homelab/docs/index.md

# Portainer — Homelab Documentation

> Generated: 2026-04-02
> Source: <https://portainer.home.jens.pub>

---

## Instance Overview

| Property       | Value                             |
| -------------- | --------------------------------- |
| Edition        | Portainer EE (Enterprise Edition) |
| Image          | `portainer/portainer-ee:lts`      |
| URL            | <https://portainer.home.jens.pub>   |
| Container port | 9443 (HTTPS)                      |
| Uptime         | Running                           |

---

## Portainer Settings

| Setting                 | Value                        |
| ----------------------- | ---------------------------- |
| Authentication          | Internal (username/password) |
| Minimum password length | 12 characters                |
| User session timeout    | 8 hours                      |
| Snapshot interval       | 5 minutes                    |
| Edge compute            | Disabled                     |
| OAuth / LDAP            | Not configured               |

### Users

| Username | Role          |
| -------- | ------------- |
| `jens`   | Administrator |

---

## Environment (Endpoint)

Single environment: **local**

| Property           | Value                         |
| ------------------ | ----------------------------- |
| Type               | Docker standalone             |
| Connection         | `unix:///var/run/docker.sock` |
| Docker version     | 29.3.0                        |
| CPUs               | 6                             |
| Memory             | ~15.5 GB                      |
| Running containers | 3                             |
| Volumes            | 4                             |
| Images             | 7                             |
| Stacks             | 2 (traefik, adguard)          |
| Swarm              | No                            |

### Security Settings

- Bind mounts for regular users: **disabled**
- Privileged mode for regular users: **disabled**
- Host namespace for regular users: **disabled**
- Stack management for regular users: **allowed**

---

## Docker Networks

| Name     | Driver | Scope | Notes                             |
| -------- | ------ | ----- | --------------------------------- |
| `proxy`  | bridge | local | Shared network used by all stacks |
| `bridge` | bridge | local | Docker default                    |
| `host`   | host   | local | Docker default                    |
| `none`   | null   | local | Docker default                    |

The `proxy` network is an **external** bridge network created manually. All services that need Traefik routing must be attached to it.

---

## Running Stacks

| Stack      | Purpose                        | Docs                     |
| ---------- | ------------------------------ | ------------------------ |
| `traefik`     | Reverse proxy + TLS            | [traefik.md](traefik.md)         |
| `adguard`     | DNS ad/tracker blocking        | [adguard.md](adguard.md)         |
| `portainer`   | Container management UI        | [portainer.md](portainer.md)     |
| `vaultwarden` | Password manager               | [vaultwarden.md](vaultwarden.md) |
| `watchtower`  | Automatic image updates        | [watchtower.md](watchtower.md)   |
| `beszel`      | Container & host metrics       | [beszel.md](beszel.md)           |
| `dozzle`      | Container log viewer           | [dozzle.md](dozzle.md)           |
| `rrr`         | Media automation (VPN-routed)  | [rrr.md](rrr.md)                 |
| `jellyfin`    | Media server                   | [jellyfin.md](jellyfin.md)       |

---

## Service Map

```
Internet
   │
   ▼
[Host :80/:443]
   │
   ▼
[traefik:v3.6]  ──── TLS wildcard cert (*.home.jens.pub via Namecheap DNS-01)
   │
   ├── traefik.home.jens.pub    ──→  Traefik dashboard (api@internal)
   ├── adguard.home.jens.pub    ──→  adguard:80 (AdGuard web UI)
   ├── portainer.home.jens.pub  ──→  portainer:9000
   ├── vault.home.jens.pub      ──→  vaultwarden:80 (password manager)
   ├── beszel.home.jens.pub    ──→  beszel:8090 (metrics)
   ├── logs.home.jens.pub      ──→  dozzle:8080 (log viewer)
   ├── sonarr.home.jens.pub    ──→  gluetun→sonarr:8989 (TV, via Mullvad)
   ├── radarr.home.jens.pub    ──→  gluetun→radarr:7878 (movies, via Mullvad)
   ├── prowlarr.home.jens.pub  ──→  gluetun→prowlarr:9696 (indexers, via Mullvad)
   ├── sabnzbd.home.jens.pub   ──→  gluetun→sabnzbd:8080 (Usenet DL, via Mullvad)
   └── jellyfin.home.jens.pub  ──→  jellyfin:8096 (media server)

[adguard/adguardhome]   ──── DNS :53 (TCP/UDP)
[portainer/portainer-ee] ──── Portainer UI :9443

All services share the external `proxy` bridge network.
```

---

## Notes & Considerations

- **Sensitive credentials in stack definitions:** The `traefik` stack has the Namecheap API key and source IP hardcoded in the compose environment. Consider moving these to a `.env` file or Portainer's secret/environment variable management.
- **AdGuard image tag:** Using `latest` — consider pinning to a specific version for reproducibility.
- **Portainer not in a stack:** The Portainer container itself is not managed as a Portainer stack (typical self-managed setup).
- **Access control:** The `traefik` stack is admin-only. The `adguard` stack grants explicit access to user `jens` (ID 1).