{"id":14913446,"url":"https://github.com/geekau/mediastack","last_synced_at":"2026-04-01T21:37:03.371Z","repository":{"id":65501248,"uuid":"561209625","full_name":"geekau/mediastack","owner":"geekau","description":"The ultimate Docker Compose files and configs to build your desired media stack, quickly and easily, with secure outbound network traffic and secure remote access using multifactor authentication.","archived":false,"fork":false,"pushed_at":"2026-03-21T09:08:15.000Z","size":218,"stargazers_count":1696,"open_issues_count":26,"forks_count":152,"subscribers_count":33,"default_branch":"master","last_synced_at":"2026-03-21T19:26:39.646Z","etag":null,"topics":["authentik","crowdsec","flaresolverr","heimdall","homepage","jellyfin-media-server","jellyseerr","letsencrypt","lidarr","mfa-sso","outbound-vpn","plex-media-server","prowlarr","qbittorrent","radarr","reverse-proxy-server","sabnzbd","sonarr","tailscale","traefik"],"latest_commit_sha":null,"homepage":"https://MediaStack.Guide","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/geekau.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-11-03T07:34:08.000Z","updated_at":"2026-03-21T03:48:28.000Z","dependencies_parsed_at":"2025-01-14T18:50:46.712Z","dependency_job_id":"4fc63356-1e56-4484-b950-97d7676c3cbf","html_url":"https://github.com/geekau/mediastack","commit_stats":null,"previous_names":["geekau/mediastack","geekau/media-stack"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/geekau/mediastack","repository_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geekau%2Fmediastack","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geekau%2Fmediastack/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geekau%2Fmediastack/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geekau%2Fmediastack/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/geekau","download_url":"https://codeload.github.com/geekau/mediastack/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geekau%2Fmediastack/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31292423,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T21:15:39.731Z","status":"ssl_error","status_checked_at":"2026-04-01T21:15:34.046Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentik","crowdsec","flaresolverr","heimdall","homepage","jellyfin-media-server","jellyseerr","letsencrypt","lidarr","mfa-sso","outbound-vpn","plex-media-server","prowlarr","qbittorrent","radarr","reverse-proxy-server","sabnzbd","sonarr","tailscale","traefik"],"created_at":"2024-09-22T21:01:24.144Z","updated_at":"2026-04-01T21:37:03.357Z","avatar_url":"https://github.com/geekau.png","language":"Shell","funding_links":[],"categories":["Shell","Docker Stacks 
\u0026 Examples"],"sub_categories":["Other Bouncers"],"readme":"# MediaStack Project (Docker)  \n\nSee you on [Reddit for MediaStack](https://www.reddit.com/r/MediaStack/)  \n\n## What Applications Are Provided In MediaStack  \n\nWelcome to the MediaStack project! MediaStack is your ultimate solution for managing and streaming media collections with applications like Jellyfin and Plex. Using Docker, MediaStack containerises these media servers alongside *ARR applications (Radarr, Sonarr, Lidarr, etc.) for seamless media automation and management.  \n\nList of Docker applications configured in the MediaStack `docker-compose.yaml` file:  \n\n\u003c/br\u003e\n\n\u003ccenter\u003e\n\n| \u003ccenter\u003e Docker Application \u003c/center\u003e | \u003ccenter\u003e Application Role \u003c/center\u003e |  \n|--------------------|------------------|  \n| [Authentik](https://docs.goauthentik.io/docs/install-config/install/docker-compose) | Authentik is an open-source identity provider for SSO, MFA, and access control |  \n| [Bazarr](https://docs.linuxserver.io/images/docker-bazarr) | Bazarr automates the downloading of subtitles for Movies and TV Shows |  \n| [Chromium](https://docs.linuxserver.io/images/docker-chromium/) | Chromium is an open-source web browser, allowing secure remote Internet browsing through your MediaStack |  \n| [CrowdSec](https://docs.crowdsec.net/u/getting_started/installation/docker/) | CrowdSec is an open-source, collaborative intrusion prevention system that detects and blocks malicious IPs |  \n| [DDNS-Updater](https://hub.docker.com/r/qmcgaw/ddns-updater) | DDNS-Updater automatically updates dynamic DNS records when your home Internet changes IP address |  \n| [Filebot](https://www.filebot.net/) | FileBot is a tool for renaming and organising media files using online metadata sources |  \n| [Flaresolverr](https://github.com/FlareSolverr/FlareSolverr) | Flaresolverr bypasses Cloudflare protection, allowing automated access to websites for 
scripts and bots |  \n| [Gluetun](https://github.com/qdm12/gluetun-wiki) | Gluetun routes network traffic through a VPN, ensuring privacy and security for Docker containers |  \n| [Grafana](http://docs.grafana.org/installation/docker/) | Grafana is an open-source analytics platform for visualising metrics, logs, and time-series data |  \n| [Guacamole](https://hub.docker.com/r/guacamole/guacamole) | Guacamole is a clientless remote desktop gateway supporting RDP, VNC, and SSH through a web browser |  \n| [Headplane](https://github.com/tale/headplane) | Headplane is a web-based user interface for managing Headscale, the self-hosted alternative to Tailscale |  \n| [Headscale](https://headscale.net/stable/) | Headscale is an open-source, self-hosted alternative to Tailscale's control server for managing WireGuard-based VPNs |  \n| [Heimdall](https://docs.linuxserver.io/images/docker-heimdall) | Heimdall provides a dashboard to easily access and organise web applications and services |  \n| [Homarr](https://homarr.dev/docs/getting-started/after-the-installation) | Homarr is a self-hosted, customisable dashboard for managing and monitoring your server applications |  \n| [Homepage](https://gethomepage.dev/latest/configs/) | Homepage is an alternate to Heimdall, providing a similar dashboard to easily access and organise web applications and services |  \n| [Huntarr](https://github.com/plexguide/Huntarr.io) | [DEPRECATED] Huntarr is an open-source tool that automates finding missing and upgrading media in *ARR libraries |  \n| [Jellyfin](https://jellyfin.org/docs/general/administration/installing#docker) | Jellyfin is a media server that organises, streams, and manages multimedia content for users |  \n| [Lidarr](https://docs.linuxserver.io/images/docker-lidarr) | Lidarr is a Library Manager, automating the management and meta data for your music media files |  \n| [Mylar](https://github.com/mylar3/mylar3/wiki) | Mylar3 is a Library Manager, automating the management and 
meta data for your comic media files |  \n| [Plex](https://hub.docker.com/r/linuxserver/plex) | Plex is a media server that organises, streams, and manages multimedia content across devices |  \n| [Portainer](https://docs.portainer.io/start/install/server/docker) | Portainer provides a graphical interface for managing Docker environments, simplifying container deployment and monitoring |  \n| [Postgresql](https://hub.docker.com/_/postgres) | PostgreSQL is a powerful, open-source relational database system known for reliability and advanced features |  \n| [Prometheus](https://prometheus.io/docs/introduction/overview/) | Prometheus is an open-source monitoring system that collects and queries metrics using a time-series database |  \n| [Prowlarr](https://docs.linuxserver.io/images/docker-prowlarr) | Prowlarr manages and integrates indexers for various media download applications, automating search and download processes |  \n| [qBittorrent](https://docs.linuxserver.io/images/docker-qbittorrent) | qBittorrent is a peer-to-peer file sharing application that facilitates downloading and uploading torrents |  \n| [Radarr](https://docs.linuxserver.io/images/docker-radarr) | Radarr is a Library Manager, automating the management and meta data for your Movie media files |  \n| [Readarr](https://docs.linuxserver.io/images/docker-readarr) | Readarr is a Library Manager, automating the management and meta data for your eBooks and Comic media files |  \n| [SABnzbd](https://docs.linuxserver.io/images/docker-sabnzbd) | SABnzbd is a Usenet newsreader that automates the downloading of binary files from Usenet |  \n| [Seerr](https://github.com/seerr-team/seerr) | Seerr is a request management tool for Jellyfin, enabling users to request and manage media content |  \n| [Sonarr](https://docs.linuxserver.io/images/docker-sonarr) | Sonarr is a Library Manager, automating the management and meta data for your TV Shows (series) media files |  \n| [Tailscale](https://tailscale.com/) | 
Tailscale is a secure, peer-to-peer VPN that simplifies network access using WireGuard technology |  \n| [Tdarr](https://docs.tdarr.io/docs/installation/docker/run-compose/) | Tdarr automates the transcoding and management of media files to optimise storage and playback compatibility |  \n| [Traefik](https://doc.traefik.io/traefik/) | Traefik is a modern reverse proxy and load balancer for microservices and containerised applications with full TLS v1.2 \u0026 v1.3 support |  \n| [Traefik-Certs-Dumper](https://hub.docker.com/r/ldez/traefik-certs-dumper) | Traefik Certs Dumper extracts TLS certificates and private keys from Traefik and converts for use by other services |  \n| [Unpackerr](https://github.com/davidnewhall/unpackerr) | Unpackerr extracts and moves downloaded media files to their appropriate directories for organisation and access |  \n| [Valkey](https://hub.docker.com/r/valkey/valkey) | Valkey is an open-source, high-performance, in-memory key-value datastore, serving as a drop-in replacement for Redis |  \n| [Whisparr](https://wiki.servarr.com/whisparr) | Whisparr is a Library Manager, automating the management and meta data for your Adult media files |  \n\n\u003c/br\u003e\u003c/br\u003e\n\n| \u003ccenter\u003eUbuntu Linux Install - Docker Compose Build\u003c/center\u003e | \u003ccenter\u003eWindows 11 Install - Docker with WSL and Ubuntu\u003c/center\u003e |  \n|----------------------------------------|----------------------------------------|  \n| [![MediaStack - A Detailed Installation Walkthru (Ubuntu Linux)](https://i.ytimg.com/vi/zz2XjrurgXI/hq720.jpg)](https://youtu.be/zz2XjrurgXI \"MediaStack - A Detailed Installation Walkthru (Ubuntu Linux)\") | [![MediaStack - Ultimate Guide on Windows 11 Docker with WSL and Ubuntu](https://i.ytimg.com/vi/N--e1O5SqPw/hq720.jpg)](https://youtu.be/N--e1O5SqPw \"MediaStack - Ultimate Guide on Windows 11 Docker with WSL and Ubuntu\") |  
\n\n\u003c/br\u003e\n\n\u003c/center\u003e\n\n\u003c/br\u003e\u003c/br\u003e\n\nMediaStack is your ultimate solution for managing and streaming media collections with applications like Jellyfin and Plex. Using Docker, MediaStack containerises these media servers alongside *ARR applications (Radarr, Sonarr, Lidarr, etc.) for seamless media automation and management.  \n\nYou will also be able to connect to your MediaStack instance securely from the Internet using the following two methods:  \n\n- **Secure Reverse Proxy:** Traefik, Authentik, and CrowdSec provide a full reverse proxy solution with free Let's Encrypt digital certificates, including SSO / OAuth2 / OpenID / SAML / Radius / LDAP identity providers and MFA. Traefik Certs Dumper extracts the Let's Encrypt certificates so you can install them on other systems.  \n\n- **Secure Tailscale VPN:** Headscale is an open source Tailscale Coordination Server, allowing remote Tailscale clients to connect to the Headscale and Tailscale applications, and access all of the containers over the VPN connection. Include Headplane to provide a WebUI portal to manage Headscale settings.  \n\n\u003e **NOTE:** The Traefik reverse proxy configuration for incoming connections has been configured with the strongest of the modern cipher suites, using only TLSv1.2 and TLSv1.3 as minimum protocols, and enforces strong security headers to provide your MediaStack with the strongest security / privacy when you connect from the Internet.  \n\n\u003c/br\u003e\n\n## Internal Container Access (From Home)\n\nEdit the \"**Import Bookmarks - MediaStackGuide Applications (Internal URLs).html**\" file, and find / replace all of the **`localhost`** entries with the IP address of the computer running Docker in your home network.  \n\nThen import the Bookmarks into your web browser.  
