refactor(update-setup): Enhance configuration update process with error handling and summary reporting

- Removed outdated configuration files and scripts.
- Introduced a new setup script to streamline environment and Authelia configuration updates.
- Enhanced .gitignore to exclude unnecessary files.
- Updated README to reflect new setup process and configuration details for Authelia v4.38+.

.gitignore

@@ -1,9 +1,8 @@
 *.env
-*.bak
 .idea
 docker-compose.override.yml
 /authelia/*.yml
-!/authelia/*.example.yml
+!/authelia/configuration.example.yml
 /homepage/logs
 /homepage/*.yaml
 /homepage/*.css

README.md

@@ -14,22 +14,19 @@ The core idea is to manage media libraries (movies, TV shows, music), automate d
   - [Required Setup Steps](#required-setup-steps)
   - [Quick Start Guide](#quick-start-guide)
   - [Configuration (`.env` Variables)](#configuration-env-variables)
-    - [Core System \& Paths](#core-system--paths)
+      - [Core System \& Paths](#core-system--paths)
-    - [Networking \& Access (Tailscale)](#networking--access-tailscale)
+      - [Networking \& Access (Tailscale)](#networking--access-tailscale)
-    - [Authentication (Authelia)](#authentication-authelia)
+      - [Authentication (Authelia)](#authentication-authelia)
-    - [Service Credentials](#service-credentials)
+      - [Service Credentials](#service-credentials)
-    - [Homepage Customization \& Widgets](#homepage-customization--widgets)
+      - [Homepage Customization \& Widgets](#homepage-customization--widgets)
-    - [Optional Features \& Services](#optional-features--services)
+      - [Optional Features \& Services](#optional-features--services)
   - [Detailed Setup \& Usage](#detailed-setup--usage)
     - [Authelia User Management](#authelia-user-management)
     - [(Optional) VPN Configuration](#optional-vpn-configuration)
     - [(Optional) Traefik DNS Challenge](#optional-traefik-dns-challenge)
   - [Service Access](#service-access)
-    - [Setup Script Commands (`update-setup.sh`)](#setup-script-commands-update-setupsh)
-    - [Managing Service Authentication](#managing-service-authentication-authelia-policies)
   - [Optional Services](#optional-services)
   - [Troubleshooting](#troubleshooting)
-    - [Middleware Not Found Errors](#middleware-not-found-errors)
     - [SELinux Socket Permissions (Docker)](#selinux-socket-permissions-docker)
     - [Authelia v4.38+ Configuration](#authelia-v438-configuration)
     - [Tailscale Issues](#tailscale-issues)
@@ -40,64 +37,58 @@ The core idea is to manage media libraries (movies, TV shows, music), automate d
 
 This stack uses a combination of key services for routing, access, and security:
 
-- **[Tailscale](https://tailscale.com):** Provides a secure overlay network (WireGuard-based VPN) connecting your devices. It allows access to the NAS services from anywhere without opening firewall ports and handles HTTPS termination via its built-in `tailscale serve` or `tailscale funnel` features. All other services run within Tailscale's network namespace.
+*   **[Tailscale](https://tailscale.com):** Provides a secure overlay network (WireGuard-based VPN) connecting your devices. It allows access to the NAS services from anywhere without opening firewall ports and handles HTTPS termination via its built-in `tailscale serve` or `tailscale funnel` features. All other services run within Tailscale's network namespace.
-- **[Traefik](https://traefik.io):** Acts as a reverse proxy *within* the Tailscale network. It discovers services via Docker labels and routes incoming requests (from Tailscale) to the appropriate container based on paths (e.g., `/sonarr`, `/radarr`).
+*   **[Traefik](https://traefik.io):** Acts as a reverse proxy *within* the Tailscale network. It discovers services via Docker labels and routes incoming requests (from Tailscale) to the appropriate container based on paths (e.g., `/sonarr`, `/radarr`).
-- **[Authelia](https://www.authelia.com):** Serves as the authentication gateway. Traefik forwards requests to Authelia for verification. If a user isn't logged in, they are redirected to the Authelia portal (`/`). Once authenticated, Authelia sets a session cookie (stored in Redis), and Traefik allows access to the requested service. You can configure which services require authentication via environment variables.
+*   **[Authelia](https://www.authelia.com):** Serves as the authentication gateway. Traefik forwards requests to Authelia for verification. If a user isn't logged in, they are redirected to the Authelia portal (`/`). Once authenticated, Authelia sets a session cookie (stored in Redis), and Traefik allows access to the requested service.
 
 ## Features
 
 This stack includes the following services, categorized for clarity:
 
 **Core Infrastructure:**
-
+*   **Reverse Proxy:** [Traefik](https://traefik.io) - Manages internal routing and service discovery.
-- **Reverse Proxy:** [Traefik](https://traefik.io) - Manages internal routing and service discovery.
+*   **Secure Remote Access:** [Tailscale](https://tailscale.com) - Provides VPN access and HTTPS.
-- **Secure Remote Access:** [Tailscale](https://tailscale.com) - Provides VPN access and HTTPS.
+*   **Authentication:** [Authelia](https://www.authelia.com) & [Redis](https://redis.io) - Single sign-on portal and session management.
-- **Authentication:** [Authelia](https://www.authelia.com) & [Redis](https://redis.io) - Single sign-on portal and session management.
+*   **Dashboard:** [Homepage](https://gethomepage.dev) - Centralized access point (at `/home`).
-- **Dashboard:** [Homepage](https://gethomepage.dev) - Centralized access point (at `/home`).
 
 **Media Management (\*Arr Suite):**
-
+*   [Sonarr](https://sonarr.tv): TV show management.
-- [Sonarr](https://sonarr.tv): TV show management.
+*   [Radarr](https://radarr.video): Movie management.
-- [Radarr](https://radarr.video): Movie management.
+*   [Lidarr](https://lidarr.audio) (Optional): Music management.
-- [Lidarr](https://lidarr.audio) (Optional): Music management.
+*   [Bazarr](https://www.bazarr.media/): Subtitle management.
-- [Bazarr](https://www.bazarr.media/): Subtitle management.
+*   [Prowlarr](https://github.com/Prowlarr/Prowlarr): Indexer management for *arr apps.
-- [Prowlarr](https://github.com/Prowlarr/Prowlarr): Indexer management for *arr apps.
 
