Compare commits

No commits in common. "main" and "master" have entirely different histories.
main ... master

2971 changed files with 1014 additions and 521052 deletions

@ -1,77 +0,0 @@
name: KiteStacks CI
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
# ── Lint Docker Compose files ──────────────────────────────────────────────
compose-lint:
name: Validate compose files
runs-on: docker
container:
image: docker:27-cli
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install docker compose plugin
run: apk add --no-cache docker-cli-compose
- name: Validate all compose files
run: |
find apps -name "docker-compose.yml" | while read f; do
echo "Checking $f ..."
docker compose -f "$f" config --quiet && echo " OK"
done
# ── Secret leak detection ──────────────────────────────────────────────────
secrets-check:
name: Check for accidental secrets
runs-on: docker
container:
image: alpine:3.20
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Scan for plaintext secrets patterns
run: |
# Fail if any committed file contains common secret patterns
# Add false-positive exclusions via .secretsignore if needed
FAIL=0
check() {
local pattern="$1"
local label="$2"
if git grep -qiP "${pattern}" -- ':!*.md' ':!docs/' ':!.forgejo/' 2>/dev/null; then
echo "FAIL: possible ${label} found"
git grep -ilP "${pattern}" -- ':!*.md' ':!docs/' ':!.forgejo/'
FAIL=1
fi
}
check 'password\s*=\s*["\x27][^"\x27]{8,}' "plaintext password"
check 'secret_?key\s*=\s*["\x27][A-Za-z0-9+/]{32,}' "hardcoded secret key"
check 'TUNNEL_TOKEN\s*=\s*ey' "Cloudflare tunnel token"
check '-----BEGIN.*PRIVATE KEY-----' "private key"
exit ${FAIL}
# ── Shell script checks ────────────────────────────────────────────────────
shellcheck:
name: Shellcheck scripts
runs-on: docker
container:
image: koalaman/shellcheck-alpine:stable
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run shellcheck
run: |
find scripts -name "*.sh" -exec shellcheck {} +
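
Review bot: The private-key check in `secrets-check` cannot fire as written: the pattern `-----BEGIN.*PRIVATE KEY-----` starts with a dash and is passed to `git grep -qiP "${pattern}"` without `-e`, so git parses it as an option, exits non-zero, and `2>/dev/null` hides the error, which `check()` reads as "no match". The same fail-open applies to any other git error, and no step in this job installs git in the `alpine:3.20` container. Pass the pattern with `-e`, drop the `2>/dev/null`, and treat only exit status 1 as "no match". The patterns also require an `=` assignment, so `KEY: value` entries in compose files are not covered. In `compose-lint`, `docker compose -f "$f" config --quiet && echo " OK"` inside the piped `while` loop lets only the last file's result decide the step status; record failures in a variable and exit non-zero after the loop.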

7
.gitignore vendored

@ -1,7 +0,0 @@
# Runtime/container data - do not track live databases or generated app state
apps/**/postgres/
apps/**/db/
apps/**/data/
apps/grafana/data/
apps/karakeep/
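
Review bot: The ignore list covers database and app data directories but has no entry for editor swap files or key material, and this same comparison shows a tracked `.kitestacks_check.py.swp` and a file beginning `-----BEGIN PRIVATE KEY-----`. Add entries such as `*.swp`, `*.key`, `*.pem` and any `.env` file so editor state and generated secrets stay out of the repository.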

BIN
.kitestacks_check.py.swp Normal file

Binary file not shown.

19036
CHANGELOG.md

File diff suppressed because it is too large

@ -1,209 +0,0 @@
# KiteStacks Homelab — Problems We've Seen and How We Fixed Them
Newest problems at the top.
---
## 2026-06-18 — Can't SSH into kscloud1
**What happened:** Trying to connect to the cloud machine (kscloud1) gave a
"Permission denied" error. The SSH key was missing from the machine.
**How we found it:** The error message said `publickey,password` — meaning it tried
the SSH key first and then tried a password, both failed.
**How we fixed it:**
1. Used Hetzner's browser console (like a TV remote for the server) to log in as root
2. Served the SSH public key from monk as a temporary download:
```bash
# On monk — share the key file over a mini web server
cat ~/.ssh/id_ed25519_kscloud1.pub > ~/key.txt
python3 -m http.server 7777 --directory ~/
```
3. Downloaded it from the Hetzner console:
```bash
curl http://MONK_TAILSCALE_IP:7777/key.txt > /root/.ssh/authorized_keys
```
4. If the machine had root SSH login disabled:
```bash
sed -i 's/^#*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
systemctl restart ssh
```
**Why this works:** The Hetzner console bypasses SSH entirely — it's like plugging a
keyboard and monitor directly into the server. So even when SSH is broken, you can still
type commands.
---
## 2026-06-18 — BookStack Login Said "An Error Occurred"
**What happened:** Clicking "Login with Authentik" on the wiki showed a generic error.
No details, no clues — just "An unknown error occurred."
**Why it happened (three problems at once):**
**Problem 1 — Missing setting in BookStack**
BookStack needs `OIDC_ISSUER_DISCOVER=true` to automatically find all the login
endpoints from Authentik. Without it, BookStack can't verify login tokens.
**Problem 2 — Authentik was using the wrong login URL format**
Authentik can either use one shared URL for all apps or a unique URL per app.
BookStack expects a per-app URL. When the wrong type was set, BookStack tried to
download login instructions from a URL that returned an HTML page instead of data,
and then crashed trying to read it.
**Problem 3 — File permission error hidden by BookStack**
Running a setup command inside the BookStack container as root created some folders
that only root could write to. When the normal BookStack process tried to save
a login session, it couldn't — and BookStack showed a generic error instead of
the real one.
**How we fixed it:**
Step 1 — Change Authentik to use per-app URLs (run this once):
```bash
docker run --rm --network host \
-e PGPASSWORD="YOUR_DB_PASSWORD" \
postgres:16 psql -h KSCLOUD1_TAILSCALE_IP -U authentik authentik -c \
"UPDATE authentik_providers_oauth2_oauth2provider SET issuer_mode='per_provider' WHERE provider_ptr_id=PROVIDER_ID;"
```
Step 2 — Make sure BookStack's settings include:
```
OIDC_ISSUER=https://auth.kitestacks.com/application/o/bookstack/
OIDC_ISSUER_DISCOVER=true
```
Step 3 — Fix the file permission problem:
```bash
docker exec bookstack chown -R abc:users /config/www/framework/cache/
```
Step 4 — Restart BookStack:
```bash
docker compose up -d
```
---
## 2026-06-18 — Portainer OAuth Login Couldn't See Any Servers
**What happened:** Logged in through Authentik, got into Portainer, but no environments
(no servers, nothing to manage) were visible.
**Why it happened:** Portainer creates new SSO users as "regular users." Regular users
can't see environments — only admins can. The fix is to create the user as an admin
**before** they log in for the first time.
**How we fixed it:**
Create the user as admin before first login:
```bash
# Get a temporary auth token
TOKEN=$(curl -sk -X POST https://portainer.kitestacks.com/api/auth \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"YOUR_PASSWORD"}' | python3 -c "import sys,json; print(json.load(sys.stdin)['jwt'])")
# Create the user with admin role (role 1 = admin)
curl -sk -X POST "https://portainer.kitestacks.com/api/users" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"username":"user@example.com","role":1}'
```
If they already logged in as a regular user, promote them:
```bash
curl -sk -X PUT "https://portainer.kitestacks.com/api/users/USER_ID" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"role":1}'
```
---
## 2026-06-17 — Three Cloudflare Connectors Instead of Two
**What happened:** The Cloudflare dashboard was showing 3 tunnel connectors when there
should only be 2 (one from monk, one from kscloud1). This caused Authentik logins to
fail randomly — about half the time, the code from the login form would reach the wrong
connector and get rejected.
**Why it happened:** The system's built-in cloudflared service was still running on monk,
alongside the Docker container version. So monk was connecting to Cloudflare twice.
**How we fixed it:**
```bash
sudo systemctl disable --now cloudflared
```
That stopped the duplicate. Now only the Docker container runs.
After fixing: verified only 2 connectors in Cloudflare Zero Trust → Networks → Tunnels.
---
## 2026-06-17 — BookStack Database Kept Crashing
**What happened:** The BookStack database container (bookstack-db) kept restarting
and never stayed running. Logs showed: `Table 'mysql.db' doesn't exist`
**Why it happened:** The database's data folder had leftover files from a previous
incomplete setup. When MariaDB started, it saw partial old data and crashed trying
to use it.
**How we fixed it:**
```bash
# Wipe the broken database files (they're owned by root inside the container)
docker run --rm -v $(pwd)/db:/db alpine sh -c 'rm -rf /db/*'
# Start fresh
docker compose up -d
```
---
## 2026-06-17 — BookStack Said It Couldn't Find the Database
**What happened:** BookStack started but immediately errored saying it couldn't connect
to the database (bookstack-db).
**Why it happened:** BookStack was too fast. It started before the database was fully
ready, and when it tried to find `bookstack-db` on the internal network, Docker hadn't
finished registering it yet.
**How we fixed it:**
```bash
# Just wait a few seconds and restart BookStack
docker restart bookstack
```
That's it — the database had finished starting up by then.
---
## Quick Diagnostic Commands
```bash
# See which containers are running (and which are crashing)
docker ps --format "table {{.Names}}\t{{.Status}}"
# Follow the live logs of any service
docker logs CONTAINER_NAME --tail 50 -f
# Read BookStack's PHP error log
docker exec bookstack cat /app/www/storage/logs/laravel.log | tail -50
# Test if BookStack's login redirect works
curl -sc /tmp/c.txt http://localhost:6875/login -o /tmp/l.html && \
CSRF=$(grep -oP 'name="_token" value="\K[^"]+' /tmp/l.html | head -1) && \
curl -v -b /tmp/c.txt -X POST http://localhost:6875/oidc/login \
-d "_token=$CSRF" --max-redirs 0 2>&1 | grep -E "HTTP|Location"
# Should show: Location: https://auth.kitestacks.com/application/o/authorize/?...
# Check Tailscale connections between machines
tailscale status
# See if both Cloudflare connectors are working
docker exec cloudflared cloudflared tunnel info TUNNEL_ID
```
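
Review bot: In the kscloud1 SSH recovery steps, `python3 -m http.server 7777 --directory ~/` serves monk's whole home directory, which includes `~/.ssh/` and the private half of `id_ed25519_kscloud1`, on every interface for as long as it runs. Copy the `.pub` file into an empty temporary directory and serve only that, with `--bind` set to the Tailscale address, or paste the one-line public key into the console instead. On the receiving side, `> /root/.ssh/authorized_keys` replaces every existing key and writes the response unchecked; append with `>>` after confirming the file is a single `ssh-ed25519` line. The Portainer calls further down also send the admin password with `curl -sk`, which turns off certificate verification without a stated reason.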

@ -1,55 +0,0 @@
# KiteStacks Homelab
Everything needed to run, fix, and understand the KiteStacks homelab lives here.
## What is KiteStacks?
KiteStacks is a personal homelab — a set of useful web apps that run on two computers
(monk at home, kscloud1 in Germany). All the websites are accessible over the internet
through Cloudflare without exposing any home IP addresses.
## How to Read This Repo
| File / Folder | What it is |
|--------------|------------|
| `RUNBOOK.md` | **Start here.** Plain-English guide to how everything works and how to do common tasks |
| `DEBUG-DOCUMENTATION.md` | Every problem we've hit and how we solved it |
| `docs/` | Detailed setup guides for specific services (Authentik SSO, etc.) |
| `apps/` | Docker Compose files for each service |
| `clusters/` | Infrastructure-level configs |
| `projects/` | Active project notes |
| `cloud/` | Cloud-specific configurations (kscloud1) |
| `cloud-migration/` | Archive of cloud migration work and volume backups |
| `autosync/` | Auto-sync scripts that keep the repo up to date automatically |
| `osticket/` | OSTicket help-desk project notes |
## Services Running Right Now
| Service | Website | What it does |
|---------|---------|--------------|
| Authentik | auth.kitestacks.com | Single login for all services |
| Portainer | portainer.kitestacks.com | Manage all Docker containers |
| Forgejo | gitforge.kitestacks.com | Git server (code + scripts) |
| BookStack | wiki.kitestacks.com | Wiki and notes |
| Grafana | grafana.kitestacks.com | Server health charts |
| Karakeep | links.kitestacks.com | Bookmark manager |
| Kavita | kavita.kitestacks.com | Ebook reader |
| OSTicket | tasks.kitestacks.com | Help desk / ticket system |
| Open WebUI | ai.kitestacks.com | AI chat (GPT, Claude, local) |
| Uptime Kuma | status.kitestacks.com | Service monitor |
| Portal | www.kitestacks.com | Homepage |
## Quick Reference
```bash
# Check all running containers
docker ps --format "table {{.Names}}\t{{.Status}}"
# Restart a service
cd ~/kitestacks-live/docker/SERVICE_NAME && docker compose restart
# View live logs
docker logs CONTAINER_NAME --tail 50 -f
```
All usernames and passwords go through Authentik at `https://auth.kitestacks.com`.

@ -1,270 +0,0 @@
# KiteStacks Homelab — How Everything Works
**Last Updated:** 2026-06-18
**Status:** Up and running
**Owner:** kenpat
---
## The Big Picture
KiteStacks is a personal homelab — a small set of programs (called "services") that run
on two computers. One computer sits at home (called **monk**), and one rents space in
a data center in Germany (called **kscloud1**).
People on the internet can reach every website without knowing where the computers are,
because all traffic goes through **Cloudflare** — a free service that acts like a secret
post-office. Cloudflare knows the address; the rest of the world doesn't.
```
You (browser)
└─► Cloudflare (the post office)
├─► monk (home machine, runs most services)
└─► kscloud1 (cloud backup machine in Germany)
```
If monk goes offline, kscloud1 keeps serving the sites — Cloudflare automatically
switches traffic over. This is called **active-active** (both doors are always open).
---
## What Runs Where
### Services on monk
| What it is | What it does | Website |
|------------|--------------|---------|
| Authentik | Login manager — handles all usernames and passwords | auth.kitestacks.com |
| Portainer | Dashboard to manage all the Docker containers | portainer.kitestacks.com |
| Forgejo | Git — stores all the code and scripts | gitforge.kitestacks.com |
| BookStack | Wiki — where all the notes and guides live | wiki.kitestacks.com |
| Grafana | Charts showing how healthy the servers are | grafana.kitestacks.com |
| Karakeep | Saves and organizes bookmarks | links.kitestacks.com |
| Kavita | Reads ebooks and manga | kavita.kitestacks.com |
| OSTicket | Help-desk ticket system | tasks.kitestacks.com |
| Open WebUI | Chat with AI models (GPT, Claude, local models) | ai.kitestacks.com |
| Uptime Kuma | Watches every service and alerts if one goes down | status.kitestacks.com |
| KiteStacks Portal | The main homepage with links to everything | www.kitestacks.com |
### Services on kscloud1 (cloud backup)
- A copy of BookStack
- A copy of the main Portal
- The login database (PostgreSQL) and session memory (Redis) that Authentik uses
- The Cloudflare connector (so the site keeps running if monk is off)
---
## Cloudflare Tunnel (the secret post office)
### Why it exists
Normal websites need a router setting called "port forwarding" and a fixed home IP address.
Cloudflare Tunnel removes both requirements — monk connects **out** to Cloudflare, and
Cloudflare forwards visitor traffic back in. Your home address is never exposed.
### How to check it's healthy
Go to Cloudflare Zero Trust → Networks → Tunnels. You should see **2 healthy connectors**
(one from monk, one from kscloud1).
### Adding a new website
In Cloudflare Zero Trust → Networks → Tunnels → your tunnel → Edit → Public Hostname:
- Subdomain: `newservice`
- Domain: `kitestacks.com`
- Service URL: `http://container-name:port`
Both monk and kscloud1 need to be running that container on the same port.
### Fix: If you see 3 connectors instead of 2
The old cloudflared system service on monk is probably running alongside the Docker one.
Run this on monk to fix it:
```bash
sudo systemctl disable --now cloudflared
```
---
## Authentik (the login manager)
### What it does
Every website on KiteStacks uses Authentik for login. Instead of each website having its
own username and password, Authentik is the one source of truth. You log in once and
all the websites trust that login. This system is called **SSO** (Single Sign-On).
### Where the database lives
Authentik's user database lives on **kscloud1** (not on monk). Both machines share it
through a private encrypted network called **Tailscale**.
### Adding a new app to SSO
1. Go to `https://auth.kitestacks.com/if/admin/`
2. **Providers** → Create → OAuth2/OpenID Provider
3. Name it after the app (e.g., `myapp`)
4. Note the Client ID and Client Secret
5. **Application** → Create → link it to the provider
6. Set up the app with:
- Login URL (your app's OIDC issuer URL)
- Client ID and Client Secret
- Callback URL: `https://yourapp.kitestacks.com/auth/callback`
---
## Portainer (the container dashboard)
### What it does
Portainer is a web dashboard that shows all running Docker containers. Think of Docker
containers like small self-contained boxes — each one runs one program. Portainer lets
you start, stop, restart, and view logs for all the boxes without typing commands.
### If you get locked out
```bash
# Stop Portainer
docker stop portainer
# Reset the password (the command will print a new temporary password)
docker run --rm -v portainer_data:/data portainer/helper-reset-password
# Start it again
docker start portainer
```
### First-time OAuth login issue
When someone logs into Portainer through Authentik for the first time, they get created
as a regular user (not admin). They won't be able to see any servers. To fix this,
create their account as admin **before** their first login:
```bash
# Step 1: Get a login token
TOKEN=$(curl -sk -X POST https://portainer.kitestacks.com/api/auth \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"YOUR_PASSWORD"}' | python3 -c "import sys,json; print(json.load(sys.stdin)['jwt'])")
# Step 2: Create the user as admin (role 1 = admin)
curl -sk -X POST "https://portainer.kitestacks.com/api/users" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"username":"user@example.com","role":1}'
```
---
## BookStack (the wiki)
### What it does
BookStack is a self-hosted wiki — like a private Wikipedia just for this homelab.
All notes, runbooks, and guides live here.
### Important settings
BookStack uses Authentik for login. Two settings must be correct:
- `OIDC_ISSUER_DISCOVER=true` — tells BookStack to automatically find all login endpoints
- `OIDC_ISSUER` — must point to the per-app Authentik URL, like:
`https://auth.kitestacks.com/application/o/bookstack/`
### Fix: If cache breaks after running a PHP command
Sometimes running admin commands inside the container breaks file permissions:
```bash
docker exec bookstack chown -R abc:users /config/www/framework/cache/
```
### Clear BookStack's config cache
```bash
docker exec bookstack php /app/www/artisan config:clear
docker exec bookstack php /app/www/artisan cache:clear
```
---
## kscloud1 (the cloud backup machine)
### SSH access
```bash
ssh -i ~/.ssh/id_ed25519_kscloud1 root@KSCLOUD1_TAILSCALE_IP
```
### If you can't SSH in (key was lost)
1. Open Hetzner Cloud console → your server → **Console** tab (this is like a TV remote for the server)
2. Log in as `root` using the Linux root password
3. On monk, share your public SSH key temporarily:
```bash
cat ~/.ssh/id_ed25519_kscloud1.pub > ~/key.txt
python3 -m http.server 7777 --directory ~/
```
4. In the Hetzner console, type:
```bash
curl http://MONK_TAILSCALE_IP:7777/key.txt > /root/.ssh/authorized_keys
```
5. If root SSH is disabled:
```bash
sed -i 's/^#*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
systemctl restart ssh
```
---
## OSTicket (help desk)
OSTicket is the ticket/task system at `tasks.kitestacks.com`.
Emails sent to `kitestacks.helpdesk@gmail.com` become tickets automatically.
To test that email is working: Admin Panel → Diagnostics → Send Test Email
---
## Forgejo (code storage)
Forgejo is the Git server — all scripts, configs, and docs live here.
### Create an API token for automation
```bash
docker exec -u git forgejo forgejo admin user generate-access-token \
--username kenpat \
--token-name "my-token" \
--raw \
--scopes "read:user,write:user,read:repository,write:repository"
```
Note: SSH to gitforge.kitestacks.com only works from inside the local network,
not through Cloudflare (Cloudflare blocks non-HTTPS ports).
For git operations from monk, use `ssh://git@localhost:2222/kenpat/repo.git`.
---
## Everyday Docker Commands
```bash
# See all running containers and their status
docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
# View recent logs for a service
docker logs CONTAINER_NAME --tail 50 -f
# Restart a service
cd ~/kitestacks-live/docker/SERVICE_NAME
docker compose restart
# Stop and restart a service (harder reset)
docker compose down && docker compose up -d
# Pull latest image and restart
docker compose pull && docker compose up -d
```
---
## Tailscale (the private tunnel between machines)
Tailscale creates an encrypted private network between monk and kscloud1.
Nothing on this network is visible to the public internet.
Used for:
- monk connecting to kscloud1's PostgreSQL and Redis (for Authentik)
- SSH from monk to kscloud1
- Prometheus on monk scraping metrics from kscloud1
To check connection status:
```bash
tailscale status
```
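
Review bot: Under "First-time OAuth login issue", both Portainer requests use `curl -sk`, so the admin password and the returned JWT are sent to whatever answers for `portainer.kitestacks.com` without certificate verification; drop `-k`, and read the password from a prompt or a file rather than a literal in the `-d` argument so it does not land in shell history. The "If you can't SSH in" steps repeat `python3 -m http.server 7777 --directory ~/` and `> /root/.ssh/authorized_keys`; serve only the public key from an empty directory and append rather than overwrite. The Forgejo token example grants `write:user` and `write:repository` together, and the runbook should say to request only the scopes a given automation needs.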

@ -1,32 +0,0 @@
services:
authentik-ldap:
image: ghcr.io/goauthentik/ldap:2025.2.4
container_name: authentik-ldap
restart: unless-stopped
environment:
AUTHENTIK_HOST: https://auth.kitestacks.com
AUTHENTIK_INSECURE: "false"
# Token from Authentik outpost "osTicket LDAP Outpost"
# Regenerate via: Authentik admin → Outposts → osTicket LDAP Outpost → token
AUTHENTIK_TOKEN: REDACTED
networks:
- kitestacks
- osticket_default
# socat proxy: bridges standard LDAP port 389 → outpost port 3389
# Required because Net_LDAP2 (osTicket's LDAP library) always uses port 389
authentik-ldap-proxy:
image: alpine/socat
container_name: authentik-ldap-proxy
restart: unless-stopped
command: TCP-LISTEN:389,fork,reuseaddr TCP:authentik-ldap:3389
depends_on:
- authentik-ldap
networks:
- osticket_default
networks:
kitestacks:
external: true
osticket_default:
external: true
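
Review bot: `AUTHENTIK_TOKEN` is written as a literal value in the compose file, unlike the Authentik stack in this comparison, which takes `PG_PASS` and `AUTHENTIK_SECRET_KEY` from the environment. Reference it as a variable (for example `${AUTHENTIK_LDAP_TOKEN}`, a hypothetical name) supplied from an untracked env file. The CI secret patterns look for `=` assignments and would not match this `KEY: value` form. The socat service forwards port 389 in cleartext to the outpost; a comment stating that the listener is meant to be reachable only on `osticket_default` would make the intended exposure explicit.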

@ -1,78 +0,0 @@
# Authentik SSO — Setup & Status
## Server
- **Host:** `<IP_REDACTED>` (Assassin, Debian 6.12.90 amd64)
- **Authentik version:** 2025.2.4 (Enterprise)
- **Stack location:** `/home/kenpat/docker/authentik/docker-compose.yml`
- **Web UI:** `http://<IP_REDACTED>:<port>` / `http://<IP_REDACTED>:<port>/if/admin/`
- **API base:** `http://<IP_REDACTED>:<port>/api/v3/`
## Architecture
Authentik runs as a 4-container stack:
| Container | Role |
|-----------|------|
| `authentik` | Web server (port <port>) |
| `authentik-worker` | Background task worker |
| `authentik-postgres` | PostgreSQL 16 database |
| `authentik-redis` | Redis cache |
Both server and worker are on the `kitestacks` external Docker network.
## Configured Applications
| App | Provider Type | Client ID | Status |
|-----|--------------|-----------|--------|
| Grafana | OAuth2/OIDC | `grafana` | ✅ Configured |
| Kavita | OAuth2/OIDC | `kavita` | ✅ Configured, secret filled |
| Open WebUI | OAuth2/OIDC | `open-webui` | ✅ Configured |
| Forgejo | OAuth2/OIDC | `forgejo` | ✅ Configured, OAuth2 source in Forgejo admin |
| OpenProject | OAuth2/OIDC | `openproject` | ✅ Configured, secret filled, upgraded to v15 |
| Shaarli | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
| Uptime Kuma | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
| LiteLLM | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
> Cloudflare tunnel routes for Shaarli, Uptime Kuma, LiteLLM still point to service containers directly — update to `http://authentik:<port>` in the Cloudflare dashboard to activate proxy protection.
## All Services Running on Server
| Service | Image | External Port |
|---------|-------|---------------|
| forgejo | forgejo:<port> | <port> (HTTP), <port> (SSH) |
| kite-openwebui | open-webui | <port> |
| grafana | grafana-oss | <port> |
| cloudflared | cloudflared | — (tunnel) |
| shaarli | shaarli | <port> |
| homepage | nginx | <port> |
| homepage-test | gethomepage | <port> |
| kitestacks-portal | nginx | <port> |
| openproject | openproject:<port> | <port> |
| kite-litellm | litellm | <port> |
| bookstack | bookstack | <port> |
| authentik | server:latest | <port> |
| kavita | kavita | <port> |
| portainer | portainer-ce | <port> |
| prometheus | prometheus | <port> |
| node-exporter | node-exporter | <port> |
| uptime-kuma | uptime-kuma | <port> |
## External Access (Cloudflare Tunnel)
Tunnel is token-based — ingress rules live in the Cloudflare dashboard:
**dash.cloudflare.com → Zero Trust → Networks → Tunnels**
No local `config.yml` — all routing configured via the dashboard.
## Pending
- [ ] Update Cloudflare tunnel routes: `links.kitestacks.com`, `status.kitestacks.com`, `llm.kitestacks.com``http://authentik:<port>`
- [ ] Update Cloudflare tunnel route: `tasks.kitestacks.com``http://openproject:<port>`
- [ ] Test SSO end-to-end for all services
- [ ] Phase 2: add friend's Authentik account, verify auto-provisioning across all apps
## Excluded from SSO
- Portainer — admin tool, excluded by design
- Prometheus / Node Exporter — internal metrics, excluded by design
- Homepage — public landing page, no auth needed
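
Review bot: The Configured Applications table marks Shaarli, Uptime Kuma and LiteLLM as ✅ while the note under it and the Pending list say their tunnel routes still go straight to the service containers, so the proxy provider is not yet in the request path for those three hostnames. Mark them as pending in the Status column until the routes point at `http://authentik:<port>`. The Web UI and API base are also documented as `http://` URLs; state whether admin access is expected only over the private network.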

@ -1,56 +0,0 @@
services:
postgresql:
image: postgres:16-alpine
container_name: authentik-postgres
restart: unless-stopped
environment:
POSTGRES_PASSWORD: ${PG_PASS}
POSTGRES_USER: authentik
POSTGRES_DB: authentik
volumes:
- ./postgres:/var/lib/postgresql/data
redis:
image: redis:alpine
container_name: authentik-redis
restart: unless-stopped
authentik:
image: ghcr.io/goauthentik/server:latest
container_name: authentik
restart: unless-stopped
command: server
environment:
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: authentik
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
volumes:
- ./media:/media
- ./custom-templates:/templates
ports:
- "9001:9000"
depends_on:
- postgresql
- redis
authentik-worker:
image: ghcr.io/goauthentik/server:latest
container_name: authentik-worker
restart: unless-stopped
command: worker
environment:
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: authentik
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
volumes:
- ./media:/media
- ./custom-templates:/templates
depends_on:
- postgresql
- redis
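
Review bot: Both `authentik` and `authentik-worker` use `ghcr.io/goauthentik/server:latest`, and `redis` uses `redis:alpine`, so a `docker compose pull` can change the identity provider's version with no change to this file, while the setup notes record 2025.2.4 and the LDAP outpost image is pinned to `2025.2.4`. Pin the server and worker to the same release tag (or a digest) as the outpost, and pin Redis to a version tag.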

@ -1,69 +0,0 @@
services:
postgresql:
image: postgres:16-alpine
container_name: authentik-postgres
restart: unless-stopped
environment:
POSTGRES_PASSWORD: ${PG_PASS}
POSTGRES_USER: authentik
POSTGRES_DB: authentik
volumes:
- ./postgres:/var/lib/postgresql/data
redis:
image: redis:alpine
container_name: authentik-redis
restart: unless-stopped
authentik:
image: ghcr.io/goauthentik/server:latest
container_name: authentik
restart: unless-stopped
command: server
environment:
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: authentik
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
volumes:
- ./media:/media
- ./custom-templates:/templates
ports:
- "9001:9000"
depends_on:
- postgresql
- redis
networks:
- default
- kitestacks
authentik-worker:
image: ghcr.io/goauthentik/server:latest
container_name: authentik-worker
restart: unless-stopped
command: worker
environment:
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: authentik
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
volumes:
- ./media:/media
- ./custom-templates:/templates
depends_on:
- postgresql
- redis
networks:
- default
- kitestacks
networks:
kitestacks:
external: true
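
Review bot: `ports: - "9001:9000"` publishes the Authentik HTTP listener on every host interface even though this revision also attaches `authentik` to the external `kitestacks` network, where other containers can already reach it by name. If host access is only needed locally, bind it as `127.0.0.1:9001:9000` or remove the mapping. The `:latest` image tags are carried over unchanged in this file and still need pinning.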

@ -1,2 +0,0 @@
01-nginx-site-confs-default
02-default-location

@ -1,23 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
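
Review bot: This file is a PEM private key tracked in the repository next to its certificate. Removing it from a branch leaves it in history, so treat the key as disclosed: regenerate the key and certificate, keep the new key outside the repository, and add its path to `.gitignore`. The CI `private key` pattern in this comparison is passed to `git grep` without `-e`, so as written that check cannot match a file like this one.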

@ -1,98 +0,0 @@
## Version 2025/12/26 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/3.23/root/defaults/nginx/nginx.conf.sample
### Based on alpine defaults
# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.23-stable
user abc;
# Set number of worker processes automatically based on number of CPU cores.
include /config/nginx/worker_processes.conf;
# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;
# Configures default error logger.
error_log /config/log/nginx/error.log;
# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;
# Include files with config snippets into the root context.
include /etc/nginx/conf.d/*.conf;
events {
# The maximum number of simultaneous connections that can be opened by
# a worker process.
worker_connections 1024;
}
http {
# Includes mapping of file name extensions to MIME types of responses
# and defines the default type.
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Name servers used to resolve names of upstream servers into addresses.
# It's also needed when using tcpsocket and udpsocket in Lua modules.
#resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
include /config/nginx/resolver.conf;
# Don't tell nginx version to the clients. Default is 'on'.
server_tokens off;
# Specifies the maximum accepted body size of a client request, as
# indicated by the request header Content-Length. If the stated content
# length is greater than this size, then the client receives the HTTP
# error code 413. Set to 0 to disable. Default is '1m'.
client_max_body_size 0;
# Sendfile copies data between one FD and other from within the kernel,
# which is more efficient than read() + write(). Default is off.
sendfile on;
# Causes nginx to attempt to send its HTTP response head in one packet,
# instead of using partial frames. Default is 'off'.
tcp_nopush on;
# all ssl related config moved to ssl.conf
# included in server blocks where listen 443 is defined
# Enable gzipping of responses.
#gzip on;
# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
gzip_vary on;
# Helper variable for proxying websockets.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Enable http2 by default for all servers
http2 on;
http3 on;
quic_retry on;
# Sets the path, format, and configuration for a buffered log write.
access_log /config/log/nginx/access.log;
client_body_temp_path /tmp/nginx 1 2;
proxy_temp_path /tmp/nginx-proxy;
fastcgi_temp_path /tmp/nginx-fastcgi;
uwsgi_temp_path /tmp/nginx-uwsgi;
scgi_temp_path /tmp/nginx-scgi;
proxy_cache_path /tmp/nginx-proxy-cache keys_zone=lsio-proxy:10m;
fastcgi_cache_path /tmp/nginx-fcgi-cache keys_zone=lsio-fcgi:10m;
scgi_cache_path /tmp/nginx-scgi-cache keys_zone=lsio-scgi:10m;
uwsgi_cache_path /tmp/nginx-uwsgi-cache keys_zone=lsio-uwsgi:10m;
# Includes virtual hosts configs.
include /etc/nginx/http.d/*.conf;
include /config/nginx/site-confs/*.conf;
}
daemon off;
pid /run/nginx.pid;
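
Review bot: `client_max_body_size 0` removes the request body limit for every server that inherits this `http` block; set an explicit ceiling sized to the largest upload the service is expected to accept. The header identifies this as the linuxserver base image's `nginx.conf.sample`, so consider whether the file needs to be tracked at all rather than left to the container's defaults.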

@ -1,98 +0,0 @@
## Version 2025/12/26 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/3.23/root/defaults/nginx/nginx.conf.sample
### Based on alpine defaults
# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.23-stable
user abc;
# Set number of worker processes automatically based on number of CPU cores.
include /config/nginx/worker_processes.conf;
# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;
# Configures default error logger.
error_log /config/log/nginx/error.log;
# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;
# Include files with config snippets into the root context.
include /etc/nginx/conf.d/*.conf;
events {
# The maximum number of simultaneous connections that can be opened by
# a worker process.
worker_connections 1024;
}
http {
# Includes mapping of file name extensions to MIME types of responses
# and defines the default type.
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Name servers used to resolve names of upstream servers into addresses.
# It's also needed when using tcpsocket and udpsocket in Lua modules.
#resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
include /config/nginx/resolver.conf;
# Don't tell nginx version to the clients. Default is 'on'.
server_tokens off;
# Specifies the maximum accepted body size of a client request, as
# indicated by the request header Content-Length. If the stated content
# length is greater than this size, then the client receives the HTTP
# error code 413. Set to 0 to disable. Default is '1m'.
client_max_body_size 0;
# Sendfile copies data between one FD and other from within the kernel,
# which is more efficient than read() + write(). Default is off.
sendfile on;
# Causes nginx to attempt to send its HTTP response head in one packet,
# instead of using partial frames. Default is 'off'.
tcp_nopush on;
# all ssl related config moved to ssl.conf
# included in server blocks where listen 443 is defined
# Enable gzipping of responses.
#gzip on;
# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
gzip_vary on;
# Helper variable for proxying websockets.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Enable http2 by default for all servers
http2 on;
http3 on;
quic_retry on;
# Sets the path, format, and configuration for a buffered log write.
access_log /config/log/nginx/access.log;
client_body_temp_path /tmp/nginx 1 2;
proxy_temp_path /tmp/nginx-proxy;
fastcgi_temp_path /tmp/nginx-fastcgi;
uwsgi_temp_path /tmp/nginx-uwsgi;
scgi_temp_path /tmp/nginx-scgi;
proxy_cache_path /tmp/nginx-proxy-cache keys_zone=lsio-proxy:10m;
fastcgi_cache_path /tmp/nginx-fcgi-cache keys_zone=lsio-fcgi:10m;
scgi_cache_path /tmp/nginx-scgi-cache keys_zone=lsio-scgi:10m;
uwsgi_cache_path /tmp/nginx-uwsgi-cache keys_zone=lsio-uwsgi:10m;
# Includes virtual hosts configs.
include /etc/nginx/http.d/*.conf;
include /config/nginx/site-confs/*.conf;
}
daemon off;
pid /run/nginx.pid;
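
Review bot: `client_max_body_size 0;` in the http block removes the request-body limit for every server that inherits it, so any client can stream an arbitrarily large upload that nginx buffers under `/tmp/nginx`. Set an explicit cap sized to the largest upload the application accepts and raise it only in the location that needs more. Also, `gzip_vary on;` has no effect while `#gzip on;` stays commented out, unless gzip_static or gunzip is enabled elsewhere.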

View file

@ -1,3 +0,0 @@
# This file is auto-generated only on first start, based on the container's /etc/resolv.conf file. Feel free to modify it as you wish.
resolver 127.0.0.11 valid=30s;

View file

@ -1,46 +0,0 @@
## Version 2025/12/26 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/3.23/root/defaults/nginx/site-confs/default.conf.sample
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
listen 443 quic reuseport default_server;
listen [::]:443 quic reuseport default_server;
server_name _;
include /config/nginx/ssl.conf;
set $root /app/www/public;
if (!-d /app/www/public) {
set $root /config/www;
}
root $root;
index index.html index.htm index.php;
location / {
# enable for basic auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
}
location ~ ^(.+\.php)(.*)$ {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
fastcgi_split_path_info ^(.+\.php)(.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
# deny access to .htaccess/.htpasswd files
location ~ /\.ht {
deny all;
}
}
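
Review bot: the single server block listens on 80 and 443 with the same root and locations, so the PHP handler is served over plaintext HTTP as well, and enabling the commented `auth_basic` lines would send credentials in the clear on port 80. If TLS is the intended path, move `listen 80` into its own server block that only returns a 301 to the https URL.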

View file

@ -1,46 +0,0 @@
## Version 2025/12/26 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/3.23/root/defaults/nginx/site-confs/default.conf.sample
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
listen 443 quic reuseport default_server;
listen [::]:443 quic reuseport default_server;
server_name _;
include /config/nginx/ssl.conf;
set $root /app/www/public;
if (!-d /app/www/public) {
set $root /config/www;
}
root $root;
index index.html index.htm index.php;
location / {
# enable for basic auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
}
location ~ ^(.+\.php)(.*)$ {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
fastcgi_split_path_info ^(.+\.php)(.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
# deny access to .htaccess/.htpasswd files
location ~ /\.ht {
deny all;
}
}
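
Review bot: `location ~ /\.ht { deny all; }` only blocks names that start with .ht, while the fallback root `/config/www` sits under the config directory where other dotfiles (.env, .git) can end up. Consider denying every dot-prefixed path except `/.well-known/` instead of only the .ht pair.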

View file

@ -1,36 +0,0 @@
## Version 2026/05/04 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/3.23/root/defaults/nginx/ssl.conf.sample
ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
#add_header Strict-Transport-Security "max-age=63072000" always;
### Mozilla SSL Configuration Generator
# generated 2026-05-04, Mozilla Guideline v6.0, nginx 1.28.3, OpenSSL 3.5.6, intermediate config, HSTS
# https://ssl-config.mozilla.org/#server=nginx&version=1.28.3&config=intermediate&openssl=3.5.6&hsts&guideline=6.0
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
# see also ssl_session_ticket_key alternative to stateful session cache
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
### Mozilla Practical security implementation
# https://developer.mozilla.org/en-US/docs/Web/Security
#add_header Access-Control-Allow-Origin $http_origin always;
#add_header Content-Security-Policy "upgrade-insecure-requests; base-uri 'self'; form-action 'self'; frame-ancestors 'self';" always;
#add_header Cross-Origin-Resource-Policy "same-origin" always;
#add_header Referrer-Policy "same-origin" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-Frame-Options "SAMEORIGIN" always;
### Optional additional headers
#add_header Alt-Svc 'h3=":443"' always;
#add_header Cache-Control "no-transform" always;
#add_header Permissions-Policy "interest-cohort=()" always;
#add_header X-UA-Compatible "IE=Edge" always;
#add_header X-XSS-Protection "1; mode=block" always;
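
Review bot: the commented `#add_header Access-Control-Allow-Origin $http_origin always;` echoes back whatever Origin the client sends, so uncommenting it as written lets any site read responses cross-origin. Replace it with a fixed origin or a `map`-based allowlist before anyone enables it, and drop `X-XSS-Protection`, which current browsers no longer act on.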

View file

@ -1,36 +0,0 @@
## Version 2026/05/04 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/3.23/root/defaults/nginx/ssl.conf.sample
ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
#add_header Strict-Transport-Security "max-age=63072000" always;
### Mozilla SSL Configuration Generator
# generated 2026-05-04, Mozilla Guideline v6.0, nginx 1.28.3, OpenSSL 3.5.6, intermediate config, HSTS
# https://ssl-config.mozilla.org/#server=nginx&version=1.28.3&config=intermediate&openssl=3.5.6&hsts&guideline=6.0
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
# see also ssl_session_ticket_key alternative to stateful session cache
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
### Mozilla Practical security implementation
# https://developer.mozilla.org/en-US/docs/Web/Security
#add_header Access-Control-Allow-Origin $http_origin always;
#add_header Content-Security-Policy "upgrade-insecure-requests; base-uri 'self'; form-action 'self'; frame-ancestors 'self';" always;
#add_header Cross-Origin-Resource-Policy "same-origin" always;
#add_header Referrer-Policy "same-origin" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-Frame-Options "SAMEORIGIN" always;
### Optional additional headers
#add_header Alt-Svc 'h3=":443"' always;
#add_header Cache-Control "no-transform" always;
#add_header Permissions-Policy "interest-cohort=()" always;
#add_header X-UA-Compatible "IE=Edge" always;
#add_header X-XSS-Protection "1; mode=block" always;
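
Review bot: every `add_header` line is commented out, including `Strict-Transport-Security` and `X-Content-Type-Options`, so this file configures TLS parameters but the server sends no security headers at all. Enable at least HSTS and nosniff once HTTPS is confirmed working, and remember that nginx does not inherit `add_header` from an outer level into a location that defines its own.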

View file

@ -1,3 +0,0 @@
# This file is auto-generated only on first start, based on the cpu cores detected. Feel free to change it to any other number or to auto to let nginx handle it automatically.
worker_processes 8;

View file

@ -1,3 +0,0 @@
; Edit this file to override php.ini directives
date.timezone = America/Chicago

View file

@ -1,5 +0,0 @@
; Edit this file to override www.conf and php-fpm.conf directives and restart the container
; Pool name
[www]

View file

@ -1,34 +0,0 @@
<html>
<head>
<title>Welcome to our server</title>
<style>
body{
font-family: Helvetica, Arial, sans-serif;
}
.message{
width:330px;
padding:20px 40px;
margin:0 auto;
background-color:#f9f9f9;
border:1px solid #ddd;
}
center{
margin:40px 0;
}
h1{
font-size: 18px;
line-height: 26px;
}
p{
font-size: 12px;
}
</style>
</head>
<body>
<div class="message">
<h1>Welcome to our server</h1>
<p>The website is currently being setup under this address.</p>
<p>For help and support, please contact: <a href="me@example.com">me@example.com</a></p>
</div>
</body>
</html>
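
Review bot: `<a href="me@example.com">` has no `mailto:` scheme, so the browser resolves it as a relative URL on this server instead of opening a mail client. Use `href="mailto:..."` with a real contact address, or remove the link from the placeholder page.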

View file

@ -1,33 +0,0 @@
services:
bookstack:
image: lscr.io/linuxserver/bookstack:latest
container_name: bookstack
restart: unless-stopped
environment:
- PUID=1000
- PGID=1000
- TZ=America/Chicago
- APP_URL=http://192.168.1.205:6875
- DB_HOST=bookstack-db
- DB_PORT=3306
- DB_USERNAME=bookstack
- DB_PASSWORD=bookstackpassword
- DB_DATABASE=bookstackapp
volumes:
- ./bookstack:/config
ports:
- "6875:80"
depends_on:
- bookstack-db
bookstack-db:
image: mariadb:11
container_name: bookstack-db
restart: unless-stopped
environment:
- MYSQL_ROOT_PASSWORD=supersecretrootpassword
- MYSQL_DATABASE=bookstackapp
- MYSQL_USER=bookstack
- MYSQL_PASSWORD=bookstackpassword
volumes:
- ./db:/var/lib/mysql
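
Review bot: `DB_PASSWORD=bookstackpassword`, `MYSQL_PASSWORD=bookstackpassword` and `MYSQL_ROOT_PASSWORD=supersecretrootpassword` are literal credentials in a tracked compose file. Move them to an untracked .env file or Docker secrets (the mariadb image accepts `_FILE` variants such as `MYSQL_ROOT_PASSWORD_FILE`), and rotate them if the stack ever ran with these values. `lscr.io/linuxserver/bookstack:latest` should also be pinned to a version tag, and `APP_URL` is plain http on a LAN address.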

View file

@ -1 +0,0 @@
TUNNEL_TOKEN=<cloudflare_tunnel_connector_token>

View file

@ -1,15 +0,0 @@
services:
cloudflared:
image: cloudflare/cloudflared:latest
container_name: cloudflared
restart: unless-stopped
command: tunnel --no-autoupdate run
environment:
- TUNNEL_TOKEN=${TUNNEL_TOKEN:?set TUNNEL_TOKEN in .env}
networks:
- default
- kitestacks
networks:
kitestacks:
external: true
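
Review bot: `image: cloudflare/cloudflared:latest` together with `--no-autoupdate` means the connector version changes only when the image happens to be re-pulled, and nothing records which version is running. Pin a release tag or digest so the container that holds the tunnel token and sits on the shared `kitestacks` network is upgraded deliberately.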

View file

@ -1,26 +0,0 @@
services:
forgejo-runner:
image: code.forgejo.org/forgejo/runner:3.5.0
container_name: forgejo-runner
restart: unless-stopped
depends_on:
- forgejo
environment:
# Set after running: forgejo-runner register (see docs/ci-cd-setup.md)
FORGEJO_INSTANCE_URL: "http://forgejo:3000"
volumes:
- ./config:/etc/act_runner
- /var/run/docker.sock:/var/run/docker.sock
- runner_data:/data
networks:
- default
- kitestacks
command: daemon
volumes:
runner_data:
name: forgejo_runner_data
networks:
kitestacks:
external: true
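
Review bot: mounting `/var/run/docker.sock` into the runner gives every workflow job it executes control of the host Docker daemon, which is equivalent to root on the host. Limit the runner to trusted repositories, or point it at a rootless or dedicated Docker-in-Docker daemon for job containers. Separately, `depends_on: forgejo` names a service that is not defined in this file, which `docker compose config` rejects.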

View file

@ -1,25 +0,0 @@
services:
forgejo:
image: codeberg.org/forgejo/forgejo:11
container_name: forgejo
restart: unless-stopped
ports:
- "3006:3000"
- "2222:22"
environment:
- USER_UID=1000
- USER_GID=1000
- FORGEJO__server__DOMAIN=gitforge.kitestacks.com
- FORGEJO__server__ROOT_URL=https://gitforge.kitestacks.com/
- FORGEJO__server__SSH_DOMAIN=gitforge.kitestacks.com
- FORGEJO__server__SSH_PORT=2222
- FORGEJO__actions__ENABLED=true
volumes:
- ./data:/data
networks:
- default
- kitestacks
networks:
kitestacks:
external: true
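
Review bot: `"3006:3000"` publishes the Forgejo web port on every host interface over plain HTTP, even though `ROOT_URL` is `https://gitforge.kitestacks.com/` and the container is already reachable by name on the `kitestacks` network. Drop the mapping or bind it to `127.0.0.1:3006:3000` so logins and tokens only travel through the HTTPS front end; keep `2222:22` only if direct SSH clones are intended. With `FORGEJO__actions__ENABLED=true`, also decide which users may register runners and run workflows.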

View file

@ -1,147 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: kitestacks-monitors
namespace: monitoring
data:
monitors.json: [
{
"name": "Open Web UI",
"type": "http",
"method": "GET",
"url": "https://www.kitestacks.com",
"interval": 60,
"retries": 3
},
{
"name": "Auth",
"type": "http",
"method": "GET",
"url": "https://auth.kitestacks.com",
"interval": 60,
"retries": 3
},
{
"name": "Kavita",
"type": "http",
"method": "GET",
"url": "http://kavita.kitestacks.com:5000",
"interval": 60,
"retries": 3
},
{
"name": "Tasks",
"type": "http",
"method": "GET",
"url": "http://tasks.kitestacks.com:8080",
"interval": 60,
"retries": 3
},
{
"name": "AI",
"type": "http",
"method": "GET",
"url": "http://ai.kitestacks.com:3100",
"interval": 60,
"retries": 3
},
{
"name": "Forgejo",
"type": "http",
"method": "GET",
"url": "http://gitforge.kitestacks.com:3006",
"interval": 60,
"retries": 3
},
{
"name": "Linkding",
"type": "http",
"method": "GET",
"url": "http://links.kitestacks.com:9005",
"interval": 60,
"retries": 3
},
{
"name": "Grafana",
"type": "http",
"method": "GET",
"url": "http://grafana.kitestacks.com:3150",
"interval": 60,
"retries": 3
},
{
"name": "OpenProject",
"type": "http",
"method": "GET",
"url": "http://openproject.kitestacks.com:8080",
"interval": 60,
"retries": 3
},
{
"name": "Prometheus",
"type": "tcp",
"host": "prometheus.kitestacks.com",
"port": 9090,
"interval": 60,
"retries": 3
},
{
"name": "Node Exporter",
"type": "tcp",
"host": "node-exporter.kitestacks.com",
"port": 9100,
"interval": 60,
"retries": 3
},
{
"name": "Pixel 4",
"type": "ping",
"host": "192.168.1.201",
"interval": 60,
"retries": 3
},
{
"name": "Lenovo T14",
"type": "ping",
"host": "192.168.1.205",
"interval": 60,
"retries": 3
},
{
"name": "Lenovo T14s",
"type": "ping",
"host": "192.168.1.206",
"interval": 60,
"retries": 3
},
{
"name": "Gaming Desktop",
"type": "ping",
"host": "192.168.1.207",
"interval": 60,
"retries": 3
},
{
"name": "Tesla Model Y",
"type": "ping",
"host": "192.168.1.208",
"interval": 60,
"retries": 3
},
{
"name": "Mom's HP Laptop",
"type": "ping",
"host": "192.168.1.209",
"interval": 60,
"retries": 3
},
{
"name": "Uptime Kuma",
"type": "http",
"method": "GET",
"url": "https://status.kitestacks.com",
"interval": 60,
"retries": 3
}
]
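
Review bot: `monitors.json: [` makes the value a YAML sequence, but ConfigMap `data` values must be strings, so the API server rejects this manifest. Use a block scalar (`monitors.json: |`) with the JSON indented beneath it.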

View file

@ -1,172 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: kitestacks-monitors
namespace: monitoring
data:
monitors.json: |
[
{
"name": "Open Web UI",
"type": "http",
"method": "GET",
"url": "https://www.kitestacks.com",
"interval": 60,
"retries": 3
},
{
"name": "Auth",
"type": "http",
"method": "GET",
"url": "https://auth.kitestacks.com",
"interval": 60,
"retries": 3
},
{
"name": "Kavita",
"type": "http",
"method": "GET",
"url": "http://kavita.kitestacks.com:5000",
"interval": 60,
"retries": 3
},
{
"name": "Tasks",
"type": "http",
"method": "GET",
"url": "http://tasks.kitestacks.com:8080",
"interval": 60,
"retries": 3
},
{
"name": "AI",
"type": "http",
"method": "GET",
"url": "http://ai.kitestacks.com:3100",
"interval": 60,
"retries": 3
},
{
"name": "Forgejo",
"type": "http",
"method": "GET",
"url": "http://gitforge.kitestacks.com:3006",
"interval": 60,
"retries": 3
},
{
"name": "Linkding",
"type": "http",
"method": "GET",
"url": "http://links.kitestacks.com:9005",
"interval": 60,
"retries": 3
},
{
"name": "Grafana",
"type": "http",
"method": "GET",
"url": "http://grafana.kitestacks.com:3150",
"interval": 60,
"retries": 3
},
{
"name": "OpenProject",
"type": "http",
"method": "GET",
"url": "http://openproject.kitestacks.com:8080",
"interval": 60,
"retries": 3
},
{
"name": "Prometheus",
"type": "tcp",
"host": "prometheus.kitestacks.com",
"port": 9090,
"interval": 60,
"retries": 3
},
{
"name": "Node Exporter",
"type": "tcp",
"host": "node-exporter.kitestacks.com",
"port": 9100,
"interval": 60,
"retries": 3
},
{
"name": "Pixel 4",
"type": "ping",
"host": "192.168.1.201",
"interval": 60,
"retries": 3
},
{
"name": "Lenovo T14",
"type": "ping",
"host": "192.168.1.205",
"interval": 60,
"retries": 3
},
{
"name": "Lenovo T14s",
"type": "ping",
"host": "192.168.1.206",
"interval": 60,
"retries": 3
},
{
"name": "Gaming Desktop",
"type": "ping",
"host": "192.168.1.207",
"interval": 60,
"retries": 3
},
{
"name": "Tesla Model Y",
"type": "ping",
"host": "192.168.1.208",
"interval": 60,
"retries": 3
},
{
"name": "Mom's HP Laptop",
"type": "ping",
"host": "192.168.1.209",
"interval": 60,
"retries": 3
},
{
"name": "Uptime Kuma",
"type": "http",
"method": "GET",
"url": "https://status.kitestacks.com",
"interval": 60,
"retries": 3
}
]
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: kitestacks-monitors-check
namespace: monitoring
spec:
schedule: "*/5 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: monitor-check
image: python:3.12-slim
command: ["python3", "/scripts/kitestacks_check.py"]
volumeMounts:
- name: monitors
mountPath: /scripts
restartPolicy: OnFailure
volumes:
- name: monitors
configMap:
name: kitestacks-monitors
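
Review bot: the CronJob runs `/scripts/kitestacks_check.py`, but the ConfigMap mounted at `/scripts` carries only the `monitors.json` key, so the script file is absent and the container fails on start. Add the script as a second key or bake it into an image. `python:3.12-slim` also ships no third-party packages, so anything the script needs beyond the standard library has to come from a custom image, and the pod has no `securityContext` or resource limits.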

View file

@ -1,140 +0,0 @@
[
{
"name": "Open Web UI",
"type": "http",
"method": "GET",
"url": "https://www.kitestacks.com",
"interval": 60,
"retries": 3
},
{
"name": "Auth",
"type": "http",
"method": "GET",
"url": "https://auth.kitestacks.com",
"interval": 60,
"retries": 3
},
{
"name": "Kavita",
"type": "http",
"method": "GET",
"url": "http://kavita.kitestacks.com:5000",
"interval": 60,
"retries": 3
},
{
"name": "Tasks",
"type": "http",
"method": "GET",
"url": "http://tasks.kitestacks.com:8080",
"interval": 60,
"retries": 3
},
{
"name": "AI",
"type": "http",
"method": "GET",
"url": "http://ai.kitestacks.com:3100",
"interval": 60,
"retries": 3
},
{
"name": "Forgejo",
"type": "http",
"method": "GET",
"url": "http://gitforge.kitestacks.com:3006",
"interval": 60,
"retries": 3
},
{
"name": "Linkding",
"type": "http",
"method": "GET",
"url": "http://links.kitestacks.com:9005",
"interval": 60,
"retries": 3
},
{
"name": "Grafana",
"type": "http",
"method": "GET",
"url": "http://grafana.kitestacks.com:3150",
"interval": 60,
"retries": 3
},
{
"name": "OpenProject",
"type": "http",
"method": "GET",
"url": "http://openproject.kitestacks.com:8080",
"interval": 60,
"retries": 3
},
{
"name": "Prometheus",
"type": "tcp",
"host": "prometheus.kitestacks.com",
"port": 9090,
"interval": 60,
"retries": 3
},
{
"name": "Node Exporter",
"type": "tcp",
"host": "node-exporter.kitestacks.com",
"port": 9100,
"interval": 60,
"retries": 3
},
{
"name": "Pixel 4",
"type": "ping",
"host": "192.168.1.201",
"interval": 60,
"retries": 3
},
{
"name": "Lenovo T14",
"type": "ping",
"host": "192.168.1.205",
"interval": 60,
"retries": 3
},
{
"name": "Lenovo T14s",
"type": "ping",
"host": "192.168.1.206",
"interval": 60,
"retries": 3
},
{
"name": "Gaming Desktop",
"type": "ping",
"host": "192.168.1.207",
"interval": 60,
"retries": 3
},
{
"name": "Tesla Model Y",
"type": "ping",
"host": "192.168.1.208",
"interval": 60,
"retries": 3
},
{
"name": "Mom's HP Laptop",
"type": "ping",
"host": "192.168.1.209",
"interval": 60,
"retries": 3
},
{
"name": "Uptime Kuma",
"type": "http",
"method": "GET",
"url": "https://status.kitestacks.com",
"interval": 60,
"retries": 3
}
]
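
Review bot: the ping entries put personal device names and their LAN addresses in the repository (for example "Mom's HP Laptop" at 192.168.1.209), which exposes a network inventory to anyone with read access. Keep the host list in an untracked or encrypted file. Several HTTP monitors also probe `http://` on service ports, so a passing check says nothing about the https path users actually take.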

View file

@ -1,32 +0,0 @@
#!/usr/bin/env python3
import json
import requests
import subprocess
# Load the monitors JSON
with open("/scripts/kitestacks-monitors.json", "r") as f:
monitors = json.load(f)
for monitor in monitors:
name = monitor.get("name")
mtype = monitor.get("type")
try:
if mtype == "http":
url = monitor.get("url")
method = monitor.get("method", "GET").upper()
resp = requests.request(method, url, timeout=10, verify=False)
print(f"[{name}] HTTP {method} {url} -> Status {resp.status_code}")
elif mtype == "tcp":
host = monitor.get("host")
port = monitor.get("port")
result = subprocess.run(["nc", "-zvw3", host, str(port)], capture_output=True)
print(f"[{name}] TCP {host}:{port} -> Returncode {result.returncode}")
elif mtype == "ping":
host = monitor.get("host")
result = subprocess.run(["ping", "-c", "1", host], capture_output=True)
print(f"[{name}] Ping {host} -> Returncode {result.returncode}")
else:
print(f"[{name}] Unknown type: {mtype}")
except Exception as e:
print(f"[{name}] Error: {e}")
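
Review bot: `requests.request(method, url, timeout=10, verify=False)` disables certificate validation for every HTTPS monitor, so an expired or substituted certificate still reports as up. Remove `verify=False` (or pass a CA bundle for internal CAs). The script also prints `resp.status_code` and the `nc`/`ping` return codes without evaluating them and never exits non-zero, so the job succeeds even when every target is down; and the hard-coded `/scripts/kitestacks-monitors.json` path has to match the file name the monitor list is mounted under.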

View file

@ -1,24 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: uptime-kuma-ingress
namespace: monitoring
annotations:
kubernetes.io/ingress.class: nginx # or your ingress controller name
cert-manager.io/cluster-issuer: letsencrypt-prod # if using cert-manager for TLS
spec:
rules:
- host: status.kitestacks.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: uptime-kuma
port:
number: 3001
tls:
- hosts:
- status.kitestacks.com
secretName: uptime-kuma-tls
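
Review bot: the `kubernetes.io/ingress.class: nginx` annotation is deprecated; set `spec.ingressClassName: nginx` instead. The inline comments (`# or your ingress controller name`, `# if using cert-manager for TLS`) read like template text, so confirm the `letsencrypt-prod` ClusterIssuer exists before relying on the `uptime-kuma-tls` secret.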

Binary file not shown.

View file

@ -1,7 +0,0 @@
services:
grafana:
image: grafana/grafana-oss
container_name: grafana
ports:
- "3150:3000" # host:container
restart: unless-stopped
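
Review bot: `image: grafana/grafana-oss` has no tag, so it resolves to `latest`, and with no `GF_SECURITY_ADMIN_PASSWORD` and no data volume the instance comes up with Grafana's default admin login each time the container is recreated, on a port published to all interfaces. Pin a version, set the admin password from a secret, add a volume for `/var/lib/grafana`, and bind `3150` only to the address that needs it.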

View file

@ -1,19 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-grafana-ingress
namespace: monitoring
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: grafana
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 192.168.1.0/24 # replace with your LAN subnet
ports:
- protocol: TCP
port: 3000
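
Review bot: the `ipBlock` rule matches the source address the pod sees, and traffic that reaches Grafana through an ingress controller or a NodePort with SNAT can arrive with a cluster or node address instead of the client's 192.168.1.0/24 address. Check how Grafana is exposed; behind an ingress controller, allow that controller's pods with a `namespaceSelector`/`podSelector` rule and enforce the LAN restriction at the ingress. The `# replace with your LAN subnet` comment suggests the CIDR was never confirmed.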

View file

@ -1,13 +0,0 @@
# Use Node.js Alpine base
FROM node:20-alpine
WORKDIR /app
# Copy all homepage files
COPY . /app
# Expose port for the homepage
EXPOSE 8080
# Start the homepage (adjust if your entry point is different)
CMD ["node", "server.js"]
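
Review bot: there is no `USER` instruction, so `node server.js` runs as root inside the container; the node image ships a `node` user, so add `USER node` before `CMD`. `COPY . /app` also copies the entire build context, so add a `.dockerignore` to keep config files and VCS data out of the image.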

View file

@ -1,6 +0,0 @@
- Social:
- Discord:
- abbr:
href: https://discord.gg/QbdveTb6Kw

View file

@ -1,10 +0,0 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/configs/docker/
# my-docker:
# host: 127.0.0.1
# port: 2375
# my-docker:
# socket: /var/run/docker.sock

View file

@ -1,5 +0,0 @@
---
# pve:
# url: https://proxmox.host.or.ip:8006
# token: username@pam!Token ID
# secret: secret

View file

@ -1,90 +0,0 @@
- Infrastructure:
- Portainer:
icon: portainer.png
href: https://portainer.kitestacks.com
description: Docker Management
- Authentik:
icon: authentik.png
href: https://auth.kitestacks.com
description: Identity Provider
- Cloudflare:
icon: cloudflare.png
href: https://dash.cloudflare.com
description: DNS & Tunnel Management
- Uptime Kuma:
icon: uptime-kuma.png
href: https://status.kitestacks.com
description: Uptime Monitoring
- AI:
- Kite AI:
icon: open-webui.png
href: https://ai.kitestacks.com
description: Private AI Workspace
- LiteLLM:
icon: si-openai
href: https://llm.kitestacks.com
description: AI Model Gateway
- OpenRouter:
icon: si-openai
href: https://openrouter.ai
description: Hosted AI Models
- Library:
- Kavita:
icon: kavita.png
href: https://kavita.kitestacks.com
description: Books, Comics & PDFs
- Linkding:
icon: linkding.png
href: https://links.kitestacks.com
description: Bookmark Library
- Code:
- Forgejo:
icon: forgejo.png
href: https://gitforge.kitestacks.com
description: Self-Hosted Git
- TicketSystem:
- OpenProject:
icon: openproject.png
href: https://tasks.kitestacks.com
description: Project Management
- Monitoring:
- Grafana:
icon: grafana.png
href: http://192.168.1.205:3150
description: Monitoring Dashboards
- Prometheus:
icon: prometheus.png
href: http://192.168.1.205:9090
description: Metrics Database
- Node Exporter:
icon: prometheus.png
href: http://192.168.1.205:9100
description: Host Metrics
- Future Projects:
- Kubernetes:
icon: kubernetes.png
href: https://kubernetes.io
description: Cluster Platform
- FluxCD:
icon: flux-cd.png
href: https://fluxcd.io
description: GitOps Automation
- Cilium:
icon: cilium.png
href: https://cilium.io
description: eBPF Networking
- CloudNativePG:
icon: postgresql.png
href: https://cloudnative-pg.io
description: PostgreSQL Operator
- Social:
- Discord:
icon: discord.png
href: https://discord.gg
description: Discord
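
Review bot: the three Monitoring entries link to `http://192.168.1.205:3150`, `:9090` and `:9100`, plain HTTP on a LAN address, while every other internal service uses an https hostname. Prometheus and node exporter have no authentication by default, so route them through the same HTTPS front end and identity provider as the other services, or keep them off the dashboard and firewall the ports to the hosts that scrape them.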

View file

@ -1,90 +0,0 @@
- Infrastructure:
- Portainer:
icon: portainer.png
href: https://portainer.kitestacks.com
description: Docker Management
- Authentik:
icon: authentik.png
href: https://auth.kitestacks.com
description: Identity Provider
- Cloudflare:
icon: cloudflare.png
href: https://dash.cloudflare.com
description: DNS & Tunnel Management
- Uptime Kuma:
icon: uptime-kuma.png
href: https://status.kitestacks.com
description: Uptime Monitoring
- AI:
- Kite AI:
icon: open-webui.png
href: https://ai.kitestacks.com
description: Private AI Workspace
- LiteLLM:
icon: si-openai
href: https://llm.kitestacks.com
description: AI Model Gateway
- OpenRouter:
icon: si-openai
href: https://openrouter.ai
description: Hosted AI Models
- Library:
- Kavita:
icon: kavita.png
href: https://kavita.kitestacks.com
description: Books, Comics & PDFs
- Shaarli:
icon: shaarli.png
href: https://links.kitestacks.com
description: Bookmark Library
- Code:
- Forgejo:
icon: forgejo.png
href: https://gitforge.kitestacks.com
description: Self-Hosted Git
- TicketSystem:
- OpenProject:
icon: openproject.png
href: https://tasks.kitestacks.com
description: Project Management
- Monitoring:
- Grafana:
icon: grafana.png
href: http://192.168.1.205:3150
description: Monitoring Dashboards
- Prometheus:
icon: prometheus.png
href: http://192.168.1.205:9090
description: Metrics Database
- Node Exporter:
icon: prometheus.png
href: http://192.168.1.205:9100
description: Host Metrics
- Future Projects:
- Kubernetes:
icon: kubernetes.png
href: https://kubernetes.io
description: Cluster Platform
- FluxCD:
icon: flux-cd.png
href: https://fluxcd.io
description: GitOps Automation
- Cilium:
icon: cilium.png
href: https://cilium.io
description: eBPF Networking
- CloudNativePG:
icon: postgresql.png
href: https://cloudnative-pg.io
description: PostgreSQL Operator
- Social:
- Discord:
icon: discord.png
href: https://discord.gg
description: Discord
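
Review bot: the Library entry here is labelled Shaarli with `icon: shaarli.png`, yet its href is `https://links.kitestacks.com`, the same address another copy of this list labels Linkding. Only one of them can be what is deployed; keep a single services list and delete the stale copies so the dashboard matches the running service.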

View file

@ -1,32 +0,0 @@
---
title: KiteStacks.AO
theme: dark
color: slate
headerStyle: boxed
hideVersion: true
useEqualHeights: true
layout:
Infrastructure:
style: row
columns: 1
Library:
style: row
columns: 1
Code:
style: row
columns: 1
Projects:
style: row
columns: 1
Monitoring:
style: row
columns: 2
Social:
style: row
columns: 1
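
Review bot: `layout` defines a `Projects` group, but the services lists in this change set use group names such as `TicketSystem`, `AI` and `Future Projects`, none of which appear here, so the `Projects` entry appears to match nothing. Align the layout keys with the group names actually used in the services file.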

View file

@ -1,32 +0,0 @@
---
title: KiteStacks.AO
theme: dark
color: slate
headerStyle: boxed
hideVersion: true
useEqualHeights: true
layout:
Infrastructure:
style: row
columns: 1
Library:
style: row
columns: 1
Code:
style: row
columns: 1
Projects:
style: row
columns: 1
Monitoring:
style: row
columns: 2
Social:
style: row
columns: 1

View file

@ -1,24 +0,0 @@
---
- resources:
label: System
cpu: true
memory: true
disk: /
- datetime:
text_size: xl
format:
dateStyle: full
timeStyle: short
- openmeteo:
label: Wheaton
latitude: 41.8661
longitude: -88.1065
timezone: America/Chicago
units: imperial
cache: 5
- search:
provider: google
target: _blank

View file

@ -1,24 +0,0 @@
---
- resources:
label: System
cpu: true
memory: true
disk: /
- datetime:
text_size: xl
format:
dateStyle: full
timeStyle: short
- openmeteo:
label: Wheaton
latitude: 41.8661
longitude: -88.1065
timezone: America/Chicago
units: imperial
cache: 5
- search:
provider: google
target: _blank

View file

@ -1,6 +0,0 @@
- Social:
- Discord:
- abbr:
href: https://discord.gg/QbdveTb6Kw

View file

@ -1,91 +0,0 @@
/* ==========================================================
KITESTACKS CYBERPUNK TEST THEME
TEST ONLY
========================================================== */
/* Background */
body {
background: url("/images/cyberpunk-bg.png") center center fixed !important;
background-size: cover !important;
}
/* Remove old injected banner */
body::before,
body::after {
display: none !important;
content: none !important;
}
/* Dark overlay for readability */
body::selection {
background: rgba(56,189,248,0.35);
}
/* Main containers */
div[class*="service"],
div[class*="widget"],
.card,
.service-card {
background: rgba(7,15,30,0.72) !important;
backdrop-filter: blur(10px);
-webkit-backdrop-filter: blur(10px);
border: 1px solid rgba(56,189,248,0.25) !important;
border-radius: 18px !important;
box-shadow:
0 0 15px rgba(56,189,248,0.08),
0 0 30px rgba(56,189,248,0.05) !important;
}
/* Section headers */
h2 {
color: #dbeafe !important;
font-weight: 700 !important;
letter-spacing: 0.03em !important;
text-shadow:
0 0 8px rgba(56,189,248,0.45);
}
/* Search box */
input[type="text"] {
background: rgba(5,10,20,0.75) !important;
border: 1px solid rgba(56,189,248,0.35) !important;
border-radius: 14px !important;
}
/* Widget row */
div[class*="widget"] {
border-radius: 18px !important;
}
/* Hover effects */
a:hover .service-card,
.service-card:hover,
.card:hover {
transform: translateY(-2px);
box-shadow:
0 0 15px rgba(56,189,248,0.25),
0 0 35px rgba(56,189,248,0.18) !important;
transition: all .2s ease;
}
/* Footer */
footer {
backdrop-filter: blur(8px);
}
/* Slightly dim the background for readability */
body::after {
content: "";
position: fixed;
inset: 0;
background: rgba(0,0,20,0.45);
pointer-events: none;
z-index: -1;
}
EOF
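
Review bot: the file ends with a bare `EOF` line, which looks like a heredoc terminator that was written into the stylesheet; remove it. The early `body::before, body::after { display: none !important; content: none !important; }` rule also overrides the later `body::after` overlay, which carries no `!important`, so the dimming layer never renders, and the block commented "Dark overlay for readability" only styles `body::selection`.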

View file

@ -1,31 +0,0 @@
body::before {
content: "";
display: block;
height: 155px;
margin: 24px 38px 10px 38px;
background-image: url("/images/kitestacks-logo.png");
background-repeat: no-repeat;
background-position: left center;
background-size: 360px auto;
border-bottom: 2px solid rgba(56, 189, 248, 0.75);
}
body::after {
content: "Personal Infrastructure Platform";
position: absolute;
top: 128px;
left: 185px;
font-size: 15px;
letter-spacing: 0.18em;
text-transform: uppercase;
color: rgba(203, 213, 225, 0.75);
}
.service-card,
div[class*="service"] {
border-radius: 14px !important;
}
h2 {
letter-spacing: -0.02em;
}

View file

@ -1,10 +0,0 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/configs/docker/
# my-docker:
# host: 127.0.0.1
# port: 2375
# my-docker:
# socket: /var/run/docker.sock

Binary file not shown.


Binary file not shown.


Binary file not shown.


View file

@ -1,2 +0,0 @@
---
# sample kubernetes config

View file

@ -1,5 +0,0 @@
---
# pve:
# url: https://proxmox.host.or.ip:8006
# token: username@pam!Token ID
# secret: secret

View file

@ -1,90 +0,0 @@
- Infrastructure:
- Portainer:
icon: portainer.png
href: https://portainer.kitestacks.com
description: Docker Management
- Authentik:
icon: authentik.png
href: https://auth.kitestacks.com
description: Identity Provider
- Cloudflare:
icon: cloudflare.png
href: https://dash.cloudflare.com
description: DNS & Tunnel Management
- Uptime Kuma:
icon: uptime-kuma.png
href: https://status.kitestacks.com
description: Uptime Monitoring
- AI:
- Kite AI:
icon: open-webui.png
href: https://ai.kitestacks.com
description: Private AI Workspace
- LiteLLM:
icon: si-openai
href: https://llm.kitestacks.com
description: AI Model Gateway
- OpenRouter:
icon: si-openai
href: https://openrouter.ai
description: Hosted AI Models
- Library:
- Kavita:
icon: kavita.png
href: https://kavita.kitestacks.com
description: Books, Comics & PDFs
- Linkding:
icon: linkding.png
href: https://links.kitestacks.com
description: Bookmark Library
- Code:
- Forgejo:
icon: forgejo.png
href: https://gitforge.kitestacks.com
description: Self-Hosted Git
- TicketSystem:
- OpenProject:
icon: openproject.png
href: https://tasks.kitestacks.com
description: Project Management
- Monitoring:
- Grafana:
icon: grafana.png
href: http://192.168.1.205:3150
description: Monitoring Dashboards
- Prometheus:
icon: prometheus.png
href: http://192.168.1.205:9090
description: Metrics Database
- Node Exporter:
icon: prometheus.png
href: http://192.168.1.205:9100
description: Host Metrics
- Future Projects:
- Kubernetes:
icon: kubernetes.png
href: https://kubernetes.io
description: Cluster Platform
- FluxCD:
icon: flux-cd.png
href: https://fluxcd.io
description: GitOps Automation
- Cilium:
icon: cilium.png
href: https://cilium.io
description: eBPF Networking
- CloudNativePG:
icon: postgresql.png
href: https://cloudnative-pg.io
description: PostgreSQL Operator
- Social:
- Discord:
icon: discord.png
href: https://discord.gg
description: Discord

View file

@ -1,89 +0,0 @@
- Infrastructure:
- Portainer:
icon: portainer.png
href: https://portainer.kitestacks.com
description: Docker Management
- Authentik:
icon: authentik.png
href: https://auth.kitestacks.com
description: Identity & Access
- Cloudflare:
icon: cloudflare.png
href: https://dash.cloudflare.com
description: DNS & Tunnel Control
- Uptime Kuma:
icon: uptime-kuma.png
href: https://status.kitestacks.com
description: Service Health
- Monitoring:
- Grafana:
icon: grafana.png
href: http://192.168.1.205:3150
description: Dashboards & Metrics
- Prometheus:
icon: prometheus.png
href: http://192.168.1.205:9090
description: Metrics Database
- Node Exporter:
icon: prometheus.png
href: http://192.168.1.205:9100
description: Host Telemetry
- AI & Automation:
- Kite AI:
icon: open-webui.png
href: https://ai.kitestacks.com
description: Private AI Workspace
- LiteLLM:
icon: si-openai
href: https://llm.kitestacks.com
description: Model Gateway
- OpenRouter:
icon: si-openai
href: https://openrouter.ai
description: Hosted AI Models
- Knowledge Base:
- Kavita:
icon: kavita.png
href: https://kavita.kitestacks.com
description: Books, Comics & PDFs
- Shaarli:
icon: shaarli.png
href: https://links.kitestacks.com
description: Bookmark Library
- Development:
- Forgejo:
icon: forgejo.png
href: https://gitforge.kitestacks.com
description: Self-Hosted Git
- OpenProject:
icon: openproject.png
href: https://tasks.kitestacks.com
description: Project Management
- Community:
- Discord:
icon: discord.png
href: https://discord.gg
description: Community Hub
- Future Projects:
- Kubernetes:
icon: kubernetes.png
href: https://kubernetes.io
description: Coming Soon
- FluxCD:
icon: flux-cd.png
href: https://fluxcd.io
description: Coming Soon
- Cilium:
icon: cilium.png
href: https://cilium.io
description: Coming Soon
- CloudNativePG:
icon: postgresql.png
href: https://cloudnative-pg.io
description: Coming Soon
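Review bot: the three `Monitoring` entries link to `http://192.168.1.205` on ports 3150, 9090 and 9100, so Grafana, Prometheus and Node Exporter are reached over plain HTTP on the host address while every other self-hosted service in this file sits behind an HTTPS hostname. Prometheus and Node Exporter have no login of their own by default. Route them through the same proxy and identity provider as the rest, or restrict those ports to the hosts that scrape them, and keep the internal address out of a committed dashboard config.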

View file

@ -1,90 +0,0 @@
- Infrastructure:
- Portainer:
icon: portainer.png
href: https://portainer.kitestacks.com
description: Docker Management
- Authentik:
icon: authentik.png
href: https://auth.kitestacks.com
description: Identity Provider
- Cloudflare:
icon: cloudflare.png
href: https://dash.cloudflare.com
description: DNS & Tunnel Management
- Uptime Kuma:
icon: uptime-kuma.png
href: https://status.kitestacks.com
description: Uptime Monitoring
- AI:
- Kite AI:
icon: open-webui.png
href: https://ai.kitestacks.com
description: Private AI Workspace
- LiteLLM:
icon: si-openai
href: https://llm.kitestacks.com
description: AI Model Gateway
- OpenRouter:
icon: si-openai
href: https://openrouter.ai
description: Hosted AI Models
- Library:
- Kavita:
icon: kavita.png
href: https://kavita.kitestacks.com
description: Books, Comics & PDFs
- Shaarli:
icon: shaarli.png
href: https://links.kitestacks.com
description: Bookmark Library
- Code:
- Forgejo:
icon: forgejo.png
href: https://gitforge.kitestacks.com
description: Self-Hosted Git
- TicketSystem:
- OpenProject:
icon: openproject.png
href: https://tasks.kitestacks.com
description: Project Management
- Monitoring:
- Grafana:
icon: grafana.png
href: http://192.168.1.205:3150
description: Monitoring Dashboards
- Prometheus:
icon: prometheus.png
href: http://192.168.1.205:9090
description: Metrics Database
- Node Exporter:
icon: prometheus.png
href: http://192.168.1.205:9100
description: Host Metrics
- Future Projects:
- Kubernetes:
icon: kubernetes.png
href: https://kubernetes.io
description: Cluster Platform
- FluxCD:
icon: flux-cd.png
href: https://fluxcd.io
description: GitOps Automation
- Cilium:
icon: cilium.png
href: https://cilium.io
description: eBPF Networking
- CloudNativePG:
icon: postgresql.png
href: https://cloudnative-pg.io
description: PostgreSQL Operator
- Social:
- Discord:
icon: discord.png
href: https://discord.gg
description: Discord

View file

@ -1,32 +0,0 @@
---
title: KiteStacks.AO
theme: dark
color: slate
headerStyle: boxed
hideVersion: true
useEqualHeights: true
layout:
Infrastructure:
style: row
columns: 1
Library:
style: row
columns: 1
Code:
style: row
columns: 1
Projects:
style: row
columns: 1
Monitoring:
style: row
columns: 2
Social:
style: row
columns: 1

View file

@ -1,37 +0,0 @@
---
title: KiteStacks
theme: dark
color: slate
headerStyle: boxed
hideVersion: true
useEqualHeights: true
layout:
Infrastructure:
style: row
columns: 4
Monitoring:
style: row
columns: 3
AI & Automation:
style: row
columns: 3
Knowledge Base:
style: row
columns: 2
Development:
style: row
columns: 2
Community:
style: row
columns: 1
Future Projects:
style: row
columns: 4

View file

@ -1,32 +0,0 @@
---
title: KiteStacks.AO
theme: dark
color: slate
headerStyle: boxed
hideVersion: true
useEqualHeights: true
layout:
Infrastructure:
style: row
columns: 1
Library:
style: row
columns: 1
Code:
style: row
columns: 1
Projects:
style: row
columns: 1
Monitoring:
style: row
columns: 2
Social:
style: row
columns: 1

View file

@ -1,24 +0,0 @@
---
- resources:
label: System
cpu: true
memory: true
disk: /
- datetime:
text_size: xl
format:
dateStyle: full
timeStyle: short
- openmeteo:
label: Wheaton
latitude: 41.8661
longitude: -88.1065
timezone: America/Chicago
units: imperial
cache: 5
- search:
provider: google
target: _blank

View file

@ -1,24 +0,0 @@
---
- resources:
label: System
cpu: true
memory: true
disk: /
- datetime:
text_size: xl
format:
dateStyle: full
timeStyle: short
- openmeteo:
label: Wheaton
latitude: 41.8661
longitude: -88.1065
timezone: America/Chicago
units: imperial
cache: 5
- search:
provider: google
target: _blank

View file

@ -1,24 +0,0 @@
---
- resources:
label: System
cpu: true
memory: true
disk: /
- datetime:
text_size: xl
format:
dateStyle: full
timeStyle: short
- openmeteo:
label: Wheaton
latitude: 41.8661
longitude: -88.1065
timezone: America/Chicago
units: imperial
cache: 5
- search:
provider: google
target: _blank

View file

@ -1,6 +0,0 @@
- Social:
- Discord:
- abbr:
href: https://discord.gg/QbdveTb6Kw

View file

@ -1,10 +0,0 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/configs/docker/
# my-docker:
# host: 127.0.0.1
# port: 2375
# my-docker:
# socket: /var/run/docker.sock

View file

@ -1,2 +0,0 @@
---
# sample kubernetes config

View file

@ -1,5 +0,0 @@
---
# pve:
# url: https://proxmox.host.or.ip:8006
# token: username@pam!Token ID
# secret: secret

View file

@ -1,90 +0,0 @@
- Infrastructure:
- Portainer:
icon: portainer.png
href: https://portainer.kitestacks.com
description: Docker Management
- Authentik:
icon: authentik.png
href: https://auth.kitestacks.com
description: Identity Provider
- Cloudflare:
icon: cloudflare.png
href: https://dash.cloudflare.com
description: DNS & Tunnel Management
- Uptime Kuma:
icon: uptime-kuma.png
href: https://status.kitestacks.com
description: Uptime Monitoring
- AI:
- Kite AI:
icon: open-webui.png
href: https://ai.kitestacks.com
description: Private AI Workspace
- LiteLLM:
icon: si-openai
href: https://llm.kitestacks.com
description: AI Model Gateway
- OpenRouter:
icon: si-openai
href: https://openrouter.ai
description: Hosted AI Models
- Library:
- Kavita:
icon: kavita.png
href: https://kavita.kitestacks.com
description: Books, Comics & PDFs
- Linkding:
icon: linkding.png
href: https://links.kitestacks.com
description: Bookmark Library
- Code:
- Forgejo:
icon: forgejo.png
href: https://gitforge.kitestacks.com
description: Self-Hosted Git
- TicketSystem:
- OpenProject:
icon: openproject.png
href: https://tasks.kitestacks.com
description: Project Management
- Monitoring:
- Grafana:
icon: grafana.png
href: http://192.168.1.205:3150
description: Monitoring Dashboards
- Prometheus:
icon: prometheus.png
href: http://192.168.1.205:9090
description: Metrics Database
- Node Exporter:
icon: prometheus.png
href: http://192.168.1.205:9100
description: Host Metrics
- Future Projects:
- Kubernetes:
icon: kubernetes.png
href: https://kubernetes.io
description: Cluster Platform
- FluxCD:
icon: flux-cd.png
href: https://fluxcd.io
description: GitOps Automation
- Cilium:
icon: cilium.png
href: https://cilium.io
description: eBPF Networking
- CloudNativePG:
icon: postgresql.png
href: https://cloudnative-pg.io
description: PostgreSQL Operator
- Social:
- Discord:
icon: discord.png
href: https://discord.gg
description: Discord

View file

@ -1,90 +0,0 @@
- Infrastructure:
- Portainer:
icon: portainer.png
href: https://portainer.kitestacks.com
description: Docker Management
- Authentik:
icon: authentik.png
href: https://auth.kitestacks.com
description: Identity Provider
- Cloudflare:
icon: cloudflare.png
href: https://dash.cloudflare.com
description: DNS & Tunnel Management
- Uptime Kuma:
icon: uptime-kuma.png
href: https://status.kitestacks.com
description: Uptime Monitoring
- AI:
- Kite AI:
icon: open-webui.png
href: https://ai.kitestacks.com
description: Private AI Workspace
- LiteLLM:
icon: si-openai
href: https://llm.kitestacks.com
description: AI Model Gateway
- OpenRouter:
icon: si-openai
href: https://openrouter.ai
description: Hosted AI Models
- Library:
- Kavita:
icon: kavita.png
href: https://kavita.kitestacks.com
description: Books, Comics & PDFs
- Shaarli:
icon: shaarli.png
href: https://links.kitestacks.com
description: Bookmark Library
- Code:
- Forgejo:
icon: forgejo.png
href: https://gitforge.kitestacks.com
description: Self-Hosted Git
- TicketSystem:
- OpenProject:
icon: openproject.png
href: https://tasks.kitestacks.com
description: Project Management
- Monitoring:
- Grafana:
icon: grafana.png
href: http://192.168.1.205:3150
description: Monitoring Dashboards
- Prometheus:
icon: prometheus.png
href: http://192.168.1.205:9090
description: Metrics Database
- Node Exporter:
icon: prometheus.png
href: http://192.168.1.205:9100
description: Host Metrics
- Future Projects:
- Kubernetes:
icon: kubernetes.png
href: https://kubernetes.io
description: Cluster Platform
- FluxCD:
icon: flux-cd.png
href: https://fluxcd.io
description: GitOps Automation
- Cilium:
icon: cilium.png
href: https://cilium.io
description: eBPF Networking
- CloudNativePG:
icon: postgresql.png
href: https://cloudnative-pg.io
description: PostgreSQL Operator
- Social:
- Discord:
icon: discord.png
href: https://discord.gg
description: Discord

View file

@ -1,32 +0,0 @@
---
title: KiteStacks.AO
theme: dark
color: slate
headerStyle: boxed
hideVersion: true
useEqualHeights: true
layout:
Infrastructure:
style: row
columns: 1
Library:
style: row
columns: 1
Code:
style: row
columns: 1
Projects:
style: row
columns: 1
Monitoring:
style: row
columns: 2
Social:
style: row
columns: 1

View file

@ -1,32 +0,0 @@
---
title: KiteStacks.AO
theme: dark
color: slate
headerStyle: boxed
hideVersion: true
useEqualHeights: true
layout:
Infrastructure:
style: row
columns: 1
Library:
style: row
columns: 1
Code:
style: row
columns: 1
Projects:
style: row
columns: 1
Monitoring:
style: row
columns: 2
Social:
style: row
columns: 1

View file

@ -1,24 +0,0 @@
---
- resources:
label: System
cpu: true
memory: true
disk: /
- datetime:
text_size: xl
format:
dateStyle: full
timeStyle: short
- openmeteo:
label: Wheaton
latitude: 41.8661
longitude: -88.1065
timezone: America/Chicago
units: imperial
cache: 5
- search:
provider: google
target: _blank

View file

@ -1,24 +0,0 @@
---
- resources:
label: System
cpu: true
memory: true
disk: /
- datetime:
text_size: xl
format:
dateStyle: full
timeStyle: short
- openmeteo:
label: Wheaton
latitude: 41.8661
longitude: -88.1065
timezone: America/Chicago
units: imperial
cache: 5
- search:
provider: google
target: _blank

View file

@ -1,12 +0,0 @@
services:
homepage-test:
image: ghcr.io/gethomepage/homepage:latest
container_name: homepage-test
restart: unless-stopped
ports:
- "3007:3000"
environment:
- HOMEPAGE_ALLOWED_HOSTS=localhost:3007,192.168.1.205:3007,www.kitestacks.test.com,kitestacks.test.com
volumes:
- ./config-test:/app/config
- /var/run/docker.sock:/var/run/docker.sock:ro
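Review bot: the `/var/run/docker.sock` mount on the last line hands this container the Docker API, and the `:ro` flag does not restrict that. It only makes the socket file itself read-only, so any request the API accepts, container creation included, is still open to whatever runs inside Homepage. For a test instance published on port 3007, put a socket proxy that allows only the read endpoints in front of it, or drop the mount if the Docker widgets are not used.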

View file

@ -1,13 +0,0 @@
services:
homepage:
image: ghcr.io/gethomepage/homepage:latest
container_name: homepage
restart: unless-stopped
ports:
- "3005:3000"
environment:
- HOMEPAGE_ALLOWED_HOSTS=localhost:3005,192.168.1.205:3005,www.kitestacks.com,kitestacks.com,home.kitestacks.com
volumes:
- ./config:/app/config
- /var/run/docker.sock:/var/run/docker.sock:ro
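Review bot: `image: ghcr.io/gethomepage/homepage:latest` is an unpinned tag on the instance whose `HOMEPAGE_ALLOWED_HOSTS` lists `kitestacks.com`, so a pull can change the running code without any change to this file. Pin a release tag or an `@sha256:` digest so that updates show up in review. The `"3005:3000"` mapping also publishes on every host interface. If only a reverse proxy or tunnel on the same host needs to reach it, bind it as `127.0.0.1:3005:3000`.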

View file

@ -1,69 +0,0 @@
- Infrastructure:
- Homepage:
icon: homepage.png
href: https://www.kitestacks.com
description: Main Dashboard
- Authentik:
icon: authentik.png
href: https://auth.kitestacks.com
description: Identity Provider
- Portainer:
icon: portainer.png
href: https://portainer.kitestacks.com
description: Container Management
- Development:
- Forgejo:
icon: forgejo.png
href: https://git.kitestacks.com
description: Git Repositories
- OpenProject:
icon: openproject.png
href: https://tasks.kitestacks.com
description: Project Management
- AI:
- Kite AI:
icon: open-webui.png
href: https://ai.kitestacks.com
description: AI Workspace
- LiteLLM:
icon: litellm.png
href: https://llm.kitestacks.com
description: Model Gateway
- OpenRouter:
icon: si-openai
href: https://openrouter.ai
description: Hosted AI Models
- Library:
- Kavita:
icon: kavita.png
href: https://kavita.kitestacks.com
description: Books & Documents
- Shaarli:
icon: shaarli.png
href: https://links.kitestacks.com
description: Bookmark Library
- Monitoring:
- Grafana:
icon: grafana.png
href: https://grafana.kitestacks.com
description: Dashboards
- Prometheus:
icon: prometheus.png
href: https://prometheus.kitestacks.com
description: Metrics Collection
- Uptime Kuma:
icon: uptime-kuma.png
href: https://status.kitestacks.com
description: Service Monitoring

View file

@ -1,15 +0,0 @@
{
"TokenKey": "0dAB10RcaX3mUwxMGE5pVcauZhDybFyoaPM6bGup5GLTFGq3yO6GFKpsnWCJ2TMS8GT2BpB4cXXc8wqB7mOV14\u002BS3ys5fgb2eWjX31DrmDgfJJYapAFr2Unx\u002BTv5fpeS9TyH\u002BnzAEhISPxXRApn4n6zJ7RUbJ79QEGyX2eKCjxJqsV6xBrHta4weL7zGQmPcWoMswezglOnFMoEYhzURpyVkwl1KeXFnfbdrPuGzcUCtsbdjBoRYXqIn5gcdjDOyrdwAxNT8Of3CGMnYFGLzg0kMIwPzBPqD5nsGXBisHQYEPUSwYsIIGwAfYLV3HtS\u002B\u002BXagEW3pgnbHYljsxSTQ==",
"Port": 5000,
"IpAddresses": "",
"BaseUrl": "/",
"Cache": 75,
"AllowIFraming": false,
"OpenIdConnectSettings": {
"Authority": "https://auth.kitestacks.com/application/o/kavita/",
"ClientId": "kavita",
"Secret": "73038a9414121817852fb59923f7ff3870cc5af78098c09a0311d37a74c663b6a8b266c823db0a812e8e784241ead772",
"CustomScopes": [],
"Enabled": true
}
}
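Review bot: `TokenKey` and `OpenIdConnectSettings.Secret` are credentials committed in plaintext, and deleting the file on one branch does not take them out of the other branch's history. Treat both as compromised: regenerate the Kavita `TokenKey`, rotate the secret for the `kavita` client at the `Authority` shown here, and keep this file out of version control by ignoring the Kavita config directory and supplying the values at deploy time. A secrets scan that only matches `key = "value"` assignments will not flag the JSON `"Secret": "..."` form used here, so add a pattern for quoted JSON keys as well.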

View file

@ -1,41 +0,0 @@
{
"CurrentVersion": "0.9.0.2",
"UpdateVersion": "0.9.0.2",
"UpdateBody": "\u003Cp\u003E\u003Cstrong\u003EAll users are strongly advised to update immediately.\u003C/strong\u003E\u003C/p\u003E\n\u003Cp\u003EThere has been a critical vulnerability discovered in Kavita. Please update your instances.\u003C/p\u003E\n\u003Cp\u003EAll versions prior to this release are impacted.\u003C/p\u003E\n\u003Cp\u003EIf you are holding out on an old release due to some change in Kavita, please raise a FR and I will work with you to help bridge that feature gap.\u003C/p\u003E\n\u003Cp\u003EDetails/CVE will be shared at a later date to give users time to update.\u003C/p\u003E\n\u003Cp\u003EEdit: CVE Published: CVE-2026-47202\u003C/p\u003E\n\u003Ch1\u003EChanged\u003C/h1\u003E\n\u003Cul\u003E\n\u003Cli\u003EChanged: OIDC validation no longer requires super safe urls.\u003C/li\u003E\n\u003C/ul\u003E\n\u003Ch1\u003EFixed\u003C/h1\u003E\n\u003Cul\u003E\n\u003Cli\u003EFixed: Fixed reading list detail tab not having tabs wired up.\u003C/li\u003E\n\u003Cli\u003EFixed: Fixed series/chapter rating always returning 0 if you had rated it.\u003C/li\u003E\n\u003Cli\u003EFixed: Fixed bookmarks not loading.\u003C/li\u003E\n\u003Cli\u003EFixed: Fixed text \u0026amp; image bookmarks being switched.\u003C/li\u003E\n\u003Cli\u003EFixed: Fixed long chapter names causing wrapping in activity overview.\u003C/li\u003E\n\u003Cli\u003EFixed: Fixed epub bookmarks not loading.\u003C/li\u003E\n\u003Cli\u003EFixed: Fixed text \u0026amp; image bookmarks being switched.\u003C/li\u003E\n\u003Cli\u003EFixed: Fixed long chapter names causing wrapping in activity overview.\u003C/li\u003E\n\u003Cli\u003EFixed: Fixed people not being removed from series if chapter metadata has none.\u003C/li\u003E\n\u003Cli\u003EFixed: Fixed series not being added to a collection under some circumstances.\u003C/li\u003E\n\u003Cli\u003EFixed: Fixed early reloading causing double K\u002B plus calls when matching on the series page.\u003C/li\u003E\n\u003Cli\u003EFixed: Fixed annotations duplicating 
\u0026amp; swallowing text under some circumstances.\u003C/li\u003E\n\u003Cli\u003EFixed: Fixed annotations not being shown under specific circumstances.\u003C/li\u003E\n\u003Cli\u003EFixed: Fixed external links containing sometimes being scoped out of a book.\u003C/li\u003E\n\u003Cli\u003EFixed: Fixed search being unreliable when searching with year metadata.\u003C/li\u003E\n\u003C/ul\u003E\n",
"UpdateTitle": "v0.9.0.2 - Security Hotfix",
"UpdateUrl": "https://github.com/Kareadita/Kavita/releases/tag/v0.9.0.2",
"IsDocker": true,
"IsPrerelease": false,
"PublishDate": "2026-05-14T14:04:05Z",
"IsOnNightlyInRelease": false,
"IsReleaseNewer": false,
"IsReleaseEqual": true,
"Added": [],
"Removed": [],
"Changed": [
"OIDC validation no longer requires super safe urls."
],
"Fixed": [
"Fixed reading list detail tab not having tabs wired up.",
"Fixed series/chapter rating always returning 0 if you had rated it.",
"Fixed bookmarks not loading.",
"Fixed text \u0026 image bookmarks being switched.",
"Fixed long chapter names causing wrapping in activity overview.",
"Fixed epub bookmarks not loading.",
"Fixed text \u0026 image bookmarks being switched.",
"Fixed long chapter names causing wrapping in activity overview.",
"Fixed people not being removed from series if chapter metadata has none.",
"Fixed series not being added to a collection under some circumstances.",
"Fixed early reloading causing double K\u002B plus calls when matching on the series page.",
"Fixed annotations duplicating \u0026 swallowing text under some circumstances.",
"Fixed annotations not being shown under specific circumstances.",
"Fixed external links containing sometimes being scoped out of a book.",
"Fixed search being unreliable when searching with year metadata."
],
"Theme": [],
"Developer": [],
"Api": [],
"FeatureRequests": [],
"KnownIssues": [],
"BlogPart": "\u003Cp\u003E\u003Cstrong\u003EAll users are strongly advised to update immediately.\u003C/strong\u003E\u003C/p\u003E\n\u003Cp\u003EThere has been a critical vulnerability discovered in Kavita. Please update your instances.\u003C/p\u003E\n\u003Cp\u003EAll versions prior to this release are impacted.\u003C/p\u003E\n\u003Cp\u003EIf you are holding out on an old release due to some change in Kavita, please raise a FR and I will work with you to help bridge that feature gap.\u003C/p\u003E\n\u003Cp\u003EDetails/CVE will be shared at a later date to give users time to update.\u003C/p\u003E\n\u003Cp\u003EEdit: CVE Published: CVE-2026-47202\u003C/p\u003E\n"
}
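Review bot: this file is Kavita's cached update-check state rather than configuration, and `"CurrentVersion": "0.9.0.2"` together with `"IsReleaseEqual": true` records the exact version the instance was running. Runtime cache under the application's config directory should be ignored, not committed. The `UpdateBody` text marks 0.9.0.2 as the security hotfix for CVE-2026-47202, so confirm the deployed container is at or above that release from the running instance itself instead of relying on this cached copy.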

View file

@ -1,27 +0,0 @@
[
{
"Version": "0.9.0.7",
"PrNumber": 4733,
"Date": "2026-06-05T21:46:13+00:00"
},
{
"Version": "0.9.0.6",
"PrNumber": 4731,
"Date": "2026-05-31T14:59:13+00:00"
},
{
"Version": "0.9.0.5",
"PrNumber": 4727,
"Date": "2026-05-27T16:43:27+00:00"
},
{
"Version": "0.9.0.4",
"PrNumber": 4711,
"Date": "2026-05-21T13:10:03+00:00"
},
{
"Version": "0.9.0.3",
"PrNumber": 4691,
"Date": "2026-05-19T18:28:36+00:00"
}
]

File diff suppressed because one or more lines are too long

View file

@ -1,7 +0,0 @@
{
"Title": "Cover Chooser Overhaul",
"Body": "\r\n\u003Cimg width=\u00221127\u0022 height=\u0022773\u0022 alt=\u0022image\u0022 src=\u0022https://github.com/user-attachments/assets/ba3fe03a-880c-4c48-a348-25169f0afdc8\u0022 /\u003E\r\n\u003Cimg width=\u0022965\u0022 height=\u0022658\u0022 alt=\u0022image\u0022 src=\u0022https://github.com/user-attachments/assets/55b8c9ac-3781-4725-ac7a-2176214b3489\u0022 /\u003E\r\n\r\n\r\n# Added\r\n- Added: (Kavita\u002B) Cover chooser will now present cover image choices from Kavita\u002B (powered by Hardcover, MangaBaka, and ComicBookRoundup). \r\n\r\n# Changed\r\n- Changed: Redesigned Kavita\u0027s Cover Image chooser to use tabs for individual types of media (Current, Uploaded, Volume, Chapter, Kavita\u002B). (Closes #3891) (Thanks @therobbiedavis for the great design)\r\n- Changed: Moved the Reset cover image from a weird button into a dedicated button with clear labeling if the underlying cover was locked or not. \r\n\r\n# Fixed\r\n- Fixed: Fixed up a case where entity title service would avoid having Volume X in some cases\r\n- Fixed: Fixed Chrome PWA not showing the install button (Thanks @Ansh2209 )\r\n",
"Html_Url": "https://github.com/Kareadita/Kavita/pull/4691",
"Merged_At": "2026-05-19T18:27:50Z",
"Number": 4691
}

View file

@ -1,7 +0,0 @@
{
"Title": "Kavita\u002B Audit Log",
"Body": "\r\n\u003Cimg width=\u00221860\u0022 height=\u0022743\u0022 alt=\u0022image\u0022 src=\u0022https://github.com/user-attachments/assets/563b5045-c954-4b9a-9206-1ceb81fa773d\u0022 /\u003E\r\n\r\n\u003Cimg width=\u00221656\u0022 height=\u0022755\u0022 alt=\u0022image\u0022 src=\u0022https://github.com/user-attachments/assets/fb372b91-0ef1-4472-8215-633c776b3ebb\u0022 /\u003E\r\n\r\n\u003Cimg width=\u00221113\u0022 height=\u0022751\u0022 alt=\u0022image\u0022 src=\u0022https://github.com/user-attachments/assets/ae3496e3-31eb-4854-8c2f-d84307f75881\u0022 /\u003E\r\n\r\n\r\nThis is the first piece of a lot of architectural changes to make the Kavita\u002B integration feel understandable. Since Kavita\u002B launched, the systems have been evolving, but understanding what is happening under the hood has been difficult. The pressure was added with both AniList and MAL having many downtime events and users wondering when metadata is matching, needs rematching, or why a scrobble event didn\u0027t post. \r\n\r\nI hope this Audit system helps shed light and I am open to feedback to ensure it addresses the needs. \r\n\r\n\r\n# Added\r\n- Added: Added 3 new screens that help users understand what Kavita\u002B is doing around their series, their scrobbling, and for admins, the whole behind the scenes logic. (Closes #4705)\r\n\r\n# Changed\r\n- Changed: Scrobbling screen is likely going to be replaced by the new screens\r\n\r\n# Fixed\r\n- Fixed: Fixed a bug where marking a chapter as read wasn\u0027t triggering scrobbling.\r\n- Fixed: Fixed a bug where MAL was never getting a proper response for token expiration in the Account Screen\r\n- Fixed: Fixed a bug where series detail page could refresh the cover when a chapter cover update event triggered. \r\n\r\nNote: Relies on #4691",
"Html_Url": "https://github.com/Kareadita/Kavita/pull/4711",
"Merged_At": "2026-05-21T13:09:15Z",
"Number": 4711
}

View file

@ -1,7 +0,0 @@
{
"Title": "Kavita\u002B Match UX Refresh",
"Body": "\r\n\u003Cimg width=\u00221150\u0022 height=\u0022551\u0022 alt=\u0022image\u0022 src=\u0022https://github.com/user-attachments/assets/dfb1fcb3-9502-4b3c-89d5-1ac823a7f0c3\u0022 /\u003E\r\n\r\nNote: Although you see Hardcover, it is not enabled yet in Kavita. This will come later. \r\n\r\n# Added\r\n- Added: Kavita\u002B Match can now accept direct ids via anilist:1234 in addition to existing urls. \r\n\r\n# Changed\r\n- Changed: Massive UX refresh to the Match modal for Kavita\u002B to surface tips on how to search. (Closes #4725)\r\n\r\n",
"Html_Url": "https://github.com/Kareadita/Kavita/pull/4727",
"Merged_At": "2026-05-27T16:42:40Z",
"Number": 4727
}

View file

@ -1,7 +0,0 @@
{
"Title": "Feature/kavita\u002B license",
"Body": "\r\n\u003Cimg width=\u00221880\u0022 height=\u0022653\u0022 alt=\u0022image\u0022 src=\u0022https://github.com/user-attachments/assets/203bc8bf-a4c2-49c0-ae74-03d86de5d4fb\u0022 /\u003E\r\n\r\n\u003Cimg width=\u00221876\u0022 height=\u0022817\u0022 alt=\u0022image\u0022 src=\u0022https://github.com/user-attachments/assets/f62d4b8e-6660-4aca-8b5a-fb98b38b45e9\u0022 /\u003E\r\n\r\n\u003Cimg width=\u00221852\u0022 height=\u0022794\u0022 alt=\u0022image\u0022 src=\u0022https://github.com/user-attachments/assets/d13674e9-28e3-430c-8322-3b131d572018\u0022 /\u003E\r\n\r\nThis is another massive rework to Kavita/Kavita\u002B around the first setup to understanding the impact and status of Kavita\u002B. The main focus is on expanded availablility of information for licensed servers, helping users understand what Kavita\u002B is, and streamlining and polishing the registration/management points. \r\n\r\n**Note: The discord button is not implemented and some providers are not fully realized. This will come later.**\r\n\r\n\r\n# Added\r\n- Added: Added an upsell page that explains what Kavita\u002B is, so users are more informed, rather than linking to the wiki\r\n- Added: Added a status page to services that Kavita\u002B relies on, to surface incidents (like AL going down and scrobbling not working)\r\n- Added: Added stats about what Kavita\u002B is doing and how many calls your license has made (note: Not all data will be present, existing data is mixy)\r\n\r\n# Changed\r\n- Changed: Complete overhaul to the Kavita\u002B license page. New design have an upsell feel (from the main site) that explains what Kavita\u002B is. 
\r\n- Changed: When editing the license, the email is auto-filled for you\r\n- Changed: Expanded how much information we log out in the Kavita\u002B Audit pages (develop)\r\n- Changed: Kavita\u002B Audit will now track Metadata Sync trigger (Manual, on file Add, Background Sync)\r\n- Changed: Lots of polish added to the Match screen and made all the screens much nicer on mobile (develop)\r\n\r\n# Fixed\r\n- Fixed: Fixed incorrect native/docker wiki links (Fixes #4704)\r\n- Fixed: Fixed incorrect setup link (Fixes #4702)\r\n- Fixed: Fixed my activity throwing an exception when no K\u002B license. (develop)\r\n- Fixed: Fixed CBL Upload restriction and reworked the hardening of how file upload validation checks are done. Ensure we log out when we reject and why.\r\n- Fixed: Fixed up/down not responding to keypresses (Fixes #4697)\r\n\r\n# Developer\r\n- Reworked the cover chooser logic so that everything is streamlined via a file upload rather than base64 nonsense (bloated images). Base64 still exists for a non-breaking API, but Kavita will upload a file via upload/upload-by-file which scopes to a temp directory and returns a filename to pass going forward.\r\n\r\n#4709 ",
"Html_Url": "https://github.com/Kareadita/Kavita/pull/4731",
"Merged_At": "2026-05-31T14:58:33Z",
"Number": 4731
}

View file

@ -1,7 +0,0 @@
{
"Title": "Scrobble Provider Rework",
"Body": "This is a massive update to our Scrobble system and a major expansion into providers, by adding 2 new ones: Hardcover (Traditional Books) and MangaBaka (Manga, Light Novels, etc). We\u0027ve reworked the code from scratch to bring a much better experience, from rate limit tweaks, to allowing backfilling per-provider unlimited times, to the ability to build rules to trigger states for scrobble. \r\n\r\nWe will be taking a break from delivering overhauls to realign the UX and polish these recent additions. Please help by testing and providing feedback, both positive and constructive. \r\n\r\n\r\n\u003Cimg width=\u00221624\u0022 height=\u0022814\u0022 alt=\u0022image\u0022 src=\u0022https://github.com/user-attachments/assets/8d302034-7cc0-4aa6-80a7-d5ab3e87ae8b\u0022 /\u003E\r\n\r\n\u003Cimg width=\u00221612\u0022 height=\u0022846\u0022 alt=\u0022image\u0022 src=\u0022https://github.com/user-attachments/assets/a394f31b-2701-44d4-866c-db13950cd271\u0022 /\u003E\r\n\r\n\r\n# Added \r\n- Added: Added Mangabaka as scrobble provider\r\n- Added: Added Hardcover as scrobble provider\r\n- Added: Added per provider settings (library, age ratings, scrobble progress/ratings/reviews, etc))\r\n- Added: Added inactive \u0026 on hold rules (Auto transition series/books from reading to on hold after x days) (Closes #2447)\r\n- Added: Scrobble Providers can now show information, like username. \r\n\r\n# Changed\r\n- Changed: Improved AniList scrobble speed drastically \r\n- Changed: Scrobble keybind now opens my activity instead\r\n- Changed: Users can now run backfilling of history per provider as many times as they want. Kavita will slowly churn thru it all (note: Re-running multiple times will drastically inflate queue for no reason). 
\r\n- Changed: (UX) Complete UX overhaul of Scrobble providers (now found under Kavita\u002B \u003E Connections )\r\n\r\n# Fixed\r\n- Fixed: Fixed up token expired warning showing too often (Fixes #4728, Fixes #4720)\r\n- Fixed: Fixed being unable to reset external ids (Fixes #4719)\r\n- Fixed: Fixed getting stuck in a loop if OIDC config is removed while previously being logged in with OIDC\r\n- Fixed: Fixed scrobble events getting marked as processed when hitting the rate limit under some circumstances\r\n- Fixed: Fixed a bug where Rereading a chapter then moving to the next wouldn\u0027t reset the page to 0\r\n\r\nCloses #4710, Closes #4733, Closes #3685",
"Html_Url": "https://github.com/Kareadita/Kavita/pull/4733",
"Merged_At": "2026-06-05T21:45:36Z",
"Number": 4733
}

Binary file not shown.

Some files were not shown because too many files have changed in this diff