\n\n## External Container Access (From Internet)\n\nEdit the \"**Import Bookmarks - MediaStackGuide Applications (External URLs).html**\" file, and find / replace all of the **`YOUR_DOMAIN_NAME`** entries with your Internet domain name.  \n\nAll of the Docker images / containers in the Docker Compose file have already been labelled for Traefik, and they will be automatically detected and assigned the correct routing based on the incoming Internet URL, using your domain name.  \n\nPort forward your incoming connections on your home Internet gateway / router, to the IP Address of your computer running Docker, using Ports 80 and 443 - If these are taken, you can use alternate ports using the **REVERSE_PROXY_PORT_HTTP(S)** settings in the **.ENV** variable file.  \n\n## How Do I Use The MediaStack Repo  \n\n- **base-working-files:** Download all of these files into a single directory located on your Docker computer. Then download the `docker-compose.yaml` file located in one of the following configurations, into the same directory.  \n\n- **docker-compose.yaml:** Download one of the `docker-compose.yaml` configuration files:  \n\n  - **full-download-vpn:** The `docker-compose.yaml` file located in this directory is configured so all outgoing network connections / media downloads are protected with the Gluetun VPN Tunnel, to provide maximum privacy on your Internet connection. **This is the recommended configuration for new users**.  \n\n  - **mini-download-vpn:** The `docker-compose.yaml` file located in this directory is configured so only the SABnzbd (Usenet) and qBittorrent (Torrents) are protected with the Gluetun VPN Tunnel, to provide a moderate level of privacy just on your download activities.  \n\n  - **no-download-vpn:** The `docker-compose.yaml` file located in this directory does not have Gluetun, or any other form of VPN for outgoing Internet traffic; you will have limited to no privacy on downloads.  
\n\nYou can now configure the `docker-compose.yaml`, `.env`, and other files downloaded from the **base-working-files** configuration directory.  \n\n\u003c/br\u003e\n\n## What is: \"Full Download VPN\"\n\nThis configuration set builds a fully encrypted VPN network architecture, and routes all network traffic from the Docker containers through the Gluetun container, where it is encrypted into a VPN, before it passes securely across the internet. This setup ensures that all data packets are encrypted, providing robust privacy and security. The primary benefit of this approach is the comprehensive protection of data, safeguarding against eavesdropping, and maintaining user privacy.  \n\nHowever, this heightened security method comes with trade-offs. Encrypting and decrypting all traffic can lead to increased latency and reduced network speeds. This can particularly impact applications requiring high bandwidth or low latency, such as media streaming or real-time communication tools. Nonetheless, for users prioritising privacy and security over speed, this setup is ideal.  
\n\n\u003c/br\u003e\n\u003ccenter\u003e\n\n``` mermaid\nflowchart TD\n  subgraph DockerNet[\"Full Download VPN\"]\n    Gluetun\n    Jellyfin\n    Plex\n    Seerr\n    Prowlarr\n    Radarr\n    Readarr\n    Sonarr\n    Mylar\n    Whisparr\n    Bazarr\n    Lidarr\n    Tdarr\n    Huntarr\n    SABnzbd\n    qBittorrent\n    Label@{ label: \"\u003cdiv style=\\\"color:\\\"\u003e\u003cspan style=\\\"color:\\\"\u003eIP Subnet: 172.28.10.0/24\u003c/span\u003e\u003c/div\u003e\" }\n    NIC[\"Network Adapter\"]\n  end\n\n  Jellyfin     Jellyfin_Gluetun@    ---- Gluetun\n  Plex         Plex_Gluetun@        ---  Gluetun\n  Seerr        Seerr_Gluetun@       ---- Gluetun\n  Prowlarr     Prowlarr_Gluetun@    ---  Gluetun\n  Radarr       Radarr_Gluetun@      ---- Gluetun\n  Readarr      Readarr_Gluetun@     ---  Gluetun\n  Sonarr       Sonarr_Gluetun@      ---- Gluetun\n  Mylar        Mylar_Gluetun@       ---  Gluetun\n  Whisparr     Whisparr_Gluetun@    ---- Gluetun\n  Bazarr       Bazarr_Gluetun@      ---  Gluetun\n  Lidarr       Lidarr_Gluetun@      ---- Gluetun\n  Tdarr        Tdarr_Gluetun@       ---  Gluetun\n  Huntarr      Huntarr_Gluetun@     ---- Gluetun\n  SABnzbd      SABnzbd_Gluetun@     ---  Gluetun\n  qBittorrent  qBittorrent_Gluetun@ ---- Gluetun\n  Gluetun      Gluetun_NIC@         ==\u003e NIC\n  NIC          NIC_Gateway@         ==\u003e Gateway\n  Gateway      Gateway_VPN@         ==\u003e VPN\n  Gateway[\"Home Gateway\"]\n  VPN{\"VPN Server\u003cbr\u003eAnchor Point\"}\n\n  style Gluetun      stroke:#2962FF\n  style Jellyfin     stroke:#2962FF\n  style Plex         stroke:#2962FF\n  style Seerr        stroke:#2962FF\n  style Prowlarr     stroke:#2962FF\n  style Radarr       stroke:#2962FF\n  style Readarr      stroke:#2962FF\n  style Sonarr       stroke:#2962FF\n  style Mylar        stroke:#2962FF\n  style Whisparr     stroke:#2962FF\n  style Bazarr       stroke:#2962FF\n  style Lidarr       stroke:#2962FF\n  style Tdarr        stroke:#2962FF\n  style Huntarr      
stroke:#2962FF\n  style SABnzbd      stroke:#2962FF\n  style qBittorrent  stroke:#2962FF\n  style Label        stroke:none\n  style NIC          stroke:green,    stroke-width:2px\n  style Gateway      stroke:green,    stroke-width:2px\n  style VPN          stroke:green,    stroke-width:2px\n\n  linkStyle 0        stroke:orange\n  linkStyle 1        stroke:orange\n  linkStyle 2        stroke:orange\n  linkStyle 3        stroke:orange\n  linkStyle 4        stroke:orange\n  linkStyle 5        stroke:orange\n  linkStyle 6        stroke:orange\n  linkStyle 7        stroke:orange\n  linkStyle 8        stroke:orange\n  linkStyle 9        stroke:orange\n  linkStyle 10       stroke:orange\n  linkStyle 11       stroke:orange\n  linkStyle 12       stroke:orange\n  linkStyle 13       stroke:orange\n  linkStyle 14       stroke:orange\n  linkStyle 15       stroke:green\n  linkStyle 16       stroke:green\n  linkStyle 17       stroke:green\n\n  Jellyfin_Gluetun@{     animation: fast }\n  Plex_Gluetun@{         animation: fast }\n  Seerr_Gluetun@{        animation: fast }\n  Prowlarr_Gluetun@{     animation: fast }\n  Radarr_Gluetun@{       animation: fast }\n  Readarr_Gluetun@{      animation: fast }\n  Sonarr_Gluetun@{       animation: fast }\n  Mylar_Gluetun@{        animation: fast }\n  Whisparr_Gluetun@{     animation: fast }\n  Bazarr_Gluetun@{       animation: fast }\n  Lidarr_Gluetun@{       animation: fast }\n  Tdarr_Gluetun@{        animation: fast }\n  Huntarr_Gluetun@{      animation: fast }\n  SABnzbd_Gluetun@{      animation: fast }\n  qBittorrent_Gluetun@{  animation: fast }\n  Gluetun_NIC@{          animation: slow }\n  NIC_Gateway@{          animation: slow }\n  Gateway_VPN@{          animation: slow }\n```\n\n\u003c/center\u003e\n\u003c/br\u003e\u003c/br\u003e\n\n\u003e NOTE: Many of the Docker applications are passing traffic through the Gluetun VPN container. 
