssl rand -base64 48 > /mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt
+chmod 600 /mnt/user/appdata/secrets/dawarich_*.txt
+```
+
+4. Bind-Volume-Zielpfade vor dem ersten Deploy anlegen:
+
+```bash
+install -d -m 750 \
+  /mnt/user/appdata/dawarich/postgres17 \
+  /mnt/user/appdata/dawarich/redis \
+  /mnt/user/appdata/dawarich/shared \
+  /mnt/user/appdata/dawarich/public \
+  /mnt/user/appdata/dawarich/watched \
+  /mnt/user/appdata/dawarich/storage
+```
+
+5. In Komodo als Compose-Stack deployen. `frontend_net` und `backend_net` muessen bereits existieren.
+6. Ersten Login in Dawarich durchfuehren und den API-Key im Account-Bereich erzeugen.
+7. Home Assistant `homeassistant-dawarich.example.yaml` in das Smart-Home-Fachrepo uebernehmen und `device_tracker.your_phone` ersetzen.
+
+## Traefik und Authelia
+
+Die UI liegt auf `https://dawarich.kaleschke.info` und nutzt `authelia@file,secure-headers@file`.
+
+Der Healthcheck und die Tracking-API-Routen fuer OwnTracks, Overland und Traccar sind separat und priorisiert ohne Authelia geroutet, weil Mobile Clients per Dawarich-API-Key authentifizieren und keine Browser-ForwardAuth-Challenge verarbeiten koennen.
+
+## Prometheus
+
+`prometheus-scrape.snippet.yml` ist die dienstnahe Referenz. Produktiv ist der Job bereits in `monitoring/prometheus/prometheus.yml` eingetragen.
+
+Der Monitoring-Stack ist dafuer bereits vorbereitet:
+
+- `/mnt/user/appdata/secrets/dawarich_metrics_password.txt` ist in Dawarich und Prometheus eingebunden.
+
+Nicht `dawarich_app:9394` scrapen: das ist nach aktueller Dawarich-Doku veraltet. Der Web-Service aggregiert App- und Sidekiq-Metriken unter `/metrics`. Im KalliLab scrapt Prometheus intern `http://dawarich_app:3000/metrics` ueber `backend_net` und setzt `X-Forwarded-Proto: https`, damit Dawarich mit `APPLICATION_PROTOCOL=https` keinen HTTPS-Redirect erzeugt.
+
+Verifikation aus dem Prometheus-Container:
+
+```bash
+PW="$(cat /run/secrets/dawarich_metrics_password)"
+curl -i -u "prometheus:${PW}" http://dawarich_app:3000/metrics
+```
+
+Erwartung:
+
+- `200`: Scrape ist direkt funktionsfaehig.
+- `301`/`308` nach HTTPS: `http_headers` mit `X-Forwarded-Proto: https` im Prometheus-Job beibehalten.
+- `403 Blocked host`: `dawarich_app` in `APPLICATION_HOSTS` aufnehmen.
+
+## Grafana
+
+Der Read-only-User `dawarich_grafana_ro` wird beim ersten DB-Init durch `postgres/initdb/20-grafana-readonly.sh` angelegt.
+
+Bei einer bereits initialisierten DB das Script einmal manuell im DB-Container ausfuehren:
+
+```bash
+docker exec dawarich_db /docker-entrypoint-initdb.d/20-grafana-readonly.sh
+```
+
+Die produktive Provisionierung ist bereits in den vorhandenen Monitoring-Stack integriert:
+
+- Datasource: `monitoring/grafana/provisioning/datasources/dawarich.yml`
+- Dashboard: `monitoring/grafana/dashboards/dawarich.json`
+- Grafana haengt an `backend_net`, damit `dawarich_db:5432` erreichbar ist.
+- `DAWARICH_GRAFANA_RO_PASSWORD` wird beim Grafana-Start aus `/mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt` exportiert.
+
+## Home Assistant
+
+Dawarich akzeptiert OwnTracks-kompatible Location-Punkte per:
+
+```text
+https://dawarich.kaleschke.info/api/v1/owntracks/points?api_key=<dawarich-api-key>
+```
+
+`homeassistant-dawarich.example.yaml` enthaelt:
+
+- `rest_command.dawarich_push_owntracks`
+- Automation fuer `device_tracker`-State-Changes
+- API-Key aus HA `secrets.yaml` als `dawarich_api_key`
+
+Alternativ existiert eine HACS-Integration `dawarich-home-assistant`; die YAML-Variante hier bleibt absichtlich transparent und GitOps-lesbar.
+
+## Backup mit Borg
+
+Borg-relevante Daten liegen unter:
+
+```text
+/mnt/user/appdata/dawarich/postgres17
+/mnt/user/appdata/dawarich/redis
+/mnt/user/appdata/dawarich/shared
+/mnt/user/appdata/dawarich/public
+/mnt/user/appdata/dawarich/watched
+/mnt/user/appdata/dawarich/storage
+/mnt/user/appdata/secrets/dawarich_*.txt
+```
+
+Primaerer Restore-Weg fuer die DB sollte ein logischer Dump plus Appdaten sein. Raw-Postgres-Verzeichnisse sind nur fuer gleiches Major/PostGIS-Image und sauberen Shutdown geeignet.
+
+Empfohlener Dump vor Borg:
+
+```bash
+docker exec dawarich_db pg_dump -U dawarich -d dawarich_production -Fc > /mnt/user/backups/borg/dumps/latest/dawarich.dump
+```
+
+## Updates
+
+- Kein `latest` verwenden.
+- Vor jedem Update Release Notes lesen, besonders bei Dawarich und PostGIS.
+- Dawarich App und Sidekiq muessen immer dasselbe Image-Tag nutzen.
+- PostGIS-Major-/Minor-Wechsel getrennt planen und vorher Dump plus Restore-Probe erstellen.
+- Image-Digests nach Review bewusst aktualisieren.
+
+## Rollback
+
+1. Komodo Stack stoppen.
+2. Vorherigen Git-Commit mit altem Image-Tag/Digest deployen.
+3. Falls nur App-Code gewechselt wurde: Stack starten und Healthchecks pruefen.
+4. Falls DB-Migrationen gelaufen sind: DB aus `dawarich.dump` in einen frischen PostGIS-17-Container restoren; kein blindes Zurueckkopieren eines Live-Postgres-Verzeichnisses.
+5. Dawarich UI, `/api/v1/health`, Prometheus-Scrape und HA-Push testen.