 **Download Clients:**
-
+*   [qBittorrent](https://www.qbittorrent.org): Bittorrent client.
-- [qBittorrent](https://www.qbittorrent.org): Bittorrent client.
+*   [SABnzbd](https://sabnzbd.org/) (Optional): Usenet download client.
-- [SABnzbd](https://sabnzbd.org/) (Optional): Usenet download client.
 
 **Media Serving & Requests:**
-
+*   [Jellyfin](https://jellyfin.org): Media server for streaming.
-- [Jellyfin](https://jellyfin.org): Media server for streaming.
+*   [Jellyseerr](https://github.com/FallenBagel/jellyseerr): Media request management.
-- [Jellyseerr](https://github.com/FallenBagel/jellyseerr): Media request management.
 
 **Utilities:**
-
+*   [Watchtower](https://containrrr.dev/watchtower/): Automatic container updates.
-- [Watchtower](https://containrrr.dev/watchtower/): Automatic container updates.
+*   [Autoheal](https://github.com/willfarrell/docker-autoheal/): Automatic container restarts on failure.
-- [Autoheal](https://github.com/willfarrell/docker-autoheal/): Automatic container restarts on failure.
+*   [Unpackerr](https://unpackerr.zip): Automated archive extraction.
-- [Unpackerr](https://unpackerr.zip): Automated archive extraction.
 
 **Optional Services (Enabled via Profiles):**
-
+*   [AdGuard Home](https://adguard.com/en/adguard-home/overview.html): Network-wide ad blocking.
-- [AdGuard Home](https://adguard.com/en/adguard-home/overview.html): Network-wide ad blocking.
+*   [Calibre-Web](https://github.com/janeczku/calibre-web): E-book library management.
-- [Calibre-Web](https://github.com/janeczku/calibre-web): E-book library management.
+*   [Decluttarr](https://github.com/manimatter/decluttarr): Automated download cleanup.
-- [Decluttarr](https://github.com/manimatter/decluttarr): Automated download cleanup.
+*   [Tandoor Recipes](https://docs.tandoor.dev/): Recipe management.
-- [Tandoor Recipes](https://docs.tandoor.dev/): Recipe management.
+*   [Joplin Server](https://joplinapp.org/): Note-taking synchronization server.
-- [Joplin Server](https://joplinapp.org/): Note-taking synchronization server.
+*   [Home Assistant](https://www.home-assistant.io/): Home automation platform.
-- [Home Assistant](https://www.home-assistant.io/): Home automation platform.
+*   [Immich](https://immich.app/): Self-hosted photo and video backup.
-- [Immich](https://immich.app/): Self-hosted photo and video backup.
+*   [FlareSolverr](https://github.com/FlareSolverr/FlareSolverr): Bypasses Cloudflare challenges (e.g., for Prowlarr).
-- [FlareSolverr](https://github.com/FlareSolverr/FlareSolverr): Bypasses Cloudflare challenges (e.g., for Prowlarr).
 
 ## Prerequisites
 
-- **Linux Host:** A system capable of running Docker (e.g., Ubuntu, Debian, Fedora).
+*   **Linux Host:** A system capable of running Docker (e.g., Ubuntu, Debian, Fedora).
-- **Docker & Docker Compose:** Latest versions installed. See [Docker Engine Install](https://docs.docker.com/engine/install/) and [Docker Compose Install](https://docs.docker.com/compose/install/).
+*   **Docker & Docker Compose:** Latest versions installed. See [Docker Engine Install](https://docs.docker.com/engine/install/) and [Docker Compose Install](https://docs.docker.com/compose/install/).
-- **User Permissions:** Ability to run `docker` commands (user in `docker` group or use `sudo`).
+*   **User Permissions:** Ability to run `docker` commands (user in `docker` group or use `sudo`).
-- **Basic Linux Knowledge:** Familiarity with command line, text editors, and file permissions.
+*   **Basic Linux Knowledge:** Familiarity with command line, text editors, and file permissions.
-- **Tailscale Account:** Required for remote access. [Sign up here](https://tailscale.com/login).
+*   **Tailscale Account:** Required for remote access. [Sign up here](https://tailscale.com/login).
-- **(Optional) SELinux:** If enabled, see [Troubleshooting](#selinux-socket-permissions-docker).
+*   **(Optional) SELinux:** If enabled, see [Troubleshooting](#selinux-socket-permissions).
 
 ## Required Setup Steps
 
@@ -120,30 +111,19 @@ These steps are **mandatory** for a working installation. Without properly compl
 
 4. **⚠️ Required: Security Credentials**
    - Generate four strong random secrets using `openssl rand -hex 32`:
-
      ```bash
      echo "AUTHELIA_JWT_SECRET=$(openssl rand -hex 32)"
      echo "AUTHELIA_SESSION_SECRET=$(openssl rand -hex 32)"
      echo "AUTHELIA_STORAGE_ENCRYPTION_KEY=$(openssl rand -hex 32)"
      echo "AUTHELIA_REDIS_PASSWORD=$(openssl rand -hex 32)"
      ```
-
    - Add these to your `.env` file as shown
    
-5. **⚠️ Required: Create Authelia Account**
+5. **⚠️ Required: Create Admin Password**
-   - Create an Authelia account (only for yourself and those you trust!)
-
-     ```bash
-     docker run --rm authelia/authelia:latest authelia hash-password 'your_secure_password'
-     ```
-
-6. **ℹ️ Optional: Set up**
    - Generate a password hash for Authelia:
-
      ```bash
      docker run --rm authelia/authelia:latest authelia hash-password 'your_secure_password'
      ```
-
    - Replace the example hash in `authelia/users_database.yml` with your generated hash
 
 ## Quick Start Guide
@@ -151,14 +131,12 @@ These steps are **mandatory** for a working installation. Without properly compl
 After completing all [Required Setup Steps](#required-setup-steps) above, follow these steps to get up and running:
 
 1. **Clone Repository:**
-
    ```bash
    git clone https://github.com/AdrienPoupa/docker-compose-nas.git
    cd docker-compose-nas
    ```
 
 2. **Configure Environment:**
-
    ```bash
    # Create an .env file from the example
    cp .env.example .env
@@ -168,7 +146,6 @@ After completing all [Required Setup Steps](#required-setup-steps) above, follow
    ```
 