When the Gluetun container stops, or if the VPN network connection is interrupted, then all network traffic for the other Docker applications will also stop until Gluetun re-establishes the secure VPN connection.\n\n\u003c/br\u003e\n\n## What is: \"Mini Download VPN\"\n\nThis configuration set builds a minimal encrypted VPN network, solely for the Torrent and Usenet downloads for the qBittorrent and SABnzbd Docker containers, which route all network traffic through the Gluetun Docker container, where it is encrypted into a VPN before routing out to the Internet. All other Docker containers connect to the Docker bridge network (not Gluetun), and pass their network traffic directly out to the Internet through your Internet Service Provider. This approach ensures that only the Torrent and Usenet downloaded data is encrypted, while other containers operate with unencrypted traffic flows. The advantage here is that it maintains higher network performance for most applications, avoiding potential latency and bandwidth reductions associated with full encryption.  \n\nHowever, this comes at the cost of leaving some network traffic potentially exposed to interception or monitoring. This setup is suitable for users who require high performance for certain applications but still want to protect specific, sensitive download activities.  
\n\n\u003c/br\u003e\n\u003ccenter\u003e\n\n``` mermaid\nflowchart TD\n  subgraph DockerNet[\"Mini Download VPN\"]\n    Gluetun\n    Jellyfin\n    Plex\n    Seerr\n    Prowlarr\n    Radarr\n    Readarr\n    Sonarr\n    Mylar\n    Whisparr\n    Bazarr\n    Lidarr\n    Tdarr\n    Huntarr\n    SABnzbd\n    qBittorrent\n    Label@{ label: \"\u003cdiv style=\\\"color:\\\"\u003e\u003cspan style=\\\"color:\\\"\u003eIP Subnet: 172.28.10.0/24\u003c/span\u003e\u003c/div\u003e\" }\n    NIC[\"Network Adapter\"]\n  end\n\n  Jellyfin     Jellyfin_NIC@        ---- NIC\n  Plex         Plex_NIC@            ---  NIC\n  Seerr        Seerr_NIC@           ---- NIC\n  Prowlarr     Prowlarr_NIC@        ---  NIC\n  Radarr       Radarr_NIC@          ---- NIC\n  Readarr      Readarr_NIC@         ---  NIC\n  Sonarr       Sonarr_NIC@          ---- NIC\n  Mylar        Mylar_NIC@           ---  NIC\n  Whisparr     Whisparr_NIC@        ---- NIC\n  Bazarr       Bazarr_NIC@          ---  NIC\n  Lidarr       Lidarr_NIC@          ---- NIC\n  Tdarr        Tdarr_NIC@           ---  NIC\n  Huntarr      Huntarr_NIC@         ---- NIC\n  SABnzbd      SABnzbd_Gluetun@     ---  Gluetun\n  qBittorrent  qBittorrent_Gluetun@ ---  Gluetun\n  Gluetun      Gluetun_NIC@         ==\u003e  NIC\n  NIC          NIC_Gateway_0@       ==\u003e  Gateway\n  NIC          NIC_Gateway_1@       ==\u003e  Gateway\n  Gateway      Gateway_VPN_1@       ==\u003e  Internet\n  Gateway      Gateway_VPN_0@       ==\u003e  VPN\n  Gateway[\"Home Gateway\"]\n  Internet{\"🔥Insecure🔥\u003cbr\u003e🔥Internet🔥\"}\n  VPN{\"VPN Server\u003cbr\u003eAnchor Point\"}\n\n  style Gluetun      stroke:#2962FF\n  style Jellyfin     stroke:#2962FF\n  style Plex         stroke:#2962FF\n  style Seerr        stroke:#2962FF\n  style Prowlarr     stroke:#2962FF\n  style Radarr       stroke:#2962FF\n  style Readarr      stroke:#2962FF\n  style Sonarr       stroke:#2962FF\n  style Mylar        stroke:#2962FF\n  style Whisparr     stroke:#2962FF\n  style Bazarr    
   stroke:#2962FF\n  style Lidarr       stroke:#2962FF\n  style Tdarr        stroke:#2962FF\n  style Huntarr      stroke:#2962FF\n  style SABnzbd      stroke:#2962FF\n  style qBittorrent  stroke:#2962FF\n  style Label        stroke:none\n  style NIC          stroke:green,    stroke-width:2px\n  style Gateway      stroke:green,    stroke-width:2px\n  style Internet     stroke:red,      stroke-width:2px\n  style VPN          stroke:green,    stroke-width:2px\n\n  linkStyle 0        stroke:orange\n  linkStyle 1        stroke:orange\n  linkStyle 2        stroke:orange\n  linkStyle 3        stroke:orange\n  linkStyle 4        stroke:orange\n  linkStyle 5        stroke:orange\n  linkStyle 6        stroke:orange\n  linkStyle 7        stroke:orange\n  linkStyle 8        stroke:orange\n  linkStyle 9        stroke:orange\n  linkStyle 10       stroke:orange\n  linkStyle 11       stroke:orange\n  linkStyle 12       stroke:orange\n  linkStyle 13       stroke:orange\n  linkStyle 14       stroke:orange\n  linkStyle 15       stroke:green\n  linkStyle 16       stroke:red\n  linkStyle 17       stroke:green\n  linkStyle 18       stroke:red\n  linkStyle 19       stroke:green\n\n  Jellyfin_NIC@{         animation: fast }\n  Plex_NIC@{             animation: fast }\n  Seerr_NIC@{            animation: fast }\n  Prowlarr_NIC@{         animation: fast }\n  Radarr_NIC@{           animation: fast }\n  Readarr_NIC@{          animation: fast }\n  Sonarr_NIC@{           animation: fast }\n  Mylar_NIC@{            animation: fast }\n  Whisparr_NIC@{         animation: fast }\n  Bazarr_NIC@{           animation: fast }\n  Lidarr_NIC@{           animation: fast }\n  Tdarr_NIC@{            animation: fast }\n  Huntarr_NIC@{          animation: fast }\n  SABnzbd_Gluetun@{      animation: fast }\n  qBittorrent_Gluetun@{  animation: fast }\n  Gluetun_NIC@{          animation: slow }\n  NIC_Gateway_0@{        animation: slow }\n  NIC_Gateway_1@{        animation: slow }\n  Gateway_VPN_0@{        
animation: slow }\n  Gateway_VPN_1@{        animation: slow }\n```\n\n\u003c/center\u003e\n\u003c/br\u003e\n\n## What is: \"No Download VPN\"\n\nThe Gluetun VPN container has been removed from this network architecture / design, and the containers are all communicating directly to the Internet without any VPN for privacy.\n\n\u003c/br\u003e\n\u003ccenter\u003e\n\n``` mermaid\nflowchart TD\n  subgraph DockerNet[\"No Download VPN\"]\n    Jellyfin\n    Plex\n    Seerr\n    Prowlarr\n    Radarr\n    Readarr\n    Sonarr\n    Mylar\n    Whisparr\n    Bazarr\n    Lidarr\n    Tdarr\n    Huntarr\n    SABnzbd\n    qBittorrent\n    Label@{ label: \"\u003cdiv style=\\\"color:\\\"\u003e\u003cspan style=\\\"color:\\\"\u003eIP Subnet: 172.28.10.0/24\u003c/span\u003e\u003c/div\u003e\" }\n    NIC[\"Network Adapter\"]\n  end\n\n  Jellyfin     Jellyfin_NIC@     ---- NIC\n  Plex         Plex_NIC@         ---  NIC\n  Seerr        Seerr_NIC@        ---- NIC\n  Prowlarr     Prowlarr_NIC@     ---  NIC\n  Radarr       Radarr_NIC@       ---- NIC\n  Readarr      Readarr_NIC@      ---  NIC\n  Sonarr       Sonarr_NIC@       ---- NIC\n  Mylar        Mylar_NIC@        ---  NIC\n  Whisparr     Whisparr_NIC@     ---- NIC\n  Bazarr       Bazarr_NIC@       ---  NIC\n  Lidarr       Lidarr_NIC@       ---- NIC\n  Tdarr        Tdarr_NIC@        ---  NIC\n  Huntarr      Huntarr_NIC@      ---- NIC\n  SABnzbd      SABnzbd_NIC@      ---  NIC\n  qBittorrent  qBittorrent_NIC@  ---- NIC\n  NIC          NIC_Gateway@      ==\u003e  Gateway\n  Gateway      Gateway_VPN@      ==\u003e  Internet\n  Gateway[\"Home Gateway\"]\n  Internet{\"🔥Insecure🔥\u003cbr\u003e🔥Internet🔥\"}\n  \n  style Jellyfin     stroke:#2962FF\n  style Plex         stroke:#2962FF\n  style Seerr        stroke:#2962FF\n  style Prowlarr     stroke:#2962FF\n  style Radarr       stroke:#2962FF\n  style Readarr      stroke:#2962FF\n  style Sonarr       stroke:#2962FF\n  style Mylar        stroke:#2962FF\n  style Whisparr     stroke:#2962FF\n  style 