apps/dawarich/docker-compose.yml

@@ -0,0 +1,274 @@
+name: dawarich
+
+x-dawarich-image: &dawarich_image freikin/dawarich:1.8.1@sha256:7c70f2169e848ed77ae1cec01dd10ec4a73a70a785d4e4d248db1735c0bc25ed
+
+services:
+  dawarich_db:
+    image: postgis/postgis:17-3.5-alpine@sha256:fc07e7a034e013d50ada575673b798ca6277e000b8364e39e217f612d94bd9a5
+    container_name: dawarich_db
+    restart: unless-stopped
+    shm_size: 1G
+    environment:
+      TZ: ${TZ}
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_PASSWORD_FILE: /run/secrets/dawarich_postgres_password
+      GRAFANA_DB_USER: ${GRAFANA_DB_USER}
+      PGDATA: /var/lib/postgresql/data
+    volumes:
+      - dawarich_db_data:/var/lib/postgresql/data
+      - dawarich_shared:/var/shared
+      - ./postgres/initdb:/docker-entrypoint-initdb.d:ro
+    networks:
+      - backend_net
+    secrets:
+      - dawarich_postgres_password
+      - dawarich_grafana_ro_password
+    expose:
+      - "5432"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U \"$${POSTGRES_USER}\" -d \"$${POSTGRES_DB}\""]
+      interval: 10s
+      timeout: 10s
+      retries: 5
+      start_period: 30s
+    security_opt:
+      - no-new-privileges:true
+
+  dawarich_redis:
+    image: redis:7-alpine@sha256:6ab0b6e7381779332f97b8ca76193e45b0756f38d4c0dcda72dbb3c32061ab99
+    container_name: dawarich_redis
+    restart: unless-stopped
+    command:
+      - /bin/sh
+      - -lc
+      - |
+        exec redis-server \
+          --save 900 1 \
+          --save 300 10 \
+          --appendonly no \
+          --requirepass "$$(cat /run/secrets/dawarich_redis_password)"
+    volumes:
+      - dawarich_redis_data:/data
+    networks:
+      - backend_net
+    secrets:
+      - dawarich_redis_password
+    expose:
+      - "6379"
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli -a \"$$(cat /run/secrets/dawarich_redis_password)\" --raw incr ping >/dev/null"]
+      interval: 10s
+      timeout: 10s
+      retries: 5
+      start_period: 30s
+    security_opt:
+      - no-new-privileges:true
+
+  dawarich_app:
+    image: *dawarich_image
+    container_name: dawarich_app
+    restart: unless-stopped
+    stdin_open: true
+    tty: true
+    entrypoint:
+      - /bin/sh
+      - -lc
+    command:
+      - |
+        export DATABASE_PASSWORD="$$(cat /run/secrets/dawarich_postgres_password)"
+        export REDIS_URL="redis://:$$(cat /run/secrets/dawarich_redis_password)@dawarich_redis:6379/0"
+        export SECRET_KEY_BASE="$$(cat /run/secrets/dawarich_secret_key_base)"
+        export METRICS_PASSWORD="$$(cat /run/secrets/dawarich_metrics_password)"
+        exec web-entrypoint.sh bin/rails server -p 3000 -b ::
+    environment:
+      TZ: ${TZ}
+      RAILS_ENV: production
+      DATABASE_HOST: dawarich_db
+      DATABASE_PORT: "5432"
+      DATABASE_USERNAME: ${POSTGRES_USER}
+      DATABASE_NAME: ${POSTGRES_DB}
+      APPLICATION_HOSTS: ${APPLICATION_HOSTS}
+      APPLICATION_PROTOCOL: https
+      TIME_ZONE: ${TZ}
+      SELF_HOSTED: "true"
+      STORE_GEODATA: "true"
+      PHOTON_API_HOST: ${PHOTON_API_HOST:-photon.komoot.io}
+      PHOTON_API_USE_HTTPS: "${PHOTON_API_USE_HTTPS:-true}"
+      RAILS_LOG_TO_STDOUT: "true"
+      PROMETHEUS_EXPORTER_ENABLED: "true"
+      METRICS_USERNAME: ${METRICS_USERNAME}
+      SIDEKIQ_METRICS_URL: http://dawarich_sidekiq:9394/metrics
+      BACKGROUND_PROCESSING_CONCURRENCY: ${BACKGROUND_PROCESSING_CONCURRENCY}
+      RAILS_MAX_THREADS: ${RAILS_MAX_THREADS}
+    volumes:
+      - dawarich_public:/var/app/public
+      - dawarich_watched:/var/app/tmp/imports/watched
+      - dawarich_storage:/var/app/storage
+      - dawarich_db_data:/dawarich_db_data:ro
+    networks:
+      - frontend_net
+      - backend_net
+    secrets:
+      - dawarich_postgres_password
+      - dawarich_redis_password
+      - dawarich_secret_key_base
+      - dawarich_metrics_password
+    expose:
+      - "3000"
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO - --header=\"Host: ${DAWARICH_HOST}\" --header=\"X-Forwarded-Proto: https\" http://127.0.0.1:3000/api/v1/health | grep -q '\"status\"[[:space:]]*:[[:space:]]*\"ok\"'"]
+      interval: 10s
+      timeout: 10s
+      retries: 30
+      start_period: 30s
+    depends_on:
+      dawarich_db:
+        condition: service_healthy
+      dawarich_redis:
+        condition: service_healthy
+    security_opt:
+      - no-new-privileges:true
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=frontend_net
+
+      # Public API-key endpoints for mobile apps and Home Assistant pushes.
+      - traefik.http.routers.dawarich-api.rule=Host(`${DAWARICH_HOST}`) && (Path(`/api/v1/health`) || Path(`/api/v1/owntracks/points`) || Path(`/api/v1/overland/batches`) || Path(`/api/v1/traccar/points`))
+      - traefik.http.routers.dawarich-api.entrypoints=websecure
+      - traefik.http.routers.dawarich-api.tls=true
+      - traefik.http.routers.dawarich-api.tls.certresolver=le
+      - traefik.http.routers.dawarich-api.priority=100
+      - traefik.http.routers.dawarich-api.middlewares=secure-headers@file
+      - traefik.http.routers.dawarich-api.service=dawarich
+
+      # UI and all other routes require Authelia ForwardAuth.
+      - traefik.http.routers.dawarich.rule=Host(`${DAWARICH_HOST}`)
+      - traefik.http.routers.dawarich.entrypoints=websecure
+      - traefik.http.routers.dawarich.tls=true
+      - traefik.http.routers.dawarich.tls.certresolver=le
+      - traefik.http.routers.dawarich.priority=10
+      - traefik.http.routers.dawarich.middlewares=authelia@file,secure-headers@file
+      - traefik.http.routers.dawarich.service=dawarich
+      - traefik.http.services.dawarich.loadbalancer.server.port=3000
+
+  dawarich_sidekiq:
+    image: *dawarich_image
+    container_name: dawarich_sidekiq
+    restart: unless-stopped
+    stdin_open: true
+    tty: true
+    entrypoint:
+      - /bin/sh
+      - -lc
+    command:
+      - |
+        export DATABASE_PASSWORD="$$(cat /run/secrets/dawarich_postgres_password)"
+        export REDIS_URL="redis://:$$(cat /run/secrets/dawarich_redis_password)@dawarich_redis:6379/0"
+        export SECRET_KEY_BASE="$$(cat /run/secrets/dawarich_secret_key_base)"
+        export METRICS_PASSWORD="$$(cat /run/secrets/dawarich_metrics_password)"
+        exec sidekiq-entrypoint.sh sidekiq
+    environment:
+      TZ: ${TZ}
+      RAILS_ENV: production
+      DATABASE_HOST: dawarich_db
+      DATABASE_PORT: "5432"
+      DATABASE_USERNAME: ${POSTGRES_USER}
+      DATABASE_NAME: ${POSTGRES_DB}
+      APPLICATION_HOSTS: ${APPLICATION_HOSTS}
+      APPLICATION_PROTOCOL: https
+      TIME_ZONE: ${TZ}
+      SELF_HOSTED: "true"
+      STORE_GEODATA: "true"
+      PHOTON_API_HOST: ${PHOTON_API_HOST:-photon.komoot.io}
+      PHOTON_API_USE_HTTPS: "${PHOTON_API_USE_HTTPS:-true}"
+      RAILS_LOG_TO_STDOUT: "true"
+      PROMETHEUS_EXPORTER_ENABLED: "true"
+      PROMETHEUS_EXPORTER_PORT: "9394"
+      METRICS_USERNAME: ${METRICS_USERNAME}
+      BACKGROUND_PROCESSING_CONCURRENCY: "5"
+      RAILS_MAX_THREADS: ${RAILS_MAX_THREADS}
+    volumes:
+      - dawarich_public:/var/app/public
+      - dawarich_watched:/var/app/tmp/imports/watched
+      - dawarich_storage:/var/app/storage
+    networks:
+      - backend_net
+    secrets:
+      - dawarich_postgres_password
+      - dawarich_redis_password
+      - dawarich_secret_key_base
+      - dawarich_metrics_password
+    expose:
+      - "9394"
+    healthcheck:
+      test: ["CMD-SHELL", "pgrep -f sidekiq >/dev/null"]
+      interval: 10s
+      timeout: 10s
+      retries: 30
+      start_period: 30s
+    depends_on:
+      dawarich_db:
+        condition: service_healthy
+      dawarich_redis:
+        condition: service_healthy
+      dawarich_app:
+        condition: service_healthy
+    security_opt:
+      - no-new-privileges:true
+
+networks:
+  frontend_net:
+    external: true
+  backend_net:
+    external: true
+
+volumes:
+  dawarich_db_data:
+    driver: local
+    driver_opts:
+      type: none
+      o: bind
+      device: /mnt/user/appdata/dawarich/postgres17
+  dawarich_redis_data:
+    driver: local
+    driver_opts:
+      type: none
+      o: bind
+      device: /mnt/user/appdata/dawarich/redis
+  dawarich_shared:
+    driver: local
+    driver_opts:
+      type: none
+      o: bind
+      device: /mnt/user/appdata/dawarich/shared
+  dawarich_public:
+    driver: local
+    driver_opts:
+      type: none
+      o: bind
+      device: /mnt/user/appdata/dawarich/public
+  dawarich_watched:
+    driver: local
+    driver_opts:
+      type: none
+      o: bind
+      device: /mnt/user/appdata/dawarich/watched
+  dawarich_storage:
+    driver: local
+    driver_opts:
+      type: none
+      o: bind
+      device: /mnt/user/appdata/dawarich/storage
+
+secrets:
+  dawarich_postgres_password:
+    file: /mnt/user/appdata/secrets/dawarich_postgres_password.txt
+  dawarich_redis_password:
+    file: /mnt/user/appdata/secrets/dawarich_redis_password.txt
+  dawarich_secret_key_base:
+    file: /mnt/user/appdata/secrets/dawarich_secret_key_base.txt
+  dawarich_metrics_password:
+    file: /mnt/user/appdata/secrets/dawarich_metrics_password.txt
+  dawarich_grafana_ro_password:
+    file: /mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt

apps/dawarich/grafana/dashboard-dawarich.json

@@ -0,0 +1,355 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": false,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": null,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "postgres",
+        "uid": "dawarich-postgres"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              }
+            ]
+          },
+          "unit": "none"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 16,
+        "w": 16,
+        "x": 0,
+        "y": 0
+      },
+      "id": 1,
+      "options": {
+        "basemap": {
+          "config": {},
+          "name": "Layer 0",
+          "type": "default"
+        },
+        "controls": {
+          "mouseWheelZoom": true,
+          "showAttribution": true,
+          "showDebug": false,
+          "showMeasure": false,
+          "showScale": true,
+          "showZoom": true
+        },
+        "layers": [
+          {
+            "config": {
+              "showLegend": true,
+              "style": {
+                "color": {
+                  "fixed": "dark-green"
+                },
+                "opacity": 0.55,
+                "rotation": {
+                  "fixed": 0,
+                  "max": 360,
+                  "min": -360,
+                  "mode": "mod"
+                },
+                "size": {
+                  "fixed": 4,
+                  "max": 15,
+                  "min": 2
+                },
+                "symbol": {
+                  "fixed": "img/icons/marker/circle.svg",
+                  "mode": "fixed"
+                },
+                "textConfig": {
+                  "fontSize": 12,
+                  "offsetX": 0,
+                  "offsetY": 0,
+                  "textAlign": "center",
+                  "textBaseline": "middle"
+                }
+              }
+            },
+            "location": {
+              "latitude": "latitude",
+              "longitude": "longitude",
+              "mode": "coords"
+            },
+            "name": "Location points",
+            "tooltip": true,
+            "type": "markers"
+          }
+        ],
+        "tooltip": {
+          "mode": "details"
+        },
+        "view": {
+          "allLayers": true,
+          "id": "fit",
+          "lat": 51,
+          "lon": 10,
+          "zoom": 5
+        }
+      },
+      "pluginVersion": "13.0.2",
+      "targets": [
+        {
+          "datasource": {
+            "type": "postgres",
+            "uid": "dawarich-postgres"
+          },
+          "editorMode": "code",
+          "format": "table",
+          "rawQuery": true,
+          "rawSql": "SELECT\n  to_timestamp(timestamp) AS \"time\",\n  ST_Y(lonlat::geometry) AS latitude,\n  ST_X(lonlat::geometry) AS longitude,\n  accuracy,\n  tracker_id\nFROM points\nWHERE $__unixEpochFilter(timestamp)\n  AND lonlat IS NOT NULL\nORDER BY timestamp DESC\nLIMIT 20000;",
+          "refId": "A"
+        }
+      ],
+      "title": "Location Points",
+      "type": "geomap"
+    },
+    {
+      "datasource": {
+        "type": "postgres",
+        "uid": "dawarich-postgres"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "bars",
+            "fillOpacity": 70,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              }
+            ]
+          },
+          "unit": "km"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 16,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "calcs": [
+            "sum"
+          ],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "13.0.2",
+      "targets": [
+        {
+          "datasource": {
+            "type": "postgres",
+            "uid": "dawarich-postgres"
+          },
+          "editorMode": "code",
+          "format": "time_series",
+          "rawQuery": true,
+          "rawSql": "SELECT\n  make_date(year, month, 1)::timestamp AS \"time\",\n  round((distance::numeric / 1000.0), 2) AS \"km\"\nFROM stats\nWHERE make_date(year, month, 1)::timestamp BETWEEN $__timeFrom() AND $__timeTo()\nORDER BY 1;",
+          "refId": "A"
+        }
+      ],
+      "title": "Kilometers per Month",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "postgres",
+        "uid": "dawarich-postgres"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "bars",
+            "fillOpacity": 70,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              }
+            ]
+          },
+          "unit": "short"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 16,
+        "y": 8
+      },
+      "id": 3,
+      "options": {
+        "legend": {
+          "calcs": [
+            "sum"
+          ],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "13.0.2",
+      "targets": [
+        {
+          "datasource": {
+            "type": "postgres",
+            "uid": "dawarich-postgres"
+          },
+          "editorMode": "code",
+          "format": "time_series",
+          "rawQuery": true,
+          "rawSql": "SELECT\n  date_trunc('day', to_timestamp(timestamp)) AS \"time\",\n  count(*) AS \"points\"\nFROM points\nWHERE $__unixEpochFilter(timestamp)\nGROUP BY 1\nORDER BY 1;",
+          "refId": "A"
+        }
+      ],
+      "title": "Points per Day",
+      "type": "timeseries"
+    }
+  ],
+  "preload": false,
+  "refresh": "5m",
+  "schemaVersion": 41,
+  "tags": [
+    "dawarich",
+    "location"
+  ],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-30d",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "browser",
+  "title": "Dawarich",
+  "uid": "dawarich",
+  "version": 1,
+  "weekStart": ""
+}

apps/dawarich/grafana/datasource-dawarich.yml

@@ -0,0 +1,17 @@
+apiVersion: 1
+
+datasources:
+  - name: Dawarich PostgreSQL
+    uid: dawarich-postgres
+    type: postgres
+    access: proxy
+    url: dawarich_db:5432
+    database: dawarich_production
+    user: dawarich_grafana_ro
+    editable: false
+    jsonData:
+      sslmode: disable
+      postgresVersion: 1700
+      timescaledb: false
+    secureJsonData:
+      password: $DAWARICH_GRAFANA_RO_PASSWORD

apps/dawarich/homeassistant-dawarich.example.yaml

@@ -0,0 +1,47 @@
+# Add `dawarich_api_key` to Home Assistant `secrets.yaml`.
+# The endpoint is the current OwnTracks-compatible Dawarich endpoint:
+# https://<host>/api/v1/owntracks/points?api_key=<api-key>
+
+rest_command:
+  dawarich_push_owntracks:
+    url: "https://dawarich.kaleschke.info/api/v1/owntracks/points?api_key={{ api_key }}"
+    method: POST
+    content_type: "application/json"
+    payload: >-
+      {
+        "_type": "location",
+        "lat": {{ latitude }},
+        "lon": {{ longitude }},
+        "tst": {{ timestamp }},
+        "acc": {{ accuracy | default(0) }},
+        "alt": {{ altitude | default(0) }},
+        "batt": {{ battery | default(0) }},
+        "tid": "{{ tracker_id[:2] }}"
+      }
+
+automation:
+  - id: dawarich_push_device_tracker_location
+    alias: Dawarich - push device tracker location
+    mode: queued
+    max: 20
+    trigger:
+      - platform: state
+        entity_id:
+          - device_tracker.your_phone
+    condition:
+      - condition: template
+        value_template: >-
+          {{ trigger.to_state is not none
+             and state_attr(trigger.entity_id, 'latitude') is number
+             and state_attr(trigger.entity_id, 'longitude') is number }}
+    action:
+      - service: rest_command.dawarich_push_owntracks
+        data:
+          api_key: !secret dawarich_api_key
+          tracker_id: "{{ trigger.entity_id.split('.')[1] }}"
+          latitude: "{{ state_attr(trigger.entity_id, 'latitude') }}"
+          longitude: "{{ state_attr(trigger.entity_id, 'longitude') }}"
+          accuracy: "{{ state_attr(trigger.entity_id, 'gps_accuracy') | default(0, true) }}"
+          altitude: "{{ state_attr(trigger.entity_id, 'altitude') | default(0, true) }}"
+          battery: "{{ state_attr(trigger.entity_id, 'battery_level') | default(0, true) }}"
+          timestamp: "{{ as_timestamp(trigger.to_state.last_updated) | int }}"

apps/dawarich/postgres/initdb/20-grafana-readonly.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+set -eu
+
+GRAFANA_USER="${GRAFANA_DB_USER:-dawarich_grafana_ro}"
+GRAFANA_PASSWORD="$(cat /run/secrets/dawarich_grafana_ro_password)"
+
+sql_ident() {
+  printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
+}
+
+sql_literal() {
+  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
+}
+
+DB_IDENT="$(sql_ident "$POSTGRES_DB")"
+USER_IDENT="$(sql_ident "$GRAFANA_USER")"
+USER_LITERAL="$(sql_literal "$GRAFANA_USER")"
+PASSWORD_LITERAL="$(sql_literal "$GRAFANA_PASSWORD")"
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<EOSQL
+DO \$\$
+BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = ${USER_LITERAL}) THEN
+    EXECUTE 'CREATE ROLE ${USER_IDENT} LOGIN PASSWORD ${PASSWORD_LITERAL}';
+  ELSE
+    EXECUTE 'ALTER ROLE ${USER_IDENT} WITH LOGIN PASSWORD ${PASSWORD_LITERAL}';
+  END IF;
+END
+\$\$;
+
+GRANT CONNECT ON DATABASE ${DB_IDENT} TO ${USER_IDENT};
+GRANT USAGE ON SCHEMA public TO ${USER_IDENT};
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO ${USER_IDENT};
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO ${USER_IDENT};
+EOSQL

apps/dawarich/prometheus-scrape.snippet.yml

@@ -0,0 +1,20 @@
+# Dawarich 1.8.1 serves the Prometheus endpoint on the web service at
+# /metrics. Port 9394 is the internal Sidekiq metrics endpoint consumed by
+# dawarich_app via SIDEKIQ_METRICS_URL.
+#
+# Prerequisites in monitoring/docker-compose.yml:
+# - mount Docker secret/file `/mnt/user/appdata/secrets/dawarich_metrics_password.txt`
+#   into the Prometheus container at `/run/secrets/dawarich_metrics_password`
+
+- job_name: dawarich
+  metrics_path: /metrics
+  basic_auth:
+    username: prometheus
+    password_file: /run/secrets/dawarich_metrics_password
+  http_headers:
+    X-Forwarded-Proto:
+      values:
+        - https
+  static_configs:
+    - targets:
+        - dawarich_app:3000

apps/dawarich/secrets/dawarich_grafana_ro_password.txt.example

@@ -0,0 +1 @@
+replace-with-a-long-random-grafana-readonly-password

apps/dawarich/secrets/dawarich_metrics_password.txt.example

@@ -0,0 +1 @@
+replace-with-a-long-random-metrics-password

apps/dawarich/secrets/dawarich_postgres_password.txt.example

@@ -0,0 +1 @@
+replace-with-a-long-random-postgres-password

apps/dawarich/secrets/dawarich_redis_password.txt.example

@@ -0,0 +1 @@
+replace-with-a-long-random-url-safe-redis-password

apps/dawarich/secrets/dawarich_secret_key_base.txt.example

@@ -0,0 +1 @@
+replace-with-output-of-openssl-rand-hex-64

apps/firefly-fints/docker-compose.yml

@@ -1,24 +0,0 @@
-version: "3.9"
-
-services:
-  firefly-fints:
-    image: benkl/firefly-iii-fints-importer:latest
-    container_name: firefly-fints
-    restart: unless-stopped
-    env_file:
-      - .env
-    volumes:
-      - /mnt/user/appdata/firefly-fints:/data
-    networks:
-      - frontend_net
-    security_opt:
-      - no-new-privileges:true
-    ports:
-      - "8091:8080"
-    dns:
-      - 1.1.1.1
-      - 8.8.8.8
-
-networks:
-  frontend_net:
-    external: true