 3. **Configure Authelia Admin:**
-
    ```bash
    # Generate a password hash
    docker run --rm authelia/authelia:latest authelia hash-password 'your_secure_password'
@@ -178,29 +155,23 @@ After completing all [Required Setup Steps](#required-setup-steps) above, follow
    ```
 
 4. **Run the Setup Script:**
-
    ```bash
    # Make the script executable
    chmod +x ./update-setup.sh
    
-   # Run the setup tool (use 'all' for initial setup)
+   # Run the setup tool
-   ./update-setup.sh all
+   ./update-setup.sh
    ```
-
+   This interactive script will guide you through:
-   This script will:
+   - Updating your `.env` file while preserving existing values
-   - Update your `.env` file while preserving existing values (`update-env`).
+   - Configuring Authelia with your Tailscale domain settings
-   - Configure Authelia with your Tailscale domain settings (`update-authelia`).
+   - Setting up service configurations and retrieving API keys
-   - Set up service configurations and retrieve API keys (`update-services`).
-
-   You can also run individual commands like `./update-setup.sh update-authelia`. Run `./update-setup.sh help` for all options.
 
 5. **Start the Stack:**
-
    ```bash
    # Start containers
    docker compose up -d
    ```
-
    *(Wait for containers to download and start)*
 
 6. **Access Your NAS:**
@@ -245,6 +216,8 @@ This file controls essential settings. Copy `.env.example` to `.env` and modify
 | **`AUTHELIA_SESSION_SECRET`**       | **Required.** Random secret for session cookies. **Generate your own!**                                                                   | *(None - Example in file)*   |
 | **`AUTHELIA_STORAGE_ENCRYPTION_KEY`** | **Required.** Random secret for encrypting data at rest (e.g., SQLite DB). **Generate your own!**                                         | *(None - Example in file)*   |
 | **`AUTHELIA_REDIS_PASSWORD`**       | **Required.** Password for the Redis database (used for session storage). **Generate your own!**                                            | *(None - Example in file)*   |
+| `AUTHELIA_SESSION_DOMAIN`           | *Deprecated.* Domain for session cookies. Should match `APP_HOSTNAME`. (Handled within `authelia/configuration.yml` in v4.38+)              | `${APP_HOSTNAME}`            |
+| `AUTHELIA_DEFAULT_REDIRECT_URL`     | *Deprecated.* Where users land after login. (Handled within `authelia/configuration.yml` in v4.38+)                                         | `https://${APP_HOSTNAME}/home` |
 
 #### Service Credentials
 
@@ -307,23 +280,20 @@ This file controls essential settings. Copy `.env.example` to `.env` and modify
 
 Authelia uses the `authelia/users_database.yml` file to manage users.
 
-- **Setting the Initial Admin Password:**
+*   **Setting the Initial Admin Password:**
-    1. As mentioned in the Quick Start, you **must** set a strong password for the default `admin` user.
+    1.  As mentioned in the Quick Start, you **must** set a strong password for the default `admin` user.
-    2. Generate a hash using Docker (replace `'your_secure_password'`):
+    2.  Generate a hash using Docker (replace `'your_secure_password'`):
-
         ```bash
         docker run --rm authelia/authelia:latest authelia hash-password 'your_secure_password'
         ```
+    3.  Copy the **entire output hash** (starting with `$argon2id...`).
+    4.  Open `authelia/users_database.yml` and replace the example `password:` value under `admin:` with your generated hash.
+    5.  Ensure the `admin` user belongs to the `admins` and `users` groups as shown in the example.
 