Bazarr       stroke:#2962FF\n  style Lidarr       stroke:#2962FF\n  style Tdarr        stroke:#2962FF\n  style Huntarr      stroke:#2962FF\n  style SABnzbd      stroke:#2962FF\n  style qBittorrent  stroke:#2962FF\n  style Label        stroke:none\n  style NIC          stroke:green,    stroke-width:2px\n  style Gateway      stroke:green,    stroke-width:2px\n  style Internet     stroke:red,      stroke-width:2px\n  \n  linkStyle 0       stroke:orange\n  linkStyle 1       stroke:orange\n  linkStyle 2       stroke:orange\n  linkStyle 3       stroke:orange\n  linkStyle 4       stroke:orange\n  linkStyle 5       stroke:orange\n  linkStyle 6       stroke:orange\n  linkStyle 7       stroke:orange\n  linkStyle 8       stroke:orange\n  linkStyle 9       stroke:orange\n  linkStyle 10      stroke:orange\n  linkStyle 11      stroke:orange\n  linkStyle 12      stroke:orange\n  linkStyle 13      stroke:orange\n  linkStyle 14      stroke:orange\n  linkStyle 15      stroke:red\n  linkStyle 16      stroke:red\n\n  Jellyfin_NIC@{         animation: fast }\n  Plex_NIC@{             animation: fast }\n  Seerr_NIC@{            animation: fast }\n  Prowlarr_NIC@{         animation: fast }\n  Radarr_NIC@{           animation: fast }\n  Readarr_NIC@{          animation: fast }\n  Sonarr_NIC@{           animation: fast }\n  Mylar_NIC@{            animation: fast }\n  Whisparr_NIC@{         animation: fast }\n  Bazarr_NIC@{           animation: fast }\n  Lidarr_NIC@{           animation: fast }\n  Tdarr_NIC@{            animation: fast }\n  Huntarr_NIC@{          animation: fast }\n  SABnzbd_NIC@{          animation: fast }\n  qBittorrent_NIC@{      animation: fast }\n  NIC_Gateway@{          animation: slow }\n  Gateway_VPN@{          animation: slow }\n```\n\n\u003c/center\u003e\n\u003c/br\u003e\n\n## What Do I Need To Configure\n\nFollow the steps below to deploy your MediaStack quickly:  \n\n- Download all of the files in the `base-working-file` GitHub folder, and **one** of the 
pre-configured `docker-compose.yaml` files into the same directory  \n- Update the `.env` file with all the configuration settings / values for your system needs  \n- Replace `example.com` with your Internet domain in the following files:  \n  - `headscale-config.yaml`  \n  - `headplane-config.yaml`  \n  - `traefik-dynamic.yaml`  \n  - `traefik-internal.yaml`  \n  - `traefik-static.yaml`  \n- Update `cookie_secret` variable in `headplane-config.yaml` using 32 random characters  \n- Update `restart.sh` script with your values for:  \n  - **`FOLDER_FOR_YAMLS`**=/docker \u0026nbsp;  \u0026nbsp;  \u0026nbsp;  \u0026nbsp;  \u0026nbsp;  \u0026nbsp;  \u0026nbsp;  \u0026nbsp; # \u003c-- Folder where the yaml and .env files are located  \n- Enable execution of shell scripts with `sudo chmod 775 *sh`  \n\nStart your MediaStack with `./restart.sh`  \n\n\u003e NOTE: The `restart.sh` script reads the variables in the `.env` environment file, then does most of the configuration / management for you - it will tell you if you have issues.  \n\nThe Postgresql server still needs some minor configuration to complete the MediaStack deployment:  \n\n- Set access permissions on Authentik Postgresql database with `./secure_authentik_database.sh` script  \n- Set up Guacamole Postgresql database and access permissions with `./create_guacamole_database.sh` script  \n\nRestart MediaStack again after changes with `./restart.sh`  \n\n\u003c/br\u003e\n\n## Starting / Maintaining MediaStack\n\nTo start MediaStack, you first need to configure all of the files for your system... i.e. variables for storage locations and docker user id. Then you can start your stack with the following commands:\n\n``` bash\nsudo chmod 775 *sh\n./restart.sh\n```\n\nThe `restart.sh` script will:\n\n- **Reads** the variables and values saved in the `.env` environment file to manage the MediaStack using your configuration.  
\n\n- **Creates** folder structure for all of the persistent storage data, and for your download / media files.  \n\n- **Permissions** are set on all files and directories for the persistent data and download / media files.\n\n- **Validates** configuration of the `docker-compose.yaml` and `.env` files for errors to ensure MediaStack will start before shutting down the running containers.  \n\n- **Download** all of the Docker images needed to run MediaStack, if there are newer Docker images on the internet (than on your Docker host), then it will download the `latest` images from the Internet.  \n\n- **Shutdown** all running Docker applications and forcibly purge all **non-persistent** Docker containers, volumes, and networks (MediaStack stores all persistent data in the storage locations from the configuration files to survive reboots / system failure).  \n\n- **Moves** all of the configuration files you downloaded / edited, into the correct working locations within the persistent data storage directories.  \n\n- **Restart** all Docker containers. If newer images were downloaded during the restart, then they will be used and the application will use the same persistent data volumes.  \n\n- **Purge** all Docker images that are not presently being used after the restart. This will delete the older / unused images after newer images have been downloaded.  \n\n\u003e NOTE: The **`restart.sh`** script was written to be the most effective / efficient way to easily deploy and update the MediaStack with new releases, and is recommended for new users.  
\n\n``` bash\n./secure_authentik_database.sh\n```\n\nThe `secure_authentik_database.sh` script will secure the active Authentik database in Postgresql with a database username and password.\n\n``` bash\n./create_guacamole_database.sh\n```\n\nThe `create_guacamole_database.sh` script will create the new database and schema in Postgresql for Guacamole and secure the database with a username and password.\n\n\u003e NOTE: The **`secure_authentik_database.sh`** and **`create_guacamole_database.sh`** scripts are mainly used during initial setup of MediaStack, and are intended for one-time use.\n\n\u003c/br\u003e\n\n## Check Status of VPN Connection\n\nThe MediaStack project focuses on **Security** and **Privacy** as some of the basic networking concepts, and uses the Gluetun Docker application to encrypt your network traffic as it passes across the Internet.\n\nIf you are having network connectivity issues, or would like to check the network status of your Docker applications, there are several commands / checks that you can perform to check on connection status.\n\n- Check running Docker processes:\n\n``` bash\nsudo docker ps\n```\n\n- Check IP Addresses of containers in the \"mediastack\" network:\n\n``` bash\nsudo docker network inspect mediastack | grep -E '(\"Name\"|IPv4)'\n```\n\n- Connect to Gluetun Docker container and check the IP Address:\n\n``` bash\nsudo docker exec gluetun /bin/sh -c \"wget -qO- ifconfig.io\"\n```\n\n- Use the following command to connect to the Docker application and start a shell CLI:\n\n``` bash\nsudo docker exec -it gluetun /bin/sh\n```\n\n- Use the following web links to check your own IP Address, and the location of the VPN IP Address:\n\n  - [https://ifconfig.io](https://ifconfig.io)  \n  - [https://iplocation.net](https://iplocation.net)  \n\n\u003c/br\u003e  \n\n\u003e **REMEMBER:**   If the Gluetun container is not running, or the VPN connection is down, then all Docker containers behind the Gluetun VPN container will stop 
passing network traffic.  \n\n\u003c/br\u003e\n\n## How To Access The Applications In Home Network\n\nUnderstanding how to access the Docker applications within your own home network can be a confusing concept for those new to Docker, more so when some of the Docker applications are hidden behind other Docker applications, such as Gluetun.  \n\nImagine the following deployment scenario:  \n\n- **User 1** has deployed their Docker applications using the \"**Mini Download VPN**\" YAML files, so only the qBittorrent container is using the Gluetun VPN to encrypt network traffic to the Internet. Therefore, **User 1** accesses the **Jellyfin** application directly, with the URL of: **\u003chttp://jellyfin:8096\u003e**.  \n\n- **User 2** has deployed their Docker applications using the \"**Full Download VPN**\" YAML files, which has all of the \"Media Player\" and \"Downloading\" Docker containers connecting to the Internet through the Gluetun VPN, encrypting all network traffic. Therefore, **User 2** accesses the **Jellyfin** application by using the Gluetun container, which then uses port-redirection to forward the network traffic into Jellyfin. This URL will be: **\u003chttp://gluetun:8096\u003e**.  \n\nThe YAML configuration files are already set up to do all the network firewalling, port forwarding, and VPN connections as standard. All that most people will need to do is update the **`docker-compose.env`** file, and update all the IP Addresses and VPN login details for your own environment.  
