add knecht

docs/index.md

@@ -86,6 +86,8 @@ The `proxy` network is an **external** bridge network created manually. All serv
 | `watchtower`  | Automatic image updates        | [watchtower.md](watchtower.md)   |
 | `beszel`      | Container & host metrics       | [beszel.md](beszel.md)           |
 | `dozzle`      | Container log viewer           | [dozzle.md](dozzle.md)           |
+| `rrr`         | Media automation (VPN-routed)  | [rrr.md](rrr.md)                 |
+| `jellyfin`    | Media server                   | [jellyfin.md](jellyfin.md)       |
 
 ---
 
@@ -105,7 +107,12 @@ Internet
    ├── portainer.home.jens.pub  ──→  portainer:9000
    ├── vault.home.jens.pub      ──→  vaultwarden:80 (password manager)
    ├── beszel.home.jens.pub    ──→  beszel:8090 (metrics)
-   └── logs.home.jens.pub      ──→  dozzle:8080 (log viewer)
+   ├── logs.home.jens.pub      ──→  dozzle:8080 (log viewer)
+   ├── sonarr.home.jens.pub    ──→  gluetun→sonarr:8989 (TV, via Mullvad)
+   ├── radarr.home.jens.pub    ──→  gluetun→radarr:7878 (movies, via Mullvad)
+   ├── prowlarr.home.jens.pub  ──→  gluetun→prowlarr:9696 (indexers, via Mullvad)
+   ├── sabnzbd.home.jens.pub   ──→  gluetun→sabnzbd:8080 (Usenet DL, via Mullvad)
+   └── jellyfin.home.jens.pub  ──→  jellyfin:8096 (media server)
 
 [adguard/adguardhome]   ──── DNS :53 (TCP/UDP)
 [portainer/portainer-ee] ──── Portainer UI :9443

docs/jellyfin.md

@@ -0,0 +1,42 @@
+# Jellyfin
+
+**Purpose:** Self-hosted media server for streaming TV and movies from the local library.
+
+| Property     | Value                                                                               |
+| ------------ | ----------------------------------------------------------------------------------- |
+| Image        | `lscr.io/linuxserver/jellyfin:latest`                                               |
+| Web UI       | <https://jellyfin.home.jens.pub>                                                    |
+| Compose file | [`../services/jellyfin/docker-compose.yml`](../services/jellyfin/docker-compose.yml) |
+
+---
+
+## Environment Variables
+
+| Variable      | Description                              |
+| ------------- | ---------------------------------------- |
+| `PUID`        | Host user ID for volume ownership        |
+| `PGID`        | Host group ID for volume ownership       |
+| `TZ`          | Timezone (e.g. `Europe/Berlin`)          |
+| `TV_PATH`     | Host path to TV library                  |
+| `MOVIES_PATH` | Host path to movies library              |
+
+---
+
+## Volumes
+
+| Volume            | Mount             | Purpose                        |
+| ----------------- | ----------------- | ------------------------------ |
+| `jellyfin_config` | `/config`         | Database, metadata, settings   |
+| `jellyfin_cache`  | `/cache`          | Transcoding cache              |
+| `${TV_PATH}`      | `/media/tv:ro`    | TV library (read-only)         |
+| `${MOVIES_PATH}`  | `/media/movies:ro`| Movies library (read-only)     |
+
+Media is mounted read-only — Jellyfin only reads, Sonarr/Radarr manage the files.
+
+---
+
+## Networks
+
+- `proxy` (external) — Traefik routes `jellyfin.home.jens.pub` → port `8096`
+
+Jellyfin is intentionally **not** routed through the VPN — it serves local clients and doesn't need outbound anonymity.