-    3. Copy the **entire output hash** (starting with `$argon2id...`).
+*   **Adding More Users:**
-    4. Open `authelia/users_database.yml` and replace the example `password:` value under `admin:` with your generated hash.
+    1.  Generate a password hash for the new user as shown above.
-    5. Ensure the `admin` user belongs to the `admins` and `users` groups as shown in the example.
+    2.  Edit `authelia/users_database.yml`.
-
+    3.  Add a new entry under `users:`, following the format of the `admin` user:
-- **Adding More Users:**
-    1. Generate a password hash for the new user as shown above.
-    2. Edit `authelia/users_database.yml`.
-    3. Add a new entry under `users:`, following the format of the `admin` user:
-
         ```yaml
         users:
           admin:
@@ -335,31 +305,30 @@ Authelia uses the `authelia/users_database.yml` file to manage users.
             groups:
               - users # Add to 'admins' group if needed
         ```
+    4.  Save the file. Authelia should pick up the changes automatically (or restart the Authelia container: `docker compose restart authelia`).
 
-    4. Save the file and restart Authelia: `docker compose restart authelia`.
+*   **Enabling User Registration (Optional):**
+    1.  Edit `authelia/configuration.yml`.
+    2.  Find the commented-out `registration:` section near the bottom.
+    3.  Uncomment it and set `enable: true`:
+        ```yaml
+        # registration:
+        #   enable: false # Set to true to enable registration form
+        ```
+        becomes:
+        ```yaml
+        registration:
+          enable: true
+        ```
+    4.  Save the file and restart Authelia (`docker compose restart authelia`).
+    5.  A "Register" link will now appear on the Authelia login page.
 
-- **Adding/Updating Users (Recommended Method):**
+*   **Approving Registered Users:**
-    Use the setup script's interactive tool:
+    1.  When a user registers (if enabled), their details are added to `authelia/users_database.yml` but marked as `disabled: true`.
-
+    2.  To approve them, edit `authelia/users_database.yml`.
-    ```bash
+    3.  Find the new user's entry.
-    ./update-setup.sh manage-accounts
+    4.  Change `disabled: true` to `disabled: false` (or simply remove the `disabled: true` line).
-    ```
+    5.  Save the file. The user should now be able to log in.
-
-    This script handles password hashing and file formatting, reducing the chance of errors. It will prompt you for the username, display name, email, and groups, then generate a secure password hash.
-
-- **Enabling User Registration (Optional):**
-    1. Edit `authelia/configuration.yml`.
-    2. Find the commented-out `registration:` section near the bottom.
-    3. Uncomment it and set `enable: true`.
-    4. Save the file and restart Authelia (`docker compose restart authelia`).
-    5. A "Register" link will now appear on the Authelia login page.
-
-- **Approving Registered Users:**
-    1. When a user registers (if enabled), their details are added to `authelia/users_database.yml` but marked as `disabled: true`.
-    2. To approve them, edit `authelia/users_database.yml`.
-    3. Find the new user's entry.
-    4. Change `disabled: true` to `disabled: false` (or simply remove the `disabled: true` line).
-    5. Save the file. The user should now be able to log in.
 
 ### (Optional) VPN Configuration
 
@@ -371,103 +340,54 @@ Authelia uses the `authelia/users_database.yml` file to manage users.
 
 ## Service Access
 
-With the default Tailscale setup and Authelia enabled, services are securely accessible via HTTPS using your Tailscale node's name or IP. Authentication is controlled by the included `update-setup.sh` script.
+With the default Tailscale setup and Authelia enabled, services are securely accessible via HTTPS using your Tailscale node's name or IP. Access requires authentication via Authelia.
 
-- **Login Portal:** `https://<TAILSCALE_NODE>/` (Redirects unauthenticated users here for secured services)
+*   **Login Portal:** `https://<TAILSCALE_NODE>/` (Redirects unauthenticated users here)
-- **Homepage Dashboard:** `https://<TAILSCALE_NODE>/home` (Requires login by default)
+*   **Homepage Dashboard:** `https://<TAILSCALE_NODE>/home` (Accessible after login)
-- **Sonarr:** `https://<TAILSCALE_NODE>/sonarr` (Requires login by default)
+*   **Sonarr:** `https://<TAILSCALE_NODE>/sonarr` (Requires login)
-- **Radarr:** `https://<TAILSCALE_NODE>/radarr` (Requires login by default)
+*   **Radarr:** `https://<TAILSCALE_NODE>/radarr` (Requires login)
-- **qBittorrent:** `https://<TAILSCALE_NODE>/qbittorrent` (Requires login by default)
+*   **qBittorrent:** `https://<TAILSCALE_NODE>/qbittorrent`
-- **Jellyfin:** `https://<TAILSCALE_NODE>/jellyfin` (Requires login by default)
+*   **Jellyfin:** `https://<TAILSCALE_NODE>/jellyfin`
-- ...and so on.
+*   ...and so on.
 
 Replace `<TAILSCALE_NODE>` with your Tailscale device name (e.g., `tailscale-nas.your-tailnet.ts.net`) or its Tailscale IP address.
 
 If you configure DNS for your `APP_HOSTNAME` variable to point to the Tailscale IP, you can use `https://<APP_HOSTNAME>/<service_path>`.
 
-### Setup Script Commands (`update-setup.sh`)
-
-The `update-setup.sh` script provides various commands to manage your configuration. Run `./update-setup.sh help` to see all options.
-
-**Core Setup & Updates:**
-
-- `./update-setup.sh update-env`: Updates `.env` from `.env.example`, preserving existing values and highlighting new/deprecated keys.
-- `./update-setup.sh update-authelia`: Updates `authelia/configuration.yml` from the example, applying domain settings from `.env` and attempting to preserve secrets (uses `yq` if available).
-- `./update-setup.sh update-services`: Updates configurations for running *arr/qBittorrent/Bazarr containers (sets URL base, extracts API keys to `.env`). Restarts affected containers.
-- `./update-setup.sh all`: Runs `update-env`, `update-authelia`, and `update-services` sequentially. Recommended for initial setup and major updates.
-
-**Authelia Policy Management:**
-
-- `./update-setup.sh manage-policies`: Starts an interactive menu to list or set Authelia access policies (`one_factor`, `two_factor`, `bypass`, `deny`) for specific services defined in `authelia/configuration.yml`.
-- `./update-setup.sh list-policies`: Lists services defined in `authelia/configuration.yml` and their current access policy.
-- `./update-setup.sh set-policy <service> <policy>`: Directly sets the Authelia access policy for the specified `<service>` to the given `<policy>` (e.g., `one_factor`, `two_factor`, `bypass`, `deny`).
-
-> **Important:** After changing Authelia policies using `manage-policies` or `set-policy`, you **must** restart Authelia for the changes to take effect:
->
-> ```bash
-> docker compose restart authelia
-> ```
-
-**User & File Management:**
-
-- `./update-setup.sh manage-accounts`: Starts an interactive tool to add or update users in `authelia/users_database.yml`. It generates password hashes and prompts for user details.
-- `./update-setup.sh cleanup`: Interactively finds and deletes old backup files (`.bak`) created by the script. Allows keeping the most recent backup of each type.
-
-**Help:**
-
-- `./update-setup.sh help`: Displays the full list of commands and usage instructions.
-
-### Managing Service Authentication (Authelia Policies)
-
-Use the `update-setup.sh` script to easily control which services require Authelia login and what level of authentication is needed. This is done by managing *access control rules* within Authelia's configuration (`authelia/configuration.yml`).
-
-See the `Authelia Policy Management` commands in the [Setup Script Commands](#setup-script-commands-update-setupsh) section above for details on how to list and set policies like `one_factor`, `two_factor`, `bypass`, or `deny` for each service.
-
 ## Optional Services
 
 Several services are included but disabled by default. Enable them by adding their profile name to the `COMPOSE_PROFILES` variable in your `.env` file (separate multiple profiles with commas).
 
 Example: Enable Lidarr and SABnzbd
-
 ```dotenv
 COMPOSE_PROFILES=lidarr,sabnzbd
 ```
 
 Available Profiles:
-
+*   `lidarr`: Music management.
-- `lidarr`: Music management.
+*   `sabnzbd`: Usenet download client.
-- `sabnzbd`: Usenet download client.
+*   `flaresolverr`: Bypasses Cloudflare challenges for Prowlarr.
-- `flaresolverr`: Bypasses Cloudflare challenges for Prowlarr.
+*   `adguardhome`: Network-wide ad blocking (see `adguardhome/README.md`).
-- `adguardhome`: Network-wide ad blocking (see `adguardhome/README.md`).
+*   `calibre-web`: E-book library management.
-- `calibre-web`: E-book library management.
+*   `decluttarr`: Automated download cleanup.
-- `decluttarr`: Automated download cleanup.
+*   `tandoor`: Recipe management (see `tandoor/README.md`).
-- `tandoor`: Recipe management (see `tandoor/README.md`).
+*   `joplin`: Note-taking server (see `joplin/README.md`).
-- `joplin`: Note-taking server (see `joplin/README.md`).
+*   `homeassistant`: Home automation (see `homeassistant/README.md`).
-- `homeassistant`: Home automation (see `homeassistant/README.md`).
+*   `immich`: Photo management (see `immich/README.md`).
-- `immich`: Photo management (see `immich/README.md`).
 
 ## Troubleshooting
 
-### Middleware Not Found Errors
-
-If you see error messages like `middleware "authelia-auth@docker" does not exist` in the Traefik logs, please check Authelia logs for any fatal errors. It is likely due to a misconfigured `configuration.yml` in `authelia/configuration.yml`
-
-Make sure Traefik can access the Docker socket. See the [SELinux Socket Permissions](#selinux-socket-permissions-docker) section below for more details.
-
 ### SELinux Socket Permissions (Docker)
 
 If you are running Docker on a host with SELinux enabled (like Fedora, CentOS, RHEL) and services like Traefik, Watchtower, or Autoheal fail with "permission denied" errors when trying to access `/var/run/docker.sock`:
 
-1. **Check Audit Logs:** Immediately after seeing the error, check the SELinux audit log on the host:
+1.  **Check Audit Logs:** Immediately after seeing the error, check the SELinux audit log on the host:
-
     ```bash
     sudo ausearch -m avc -ts recent
     ```
-
     Look for lines containing `denied`, `docker.sock`, and the name of the failing service (e.g., `traefik`, `watchtower`).
 