\n\n\u003c/br\u003e\n\u003ccenter\u003e\n\n``` mermaid\nflowchart TB\n  subgraph HomeNet[\"Home Network\"]\n    user1\n    user2\n    NIC\n    subgraph DockerNet[\"Docker Network\"]\n      Gluetun\n      Jellyfin\n      Label@{ label: \"\u003cdiv style=\\\"color:\\\"\u003e\u003cspan style=\\\"color:\\\"\u003eIP Subnet: 172.28.10.0/24\u003c/span\u003e\u003c/div\u003e\" }\n    end\n  Gluetun\n  end\n\n  user1     user1_NIC@         -- Port\u003c/br\u003e8096 --- NIC\n  user2     user2_NIC@         -- Port\u003c/br\u003e8096 --- NIC\n  NIC       NIC_Jellyfin@      --- Jellyfin\n  NIC       NIC_Gluetun@       --- Gluetun\n  Gluetun   Gluetun_Jellyfin@  --- Jellyfin\n\n  user1[\"😊 User 1\"]\n  user2[\"😊 User 2\"]\n  NIC[\"Network Adapter\u003cp\u003e192.168.1.10\"]\n  Gluetun[\"Gluetun HTTP:8096\"]\n  Jellyfin[\"Jellyfin HTTP:8096\"]\n  \n  style user1     stroke:#2962FF,   stroke-width:2px\n  style user2     stroke:#2962FF,   stroke-width:2px\n  style NIC       stroke:#2962FF,   stroke-width:2px\n  style Gluetun   stroke:#2962FF,   stroke-width:2px\n  style Jellyfin  stroke:#2962FF,   stroke-width:2px\n\n  linkStyle 0     stroke:red,       stroke-width:2px,  stroke-dasharray:5\n  linkStyle 1     stroke:green,     stroke-width:2px,  stroke-dasharray:5\n  linkStyle 2     stroke:red,       stroke-width:2px,  stroke-dasharray:5\n  linkStyle 3     stroke:green,     stroke-width:2px,  stroke-dasharray:5\n  linkStyle 4     stroke:green,     stroke-width:2px,  stroke-dasharray:5\n\n  user1_NIC@{        animation: slow }\n  user2_NIC@{        animation: fast }\n  NIC_Jellyfin@{     animation: slow }\n  NIC_Gluetun@{      animation: fast }\n  Gluetun_Jellyfin@{ animation: fast }\n```\n\n\u003c/center\u003e\n\u003c/br\u003e\u003c/br\u003e\n\nThe network settings for your home network, and the Docker network, can be adjusted in the **`.env`** file. 
Likewise, if the Gluetun container is routing outbound VPN traffic for any of the Docker applications, it can also accept inbound network traffic and re-route the traffic to any of the Docker containers connected to the Gluetun VPN, based on the port redirect rules in the Gluetun YAML file.\n\nThe VPN security and the inbound redirection to the Gluetun-attached Docker applications have already been configured in the YAML files. Most users should just need to adjust the **`.env`** file to suit their network IP addressing, then deploy the applications using the **`./restart.sh`** script.\n\n\u003c/br\u003e\n\n## How Are The Filesystems Mapped Between The Docker Application And The Host Computer ?\n\nAll of the filesystems are automatically mapped between your host computer's hard drives, and the virtual drives within the Docker containers. The filesystem mapping is configured in all of the YAML configuration files, so the Docker applications use the same folder structure.\n\nYou will need to set up the following variables in the **`.env`** environment configuration file, so the Docker applications can connect to the media / data storage on the local computer.\n\n``` bash\nFOLDER_FOR_MEDIA=/your-media-folder       # Change to where you want your media to be stored\nFOLDER_FOR_DATA=/your-app-configs         # Change to where you want your container configurations to be stored\n```\n\nThe **`FOLDER_FOR_MEDIA`** variable can be either Linux, Windows, MacOS, Synology, or NFS filesystems, and is the location for all of the **media storage, and transient download files** being used by the Bittorrent and Usenet applications. The filesystem mapping and directory structure between the Docker host computer, and the Docker applications, is shown in the folder structure below.  \n\nThe **`FOLDER_FOR_DATA`** variable can also be either Linux, Windows, MacOS, Synology, or NFS filesystems, and is the **configuration storage** for all of the Docker applications. 
Docker will store the running configuration of each of the Docker applications, into their own directory, inside the **`FOLDER_FOR_DATA`** directory.  \n\nThe **`restart.sh`** script will automatically create the directory structure below, based on the values you add in the **`.env`** file.  \n\n``` { .text .no-copy }\n    $ tree $FOLDER_FOR_MEDIA\n\n    ⠀⠀⠀⠀⠀Docker Host Computer:⠀⠀⠀⠀⠀⠀⠀⠀⠀Inside Docker Containers:\n    ├── /FOLDER_FOR_MEDIA   ⠀       ├── /data\n    ⠀⠀⠀⠀⠀├── media                  ⠀⠀⠀⠀├── media        \u003c-- Media is stored / managed under this folder\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── anime                 │⠀⠀⠀⠀├── anime       \u003c-- Sonarr Media Library Manager\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── audio                 │⠀⠀⠀⠀├── audio       \u003c-- Lidarr Media Library Manager\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── books                 │⠀⠀⠀⠀├── books       \u003c-- Readarr Media Library Manager\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── comics                │⠀⠀⠀⠀├── comics      \u003c-- Mylar Media Library Manager\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── movies                │⠀⠀⠀⠀├── movies      \u003c-- Radarr Media Library Manager\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── music                 │⠀⠀⠀⠀├── music       \u003c-- Lidarr Media Library Manager\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── photos                │⠀⠀⠀⠀├── photos      \u003c-- N/A - Add Personal Photos\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── tv                    │⠀⠀⠀⠀├── tv          \u003c-- Sonarr Media Library Manager\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀└── xxx                   │⠀⠀⠀⠀└── xxx         \u003c-- Whisparr Media Library Manager\n    ⠀⠀⠀⠀⠀├── torrents               ⠀⠀⠀⠀├── torrents     \u003c-- Folder for Torrent Downloads Data\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── anime                 │⠀⠀⠀⠀├── anime       \u003c-- Anime Category (Sonarr)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── audio                 │⠀⠀⠀⠀├── audio       \u003c-- Audio Category (Lidarr)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── books                 │⠀⠀⠀⠀├── books       \u003c-- Book Category (Readarr)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── comics                │⠀⠀⠀⠀├── comics      \u003c-- Comic Category (Mylar)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── complete              
│⠀⠀⠀⠀├── complete    \u003c-- Completed / General Downloads\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── console               │⠀⠀⠀⠀├── console     \u003c-- Comic Category (Manual DL)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── incomplete            │⠀⠀⠀⠀├── incomplete  \u003c-- Incomplete / Working Downloads\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── movies                │⠀⠀⠀⠀├── movies      \u003c-- Movie Category (Radarr)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── music                 │⠀⠀⠀⠀├── music       \u003c-- Music Category (Lidarr)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── prowlarr              │⠀⠀⠀⠀├── prowlarr    \u003c-- Uncategorised Downloads from Prowlarr\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── software              │⠀⠀⠀⠀├── software    \u003c-- Software Category (Manual DL)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── tv                    │⠀⠀⠀⠀├── tv          \u003c-- TV Series (Sonarr)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀└── xxx                   │⠀⠀⠀⠀└── xxx         \u003c-- Adult / XXX Category (Whisparr)\n    ⠀⠀⠀⠀⠀├── usenet                 ⠀⠀⠀⠀├── usenet       \u003c-- Folder for Usenet Downloads Data\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── anime                 │⠀⠀⠀⠀├── anime       \u003c-- Anime Category (Sonarr)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── audio                 │⠀⠀⠀⠀├── audio       \u003c-- Audio Category (Lidarr)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── books                 │⠀⠀⠀⠀├── books       \u003c-- Book Category (Readarr)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── comics                │⠀⠀⠀⠀├── comics      \u003c-- Comic Category (Mylar)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── complete              │⠀⠀⠀⠀├── complete    \u003c-- Completed / General Downloads\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── console               │⠀⠀⠀⠀├── console     \u003c-- Comic Category (Manual DL)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── incomplete            │⠀⠀⠀⠀├── incomplete  \u003c-- Incomplete / Working Downloads\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── movies                │⠀⠀⠀⠀├── movies      \u003c-- Movie Category (Radarr)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── music                 │⠀⠀⠀⠀├── music       \u003c-- Music Category (Lidarr)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── prowlarr              │⠀⠀⠀⠀├── prowlarr    \u003c-- Uncategorised Downloads from Prowlarr\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── software              │⠀⠀⠀⠀├── software    
\u003c-- Software Category (Manual DL)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀├── tv                    │⠀⠀⠀⠀├── tv          \u003c-- TV Series (Sonarr)\n    ⠀⠀⠀⠀⠀│⠀⠀⠀⠀└── xxx                   │⠀⠀⠀⠀└── xxx         \u003c-- Adult / XXX Category (Whisparr)\n    ⠀⠀⠀⠀⠀├── watch                  ⠀⠀⠀⠀└── watch       \u003c-- Add .nzb and .torrent files for manual download\n    ⠀⠀⠀⠀⠀│\n    ⠀⠀⠀⠀⠀│    ⠀⠀⠀⠀⠀    ⠀⠀⠀⠀⠀    ⠀⠀⠀ ⠀⠀      Below Folders Only Mapped To Filebot Container\n    ⠀⠀⠀⠀⠀└── filebot               ├── /filebot\n    ⠀⠀⠀⠀⠀ ⠀⠀⠀⠀├── input                 ├── input      \u003c-- Add Files Here for Renaming by Filebot\n    ⠀⠀⠀⠀⠀ ⠀⠀⠀⠀└── output                └── output     \u003c-- Files Moved Here After Renaming by Filebot\n```\n\n\u003c/br\u003e\n\n## Secure Remote Network Access\n\nAll Docker configurations are designed to allow secure remote access to your applications while away from home. The network diagram below illustrates a secure architecture built on Docker, Traefik, Authentik, CrowdSec, Cloudflare DNS, and MFA. This setup ensures that only users you explicitly authorise can access internal Docker-based services from the Internet.  \n\nAt the core is your Docker infrastructure, typically running on subnet 172.28.10.0/24 (customisable as needed). Multiple applications are hosted as Docker containers within this network. Once remotely authenticated, users are granted access to Heimdall, Homarr, or Homepage—these serve as landing page portals, providing easy navigation to other internal applications.  \n\nIncoming remote connections are routed through Traefik, which acts as a reverse proxy and terminates SSL using a valid digital certificate to secure all HTTPS sessions. Traefik intercepts all requests and forwards them to the appropriate internal service. CrowdSec analyses incoming traffic against threat intelligence feeds and blocks requests from sources identified as malicious or suspicious.  