apps/firefly/.db.env

@@ -1,4 +0,0 @@
-MYSQL_RANDOM_ROOT_PASSWORD=yes
-MYSQL_DATABASE=firefly
-MYSQL_USER=firefly
-MYSQL_PASSWORD=firefly

apps/firefly/.env

@@ -1,16 +0,0 @@
-APP_KEY=base64:ZHr3GRFkH9jEJ6TtoD6pEEsLHEfRViqqxSV6G7Zsba8=
-APP_URL=https://firefly.kaleschke.info
-
-DB_HOST=firefly-db
-DB_PORT=3306
-DB_CONNECTION=mysql
-DB_DATABASE=firefly
-DB_USERNAME=firefly
-DB_PASSWORD=firefly
-
-TRUSTED_PROXIES=**
-APP_ENV=production
-APP_DEBUG=false
-LOG_CHANNEL=stack
-
-TZ=Europe/Berlin

apps/firefly/.importer.env

@@ -1,8 +0,0 @@
-TZ=Europe/Berlin
-APP_ENV=production
-APP_DEBUG=false
-LOG_CHANNEL=stack
-
-TRUSTED_PROXIES=**
-FIREFLY_III_URL=http://firefly-app:8080
-VANITY_URL=https://firefly.kaleschke.info

apps/firefly/docker-compose.yml

@@ -1,67 +0,0 @@
-version: "3.9"
-
-services:
-  firefly-db:
-    image: mariadb:10.11
-    container_name: firefly-db
-    restart: unless-stopped
-    env_file:
-      - .db.env
-    volumes:
-      - /mnt/user/appdata/firefly/db:/var/lib/mysql
-    networks:
-      - backend_net
-    security_opt:
-      - no-new-privileges:true
-
-  firefly-app:
-    image: fireflyiii/core:latest
-    container_name: firefly-app
-    restart: unless-stopped
-    depends_on:
-      - firefly-db
-    env_file:
-      - .env
-    volumes:
-      - /mnt/user/appdata/firefly/upload:/var/www/html/storage/upload
-    networks:
-      - frontend_net
-      - backend_net
-    security_opt:
-      - no-new-privileges:true
-    labels:
-      - "traefik.enable=true"
-      - "traefik.docker.network=frontend_net"
-      - "traefik.http.routers.firefly.rule=Host(`firefly.kaleschke.info`)"
-      - "traefik.http.routers.firefly.entrypoints=websecure"
-      - "traefik.http.routers.firefly.tls=true"
-      - "traefik.http.routers.firefly.tls.certresolver=le"
-      - "traefik.http.services.firefly.loadbalancer.server.port=8080"
-
-  firefly-importer:
-    image: fireflyiii/data-importer:latest
-    container_name: firefly-importer
-    restart: unless-stopped
-    depends_on:
-      - firefly-app
-    env_file:
-      - .env
-      - .importer.env
-    networks:
-      - frontend_net
-    security_opt:
-      - no-new-privileges:true
-    labels:
-      - "traefik.enable=true"
-      - "traefik.docker.network=frontend_net"
-      - "traefik.http.routers.firefly-importer.rule=Host(`import.firefly.kaleschke.info`)"
-      - "traefik.http.routers.firefly-importer.entrypoints=websecure"
-      - "traefik.http.routers.firefly-importer.tls=true"
-      - "traefik.http.routers.firefly-importer.tls.certresolver=le"
-      - "traefik.http.services.firefly-importer.loadbalancer.server.port=8080"
-
-networks:
-  frontend_net:
-    external: true
-  backend_net:
-    external: true

apps/homepage/docker-compose.yml

@@ -1,42 +0,0 @@
-services:
-  homepage:
-    image: ghcr.io/gethomepage/homepage:latest
-    container_name: homepage
-    restart: unless-stopped
-    environment:
-      HOMEPAGE_ALLOWED_HOSTS: home.kaleschke.info
-      HOMEPAGE_VAR_GITEA_TOKEN: ${HOMEPAGE_VAR_GITEA_TOKEN}
-      HOMEPAGE_VAR_ADGUARD_USERNAME: ${HOMEPAGE_VAR_ADGUARD_USERNAME}
-      HOMEPAGE_VAR_ADGUARD_PASSWORD: ${HOMEPAGE_VAR_ADGUARD_PASSWORD}
-      HOMEPAGE_VAR_KOMODO_API_KEY: ${HOMEPAGE_VAR_KOMODO_API_KEY}
-      HOMEPAGE_VAR_KOMODO_API_SECRET: ${HOMEPAGE_VAR_KOMODO_API_SECRET}
-      HOMEPAGE_VAR_BACKREST_USERNAME: ${HOMEPAGE_VAR_BACKREST_USERNAME}
-      HOMEPAGE_VAR_BACKREST_PASSWORD: ${HOMEPAGE_VAR_BACKREST_PASSWORD}
-      HOMEPAGE_VAR_SPEEDTEST_API_KEY: ${HOMEPAGE_VAR_SPEEDTEST_API_KEY}
-      HOMEPAGE_VAR_PAPERLESS_TOKEN: ${HOMEPAGE_VAR_PAPERLESS_TOKEN}
-      HOMEPAGE_VAR_FILEBROWSER_USERNAME: ${HOMEPAGE_VAR_FILEBROWSER_USERNAME}
-      HOMEPAGE_VAR_FILEBROWSER_PASSWORD: ${HOMEPAGE_VAR_FILEBROWSER_PASSWORD}
-      HOMEPAGE_VAR_IMMICH_API_KEY: ${HOMEPAGE_VAR_IMMICH_API_KEY}
-      HOMEPAGE_VAR_MEALIE_TOKEN: ${HOMEPAGE_VAR_MEALIE_TOKEN}
-      HOMEPAGE_VAR_UPTIME_SLUG: ${HOMEPAGE_VAR_UPTIME_SLUG}
-    volumes:
-      - /mnt/user/appdata/homepage:/app/config
-      - /mnt/user/appdata/homepage/images:/app/public/images
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    networks:
-      - frontend_net
-    labels:
-      - traefik.enable=true
-      - traefik.docker.network=frontend_net
-      - traefik.http.routers.homepage.rule=Host(`home.kaleschke.info`)
-      - traefik.http.routers.homepage.entrypoints=websecure
-      - traefik.http.routers.homepage.tls=true
-      - traefik.http.routers.homepage.tls.certresolver=le
-      - traefik.http.routers.homepage.middlewares=authelia@file,secure-headers@file
-      - traefik.http.services.homepage.loadbalancer.server.port=3000
-    security_opt:
-      - no-new-privileges:true
-
-networks:
-  frontend_net:
-    external: true

apps/immich/docker-compose.yml

@@ -1,9 +1,7 @@
-version: "3.9"
-
 services:
   immich-server:
     container_name: immich_server
-    image: ghcr.io/immich-app/immich-server:release
+    image: ghcr.io/immich-app/immich-server:v2.7.5@sha256:c15bff75068effb03f4355997d03dc7e0fc58720c2b54ad6f7f10d1bc57efaa5
     restart: unless-stopped
     depends_on:
       - redis
@@ -14,10 +12,10 @@ services:
       DB_PASSWORD: ${IMMICH_DB_PASSWORD}
       DB_DATABASE_NAME: immich
       REDIS_HOSTNAME: redis
+      TZ: Europe/Berlin
     volumes:
       - /mnt/user/photos/immich:/usr/src/app/upload
       - /mnt/user/photos/family_archive:/usr/src/app/external
-      - /etc/localtime:/etc/localtime:ro
     networks:
       - immich_default
       - frontend_net
@@ -34,18 +32,40 @@ services:
 
   immich-machine-learning:
     container_name: immich_machine_learning
-    image: ghcr.io/immich-app/immich-machine-learning:release
+    image: ghcr.io/immich-app/immich-machine-learning:v2.7.5@sha256:a2501141440f10516d329fdfba2c68082e19eb9ba6016c061ac80d23beadf7f3
     restart: unless-stopped
+    environment:
+      # Workaround fuer gunicorn-25.1.0-Control-Socket-Bug: der Worker haengt
+      # nach "Control socket listening at /usr/src/gunicorn.ctl" und erreicht
+      # nie "Application startup complete" -> Container bleibt dauerhaft
+      # unhealthy, ML (Gesichtserkennung/CLIP/Smart-Search) ist tot.
+      # --no-control-socket deaktiviert das fehlerhafte Feature. immich-ml
+      # startet gunicorn als Subprozess, der GUNICORN_CMD_ARGS aus der Env
+      # liest und anhaengt. Bestaetigte Upstream-Regression seit Immich 2.6
+      # (immich#27228, gunicorn#3510). Re-check: bei Immich-Update, das
+      # gunicorn auf >25.1.0/<25.1.0 mit Fix bringt, wieder entfernen.
+      GUNICORN_CMD_ARGS: "--no-control-socket"
     volumes:
       - model-cache:/cache
     networks:
+      # immich_default (internal) = Erreichbarkeit durch immich-server.
+      # immich_egress (nicht-internal) = Outbound zu huggingface, damit ML die
+      # Modelle (CLIP ViT-B-32, buffalo_l) einmalig nach model-cache laedt.
+      # Ohne dieses Netz scheitert der Modell-Download an der DNS-Aufloesung
+      # (immich_default ist internal: true) -> Smart Search/Gesichtserkennung tot.
       - immich_default
+      - immich_egress
+    dns:
+      # Egress-Netz braucht externe Aufloesung (huggingface.co); explizit nach
+      # docs/WORKFLOW.md "DNS-Regeln fuer Container", analog traefik/ddns-updater.
+      - 1.1.1.1
+      - 8.8.8.8
     security_opt:
       - no-new-privileges:true
 