-2. **Generate Custom Policy:** If denials are found, you may need to create a custom SELinux policy module using `audit2allow`. Pipe the denial messages into it:
+2.  **Generate Custom Policy:** If denials are found, you may need to create a custom SELinux policy module using `audit2allow`. Pipe the denial messages into it:
-
     ```bash
     # Generate policy files (my-dockersock.te and my-dockersock.pp)
     sudo ausearch -m avc -ts recent | audit2allow -M my-dockersock
@@ -475,7 +395,6 @@ If you are running Docker on a host with SELinux enabled (like Fedora, CentOS, R
     # Install the policy module
     sudo semodule -i my-dockersock.pp
     ```
-
     This allows the specific actions that were being denied. You might need to repeat this if different denials appear after applying the first policy.
 
 ### Authelia v4.38+ Configuration
@@ -500,17 +419,17 @@ Authelia v4.38+ introduces significant changes to its configuration structure, p
    - Configures cookie domains properly to avoid Public Suffix List issues
    - Sets up proper access control rules for both your domain and its subdomains
 
-If you encounter any of these common errors:
+4. **File Permissions**: The Authelia container runs with your user ID and group ID, preventing permission issues when managing the configuration files with git or other tools.
 
-```log
+If you encounter any of these common errors, running the setup script should resolve them:
+```
 error: option 'domain' is not a valid cookie domain: the domain is part of the special public suffix list
 error: option 'authelia_url' does not share a cookie scope with domain
 error: can't be specified at the same time: option 'domain' and option 'cookies'
 configuration key 'jwt_secret' is deprecated in 4.38.0
 ```
 
-Running the setup script should resolve them. After making changes to the configuration, restart Authelia with:
+After making changes to the configuration, restart Authelia with:
-
 ```bash
 docker compose restart authelia
 ```
@@ -519,17 +438,16 @@ See the [Authelia documentation](https://www.authelia.com/configuration/session/
 
 ### Tailscale Issues
 
-- **Authentication:** Ensure your `TAILSCALE_AUTHKEY` in `.env` is valid and hasn't expired (especially if using ephemeral keys). Check the `tailscale` container logs (`docker compose logs tailscale`) for authentication errors.
+*   **Authentication:** Ensure your `TAILSCALE_AUTHKEY` in `.env` is valid and hasn't expired (especially if using ephemeral keys). Check the `tailscale` container logs (`docker compose logs tailscale`) for authentication errors.
-- **Connectivity:** Verify the `tailscale` container is running and connected to your Tailnet (`docker compose exec tailscale tailscale status`).
+*   **Connectivity:** Verify the `tailscale` container is running and connected to your Tailnet (`docker compose exec tailscale tailscale status`).
-- **Funnel/Serve Command:** If you modified the Tailscale command, ensure the syntax for `tailscale funnel` or `tailscale serve` is correct.
+*   **Funnel/Serve Command:** If you modified the Tailscale command, ensure the syntax for `tailscale funnel` or `tailscale serve` is correct.
 
 ### File Permissions
 
 If services report permission errors when accessing `/config` or `/data` directories, double-check that:
-
+*   The `USER_ID` and `GROUP_ID` in your `.env` file match the owner/group of the corresponding `CONFIG_ROOT` and `DATA_ROOT` directories on your host.
-- The `USER_ID` and `GROUP_ID` in your `.env` file match the owner/group of the corresponding `CONFIG_ROOT` and `DATA_ROOT` directories on your host.
+*   The host directories have appropriate read/write permissions for that user/group.
-- The host directories have appropriate read/write permissions for that user/group.
+*   If using SELinux, the `:Z` flag on the volume mounts in `docker-compose.yml` is correctly applied to allow the container to write to the host paths.
-- If using SELinux, the `:Z` flag on the volume mounts in `docker-compose.yml` is correctly applied to allow the container to write to the host paths.
 