\n\nThis architecture provides a secure, scalable, and manageable solution for remote access. Only authorised, authenticated users can reach your internal applications, with threat detection and strong access controls in place—balancing security with ease of use.  \n\n\u003c/br\u003e\n\n\u003ccenter\u003e\n\n``` mermaid\nflowchart LR\n  subgraph subGraph0[\"Internet Zone\"]\n    goodguy[\"😊 Good Guys\"]\n    badguy[\"🕵 Bad Guys\"]\n  end\n  subgraph subGraph1[\"Reverse Proxy Layer\"]\n    traefik[\"🛡️Traefik\"]\n    crowdsec[\"🔍 CrowdSec\"]\n  end\n  subgraph subGraph2[\"Auth Layer\"]\n    auth[\"🛂 Authentik\"]\n  end\n  subgraph subGraph3[\"Internal Web Applications\"]\n    webauth[\"👮‍♂️ Web Apps\u003cp\u003eAuth / SSO / MFA\u003c/p\u003e\"]\n    webapp[\"🖥️ Web Apps\"]\n  end\n\n  block[\"💥 Access Blocked\"]\n  goodguy  goodguy_traefik@     -- 1 ---\u003e traefik\n  badguy   badguy_traefik@      -- 1 ---\u003e traefik\n  traefik  traefik_crowdsec_0@  -- 2 ---\u003e crowdsec\n  traefik  traefik_crowdsec_1@  -- 2 ---\u003e crowdsec\n  crowdsec crowdsec_traefik_0@  -- 3 ---\u003e traefik\n  crowdsec crowdsec_traefik_1@  -- 3 ---\u003e traefik\n  traefik  traefik_block@       -- 4 ---\u003e block\n  traefik  traefik_webauth@     -- 4 ---\u003e webauth\n  webauth  webauth_auth@        -- 5 ---\u003e auth\n  auth     auth_webauth_0@      -- 6 ---\u003e webauth\n  auth     auth_webauth_1@      -- 6 ---\u003e webauth\n  webauth  webauth_webapp@      -- 7 ---\u003e webapp\n  webauth  webauth_block@       -- 7 --\u003e  block\n  crowdsec ~~~~ auth\n\n  style goodguy   stroke:green,        stroke-width:2px\n  style badguy    stroke:brown,        stroke-width:2px\n  style traefik   stroke:blue,         stroke-width:2px\n  style crowdsec  stroke:blue,         stroke-width:2px\n  style auth      stroke:orange,       stroke-width:2px\n  style webauth   stroke:orange,       stroke-width:2px\n  style webapp    stroke:green,        stroke-width:2px\n  style block     
stroke:brown,        stroke-width:2px\n  linkStyle 0     stroke:green,        stroke-width:2px\n  linkStyle 1     stroke:red,          stroke-width:2px,  stroke-dasharray:5\n  linkStyle 2     stroke:green,        stroke-width:2px\n  linkStyle 3     stroke:red,          stroke-width:2px,  stroke-dasharray:5\n  linkStyle 4     stroke:green,        stroke-width:2px\n  linkStyle 5     stroke:red,          stroke-width:2px,  stroke-dasharray:5\n  linkStyle 6     stroke:red,          stroke-width:2px,  stroke-dasharray:5\n  linkStyle 7     stroke:green,        stroke-width:2px\n  linkStyle 8     stroke:green,        stroke-width:2px\n  linkStyle 9     stroke:green,        stroke-width:2px\n  linkStyle 10    stroke:red,          stroke-width:2px,  stroke-dasharray:5\n  linkStyle 11    stroke:green,        stroke-width:2px\n  linkStyle 12    stroke:red,          stroke-width:2px,  stroke-dasharray:5\n\n  goodguy_traefik@{    animation: fast }\n  badguy_traefik@{     animation: slow }\n  traefik_crowdsec_0@{ animation: fast }\n  traefik_crowdsec_1@{ animation: slow }\n  crowdsec_traefik_0@{ animation: fast }\n  crowdsec_traefik_1@{ animation: slow }\n  traefik_block@{      animation: slow }\n  traefik_webauth@{    animation: fast }\n  webauth_auth@{       animation: fast }\n  auth_webauth_0@{     animation: fast }\n  auth_webauth_1@{     animation: slow }\n  webauth_webapp@{     animation: fast }\n  webauth_block@{      animation: slow }\n \n```\n\n\u003c/br\u003e\n\n| Step:  | Component:   | Action:                                                                                                  |\n|:------:|--------------|----------------------------------------------------------------------------------------------------------|\n|   1    | User         | Sends HTTPS web request to Docker web application via Traefik.                                           |\n|   2    | Traefik      | Reverse proxy receives HTTPS request and requests threat intelligence check.             
                |\n|   3    | CrowdSec     | Threat analysis identifies traffic as good or bad and notifies Traefik.                                  |\n|   4    | Traefik      | Bad traffic is blocked by the Traefik bouncer plugin; good traffic continues toward the web application. |\n|   5    | Web Auth     | ForwardAuth middleware intercepts request, delegates authentication / authorisation to Authentik.        |\n|   6    | Authentik    | Authenticates user (including MFA) and grants access if user is authorised.                              |\n|   7    | Web App      | Allows or blocks access based on Authentik permissions and application-level access controls.            |\n\n\u003c/center\u003e\n\u003c/br\u003e\u003c/br\u003e\n\n## Tailscale Mesh Network Access\n\nMediaStack also supports secure remote access via a Tailscale mesh network, providing direct, encrypted connectivity between approved devices and internal Docker applications. The architecture leverages Headscale (an open-source Tailscale coordination server) and Headplane (web UI for Headscale) to manage device enrollment, key exchange, and mesh configuration independently of Tailscale’s commercial cloud.\n\nAuthorised users install the Tailscale client on their devices, which automatically establish secure peer-to-peer tunnels to the Docker network. These tunnels operate over the internal subnet (typically 172.28.10.0/24, but configurable as needed), allowing seamless, private access to internal applications - even when outside the home or office.\n\nAll mesh connections are authenticated and managed through Headscale, ensuring that only devices you approve can participate in the network. Traffic is encrypted end-to-end using WireGuard, and access can be further restricted with network ACLs and exit nodes if required. 
The result is a secure, manageable, and flexible remote access solution - removing the need for traditional VPNs, exposing minimal attack surface, and retaining full control over your access policy.\n\n\u003ccenter\u003e\n\n``` mermaid\nflowchart LR\n  subgraph subGraph0[\"Internet Zone\"]\n    client[\"😊 Tailscale Client\"]\n    badguy[\"🕵 Bad Guys\"]\n  end\n  subgraph subGraph1[\"Reverse Proxy Layer\"]\n    traefik[\"🛡️Traefik\"]\n    crowdsec[\"🔍 CrowdSec\"]\n  end\n  subgraph subGraph2[\"Tailscale Meshed Network\"]\n    traefik    traefik_headscale@    -- 4 ---  headscale\n    headplane  headplane_headscale@  -- 8 ---  headscale\n    direction TB\n    headplane[\"✈️ Headplane\u003cbr\u003e( Headscale WebUI )\"]\n    headscale[\"🖧 Headscale\u003cbr\u003e( Coordination Server )\"]\n    tailscale[\"🛡️ Tailscale\u003cbr\u003e( Exit-Node )\"]\n  end\n  subgraph subGraph3[\"Internal Web Applications\"]\n    headscale\n    webapp[\"🖥️ Web Apps\"]\n  end\n\n  block[\"💥 Access Blocked\"]\n  exit[\"🌐 Exit-Node\u003cp\u003eNetwork Exit\"]\n  client     client_traefik@       -- 1 ---  traefik\n  badguy     badguy_traefik@       -- 1 ---  traefik\n  traefik    traefik_crowdsec_0@   -- 2 ---- crowdsec\n  traefik    traefik_crowdsec_1@   -- 2 ---- crowdsec\n  crowdsec   crowdsec_traefik_0@   -- 3 ---- traefik\n  crowdsec   crowdsec_traefik_1@   -- 3 ---- traefik\n  traefik    traefik_block@        -- 4 ---  block\n  headscale  headscale_tailscale@  -- 5 ---  tailscale\n  headscale  headscale_block@      -- 5 ---  block\n  tailscale  tailscale_webapp@     -- 6 ---  webapp\n  tailscale  tailscale_exit@       -- 7 ---  exit\n  crowdsec                         ~~~       headplane\n\n  style client     stroke:green,        stroke-width:2px\n  style badguy     stroke:brown,        stroke-width:2px\n  style traefik    stroke:blue,         stroke-width:2px\n  style crowdsec   stroke:blue,         stroke-width:2px\n  style headplane  stroke:orange,       stroke-width:2px\n  style 
headscale  stroke:orange,       stroke-width:2px\n  style webapp     stroke:green,        stroke-width:2px\n  style block      stroke:brown,        stroke-width:2px\n  style tailscale  stroke:orange,       stroke-width:2px\n  style exit       stroke:green,        stroke-width:2px\n\n  linkStyle 0      stroke:green,        stroke-width:2px\n  linkStyle 1      stroke:green,        stroke-width:2px\n  linkStyle 2      stroke:green,        stroke-width:2px\n  linkStyle 3      stroke:red,          stroke-width:2px\n  linkStyle 4      stroke:green,        stroke-width:2px\n  linkStyle 5      stroke:red,          stroke-width:2px\n  linkStyle 6      stroke:green,        stroke-width:2px\n  linkStyle 7      stroke:red,          stroke-width:2px\n  linkStyle 8      stroke:red,          stroke-width:2px\n  linkStyle 9      stroke:green,        stroke-width:2px\n  linkStyle 10     stroke:red,          stroke-width:2px\n  linkStyle 11     stroke:green,        stroke-width:2px\n  linkStyle 12     stroke:green,        stroke-width:2px\n  linkStyle 13     stroke:transparent\n\n  client_traefik@{       animation: fast }\n  badguy_traefik@{       animation: slow }\n  traefik_crowdsec_0@{   animation: fast }\n  traefik_crowdsec_1@{   animation: slow }\n  crowdsec_traefik_0@{   animation: fast }\n  crowdsec_traefik_1@{   animation: slow }\n  traefik_headscale@{    animation: fast }\n  traefik_block@{        animation: slow }\n  headplane_headscale@{  animation: fast }\n  headscale_tailscale@{  animation: fast }\n  headscale_block@{      animation: slow }\n  tailscale_webapp@{     animation: fast }\n  tailscale_exit@{       animation: fast }\n```\n\n\u003c/br\u003e\u003c/br\u003e\n\n| Step:  | Component:       | Action:                                                                                |\n|:------:|------------------|----------------------------------------------------------------------------------------|\n|   1    | Tailscale Client | Sends network request via Traefik 
reverse proxy.                                       |\n|   2    | Traefik          | Receives network request and submits for threat intelligence check.                    |\n|   3    | CrowdSec         | Analyses request for threats and informs Traefik to allow or block the request.        |\n|   4    | Traefik          | Allowed request is forwarded to Headscale coordination server.                         |\n|   5    | Headscale        | Coordinates device registration, key exchange, and mesh networking via Tailscale.      |\n|   6    | Tailscale        | Requests for Docker Web Applications are sent to the relevant web port on Docker host. |\n|   7    | Tailscale        | Requests for Internet services are routed out via your home Internet connection.       |\n|   8    | Headplane        | Provides Web UI/API for managing Headscale - Manages users, devices, routes and ACLs.  |\n\n\u003c/center\u003e\n\u003c/br\u003e\u003c/br\u003e\n\n## Configure Headscale / Tailscale / Headplane\n\nReplace all instances of `example.com` in the configuration files with your own domain name  \n\n\u003e NOTE: Tailscale Authkey can't be set in `.env` file until the Headscale container has been deployed after the first restart.  