   redis:
     container_name: immich_redis
-    image: redis:7
+    image: redis:8.8.0-alpine@sha256:09160599abd229764c0fb44cb6be640294e1d360a54b19985ab4843dcf2d90f1
     restart: unless-stopped
     networks:
       - immich_default
@@ -54,14 +74,15 @@ services:
 
   database:
     container_name: immich_postgres
-    image: tensorchord/pgvecto-rs:pg14-v0.2.0
+    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
     restart: unless-stopped
     environment:
       POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
       POSTGRES_USER: immich
       POSTGRES_DB: immich
+    shm_size: 128mb
     volumes:
-      - /mnt/user/appdata/immich_postgres:/var/lib/postgresql/data
+      - /mnt/user/appdata/immich_postgres_vectorchord:/var/lib/postgresql/data
       - /mnt/user/appdata/secrets/immich_postgres_password.txt:/run/secrets/postgres_password:ro
     networks:
       - immich_default
@@ -76,5 +97,10 @@ networks:
     name: immich_default
     internal: true
     driver: bridge
+  immich_egress:
+    # Bewusst NICHT internal: nur fuer den ML-Modell-Download (Outbound).
+    # Nur immich_machine_learning haengt hier; DB/Redis bleiben in immich_default.
+    name: immich_egress
+    driver: bridge
   frontend_net:
     external: true

apps/mail-archiver/docker-compose.yml

@@ -1,7 +1,6 @@
-version: "3.9"
 services:
   mail-archiver:
-    image: s1t5/mailarchiver
+    image: s1t5/mailarchiver@sha256:9ab6f51fa036c7869f64cb052a18f7bb8b9951a120ce1c03df43a273a20d3f59
     container_name: mail-archiver
     restart: unless-stopped
     environment:
@@ -25,6 +24,7 @@ services:
       - "traefik.http.routers.mail-archiver.entrypoints=websecure"
       - "traefik.http.routers.mail-archiver.tls=true"
       - "traefik.http.routers.mail-archiver.tls.certresolver=le"
+      - "traefik.http.routers.mail-archiver.middlewares=authelia@file,secure-headers@file"
       - "traefik.http.services.mail-archiver.loadbalancer.server.port=5000"
 networks:
   backend_net:

apps/mealie/docker-compose.yml

@@ -1,9 +1,15 @@
 services:
   mealie:
-    image: ghcr.io/mealie-recipes/mealie:v3.12.0
+    image: ghcr.io/mealie-recipes/mealie:v3.19.2@sha256:f68e959bf66f4f458893ea58facac71690fe6f2ac7a31466b5cecb41b4e99c02
     container_name: mealie
     restart: unless-stopped
 
+    # OIDC: Authelia ueber Host-LAN-IP -> Traefik erreichbar (Container-DNS loest
+    # auth.kaleschke.info sonst nicht; gleiches Muster wie Komodo. SNI bleibt der
+    # Hostname, Let's-Encrypt-Cert validiert weiter.
+    extra_hosts:
+      - "auth.kaleschke.info:192.168.178.58"
+
     environment:
       TZ: Europe/Berlin
       ALLOW_SIGNUP: "false"
@@ -14,13 +20,22 @@ services:
       POSTGRES_SERVER: mealie-postgres
       POSTGRES_DB: mealie
       POSTGRES_USER: mealie
-      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
+      POSTGRES_PASSWORD: ${MEALIE_POSTGRES_PASSWORD}
 
       BASE_URL: https://mealie.kaleschke.info
 
+      # --- Authelia OIDC SSO (additiv, 2026-06-06; lokaler Login bleibt) ---
+      OIDC_AUTH_ENABLED: "true"
+      OIDC_PROVIDER_NAME: Authelia
+      OIDC_CONFIGURATION_URL: https://auth.kaleschke.info/.well-known/openid-configuration
+      OIDC_CLIENT_ID: mealie
+      OIDC_CLIENT_SECRET: ${MEALIE_OIDC_CLIENT_SECRET}
+      OIDC_SIGNUP_ENABLED: "true"
+      OIDC_AUTO_REDIRECT: "false"
+      OIDC_REMEMBER_ME: "true"
+
     volumes:
       - /mnt/user/appdata/mealie/data:/app/data
-      - /mnt/user/appdata/secrets/mealie_postgres_password.txt:/run/secrets/postgres_password:ro
 
     networks:
       - frontend_net
@@ -39,7 +54,7 @@ services:
       - traefik.http.services.mealie.loadbalancer.server.port=9000
 
   mealie-postgres:
-    image: postgres:17
+    image: postgres:18.4@sha256:29ee7bb30d804447dc9a91fd0d74322ae1dc3a4072cc6346f70a5ed6e783b565
     container_name: mealie-postgres
     restart: unless-stopped
 
@@ -48,10 +63,10 @@ services:
       POSTGRES_USER: mealie
       POSTGRES_DB: mealie
       POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
-      PGDATA: /var/lib/postgresql/data
+      PGDATA: /var/lib/postgresql/18/docker
 
     volumes:
-      - /mnt/user/appdata/mealie/postgres:/var/lib/postgresql/data
+      - /mnt/user/appdata/mealie/postgres18:/var/lib/postgresql
       - /mnt/user/appdata/secrets/mealie_postgres_password.txt:/run/secrets/postgres_password:ro
 
     networks:

apps/n8n/docker-compose.yml

@@ -0,0 +1,51 @@
+services:
+  n8n:
+    image: docker.n8n.io/n8nio/n8n:2.27.3@sha256:a772d24e6b4f9b3848be5a57c5e45437eed1965bbbcefa2f9a93f4835b6639fa
+    container_name: n8n
+    restart: unless-stopped
+
+    security_opt:
+      - no-new-privileges:true
+
+    dns:
+      - 1.1.1.1
+      - 8.8.8.8
+
+    environment:
+      TZ: Europe/Berlin
+      GENERIC_TIMEZONE: Europe/Berlin
+
+      N8N_HOST: n8n.kaleschke.info
+      N8N_PORT: "5678"
+      N8N_PROTOCOL: https
+      N8N_EDITOR_BASE_URL: https://n8n.kaleschke.info/
+      WEBHOOK_URL: https://n8n.kaleschke.info/
+      N8N_PROXY_HOPS: "1"
+
+      N8N_ENCRYPTION_KEY: ${N8N_ENCRYPTION_KEY}
+
+      N8N_DIAGNOSTICS_ENABLED: "false"
+      N8N_PERSONALIZATION_ENABLED: "false"
+      N8N_HIRING_BANNER_ENABLED: "false"
+      N8N_RUNNERS_ENABLED: "true"
+      N8N_BLOCK_ENV_ACCESS_IN_NODE: "true"
+
+    volumes:
+      - /mnt/user/appdata/n8n/data:/home/node/.n8n
+
+    networks:
+      - frontend_net
+
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=frontend_net"
+      - "traefik.http.routers.n8n.rule=Host(`n8n.kaleschke.info`)"
+      - "traefik.http.routers.n8n.entrypoints=websecure"
+      - "traefik.http.routers.n8n.tls=true"
+      - "traefik.http.routers.n8n.tls.certresolver=le"
+      - "traefik.http.routers.n8n.middlewares=secure-headers@file"
+      - "traefik.http.services.n8n.loadbalancer.server.port=5678"
+
+networks:
+  frontend_net:
+    external: true

apps/n8n/workflows/mail-to-gitea-issue.json

@@ -0,0 +1,284 @@
+{
+  "name": "GMX -> OpenAI -> Gitea Issue (Super Productivity)",
+  "nodes": [
+    {
+      "parameters": {
+        "pollTimes": {
+          "item": [
+            {
+              "mode": "everyMinute"
+            }
+          ]
+        },
+        "format": "simple",
+        "options": {
+          "customEmailConfig": "[\"UNSEEN\"]",
+          "forceReconnect": 15
+        },
+        "postProcessAction": "read"
+      },
+      "id": "11111111-1111-1111-1111-111111111111",
+      "name": "IMAP: GMX UNSEEN",
+      "type": "n8n-nodes-base.emailReadImap",
+      "typeVersion": 2,
+      "position": [
+        240,
+        300
+      ],
+      "credentials": {
+        "imap": {
+          "id": "REPLACE_GMX_IMAP_CRED_ID",
+          "name": "GMX IMAP"
+        }
+      }
+    },
+    {
+      "parameters": {
+        "assignments": {
+          "assignments": [
+            {
+              "id": "a1",
+              "name": "from",
+              "value": "={{ $json.from }}",
+              "type": "string"
+            },
+            {
+              "id": "a2",
+              "name": "subject",
+              "value": "={{ $json.subject }}",
+              "type": "string"
+            },
+            {
+              "id": "a3",
+              "name": "date",
+              "value": "={{ $json.date }}",
+              "type": "string"
+            },
+            {
+              "id": "a4",
+              "name": "messageId",
+              "value": "={{ $json.messageId || $json['message-id'] || '' }}",
+              "type": "string"
+            },
+            {
+              "id": "a5",
+              "name": "text",
+              "value": "={{ ($json.text || $json.textPlain || '').toString().slice(0, 8000) }}",
+              "type": "string"
+            }
+          ]
+        },
+        "options": {}
+      },
+      "id": "22222222-2222-2222-2222-222222222222",
+      "name": "Extract mail fields",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        460,
+        300
+      ]
+    },
+    {
+      "parameters": {
+        "method": "POST",
+        "url": "https://api.openai.com/v1/chat/completions",
+        "authentication": "genericCredentialType",
+        "genericAuthType": "httpHeaderAuth",
+        "sendHeaders": true,
+        "headerParameters": {
+          "parameters": [
+            {
+              "name": "Content-Type",
+              "value": "application/json"
+            }
+          ]
+        },
+        "sendBody": true,
+        "specifyBody": "json",
+        "jsonBody": "={\n  \"model\": \"gpt-4o-mini\",\n  \"temperature\": 0.2,\n  \"response_format\": {\n    \"type\": \"json_schema\",\n    \"json_schema\": {\n      \"name\": \"issue_extraction\",\n      \"strict\": true,\n      \"schema\": {\n        \"type\": \"object\",\n        \"additionalProperties\": false,\n        \"required\": [\"title\", \"body_md\", \"priority\", \"due_date\", \"category\"],\n        \"properties\": {\n          \"title\":    { \"type\": \"string\", \"maxLength\": 80 },\n          \"body_md\":  { \"type\": \"string\" },\n          \"priority\": { \"type\": \"string\", \"enum\": [\"niedrig\", \"normal\", \"hoch\"] },\n          \"due_date\": { \"type\": [\"string\", \"null\"], \"description\": \"ISO YYYY-MM-DD oder null\" },\n          \"category\": { \"type\": \"string\" }\n        }\n      }\n    }\n  },\n  \"messages\": [\n    {\n      \"role\": \"system\",\n      \"content\": \"Du extrahierst aus einer E-Mail eine Aufgabe fuer ein Issue-Tracking-System. Antworte ausschliesslich gemaess JSON-Schema. Sprache: Deutsch.\\n- title: imperativ, max. 80 Zeichen, ohne abschliessenden Punkt.\\n- body_md: 2 bis 6 Saetze. Was ist zu tun, warum, bis wann. Keine Begruessungen.\\n- priority: niedrig | normal | hoch.\\n- due_date: ISO YYYY-MM-DD wenn aus Mail ableitbar, sonst null.\\n- category: kurzes Schlagwort (rechnung, termin, technik, familie, sonstiges, ...).\"\n    },\n    {\n      \"role\": \"user\",\n      \"content\": {{ JSON.stringify('Absender: ' + $json.from + '\\nDatum: ' + $json.date + '\\nBetreff: ' + $json.subject + '\\n\\nMailtext:\\n' + $json.text) }}\n    }\n  ]\n}",
+        "options": {
+          "timeout": 60000
+        }
+      },
+      "id": "33333333-3333-3333-3333-333333333333",
+      "name": "OpenAI: extract issue",
+      "type": "n8n-nodes-base.httpRequest",
+      "typeVersion": 4.2,
+      "position": [
+        680,
+        300
+      ],
+      "credentials": {
+        "httpHeaderAuth": {
+          "id": "REPLACE_OPENAI_HEADER_AUTH_CRED_ID",
+          "name": "OpenAI Bearer"
+        }
+      }
+    },
+    {
+      "parameters": {
+        "assignments": {
+          "assignments": [
+            {
+              "id": "b1",
+              "name": "extracted",
+              "value": "={{ JSON.parse($json.choices[0].message.content) }}",
+              "type": "object"
+            },
+            {
+              "id": "b2",
+              "name": "mail",
+              "value": "={{ $('Extract mail fields').item.json }}",
+              "type": "object"
+            }
+          ]
+        },
+        "options": {}
+      },
+      "id": "44444444-4444-4444-4444-444444444444",
+      "name": "Parse OpenAI JSON",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        900,
+        300
+      ]
+    },
+    {
+      "parameters": {
+        "assignments": {
+          "assignments": [
+            {
+              "id": "c1",
+              "name": "title",
+              "value": "={{ ($json.extracted.priority === 'hoch' ? '[P1] ' : '') + $json.extracted.title }}",
+              "type": "string"
+            },
+            {
+              "id": "c2",
+              "name": "body",
+              "value": "={{ $json.extracted.body_md + '\\n\\n---\\n**Kategorie:** ' + $json.extracted.category + '\\n**Prioritaet:** ' + $json.extracted.priority + ($json.extracted.due_date ? '\\n**Faellig:** ' + $json.extracted.due_date : '') + '\\n**Quelle:** Mail von ' + $json.mail.from + ' (' + $json.mail.date + ')\\n**Betreff:** ' + $json.mail.subject + '\\n**Message-ID:** ' + $json.mail.messageId }}",
+              "type": "string"
+            }
+          ]
+        },
+        "options": {}
+      },
+      "id": "55555555-5555-5555-5555-555555555555",
+      "name": "Build issue payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        1120,
+        300
+      ]
+    },
+    {
+      "parameters": {
+        "method": "POST",
+        "url": "https://git.kaleschke.info/api/v1/repos/Micha/mails/issues",
+        "authentication": "genericCredentialType",
+        "genericAuthType": "httpHeaderAuth",
+        "sendHeaders": true,
+        "headerParameters": {
+          "parameters": [
+            {
+              "name": "Content-Type",
+              "value": "application/json"
+            },
+            {
+              "name": "Accept",
+              "value": "application/json"
+            }
+          ]
+        },
+        "sendBody": true,
+        "specifyBody": "json",
+        "jsonBody": "={\n  \"title\": {{ JSON.stringify($json.title) }},\n  \"body\": {{ JSON.stringify($json.body) }},\n  \"assignees\": [\"Micha\"]\n}",
+        "options": {
+          "timeout": 30000
+        }
+      },
+      "id": "66666666-6666-6666-6666-666666666666",
+      "name": "Gitea: create issue",
+      "type": "n8n-nodes-base.httpRequest",
+      "typeVersion": 4.2,
+      "position": [
+        1340,
+        300
+      ],
+      "credentials": {
+        "httpHeaderAuth": {
+          "id": "REPLACE_GITEA_HEADER_AUTH_CRED_ID",
+          "name": "Gitea Token"
+        }
+      }
+    }
+  ],
+  "connections": {
+    "IMAP: GMX UNSEEN": {
+      "main": [
+        [
+          {
+            "node": "Extract mail fields",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Extract mail fields": {
+      "main": [
+        [
+          {
+            "node": "OpenAI: extract issue",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "OpenAI: extract issue": {
+      "main": [
+        [
+          {
+            "node": "Parse OpenAI JSON",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Parse OpenAI JSON": {
+      "main": [
+        [
+          {
+            "node": "Build issue payload",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Build issue payload": {
+      "main": [
+        [
+          {
+            "node": "Gitea: create issue",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    }
+  },
+  "active": false,
+  "settings": {
+    "executionOrder": "v1"
+  },
+  "meta": {
+    "instanceId": "homelab-n8n"
+  },
+  "tags": []
+}

apps/nextcloud/docker-compose.yml

@@ -0,0 +1,84 @@
+services:
+  nextcloud:
+    image: nextcloud:34.0.0-apache@sha256:851ca6ef9da101ce3c8a32ec7b6fc65a726b380b5f466307a54c17d32fb77c9a
+    container_name: nextcloud
+    restart: unless-stopped
+    depends_on:
+      - nextcloud-postgres
+      - nextcloud-redis
+    environment:
+      TZ: Europe/Berlin
+      POSTGRES_HOST: nextcloud-postgres
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
+      REDIS_HOST: nextcloud-redis
+      NEXTCLOUD_ADMIN_USER_FILE: /run/secrets/admin_user
+      NEXTCLOUD_ADMIN_PASSWORD_FILE: /run/secrets/admin_password
+      NEXTCLOUD_DATA_DIR: /var/www/html/data
+      NEXTCLOUD_TRUSTED_DOMAINS: cloud.kaleschke.info
+      TRUSTED_PROXIES: 172.16.0.0/12
+      OVERWRITEHOST: cloud.kaleschke.info
+      OVERWRITEPROTOCOL: https
+      OVERWRITECLIURL: https://cloud.kaleschke.info
+    volumes:
+      - /mnt/user/appdata/nextcloud/html:/var/www/html
+      - /mnt/user/documents/nextcloud-data:/var/www/html/data
+      - /mnt/user/appdata/secrets/nextcloud_postgres_password.txt:/run/secrets/postgres_password:ro
+      - /mnt/user/appdata/secrets/nextcloud_admin_user.txt:/run/secrets/admin_user:ro
+      - /mnt/user/appdata/secrets/nextcloud_admin_password.txt:/run/secrets/admin_password:ro
+    networks:
+      - frontend_net
+      - nextcloud_internal
+    security_opt:
+      - no-new-privileges:true
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=frontend_net"
+      - "traefik.http.routers.nextcloud.rule=Host(`cloud.kaleschke.info`)"
+      - "traefik.http.routers.nextcloud.entrypoints=websecure"
+      - "traefik.http.routers.nextcloud.tls=true"
+      - "traefik.http.routers.nextcloud.tls.certresolver=le"
+      - "traefik.http.routers.nextcloud.middlewares=nextcloud-redirectregex"
+      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.permanent=true"
+      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.regex=https://(.*)/.well-known/(?:card|cal)dav"
+      - "traefik.http.middlewares.nextcloud-redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav"
+      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
+
+  nextcloud-postgres:
+    image: postgres:18.4@sha256:29ee7bb30d804447dc9a91fd0d74322ae1dc3a4072cc6346f70a5ed6e783b565
+    container_name: nextcloud-postgres
+    restart: unless-stopped
+    environment:
+      TZ: Europe/Berlin
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
+      PGDATA: /var/lib/postgresql/18/docker
+    volumes:
+      - /mnt/user/appdata/nextcloud/postgres18:/var/lib/postgresql
+      - /mnt/user/appdata/secrets/nextcloud_postgres_password.txt:/run/secrets/postgres_password:ro
+    networks:
+      - nextcloud_internal
+    security_opt:
+      - no-new-privileges:true
+
+  nextcloud-redis:
+    image: redis:8.8.0-alpine@sha256:09160599abd229764c0fb44cb6be640294e1d360a54b19985ab4843dcf2d90f1
+    container_name: nextcloud-redis
+    restart: unless-stopped
+    command: redis-server --save 60 1 --loglevel warning
+    volumes:
+      - /mnt/user/appdata/nextcloud/redis:/data
+    networks:
+      - nextcloud_internal
+    security_opt:
+      - no-new-privileges:true
+
+networks:
+  frontend_net:
+    external: true
+
+  nextcloud_internal:
+    driver: bridge
+    internal: true

apps/ntfy/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   ntfy:
-    image: binwiederhier/ntfy:latest
+    image: binwiederhier/ntfy@sha256:f8a9b104313b87cc24ae4f775f39e6328205b57dff6ede3eaf098a91e5d79f59
     container_name: ntfy
     restart: unless-stopped
     dns:                       

apps/paperless-gpt/docker-compose.yml

@@ -1,8 +1,6 @@
-version: '3.8'
-
 services:
   paperless-gpt:
-    image: icereed/paperless-gpt:latest
+    image: icereed/paperless-gpt:v0.25.1@sha256:c0ce6186028911101a2cfe68353f14a9dbb2653596f3f1cff94de4b6db3114ff
     container_name: paperless-gpt
     restart: unless-stopped
     security_opt:
@@ -17,20 +15,25 @@ services:
       PAPERLESS_API_TOKEN: "${PAPERLESS_API_TOKEN}"
       MANUAL_TAG: "paperless-gpt"
       AUTO_TAG: "paperless-gpt-auto"
-      LLM_PROVIDER: "ollama"
-      LLM_MODEL: "cnshenyang/qwen3-nothink:14b"
-      OLLAMA_HOST: "http://192.168.178.103:11434"
+      LLM_PROVIDER: "openai"
+      LLM_MODEL: "gpt-5.4-mini"
+      OPENAI_API_KEY: "${OPENAI_API_KEY}"
+      OPENAI_BASE_URL: "https://api.openai.com/v1"
+      TOKEN_LIMIT: "12000"
+      LLM_REQUESTS_PER_MINUTE: "30"
       LLM_LANGUAGE: "German"
       OCR_PROVIDER: "llm"
-      VISION_LLM_PROVIDER: "ollama"
-      VISION_LLM_MODEL: "cnshenyang/qwen3-nothink:14b"
+      VISION_LLM_PROVIDER: "openai"
+      VISION_LLM_MODEL: "gpt-5.4-mini"
+      VISION_LLM_TEMPERATURE: "1.0"
+      VISION_LLM_REQUESTS_PER_MINUTE: "20"
       OCR_PROCESS_MODE: "image"
       CREATE_NEW_TAGS: "true"
       AUTO_GENERATE_TITLE: "true"
       AUTO_GENERATE_TAGS: "true"
       AUTO_GENERATE_CORRESPONDENTS: "true"
       AUTO_GENERATE_DOCUMENT_TYPE: "true"
-      LOG_LEVEL: "debug"
+      LOG_LEVEL: "info"
     volumes:
       - /mnt/user/appdata/paperless-gpt/data:/app/data
       - /mnt/user/appdata/paperless-gpt/prompts:/app/prompts

apps/paperless/docker-compose.yml

@@ -1,9 +1,11 @@
-version: "3.9"
 services:
   paperless:
-    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.10
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.15@sha256:6c86cad803970ea782683a8e80e7403444c5bf3cf70de63b4d3c8e87500db92f
     container_name: paperless-ngx
     restart: unless-stopped
+    # OIDC: Authelia ueber Host-LAN-IP -> Traefik erreichbar (Container-DNS sonst nicht)
+    extra_hosts:
+      - "auth.kaleschke.info:192.168.178.58"
     security_opt:
       - no-new-privileges:true
     environment:
@@ -17,6 +19,24 @@ services:
       - PAPERLESS_TIME_ZONE=Europe/Berlin
       - PAPERLESS_OCR_LANGUAGE=deu+eng
       - PAPERLESS_URL=https://paperless.kaleschke.info
+
+      # --- Authelia OIDC SSO (additiv, 2026-06-06; lokaler Login bleibt) ---
+      - PAPERLESS_APPS=allauth.socialaccount.providers.openid_connect
+      - PAPERLESS_SOCIAL_AUTO_SIGNUP=true
+      - 'PAPERLESS_SOCIALACCOUNT_PROVIDERS={"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authelia","name":"Authelia","client_id":"paperless","secret":"${PAPERLESS_OIDC_SECRET}","settings":{"server_url":"https://auth.kaleschke.info"}}]}}'
+
+      # Barcode / ASN
+      - PAPERLESS_CONSUMER_ENABLE_BARCODES=1
+      - PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE=1
+      - PAPERLESS_CONSUMER_ASN_BARCODE_PREFIX=ASN
+
+      # Erkennung robuster für kleine Labels
+      - PAPERLESS_CONSUMER_BARCODE_DPI=600
+      - PAPERLESS_CONSUMER_BARCODE_UPSCALE=1.5
+
+      # Optional: alle Seiten prüfen
+      - PAPERLESS_CONSUMER_BARCODE_MAX_PAGES=0
+
     volumes:
       - /mnt/user/documents/scans_inbox:/usr/src/paperless/consume
       - /mnt/user/appdata/paperless-ngx/data:/usr/src/paperless/data

apps/super-productivity/docker-compose.yml

@@ -0,0 +1,25 @@
+services:
+  super-productivity:
+    image: johannesjo/super-productivity:v18.12.0@sha256:2c84668a961b090dd931f6e117dde5195b7c674d8453e0d511b777c23c242bc8
+    container_name: super-productivity
+    restart: unless-stopped
+
+    security_opt:
+      - no-new-privileges:true
+
+    networks:
+      - frontend_net
+
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=frontend_net"
+      - "traefik.http.routers.super-productivity.rule=Host(`sp.kaleschke.info`)"
+      - "traefik.http.routers.super-productivity.entrypoints=websecure"
+      - "traefik.http.routers.super-productivity.tls=true"
+      - "traefik.http.routers.super-productivity.tls.certresolver=le"
+      - "traefik.http.routers.super-productivity.middlewares=authelia@file,secure-headers@file"
+      - "traefik.http.services.super-productivity.loadbalancer.server.port=80"
+
+networks:
+  frontend_net:
+    external: true

apps/unbound/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   unbound:
-    image: shaanmajid/unbound:latest
+    image: shaanmajid/unbound:1.25.1@sha256:6fa3d5257ff6d95ab16153c62fabfe256edc0db515f94755f5edeb1f2a2258ab
     container_name: unbound
     restart: unless-stopped
     volumes:

audit/raw/01_volumes_partitions.txt

@@ -0,0 +1,22 @@
+### VOLUMES ###
+DriveLetter  Label            FS    Size_GB   Free_GB  Health
+C            (kein Label)     NTFS  166.9     59.5     Healthy
+D            Daten-Projekte   NTFS  167.7     148.6    Healthy
+E            Games            NTFS  930.6     714.9    Healthy
+G            M2 SSD           NTFS  930.9     877.5    Healthy
+H            Externe HDD      NTFS  7452.0    3801.3   Healthy
+(kein BW)    Recovery x5      NTFS  diverse   diverse  Healthy
+
+### DISKS ###
+Disk 0  INTEL SSDSC2BW180A3L  SATA  167.68 GB  GPT  Healthy  Serial: CVCV3105053K180EGN
+Disk 1  INTEL SSDSC2BW180A3L  SATA  167.68 GB  GPT  Healthy  Serial: CVCV311302TH180EGN
+Disk 2  Samsung SSD 980 PRO 1TB  NVMe  931.51 GB  GPT  Healthy
+Disk 3  WDC WDS100T2B0C        NVMe  931.51 GB  GPT  Healthy
+Disk 4  asmedia ASM235         USB   7.28 TB    GPT  Healthy
+
+### PARTITIONS ###
+Disk 0: [Reserved 16MB] [C: 166.87 GB Basic] [Recovery 809 MB]
+Disk 1: [Reserved 15.98 MB] [D: 167.66 GB Basic]
+Disk 2: [Reserved 15.98 MB] [E: 930.63 GB Basic] [Recovery 885 MB]   <- F: ist weg
+Disk 3: [System 100 MB] [Reserved 16 MB] [G: 930.89 GB Basic] [Recovery 524 MB]
+Disk 4: [Reserved 15.98 MB] [H: 7.28 TB Basic]

