Docker & Compose Stacks

All containerized services run inside a Proxmox LXC with Docker Engine installed. Stacks are organized by function and managed as separate Compose projects.

Stack organization

/opt/stacks/
├── media/          → Jellyfin, *arr stack, qBittorrent
├── infra/          → Traefik, Authentik, Portainer
├── productivity/   → Nextcloud, Vaultwarden, Paperless-NGX
├── monitoring/     → Grafana, Prometheus, Uptime Kuma
└── home/           → Scrypted, Node-RED, Zigbee2MQTT

Each stack has its own docker-compose.yml and a .env file (git-ignored, sourced from a secrets manager).

Traefik as the reverse proxy

All external-facing services go through Traefik with automatic Let’s Encrypt certs. Internal services use a wildcard cert for *.home.syrsyn.com.

# Minimal service label example
labels:
  - traefik.enable=true
  - traefik.http.routers.myapp.rule=Host(`myapp.home.syrsyn.com`)
  - traefik.http.routers.myapp.tls=true
  - traefik.http.routers.myapp.middlewares=authentik@docker

Authentik for SSO

Most services sit behind Authentik for single sign-on. The forward-auth middleware on Traefik handles the redirect without touching the upstream service config.
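Since only most services use the forward-auth middleware, it helps to list the routers that are published without it. The following is an added example, not part of the original page: it audits label lists for Traefik-enabled routers that lack `authentik@docker` or `tls=true`. The `wiki` and `db` services, their labels and `compress@docker` are constructed, and it assumes Traefik runs with `exposedByDefault=false` and that TLS is set per router rather than on the entrypoint.

```python
import re

# Label keys follow the pattern shown in the page's label example.
ROUTER_KEY = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(rule|tls|middlewares)$")
REQUIRED_MIDDLEWARE = "authentik@docker"  # name taken from the page's example

def parse_labels(labels):
    """Split 'key=value' label strings into (enabled, {router: {field: value}})."""
    enabled, routers = False, {}
    for item in labels:
        key, _, value = item.partition("=")
        key, value = key.strip(), value.strip()
        if key == "traefik.enable":
            enabled = value.lower() == "true"
            continue
        m = ROUTER_KEY.match(key)
        if m:
            routers.setdefault(m.group(1), {})[m.group(2)] = value
    return enabled, routers

def audit(services):
    """Return sorted (service, router, problem) tuples for exposed routers."""
    findings = []
    for service, labels in services.items():
        enabled, routers = parse_labels(labels)
        if not enabled:
            continue  # assumption: exposedByDefault=false, so no label means not published
        for name, cfg in routers.items():
            chain = [m.strip() for m in cfg.get("middlewares", "").split(",") if m.strip()]
            if REQUIRED_MIDDLEWARE not in chain:
                findings.append((service, name, "no forward-auth middleware"))
            if cfg.get("tls", "").lower() != "true":
                findings.append((service, name, "tls not enabled"))
    return sorted(findings)

# Constructed sample input: "wiki" and "db" and their labels are made up for illustration.
SAMPLE = {
    "myapp": ["traefik.enable=true",
              "traefik.http.routers.myapp.rule=Host(`myapp.home.syrsyn.com`)",
              "traefik.http.routers.myapp.tls=true",
              "traefik.http.routers.myapp.middlewares=authentik@docker"],
    "wiki": ["traefik.enable=true",
             "traefik.http.routers.wiki.rule=Host(`wiki.example.test`)",
             "traefik.http.routers.wiki.middlewares=compress@docker"],
    "db": ["traefik.enable=false"],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

A router flagged here may be intentionally public; the output is a review list, not a verdict.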

Volume mounts

Data volumes use bind mounts to a path on the Unraid NFS share, so the data lives independently of the containers and the LXC and survives restarts of either.

volumes:
  - /mnt/unraid/appdata/myapp:/data