\n\n## Register Tailscale Exit Node with Headscale\n\nExecute these commands once Headscale has been deployed:  \n\n``` bash\nsudo docker exec -it headscale headscale users create exit-node\nsudo docker exec -it headscale headscale users list\n```\n\nList of users will be displayed showing their \"ID\" number:  \n\n``` bash\nID | Name | Username  | Email | Created            \n1  |      | exit-node |       | 2025-05-17 23:30:00\n```\n\nCreate a PreAuthKey for \"exit-node\" with following command:  \n\n``` bash\nsudo docker exec -it headscale headscale --user 1 preauthkeys create\n```\n\nOutput will display as:\n\n``` bash\n2025-05-18T09:46:34+10:00 TRC expiration has been set expiration=3600000\n4f9e5c04a019273ef6356b3f4c173b2a896749e7364993f5\n```\n\nAdd the authkey to `TAILSCALE_AUTHKEY` in the `.env` file.  \n\nRestart the Tailscale container:  \n\n``` bash\nsudo docker compose restart tailscale\n```\n\nCheck Tailscale exit node has connected and registered with Headscale:  \n\n``` bash\nsudo docker exec -it headscale headscale nodes list\n```\n\nCheck to see if the Tailscale exit node has registered the local / home subnet addresses with the Headscale server:  \n\n``` bash\nsudo docker exec -it headscale headscale nodes list-routes\n```\n\nList of routes for each host will be displayed showing their \"ID\" number:  \n\n``` bash\nID | Hostname  | Approved | Available                                       | Serving (Primary)\n1  | exit-node |          | 0.0.0.0/0, 192.168.1.0/24, 172.28.10.0/24, ::/0 |  \n```\n\nEnable IP routing out of the Tailscale exit node with the following command:  \n\n``` bash\nsudo docker exec -it headscale headscale nodes approve-routes --identifier 1 --routes \"0.0.0.0/0,192.168.1.0/24,172.28.10.0/24,::/0\"\nsudo docker exec -it headscale headscale nodes list-routes\n```\n\nThe IP routes will now be enabled and look like this:  \n\n``` bash\nID | Hostname  | Approved                                        | Available                    
                   | Serving (Primary)  \n1  | exit-node | 0.0.0.0/0, 192.168.1.0/24, 172.28.10.0/24, ::/0 | 0.0.0.0/0, 192.168.1.0/24, 172.28.10.0/24, ::/0 | 192.168.1.0/24, 172.28.10.0/24, 0.0.0.0/0, ::/0\n```\n\n### Register Mobile Tailscale Application with Headscale\n\nYou can now download the official Tailscale application, and when prompted to login, select a custom URL.  \n\nEnter your home Headscale URL: [https://headscale.example.com](https://headscale.example.com)  \n\nWhen you select connect, it will ask if you want to go to the URL, select Yes, then it will show a connection string like  \n\n``` bash\nheadscale nodes register --user USERNAME --key 64LErdY2YcnMdNLNYc6wJJzE\n```\n\nWe need to first create a user account, then register the Tailscale node against that account:  \n\n``` bash\nsudo docker exec -it headscale headscale users create alice\nsudo docker exec -it headscale headscale nodes register --user alice --key 64LErdY2YcnMdNLNYc6wJJzE\n```\n\nThe Tailscale will now automatically connect with the Headscale server, which can be checked with commands:  \n\n``` bash\nsudo docker exec -it headscale headscale users list\nsudo docker exec -it headscale headscale nodes list\nsudo docker exec -it headscale headscale nodes list-routes\n```\n\nYou can now go to the Tailscale application on your phone, and select `Exit Node` --\u003e `exit-node` and turn on `Allow Local Network Access`.  \n\nYou can also go into the Tailscale application settings on your phone, and turn on `VPN On Demand`, so you always have remote access when away from home.  \n\n### WebUI Managed with Headplane\n\nHeadplane is a WebUI control for Headscale and is accessible at [https://headplane.example.com/admin/](https://headplane.example.com/admin/)    NOTE: \"/\" is needed at the end.  
\n\nYou can generate an API key to connect Headplane to Headscale with:  \n\n``` bash\nsudo docker exec -it headscale headscale apikeys create --expiration 999d\n```\n\nThe API Key can now be used in the Headplane portal:  \n\n``` bash\nxRYtN-G.frqhgHAC3jqLMbBqVTTRwAs2lWxSTeHr\n```\n\nThe API Key can be stored in the Headplane configuration so it's always used without prompting:\n\n``` bash\nvi headplane-config.yaml\n```\n\nUpdate this section:  \n\n``` bash\n  headscale_api_key: \"xRYtN-G.frqhgHAC3jqLMbBqVTTRwAs2lWxSTeHr\"\n```\n\nRestart the MediaStack so the configuration file is copied to the correct location:  \n\n``` bash\n./restart.sh\n```\n\n\u003c/br\u003e\n\n### Additional Support for Headscale / Tailscale / Headplane\n\nYou can head over to any of the websites for further configuration details, or connect to the Discord server and discuss issues with other users:  \n\n- Headscale: [https://headscale.net/stable](https://headscale.net/stable)  \n- Tailscale: [https://tailscale.com](https://tailscale.com)  \n- Headplane: [https://github.com/tale/headplane](https://github.com/tale/headplane)  \n\u003c/br\u003e\n- Support Discord: [https://discord.gg/c84AZQhmpx](https://discord.gg/c84AZQhmpx)  \n\n## Configuring Authentik\n\nAdjust Authentik brand:  \n\n- Admin Interface --\u003e System --\u003e Brands --\u003e Edit \"authentik-default\"  \n- Title: MediaStack - Authentik  \n- Select \"Update\"  \n\nForce MFA for all users:  \n\n- Admin Interface --\u003e Flows and Stages --\u003e Stages --\u003e Edit \"default-authentication-mfa-validation\"  \n- Not configured action: Force the user to configure an authenticator  \n- Selected Stages: default-authentication-login (User Login Stage)  \n- Select \"Update\"  \n\n## Add Application in Authentik\n\nCreate Authentik Application:  \n\n- Admin Interface --\u003e Applications --\u003e Create with Provider  \n- Name: Authentik  \n- Slug: authentik  \n- Launch URL: \u003chttps://auth.example.com\u003e            \u003c-- 
change to your domain  \n  - Open in New Tab: No  \n- Select \"Next\"  \n- Choose A Provider: Proxy Provider  \n- Select \"Next\"  \n- Name: Provider for Authentik  \n- Authorization flow: default-provider-authorization-explicit-consent (Authorize Application)  \n- Select \"Forward auth (domain level)\"  \n- Authentication URL: \u003chttps://auth.example.com\u003e    \u003c-- change to your domain  \n- Cookie domain: example.com                        \u003c-- change to your domain  \n- Advanced flow settings:  \n- Authentication flow: default-authentication-flow (Welcome to authentik!)  \n- Select \"Next\"  \n- Configure Bindings - skip this step  \n- Select \"Next\"  \n- Select \"Submit\"  \n\nAdd application to outposts:  \n\n- Admin Interface --\u003e Applications --\u003e Outposts  \n- Edit: \"authentik Embedded Outpost\"  \n- Update Outpost:  \n- Select \"Authentik\" application in \"Available Applications\" and move across to \"Selected Applications\"  \n- Select \"Update\"  \n\nRestart docker stack:  \n\n``` bash\nsudo docker compose down\nsudo docker compose up -d\n```\n\nor  \n\n``` bash\n./restart.sh\n```\n\nGo to: [https://auth.example.com](https://auth.example.com) \u003c-- change to your domain  \n\n\u003c/br\u003e\n\n## Configure CrowdSec\n\nCreate a CrowdSec account, and obtain your CrowdSec security engine enrolment key from:  \n\n- [https://app.crowdsec.net/security-engines](https://app.crowdsec.net/security-engines)  \n\n``` bash\nsudo docker exec crowdsec cscli console enroll cm1yipaufk0021g1u01fq27s3\nsudo docker exec crowdsec cscli collections install crowdsecurity/base-http-scenarios crowdsecurity/http-cve crowdsecurity/linux crowdsecurity/iptables crowdsecurity/sshd crowdsecurity/traefik crowdsecurity/plex\nsudo docker exec crowdsec cscli parsers install crowdsecurity/syslog-logs crowdsecurity/iptables-logs crowdsecurity/sshd-logs crowdsecurity/traefik-logs crowdsecurity/whitelists\nsudo docker exec crowdsec cscli appsec-configs install 
crowdsecurity/virtual-patching crowdsecurity/appsec-default crowdsecurity/generic-rules\nsudo docker exec crowdsec cscli appsec-rules install crowdsecurity/base-config\nsudo docker exec crowdsec cscli console enable console_management\nsudo docker exec crowdsec cscli capi register\nsudo docker exec crowdsec cscli bouncers add traefik-bouncer\n```\n\nCrowdsec will output the Local API Key (crowdsecLapiKey) for the bouncer:  \n\n``` bash\nAPI key for 'traefik-bouncer':\n\n   8andilX0JKYIu8z+R4imPkIgG+TMdCttAuMaHrsV7ZU\n\nPlease keep this key since you will not be able to retrieve it!\n```\n\nThe CrowdSec Local API Key (crowdsecLapiKey) needs to be added to the Traefik `dynamic.yaml` file:  \n\n``` bash\nsudo vi traefik-dynamic.yaml\n```\n\n``` yaml\n          crowdsecLapiKey: 8andilX0JKYIu8z+R4imPkIgG+TMdCttAuMaHrsV7ZU\n```\n\n``` bash\n./restart.sh\n```\n\nYou must go back to [https://app.crowdsec.net/security-engines](https://app.crowdsec.net/security-engines) and approve registration of the new CrowdSec docker engine into the online portal.  