audit/raw/02_folder_structure.txt

@@ -0,0 +1,52 @@
+### D:\ TOP-LEVEL ###
+00_Inbox        Directory  2026-06-04
+10_Dokumente    Directory  2026-06-04
+11_Bilder       Directory  2026-06-04  [ReadOnly-Attribut gesetzt]
+12_Videos       Directory  2026-06-04
+13_Musik        Directory  2026-06-04
+14_Downloads    Directory  2026-06-04
+20_Projekte     Directory  2026-06-04
+30_Finanzen     Directory  2026-06-04
+90_Archiv       Directory  2026-06-04
+Micha           Directory  2026-06-05  [Altquelle, noch vorhanden]
+WSL             Directory  2026-06-04  [nicht in Soll-Doku]
+DumpStack.log   File
+
+### D:\Micha INHALT ###
+Videos          Directory  2026-06-05  [1 Datei, 0 MB - fast leer]
+(alle anderen Unterordner weg)
+
+### D:\00_Inbox INHALT ###
+Desktop         Directory  2026-06-05  [ReadOnly - das ist das Known-Folder-Ziel!]
+
+### E:\ TOP-LEVEL ###
+BattleNet       Directory  2026-06-04  [SOLL]
+EA              Directory  2026-06-04  [SOLL]
+EpicGames       Directory  2026-06-04  [SOLL]
+Riot            Directory  2026-06-04  [SOLL]
+Steam           Directory  2026-06-05  [SOLL]
+Ubisoft         Directory  2026-06-04  [SOLL]
+_Standalone     FEHLT!                 [SOLL laut Doku]
+
+### G:\ TOP-LEVEL ###
+Apps            Directory  2026-06-04  [nicht in Soll-Doku]
+Gitea_Clone     Directory  2026-04-15  [nicht in Soll-Doku - bewusst, homelab-infra]
+repos           Directory  2026-06-05  [SOLL]
+Tools           Directory  2026-06-05  [SOLL - Doku schreibt 'tools' lowercase, NTFS case-insensitive]
+Workspace       Directory  2026-06-04  [nicht in Soll-Doku]
+
+### KNOWN FOLDER REDIRECTS (Ist) ###
+Desktop   -> D:\00_Inbox\Desktop      [ABWEICHUNG! Soll: D:\Micha\Desktop]
+Documents -> D:\10_Dokumente          [OK]
+Downloads -> D:\14_Downloads          [OK]
+Pictures  -> D:\11_Bilder             [OK]
+Music     -> D:\13_Musik              [OK]
+Videos    -> D:\12_Videos             [OK]
+
+### DOPPELBESTAND D:\Micha\* vs D:\NN_* ###
+D:\Micha\Dokumente : NICHT VORHANDEN  |  D:\10_Dokumente  : 4011 Dateien, 595 MB
+D:\Micha\Bilder    : NICHT VORHANDEN  |  D:\11_Bilder     : 7789 Dateien, 12367 MB
+D:\Micha\Videos    : 1 Datei, 0 MB   |  D:\12_Videos     : 1 Datei, 0 MB
+D:\Micha\Musik     : NICHT VORHANDEN  |  D:\13_Musik      : 0 Dateien
+D:\Micha\Downloads : NICHT VORHANDEN  |  D:\14_Downloads  : 2186 Dateien, 2211 MB
+D:\Micha\Finanzen  : NICHT VORHANDEN  |  D:\30_Finanzen   : 126 Dateien, 123 MB

audit/raw/03_os_security.txt

@@ -0,0 +1,63 @@
+### OS BASELINE ###
+Caption:       Microsoft Windows 11 Pro
+Build:         26200
+Version:       10.0.26200
+Architecture:  64-Bit
+InstallDate:   2026-05-10 13:11:27
+LastBoot:      2026-06-05 07:57:08
+Uptime:        0.04 Tage (~1 Stunde zum Audit-Zeitpunkt)
+Manufacturer:  Micro-Star International Co., Ltd.
+Model:         MS-7D32
+RAM:           31.79 GB
+CPU:           Intel Core i5-14600KF, 14 Cores, 20 Threads, 3500 MHz
+
+### AKTIVIERUNG ###
+Name:          Windows(R), Professional edition
+LicenseStatus: 1 (Aktiv)
+Channel:       OEM_DM
+
+### AUSSTEHENDE UPDATES ###
+Windows Update pending: 0
+Reboot pending:         Nein
+
+### DEFENDER ###
+AMProductVersion:   4.18.26040.7
+AMServiceEnabled:   True
+AntivirusEnabled:   True
+AntispywareEnabled: True
+RealTimeProtection: True
+TamperProtection:   True
+SignatureAge:       0 Tage (aktuell)
+Exclusions:        KEIN ADMIN -> nicht lesbar
+ASR Rules:         KEIN ADMIN -> nicht lesbar (Get-MpPreference liefert leer)
+
+### FIREWALL ###
+Domain:  Enabled, DefaultInboundAction: NotConfigured, DefaultOutboundAction: NotConfigured
+Private: Enabled, DefaultInboundAction: NotConfigured, DefaultOutboundAction: NotConfigured
+Public:  Enabled, DefaultInboundAction: NotConfigured, DefaultOutboundAction: NotConfigured
+HINWEIS: NotConfigured = Windows-Default (eingehend blockieren, ausgehend erlauben)
+
+### BITLOCKER ###
+KEIN ADMIN -> Get-BitLockerVolume verweigert (Access Denied). Status unbekannt.
+
+### SECURE BOOT ###
+KEIN ADMIN -> Confirm-SecureBootUEFI verweigert. Status unbekannt.
+
+### TPM ###
+KEIN ADMIN -> Get-Tpm liefert alle Felder leer. Status unbekannt.
+
+### UAC ###
+EnableLUA:                  1 (aktiv)
+ConsentPromptBehaviorAdmin: 5 (Nachfrage mit UI, ohne Secure Desktop laut Wert, aber...)
+PromptOnSecureDesktop:      1 (Secure Desktop ist AN - Standard-Konfiguration korrekt)
+
+### LOKALE ADMINS ###
+Gruppe Administratoren: Administrator, michi
+
+### BCD ###
+KEIN ADMIN -> bcdedit /enum verweigert.
+Letzte bekannte Aussage (Doku boot-cleanup-plan): Keine partition=F: Referenz nach Cleanup + Neustarttest.
+
+### WinRE ###
+KEIN ADMIN -> reagentc /info verweigert.
+Letzte bekannte Aussage (Doku): WinRE Disabled.

audit/raw/04_network_ssh.txt

@@ -0,0 +1,58 @@
+### NETZWERK-ADAPTER (UP) ###
+Ethernet     Intel I225-V  MAC: 04-7C-16-53-04-E4  1 Gbps
+Tailscale    Tunnel                                 100 Gbps (virtuell)
+vEthernet    WSL (Hyper-V) MAC: 00-15-5D-F3-5F-C9  10 Gbps (virtuell)
+
+### IP-ADRESSEN ###
+Ethernet:   192.168.178.103/24
+Tailscale:  100.78.133.37/32
+WSL bridge: 172.26.80.1/20
+(WLAN, Bluetooth etc.: APIPA 169.254.x.x - nicht konfiguriert/inaktiv)
+
+### DNS ###
+Ethernet DNS: 192.168.178.58  (= Kallilabcore AdGuard Home)
+WLAN DNS:     192.168.178.58
+
+### TAILSCALE STATUS ###
+100.78.133.37  baerchen-1     (dieser Rechner)     online
+100.105.203.21 baerchen       (alter Rechner)       offline, last seen 20h ago
+100.73.83.55   iphone-14      iOS                  online
+100.112.0.90   kallilab-core  linux                online
+100.80.98.33   kallilabcore   linux                active; direct 192.168.178.58:49917
+
+### LAUSCHENDE TCP-PORTS ###
+Port   Adresse          Prozess            Bemerkung
+135    0.0.0.0/::       svchost            RPC Endpoint Mapper
+139    192.168.178.103  System             NetBIOS
+445    ::               System             SMB
+3000   ::1/::           wslrelay / docker  Docker / WSL lokal
+5040   0.0.0.0          svchost            WS-Discovery (WDAS)
+5357   ::               System             WSD HTTP
+7680   ::               svchost            WUDO (Delivery Optimization)
+11434  127.0.0.1        ollama             Ollama API (lokal)
+22885  127.0.0.1        Battle.net         lokal
+26822  127.0.0.1        MSI.TerminalServer MSI Center
+27036  0.0.0.0          steam              Steam Remote Play (0.0.0.0 - offen!)
+27060  127.0.0.1        steam              Steam lokal
+32683  127.0.0.1        MSI.CentralServer  MSI Center
+33683  127.0.0.1        MSI.CentralServer  MSI Center
+38810  fd7a:...         tailscaled
+49553  100.78.133.37    tailscaled
+50123  127.0.0.1        iCUE               Corsair lokal
+51037  127.0.0.1        RazerAppEngine
+55316  127.0.0.1        RazerAppEngine
+59686  127.0.0.1        steam
+60999  127.0.0.1        Agent              Claude Code
+
+### SSH ###
+~\.ssh\config: LEER (keine Host-Eintraege)
+~\.ssh\id_ed25519: vorhanden (411 Bytes, erstellt 2026-04-04)
+~\.ssh\id_ed25519.pub: vorhanden (97 Bytes)
+~\.ssh\known_hosts: vorhanden (4719 Bytes, zuletzt 2026-06-04)
+~\.ssh\known_hosts.old + .pre-port222-Backup: vorhanden
+
+KEY PERMISSIONS id_ed25519:
+  NT-AUTORITAET\SYSTEM      FullControl  Allow
+  VORDEFINIERT\Administratoren FullControl  Allow
+  baerchen\michi            FullControl  Allow
+BEFUND: Zu viele Berechtigungen - Admins-Gruppe hat FullControl auf Private Key.