 ## Advanced Topics
 

authelia/configuration.example.yml

@@ -54,76 +54,14 @@ authentication_backend:
 
 # Access control rules
 access_control:
-  default_policy: deny # Deny access by default
+  default_policy: deny
   rules:
-    # Rules are processed in order. First match wins.
+    # This will match any subdomain of your specific Tailscale domain
-    # It's recommended to put more specific rules first.
-
-    # 1. Bypass rules (No authentication required)
-    # Allow access to Authelia's own endpoints
     - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/auth.*' # Match /auth and anything after it
-      policy: bypass
-    # Allow access to the root path (will be redirected by Traefik later)
-    - domain: '*.your-tailnet.ts.net'
-      path: '/'
-      policy: bypass
-    # Allow access to API endpoints (as requested, review security implications)
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/api.*' # Match /api and anything after it
-      policy: bypass
-
-    # 2. One-Factor Authentication Rules (Requires login)
-    # Add rules for each service you want to protect.
-    # The domain should match your Tailscale domain.
-    # The path should match the Traefik PathPrefix for the service.
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/sonarr.*'
       policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
+    # Also match the main domain without subdomain
-      path_regex: '^/radarr.*'
+    - domain: 'your-tailnet.ts.net'
       policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/lidarr.*'
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/bazarr.*'
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/qbittorrent.*'
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/sabnzbd.*'
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/calibre.*'
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/home.*' # Protect the homepage
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/jellyseerr.*'
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/prowlarr.*'
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/flaresolverr.*'
-      policy: one_factor
-    # Add other services here following the pattern:
-    # - domain: '*.your-tailnet.ts.net'
-    #   path_regex: '^/<service_path>.*'
-    #   policy: one_factor
-
-    # 3. Default rule for the domain (optional, if you want a catch-all)
-    # This rule will apply if no path-specific rule above matches.
-    # You might want to deny or require one_factor for unmatched paths.
-    # Example: Deny any other path on the domain
-    # - domain: '*.your-tailnet.ts.net'
-    #   policy: deny
-    # Example: Require login for any other path
-    # - domain: '*.your-tailnet.ts.net'
-    #   policy: one_factor
 