\n\nCheck the status of Crowdsec components:  \n\n``` bash\nsudo docker exec crowdsec cscli console status\nsudo docker exec crowdsec cscli collections list\nsudo docker exec crowdsec cscli scenarios list\nsudo docker exec crowdsec cscli parsers list\nsudo docker exec crowdsec cscli bouncers list\nsudo docker exec crowdsec cscli alerts list\nsudo docker exec crowdsec cscli metrics\n\n\nsudo docker exec crowdsec cscli appsec-configs list\nsudo docker exec crowdsec cscli appsec-rules list\n```\n\nCrowdsec will display the following output:  \n\n``` bash\n+--------------------+-----------+------------------------------------------------------+\n| Option Name        | Activated | Description                                          |\n+--------------------+-----------+------------------------------------------------------+\n| custom             | ✅        | Forward alerts from custom scenarios to the console  |\n| manual             | ✅        | Forward manual decisions to the console              |\n| tainted            | ✅        | Forward alerts from tainted scenarios to the console |\n| context            | ✅        | Forward context with alerts to the console           |\n| console_management | ✅        | Receive decisions from console                       |\n+--------------------+-----------+------------------------------------------------------+\n-------------------------------------------------------------------------------------------------------------\n COLLECTIONS                                                                                                 \n-------------------------------------------------------------------------------------------------------------\n Name                               📦 Status    Version  Local Path                                         \n-------------------------------------------------------------------------------------------------------------\n crowdsecurity/base-http-scenarios  ✔️  enabled  1.0      
/etc/crowdsec/collections/base-http-scenarios.yaml \n crowdsecurity/http-cve             ✔️  enabled  2.9      /etc/crowdsec/collections/http-cve.yaml            \n crowdsecurity/iptables             ✔️  enabled  0.2      /etc/crowdsec/collections/iptables.yaml            \n crowdsecurity/linux                ✔️  enabled  0.2      /etc/crowdsec/collections/linux.yaml               \n crowdsecurity/plex                 ✔️  enabled  0.1      /etc/crowdsec/collections/plex.yaml                \n crowdsecurity/sshd                 ✔️  enabled  0.5      /etc/crowdsec/collections/sshd.yaml                \n crowdsecurity/traefik              ✔️  enabled  0.1      /etc/crowdsec/collections/traefik.yaml             \n-------------------------------------------------------------------------------------------------------------\n--------------------------------------------------------------------------------------------------------------\n PARSERS                                                                                                      \n--------------------------------------------------------------------------------------------------------------\n Name                            📦 Status    Version  Local Path                                             \n--------------------------------------------------------------------------------------------------------------\n crowdsecurity/cri-logs          ✔️  enabled  0.1      /etc/crowdsec/parsers/s00-raw/cri-logs.yaml            \n crowdsecurity/dateparse-enrich  ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml \n crowdsecurity/docker-logs       ✔️  enabled  0.1      /etc/crowdsec/parsers/s00-raw/docker-logs.yaml         \n crowdsecurity/geoip-enrich      ✔️  enabled  0.5      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml     \n crowdsecurity/http-logs         ✔️  enabled  1.3      /etc/crowdsec/parsers/s02-enrich/http-logs.yaml        \n crowdsecurity/iptables-logs     ✔️  enabled  0.5  
    /etc/crowdsec/parsers/s01-parse/iptables-logs.yaml     \n crowdsecurity/plex-allowlist    ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/plex-allowlist.yaml   \n crowdsecurity/sshd-logs         ✔️  enabled  2.9      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml         \n crowdsecurity/syslog-logs       ✔️  enabled  0.8      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml         \n crowdsecurity/traefik-logs      ✔️  enabled  0.9      /etc/crowdsec/parsers/s01-parse/traefik-logs.yaml      \n crowdsecurity/whitelists        ✔️  enabled  0.3      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml       \n--------------------------------------------------------------------------------------------------------------\n-----------------------------------------------------------------------------\n Name             IP Address  Valid  Last API pull  Type  Version  Auth Type \n-----------------------------------------------------------------------------\n traefik-bouncer              ✔️                                   api-key   \n-----------------------------------------------------------------------------\nNo active alerts\n------------------------------------------------------------------------------------------------------\n APPSEC-CONFIGS                                                                                       \n------------------------------------------------------------------------------------------------------\n Name                          📦 Status    Version  Local Path                                       \n------------------------------------------------------------------------------------------------------\n crowdsecurity/appsec-default  ✔️  enabled  0.2      /etc/crowdsec/appsec-configs/appsec-default.yaml \n crowdsecurity/generic-rules   ✔️  enabled  0.3      /etc/crowdsec/appsec-configs/generic-rules.yaml  
\n------------------------------------------------------------------------------------------------------\n----------------------------------------------------------------------------------------------\n APPSEC-RULES                                                                                 \n----------------------------------------------------------------------------------------------\n Name                       📦 Status    Version  Local Path                                  \n----------------------------------------------------------------------------------------------\n crowdsecurity/base-config  ✔️  enabled  0.1      /etc/crowdsec/appsec-rules/base-config.yaml \n----------------------------------------------------------------------------------------------\n```\n\n## WebUI Management For Docker - Portainer  \n\nManaging Docker via the CLI can be complex and challenging, especially for users who are not familiar with command-line syntax and operations. The CLI requires precise commands and a good understanding of Docker’s functionalities, which can be time-consuming and prone to errors.  \n\nMediaStack includes the \"**Community Edition**\" of Portainer, which offers a user-friendly alternative to CLI, by providing a graphical web application to manage Docker environments. With Portainer, users can easily deploy, configure, and monitor Docker containers through an intuitive interface. This reduces the complexity and learning curve associated with the CLI, making Docker management accessible and efficient for both beginners and experienced users. Portainer simplifies Docker operations, enhances productivity, and improves overall user experience.  
\n\nYou can access your Portainer instance at: [http://localhost:9000](http://localhost:9000)  \n\n\u003c/br\u003e  \n\n## Piracy Notice  \n\nUsing Docker to deploy the applications in the MediaStack is a great way to store, manage, and access your digital media that you own, or have legally acquired, and particularly when dealing with the digital media your children are exposed to. Docker allows easy deployment, updates, and maintenance, ensuring optimal performance without system interference.  \n\nWe strongly emphasise the ethical and legal use of technology, advocating for managing media that users have rights to, such as purchased copies. Our community does not condone or tolerate piracy or related discussions. Piracy violates intellectual property laws and undermines content creators. Our forums focus on supporting users in managing their media content legally and responsibly.  \n\nBy respecting legal guidelines and content creators' rights, we ensure a supportive, ethical community dedicated to lawful media management.  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgeekau%2Fmediastack","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgeekau%2Fmediastack","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgeekau%2Fmediastack/lists"}