diff --git a/.env.example b/.env.example
index c736e17..06df216 100644
--- a/.env.example
+++ b/.env.example
@@ -36,9 +36,10 @@ TAILSCALE_TAGS=tag:nas
 # Enable Tailscale Funnel (public access) for HTTPS? Set to 'true' or 'false'. 'false' uses Serve (Tailnet only, recommended).
 ENABLE_FUNNEL_HTTPS=false
 
-# --- Primary Hostname ---
-# Primary hostname used by Traefik for routing. Derived from Tailscale settings by default.
-HOSTNAME=${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}
+# --- Primary Application Hostname ---
+# Primary hostname used by Traefik/Authelia. Derived from Tailscale settings by default.
+# Renamed from HOSTNAME to avoid collision with host system environment variable.
+APP_HOSTNAME=${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}
 
 # --- Application Credentials ---
 # qBittorrent Web UI Credentials (change default!)
@@ -67,9 +68,9 @@ AUTHELIA_SESSION_SECRET= # Example: your_strong_session_secret
 AUTHELIA_STORAGE_ENCRYPTION_KEY= # Example: your_strong_storage_encryption_key
 AUTHELIA_REDIS_PASSWORD= # Example: your_strong_redis_password
 
-# Authelia Session Configuration
-AUTHELIA_SESSION_DOMAIN=${HOSTNAME}
-AUTHELIA_DEFAULT_REDIRECT_URL=https://${HOSTNAME}/home
+# Authelia Session Configuration (Note: These may be less relevant with config v4.38+ structure)
+AUTHELIA_SESSION_DOMAIN=${APP_HOSTNAME}
+AUTHELIA_DEFAULT_REDIRECT_URL=https://${APP_HOSTNAME}/home
 
 # --- API Keys & Integration Tokens (Optional - Mainly for Homepage Widgets) ---
 # Find API keys within each application's settings (usually Settings > General or Security)
diff --git a/README.md b/README.md
index 6447e72..d6db25a 100644
--- a/README.md
+++ b/README.md
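Review bot: `AUTHELIA_SESSION_DOMAIN` and `AUTHELIA_DEFAULT_REDIRECT_URL` in the second hunk are kept and rewired to `APP_HOSTNAME`, but the accompanying `authelia/configuration.yml` change no longer reads either of them (its `session.domain` line is commented out, the top-level `default_redirection_url` is removed, and the new session entry and access-control rule use `${APP_HOSTNAME}` directly), so editing these two values silently has no effect. Either drop them or make the comment say so plainly, e.g. `# Deprecated: no longer referenced by authelia/configuration.yml; set APP_HOSTNAME instead. Kept only for reference.`. The rename in the first hunk is sound: Compose interpolation prefers a variable already present in the calling shell over `.env`, and `HOSTNAME` is commonly set there, so the old name could be overridden without the user noticing.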
@@ -159,18 +159,18 @@ This file controls essential settings. Copy `.env.example` to `.env` and modify
 | `TAILSCALE_HOSTNAME` | Desired hostname for this NAS within Tailscale. | `tailscale-nas` |
 | `TAILSCALE_TAGS` | Optional tags for the Tailscale node (e.g., `tag:nas`). | `tag:nas` |
 | `ENABLE_FUNNEL_HTTPS` | Use Tailscale Funnel (`true` = public access via Tailscale domain) or Serve (`false` = Tailnet-only access, recommended). | `false` |
-| `HOSTNAME` | Primary hostname used by Traefik/Authelia. Defaults to Tailscale FQDN. Can be overridden if using custom DNS pointing to Tailscale IP. | `${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}` |
+| `APP_HOSTNAME` | Primary hostname used by Traefik/Authelia. Defaults to Tailscale FQDN. Renamed from `HOSTNAME` to avoid host system conflicts. Can be overridden if using custom DNS. | `${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}` |
 
 #### Authentication (Authelia)
 
 | Variable | Description | Default |
 | :---------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------- |
-| **`AUTHELIA_JWT_SECRET`** | **Required.** Random secret for signing JWTs. **Generate your own!** | *(None - Example in file)* |
+| **`AUTHELIA_JWT_SECRET`** | **Required.** Random secret for Authelia (used for password reset JWT). **Generate your own!** | *(None - Example in file)* |
 | **`AUTHELIA_SESSION_SECRET`** | **Required.** Random secret for session cookies. **Generate your own!** | *(None - Example in file)* |
-| **`AUTHELIA_STORAGE_ENCRYPTION_KEY`** | **Required.** Random secret for encrypting data at rest. **Generate your own!** | *(None - Example in file)* |
-| **`AUTHELIA_REDIS_PASSWORD`** | **Required.** Password for the Redis database. **Generate your own!** | *(None - Example in file)* |
-| `AUTHELIA_SESSION_DOMAIN` | Domain for session cookies. Should match `HOSTNAME`. | `${HOSTNAME}` |
-| `AUTHELIA_DEFAULT_REDIRECT_URL` | Where users land after login. | `https://${HOSTNAME}/home` |
+| **`AUTHELIA_STORAGE_ENCRYPTION_KEY`** | **Required.** Random secret for encrypting data at rest (e.g., SQLite DB). **Generate your own!** | *(None - Example in file)* |
+| **`AUTHELIA_REDIS_PASSWORD`** | **Required.** Password for the Redis database (used for session storage). **Generate your own!** | *(None - Example in file)* |
+| `AUTHELIA_SESSION_DOMAIN` | *Deprecated.* Domain for session cookies. Should match `APP_HOSTNAME`. (Handled within `authelia/configuration.yml` in v4.38+) | `${APP_HOSTNAME}` |
+| `AUTHELIA_DEFAULT_REDIRECT_URL` | *Deprecated.* Where users land after login. (Handled within `authelia/configuration.yml` in v4.38+) | `https://${APP_HOSTNAME}/home` |
 
 #### Service Credentials
 
@@ -305,7 +305,7 @@ With the default Tailscale setup and Authelia enabled, services are securely acc
 
 Replace `` with your Tailscale device name (e.g., `tailscale-nas.your-tailnet.ts.net`) or its Tailscale IP address.
 
-If you configure DNS for your `HOSTNAME` variable to point to the Tailscale IP, you can use `https:///`.
+If you configure DNS for your `APP_HOSTNAME` variable to point to the Tailscale IP, you can use `https:///`.
 
 ## Optional Services
 
diff --git a/authelia/configuration.yml b/authelia/configuration.yml
index 155c6ae..53cdd1d 100644
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -1,31 +1,36 @@
-# Authelia Configuration File
+# Authelia Configuration File v4.38+
 # Documentation: https://www.authelia.com/configuration/
 
-# Default configuration options affecting multiple sections.
-default_redirection_url: ${AUTHELIA_DEFAULT_REDIRECT_URL}
-
-# Server settings (listening address, paths, etc.)
+# Server settings using the new 'address' format
 server:
-  host: 0.0.0.0
-  port: 9091
+  # host: 0.0.0.0 # Deprecated
+  # port: 9091 # Deprecated
+  address: 'tcp://0.0.0.0:9091' # Listen on all interfaces, port 9091
 
 # Logging configuration
 log:
   level: info
   format: text # or json
 
-# Session configuration
+# Session configuration using the new 'domains' list format
 session:
   name: authelia_session
   secret: ${AUTHELIA_SESSION_SECRET}
   expiration: 1h # Adjust as needed
   inactivity: 5m # Adjust as needed
-  domain: ${AUTHELIA_SESSION_DOMAIN} # Set from .env
+  # domain: ${AUTHELIA_SESSION_DOMAIN} # Deprecated top-level domain
   redis:
     host: redis
     port: 6379
+    # Set password directly here instead of relying on potentially problematic env var
     password: ${AUTHELIA_REDIS_PASSWORD}
     database_index: 0
+  # Define session domains explicitly
+  domains:
+    - domain: ${APP_HOSTNAME} # Use the renamed variable from .env
+      default_redirection_url: https://${APP_HOSTNAME}/home # Default redirect after login
+      # Optional: Define specific Authelia portal URL if different from domain root
+      # authelia_url: https://${APP_HOSTNAME}/
 
 # Regulation (brute force protection)
 regulation:
@@ -34,10 +39,11 @@ regulation:
   ban_time: 5m
 
 # Storage (for user preferences, etc. - encrypted using storage key)
+# Using SQLite as defined. Ensure Redis above is only for session state.
 storage:
   encryption_key: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
   local:
-    path: /config/db.sqlite3 # Example using SQLite for simple storage needs
+    path: /config/db.sqlite3
 
 # Authentication backend (using file-based user database)
 authentication_backend:
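Review bot: The new `session.domains` list in the first hunk does not match the released 4.38 schema as far as I know: the per-domain list is `session.cookies`, and each entry needs `authelia_url` alongside `domain` (here it is left commented out as optional). Authelia validates configuration keys at startup, so I would expect an unexpected `domains` key to stop the container rather than silently fall back to old behaviour; please verify against the 4.38 session reference before merging. Suggested entry: `cookies:` / `- domain: ${APP_HOSTNAME}` / `authelia_url: https://${APP_HOSTNAME}/`, keeping the existing `default_redirection_url` line beneath it. Separately, the comment `# Set password directly here instead of relying on potentially problematic env var` is misleading because the value is still `${AUTHELIA_REDIS_PASSWORD}`; every secret in this file depends on environment expansion being enabled for the config file, which is not visible in this diff, so a short comment at the top naming how that expansion is provided would help the next reader.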
@@ -56,21 +62,28 @@ access_control:
   default_policy: deny # Deny access by default
   rules:
     # Rule to allow authenticated users access to the domain
-    - domain: ${AUTHELIA_SESSION_DOMAIN}
+    # Use the renamed variable APP_HOSTNAME here as well
+    - domain: ${APP_HOSTNAME}
       policy: one_factor # Requires username/password
 
-# Notifier (Optional, for password resets, etc. - configure if needed)
-# notifier:
-# smtp:
-# address: smtp.example.com:587
-# username: user@example.com
-# password: password
-# sender: Authelia
-# subject: "[Authelia] {title}"
-# startup_check_address: test@authelia.com
+# Notifier configuration (Required since v4.38+)
+# Added basic filesystem notifier to satisfy the requirement.
+# Configure SMTP if you need email notifications (e.g., password reset).
+notifier:
+  filesystem:
+    filename: /config/notification.txt
+  # smtp:
+  # address: smtp.example.com:587
+  # username: user@example.com
+  # password: password # Consider using secrets
+  # sender: Authelia
+  # subject: "[Authelia] {title}"
+  # startup_check_address: test@authelia.com
 
-# JWT configuration (used for forwardAuth)
-jwt_secret: ${AUTHELIA_JWT_SECRET}
+# Identity Validation (includes JWT secret for password reset, moved from top level)
+identity_validation:
+  reset_password:
+    jwt_secret: ${AUTHELIA_JWT_SECRET} # Moved from top level
 
 # Identity Providers (None configured for this setup)
 identity_providers:
diff --git a/docker-compose.yml b/docker-compose.yml
index 67e76b3..cb59bea 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
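Review bot: The new `notifier.filesystem` block writes every notification, including password-reset links and their one-time tokens, to `/config/notification.txt` in plaintext, so anyone who can read the `/config` volume can complete a reset for any user. That is a reasonable bootstrap stopgap, but it should be stated next to the block and paired with either restricted read access to that file or resets disabled until SMTP is configured, i.e. under the `authentication_backend:` section (outside this hunk) `password_reset:` / `disable: true`. Suggested comment above `filesystem:`: `# Reset links/tokens land in this file in plaintext: restrict read access to the /config volume, or disable password_reset until SMTP is set up.`. The `access_control` block edited at the top of this hunk starts before the hunk.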
@@ -56,19 +56,19 @@ services:
     labels:
       - traefik.enable=true
       # Rule for Authelia portal itself (handles internal paths like /api, /logout etc.)
-      - traefik.http.routers.authelia.rule=Host(`${HOSTNAME}`)
+      - traefik.http.routers.authelia.rule=PathPrefix(`/`)
       - traefik.http.routers.authelia.entrypoints=web
       - traefik.http.routers.authelia.priority=100 # High priority to catch root path
       - traefik.http.services.authelia.loadbalancer.server.port=9091
       # Define the forwardAuth middleware
-      - traefik.http.middlewares.authelia-auth.forwardAuth.address=http://authelia:9091/api/verify?rd=https://${HOSTNAME}/
+      - traefik.http.middlewares.authelia-auth.forwardAuth.address=http://authelia:9091/api/verify?rd=https://${APP_HOSTNAME}/
       - traefik.http.middlewares.authelia-auth.forwardAuth.trustForwardHeader=true
       - traefik.http.middlewares.authelia-auth.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
       # Homepage labels for Authelia itself (optional, but can be nice)
       - homepage.group=Security
       - homepage.name=Authelia
       - homepage.icon=authelia.png # You might need to add this icon
-      - homepage.href=https://${HOSTNAME}/ # Link to the login portal
+      - homepage.href=https://${APP_HOSTNAME}/ # Link to the login portal
       - homepage.description=Authentication Portal
   sonarr:
     image: lscr.io/linuxserver/sonarr
@@ -532,7 +532,7 @@ services:
     labels:
       - traefik.enable=true
       # Rule for homepage, now at /home, needs auth
-      - traefik.http.routers.homepage.rule=Host(`${HOSTNAME}`) && PathPrefix(`/home`)
+      - traefik.http.routers.homepage.rule=PathPrefix(`/home`)
       - traefik.http.routers.homepage.entrypoints=web
       - traefik.http.routers.homepage.priority=10 # Lower priority than Authelia's root rule
       - traefik.http.middlewares.homepage-stripprefix.stripPrefix.prefixes=/home
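Review bot: With the `Host()` matcher dropped, the Authelia router in the first hunk is a catch-all PathPrefix on `/` at `priority=100`, and Traefik evaluates the higher priority first, so the homepage router in the second hunk (PathPrefix on `/home`, `priority=10`) can never match; `/home` requests are handed to Authelia unless something outside these hunks distinguishes them, and the two existing comments read the priority order backwards. Either raise the homepage router above the catch-all, e.g. `- traefik.http.routers.homepage.priority=200 # must outrank the Authelia catch-all router`, or narrow the Authelia rule to the paths the portal actually serves. Removing the host match also means the portal now answers on any Host header that reaches the `web` entrypoint (Tailscale IP, container name), while the session cookie domain and the fixed `rd=https://${APP_HOSTNAME}/` target are tied to `APP_HOSTNAME`, so such requests will most likely fail or loop at login; a comment saying the portal must be reached via `APP_HOSTNAME` would stop that being mistaken for a misconfiguration. Keeping the redirect target fixed rather than derived from the request is the right choice, as it prevents the forwardAuth redirect from becoming an open redirect.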