 # Notifier configuration
 notifier:

docker-compose.yml

@@ -13,11 +13,14 @@ services:
       - --experimental.plugins.rewrite-body.version=v1.2.0
       - --experimental.plugins.rewriteHeaders.modulename=github.com/XciD/traefik-plugin-rewrite-headers
       - --experimental.plugins.rewriteHeaders.version=v0.0.3
-      - --providers.docker.network=docker-compose-nas
+    network_mode: service:tailscale # Add this line
-      - --providers.docker.endpoint=unix:///var/run/docker.sock
+    # ports: # Remove this section
-    network_mode: service:tailscale
+    #   - "80:80"
+    #   - "443:443"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
+    # extra_hosts: # Remove this section
+    #   - host.docker.internal:172.17.0.1
     healthcheck:
       test: ["CMD", "traefik", "healthcheck", "--ping"]
       interval: 30s
@@ -28,11 +31,11 @@ services:
     restart: always
     environment:
       - REDIS_PASSWORD=${AUTHELIA_REDIS_PASSWORD}
-    command: ["redis-server", "--requirepass", "${AUTHELIA_REDIS_PASSWORD}"]
+    command: ["redis-server", "--requirepass", "${AUTHELIA_REDIS_PASSWORD}"] # Use actual password variable
     volumes:
       - ${CONFIG_ROOT:-.}/redis:/data:Z
     healthcheck:
-      test: ["CMD", "redis-cli", "-a", "${AUTHELIA_REDIS_PASSWORD}", "ping"]
+      test: ["CMD", "redis-cli", "-a", "${AUTHELIA_REDIS_PASSWORD}", "ping"] # Use actual password variable
       interval: 5s
       timeout: 3s
       retries: 5
@@ -44,25 +47,31 @@ services:
     volumes:
       - ${CONFIG_ROOT:-.}/authelia:/config:Z
     environment:
+      # Core secrets
+      - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
       - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
       - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
       - AUTHELIA_SESSION_REDIS_PASSWORD=${AUTHELIA_REDIS_PASSWORD}
+      # Only environment variable needed for identity validation
       - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET=${AUTHELIA_JWT_SECRET}
+      # Timezone
       - TZ=${TIMEZONE}
     labels:
       - traefik.enable=true
-      - traefik.http.routers.authelia.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/auth`) # Changed rule
+      # Rule for Authelia portal itself (handles internal paths like /api, /logout etc.)
+      - traefik.http.routers.authelia.rule=PathPrefix(`/`)
       - traefik.http.routers.authelia.entrypoints=web
-      # - traefik.http.routers.authelia.priority=100 # Removed priority
+      - traefik.http.routers.authelia.priority=100 # High priority to catch root path
       - traefik.http.services.authelia.loadbalancer.server.port=9091
-      - traefik.http.middlewares.authelia-auth.forwardAuth.address=http://authelia:9091/api/verify # Simplified forwardAuth address
+      # Define the forwardAuth middleware
-      - traefik.http.routers.authelia.middlewares=https-proto@docker
+      - traefik.http.middlewares.authelia-auth.forwardAuth.address=http://authelia:9091/api/verify?rd=https://${APP_HOSTNAME}/
       - traefik.http.middlewares.authelia-auth.forwardAuth.trustForwardHeader=true
       - traefik.http.middlewares.authelia-auth.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
+      # Homepage labels for Authelia itself
       - homepage.group=Security
       - homepage.name=Authelia
       - homepage.icon=authelia.png
-      - homepage.href=/auth # Updated href
+      - homepage.href=https://${APP_HOSTNAME}/
       - homepage.description=Authentication Portal
   sonarr:
     image: lscr.io/linuxserver/sonarr
@@ -81,9 +90,9 @@ services:
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.sonarr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/sonarr`) # Added Host check
+      - traefik.http.routers.sonarr.rule=PathPrefix(`/sonarr`)
       - traefik.http.routers.sonarr.entrypoints=web
-      - traefik.http.routers.sonarr.middlewares=https-proto@docker,authelia-auth@docker
+      - traefik.http.routers.sonarr.middlewares=authelia-auth@docker
       - traefik.http.services.sonarr.loadbalancer.server.port=8989
       - homepage.group=Media
       - homepage.name=Sonarr
@@ -111,9 +120,9 @@ services:
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.radarr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/radarr`) # Added Host check
+      - traefik.http.routers.radarr.rule=PathPrefix(`/radarr`)
       - traefik.http.routers.radarr.entrypoints=web
-      - traefik.http.routers.radarr.middlewares=https-proto@docker,authelia-auth@docker
+      - traefik.http.routers.radarr.middlewares=authelia-auth@docker
       - traefik.http.services.radarr.loadbalancer.server.port=7878
       - homepage.group=Media
       - homepage.name=Radarr
@@ -141,9 +150,9 @@ services:
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.lidarr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/lidarr`) # Added Host check
+      - traefik.http.routers.lidarr.rule=PathPrefix(`/lidarr`)
       - traefik.http.routers.lidarr.entrypoints=web
-      - traefik.http.routers.lidarr.middlewares=https-proto@docker,authelia-auth@docker
+      - traefik.http.routers.lidarr.middlewares=authelia-auth@docker
       - traefik.http.services.lidarr.loadbalancer.server.port=8686
       - homepage.group=Media
       - homepage.name=Lidarr
@@ -173,9 +182,9 @@ services:
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.bazarr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/bazarr`) # Added Host check
+      - traefik.http.routers.bazarr.rule=PathPrefix(`/bazarr`)
       - traefik.http.routers.bazarr.entrypoints=web
-      - traefik.http.routers.bazarr.middlewares=https-proto@docker,authelia-auth@docker
+      - traefik.http.routers.bazarr.middlewares=authelia-auth@docker
       - traefik.http.services.bazarr.loadbalancer.server.port=6767
       - homepage.group=Download
       - homepage.name=Bazarr
@@ -208,10 +217,10 @@ services:
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.jellyseerr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/jellyseerr`) # Added Host check
+      - traefik.http.routers.jellyseerr.rule=PathPrefix(`/jellyseerr`)
       - traefik.http.routers.jellyseerr.entrypoints=web
       - traefik.http.services.jellyseerr.loadbalancer.server.port=5055
-      - traefik.http.routers.jellyseerr.middlewares=https-proto@docker,jellyseerr-stripprefix,jellyseerr-rewrite,jellyseerr-rewriteHeaders,authelia-auth@docker
+      - traefik.http.routers.jellyseerr.middlewares=jellyseerr-stripprefix,jellyseerr-rewrite,jellyseerr-rewriteHeaders,authelia-auth@docker
       - traefik.http.middlewares.jellyseerr-stripprefix.stripPrefix.prefixes=/jellyseerr
       - traefik.http.middlewares.jellyseerr-rewriteHeaders.plugin.rewriteHeaders.rewrites[0].header=location
       - traefik.http.middlewares.jellyseerr-rewriteHeaders.plugin.rewriteHeaders.rewrites[0].regex=^/(.+)$
@@ -282,9 +291,9 @@ services:
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.prowlarr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/prowlarr`) # Added Host check
+      - traefik.http.routers.prowlarr.rule=PathPrefix(`/prowlarr`)
       - traefik.http.routers.prowlarr.entrypoints=web
-      - traefik.http.routers.prowlarr.middlewares=https-proto@docker,authelia-auth@docker
+      - traefik.http.routers.prowlarr.middlewares=authelia-auth@docker
       - traefik.http.services.prowlarr.loadbalancer.server.port=9696
       - homepage.group=Download
       - homepage.name=Prowlarr
@@ -306,9 +315,9 @@ services:
       - TZ=${TIMEZONE}
     labels:
       - traefik.enable=true
-      - traefik.http.routers.flaresolverr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/flaresolverr`) # Added Host check
+      - traefik.http.routers.flaresolverr.rule=PathPrefix(`/flaresolverr`)
       - traefik.http.routers.flaresolverr.entrypoints=web
-      - traefik.http.routers.flaresolverr.middlewares=https-proto@docker,authelia-auth@docker
+      - traefik.http.routers.flaresolverr.middlewares=authelia-auth@docker
       - traefik.http.services.flaresolverr.loadbalancer.server.port=8191
     profiles:
       - flaresolverr