docs/rrr.md

@@ -0,0 +1,84 @@
+# rrr — Media Automation Stack
+
+**Purpose:** Automated media acquisition pipeline (TV + movies) routed entirely through MullvadVPN.
+
+| Service   | Image                                  | Web UI                                   |
+| --------- | -------------------------------------- | ---------------------------------------- |
+| gluetun   | `qmcgaw/gluetun:latest`               | —                                        |
+| Sonarr    | `lscr.io/linuxserver/sonarr:latest`   | <https://sonarr.home.jens.pub>           |
+| Radarr    | `lscr.io/linuxserver/radarr:latest`   | <https://radarr.home.jens.pub>           |
+| Prowlarr  | `lscr.io/linuxserver/prowlarr:latest> | <https://prowlarr.home.jens.pub>         |
+| SABnzbd   | `lscr.io/linuxserver/sabnzbd:latest`  | <https://sabnzbd.home.jens.pub>          |
+| Compose   | [`../services/rrr/docker-compose.yml`](../services/rrr/docker-compose.yml) | |
+
+---
+
+## Architecture
+
+All traffic from this stack is forced through MullvadVPN via **gluetun**. Sonarr, Radarr, Prowlarr, and NZBGet all set `network_mode: service:gluetun`, which means they share gluetun's network namespace. Any outbound connection from these containers exits through the WireGuard tunnel — they have no direct internet access.
+
+```
+Traefik (proxy network)
+   │
+   └── gluetun (proxy network + WireGuard tunnel to Mullvad)
+          │  (shared network namespace via network_mode: service:gluetun)
+          ├── sonarr    :8989  — TV show management
+          ├── radarr    :7878  — Movie management
+          ├── prowlarr  :9696  — Indexer management (feeds Sonarr + Radarr)
+          └── sabnzbd   :8080  — Usenet downloader
+```
+
+Since all four containers share one network namespace, they communicate with each other via `localhost:<port>`. Use these addresses when configuring integrations:
+
+| Connection          | Address                   |
+| ------------------- | ------------------------- |
+| Prowlarr → Sonarr   | `http://localhost:8989`   |
+| Prowlarr → Radarr   | `http://localhost:7878`   |
+| Sonarr → SABnzbd    | `http://localhost:8080`   |
+| Radarr → SABnzbd    | `http://localhost:8080`   |
+
+Traefik labels live on gluetun (not the individual apps) because gluetun is the only container attached to the `proxy` network. Each router explicitly references its service with the correct backend port.
+
+Sonarr, Radarr, and NZBGet all mount the same `DOWNLOADS_PATH` so completed downloads are immediately available for import.
+
+---
+
+## Environment Variables
+
+Set these in Portainer's stack environment variables when deploying.
+
+| Variable               | Description                                                   |
+| ---------------------- | ------------------------------------------------------------- |
+| `WIREGUARD_PRIVATE_KEY` | WireGuard private key from Mullvad account                   |
+| `WIREGUARD_ADDRESSES`   | WireGuard IP assigned by Mullvad (e.g. `10.66.109.243/32`)  |
+| `SERVER_CITIES`         | Optional preferred cities (e.g. `Gothenburg,Stockholm`)      |
+| `PUID`                  | Host user ID for volume file ownership (`id -u`)             |
+| `PGID`                  | Host group ID for volume file ownership (`id -g`)            |
+| `TZ`                    | Timezone (e.g. `Europe/Berlin`)                              |
+| `TV_PATH`               | Host path to TV library                                      |
+| `MOVIES_PATH`           | Host path to movies library                                  |
+| `DOWNLOADS_PATH`        | Host path to NZBGet downloads directory                      |
+
+To get the WireGuard credentials: log in to mullvad.net → Account → WireGuard configuration → Generate key → download the config file. Copy `PrivateKey` and `Address` from that file.
+
+---
+
+## Volumes
+
+| Volume           | Mount                | Purpose                        |
+| ---------------- | -------------------- | ------------------------------ |
+| `gluetun_data`   | `/gluetun`           | gluetun state and cert cache   |
+| `sonarr_config`  | `/config`            | Sonarr database and settings   |
+| `radarr_config`  | `/config`            | Radarr database and settings   |
+| `prowlarr_config`| `/config`            | Prowlarr database and settings |
+| `sabnzbd_config` | `/config`            | SABnzbd config and scripts     |
+| `${TV_PATH}`     | `/tv`                | TV library (Sonarr)            |
+| `${MOVIES_PATH}` | `/movies`            | Movies library (Radarr)        |
+| `${DOWNLOADS_PATH}` | `/downloads`      | Shared download dir (all)      |
+
+---
+
+## Networks
+
+- **gluetun**: `proxy` (external) — only container Traefik can reach
+- **sonarr / radarr / prowlarr / nzbget**: `network_mode: service:gluetun` — no independent network attachment