@@ -326,20 +335,25 @@ services:
       - ${DOWNLOAD_ROOT}:/data/torrents:Z
     restart: always
     healthcheck:
+      # Container may fail if the PIA's token expired, so mark as unhealthy when there is no internet connection
+      # see: https://github.com/qdm12/gluetun/issues/641#issuecomment-933856220
       test:
         ["CMD", "curl", "--fail", "http://127.0.0.1:8080", "https://google.com"]
       interval: 30s
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.qbittorrent.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/qbittorrent`) # Added Host check
+      - traefik.http.routers.qbittorrent.rule=PathPrefix(`/qbittorrent`)
       - traefik.http.routers.qbittorrent.entrypoints=web
       - traefik.http.services.qbittorrent.loadbalancer.server.port=8080
-      - traefik.http.routers.qbittorrent.middlewares=https-proto@docker,qbittorrent-strip-slash,qbittorrent-stripprefix,authelia-auth@docker
+      - traefik.http.routers.qbittorrent.middlewares=qbittorrent-strip-slash,qbittorrent-stripprefix,authelia-auth@docker
+      # https://github.com/qbittorrent/qBittorrent/issues/5693#issuecomment-552146296
       - traefik.http.middlewares.qbittorrent-stripprefix.stripPrefix.prefixes=/qbittorrent
+      # https://community.traefik.io/t/middleware-to-add-the-if-needed/1895/19
       - traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.regex=(^.*\/qbittorrent$$)
       - traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.replacement=$$1/
       - traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.permanent=false
+      #- com.centurylinklabs.watchtower.depends-on=/vpn
       - homepage.group=Download
       - homepage.name=qBittorrent
       - homepage.icon=qbittorrent.png
@@ -378,9 +392,9 @@ services:
     restart: always
     labels:
       - traefik.enable=true
-      - traefik.http.routers.sabnzbd.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/sabnzbd`) # Added Host check
+      - traefik.http.routers.sabnzbd.rule=PathPrefix(`/sabnzbd`) # Simplified rule
       - traefik.http.routers.sabnzbd.entrypoints=web
-      - traefik.http.routers.sabnzbd.middlewares=https-proto@docker,authelia-auth@docker
+      - traefik.http.routers.sabnzbd.middlewares=authelia-auth@docker
       - traefik.http.services.sabnzbd.loadbalancer.server.port=8080
       - homepage.group=Download
       - homepage.name=Sabnzbd
@@ -400,7 +414,7 @@ services:
       - PUID=${USER_ID}
       - PGID=${GROUP_ID}
       - TZ=${TIMEZONE}
-      - JELLYFIN_PublishedServerUrl=https://${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}/jellyfin
+      - JELLYFIN_PublishedServerUrl=${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}/jellyfin
     volumes:
       - ${CONFIG_ROOT:-.}/jellyfin:/config:Z
       - ${DATA_ROOT}:/data:Z
@@ -414,9 +428,9 @@ services:
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.jellyfin.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/jellyfin`) # Added Host check
+      - traefik.http.routers.jellyfin.rule=PathPrefix(`/jellyfin`)
       - traefik.http.routers.jellyfin.entrypoints=web
-      - traefik.http.routers.jellyfin.middlewares=https-proto@docker # Only HTTPS, no auth
+      - traefik.http.routers.jellyfin.middlewares=authelia-auth@docker
       - traefik.http.services.jellyfin.loadbalancer.server.port=8096
       - homepage.group=Media
       - homepage.name=Jellyfin
@@ -445,8 +459,8 @@ services:
       - traefik.http.middlewares.calibre-headers.headers.customRequestHeaders.X-Scheme=https
       - traefik.http.middlewares.calibre-headers.headers.customRequestHeaders.X-Script-Name=/calibre
       - traefik.http.middlewares.calibre-stripprefixregex.stripPrefixRegex.regex=/calibre
-      - traefik.http.routers.calibre.middlewares=https-proto@docker,calibre-headers,calibre-stripprefixregex,authelia-auth@docker
+      - traefik.http.routers.calibre.middlewares=calibre-headers,calibre-stripprefixregex,authelia-auth@docker
-      - traefik.http.routers.calibre.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/calibre`) # Added Host check
+      - traefik.http.routers.calibre.rule=PathPrefix(`/calibre`)
       - traefik.http.routers.calibre.entrypoints=web
       - traefik.http.services.calibre.loadbalancer.server.port=8083
       - homepage.group=Media
@@ -509,6 +523,7 @@ services:
       - HOMEPAGE_VAR_WEATHER_LONG=${HOMEPAGE_VAR_WEATHER_LONG}
       - HOMEPAGE_VAR_WEATHER_TIME=${TIMEZONE}
       - HOMEPAGE_VAR_WEATHER_UNIT=${HOMEPAGE_VAR_WEATHER_UNIT}
+      # Explicitly allow the hostname constructed from Tailscale variables
       - HOMEPAGE_ALLOWED_HOSTS=${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}
     volumes:
       - ${CONFIG_ROOT:-.}/homepage:/app/config:Z
@@ -519,16 +534,17 @@ services:
       [sh, -c, "cp -n /app/config/tpl/*.yaml /app/config && node server.js"]
     labels:
       - traefik.enable=true
-      - traefik.http.routers.homepage.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/home`) # Changed rule to root
+      # Rule for homepage, now at /home, needs auth
+      - traefik.http.routers.homepage.rule=PathPrefix(`/home`)
       - traefik.http.routers.homepage.entrypoints=web
-      # - traefik.http.routers.homepage.priority=10 # Removed priority
+      - traefik.http.routers.homepage.priority=10 # Lower priority than Authelia's root rule
-      # Global middleware for setting HTTPS header
+      - traefik.http.middlewares.homepage-stripprefix.stripPrefix.prefixes=/home
-      - traefik.http.middlewares.https-proto.headers.customrequestheaders.X-Forwarded-Proto=https
+      - traefik.http.routers.homepage.middlewares=homepage-stripprefix,authelia-auth@docker
-      - traefik.http.routers.homepage.middlewares=https-proto@docker,authelia-auth@docker
+      # Homepage's own labels for discovery (unchanged)
       - homepage.group=Dashboard
       - homepage.name=Homepage
       - homepage.icon=homepage.png
-      - homepage.href=/ # Updated href
+      - homepage.href=/home # Update link to new path
       - homepage.description=Service Dashboard
   watchtower:
     image: ghcr.io/containrrr/watchtower:latest
@@ -549,22 +565,23 @@ services:
   tailscale:
     image: tailscale/tailscale:latest
     container_name: tailscale
-    hostname: ${TAILSCALE_HOSTNAME:-tailscale-nas}
+    hostname: ${TAILSCALE_HOSTNAME:-tailscale-nas} # Hostname for Tailscale access
     environment:
-      TS_AUTHKEY: ${TAILSCALE_AUTHKEY}
+      TS_AUTHKEY: ${TAILSCALE_AUTHKEY} # Needs to be set in .env
-      TS_EXTRA_ARGS: "--advertise-tags=${TAILSCALE_TAGS:-tag:nas}"
+      TS_EXTRA_ARGS: "--advertise-tags=${TAILSCALE_TAGS:-tag:nas}" # Keep tags if desired
       TS_STATE_DIR: "/var/lib/tailscale"
       TS_USERSPACE: "false"
+      # Switch to enable Funnel (public access) or Serve (Tailnet only)
       ENABLE_FUNNEL_HTTPS: ${ENABLE_FUNNEL_HTTPS:-false}
     volumes:
-      - ${CONFIG_ROOT:-.}/tailscale/state:/var/lib/tailscale:Z
+      - ${CONFIG_ROOT:-.}/tailscale/state:/var/lib/tailscale:Z # Persist state
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock # Optional, keep if needed
     devices:
       - /dev/net/tun:/dev/net/tun
     cap_add:
       - NET_ADMIN
       - NET_RAW
-    extra_hosts:
+    extra_hosts: # Add this section
       - host.docker.internal:172.17.0.1
     restart: always
     command:
@@ -588,6 +605,8 @@ services:
         done
         echo " Tailscaled is running."
 
+        # --- Start Tailscale Funnel/Serve ---
+        # Check the ENABLE_FUNNEL_HTTPS variable
         if [ "${ENABLE_FUNNEL_HTTPS}" = "true" ]; then
           echo "ENABLE_FUNNEL_HTTPS is true. Setting up Funnel -> http://localhost:80..."
           tailscale funnel --bg http://localhost:80
@@ -597,9 +616,10 @@ services:
           tailscale serve --bg http://localhost:80
           echo "Tailscale Serve configured."
         fi
+        # --- End Tailscale Funnel/Serve ---
 
         echo "Tailscale forwarding configured. Container will remain running."
-        wait
+        wait # Wait indefinitely for background processes
 
 networks:
   default: