diff --git a/.static-ips.yml b/.static-ips.yml
index 084b3ba..9f421d3 100644
--- a/.static-ips.yml
+++ b/.static-ips.yml
@@ -16,3 +16,6 @@ firefly-importer:   10.255.239.31
 # 192.168.2.240/28 range is excluded for DHCP on the DHCP server, so we can use it for static ips
 # the range for the local lan network is 192.168.2.0/24
 syncthing:         192.168.2.241
+
+
+MDNS_REFLECTOR_IP:  10.0.2.254
\ No newline at end of file
diff --git a/_instructions/Adding a new NIC to a Docker container in a specific order.txt b/_instructions/Adding a new NIC to a Docker container in a specific order.txt
new file mode 100644
index 0000000..11c2ccc
--- /dev/null
+++ b/_instructions/Adding a new NIC to a Docker container in a specific order.txt	
@@ -0,0 +1,26 @@
+https://forums.docker.com/t/adding-a-new-nic-to-a-docker-container-in-a-specific-order/19173/2
+Solution 1:
+Just right after your solution, if you only need a different MAC address, just change the corresponding device’s MAC address in the container by some basic tools, say, ifconfig. If you don’t have it in your container, just install net-tools package.
+To change the mac use this: ifconfig eth1 hw ether 08:00:AA:AA:AA:FF
+
+Solution 2:
+Since docker is also using linux’s networking namespaces you can do this in the rock-bottom layer as well. Unfortunately, Docker tries to hide this from the user, but the namespaces are still existing under the hood. In order to get them to be managed by ip netns tool, do the following:
+
+get the process id (pid) of your running container:
+$ sudo docker inspect -f '{{.State.Pid}}' <container name>
+is not your label:tag name, it is the name that docker automatically assign to it once a container is fired up - get yours viadocker ps command and look for the last column (NAME).
+create a symlink from the /proc/ filesystem to /var/run/
+2.1. First, create a netns directory in /var/run/
+$ sudo mkdir -p /var/run/netns
+2.2. Using the PID you have just obtained, create the symlink
+$ sudo ln -sf /proc/<PID>/ns/net /var/run/netns/<YOUR DESIRED NETNS NAME FOR YOU CONTAINER>
+Now, if you execute ip netns list, you will see the networking namespace of your container.
+From now on, there is no docker specific stuffs, just create a veth pair, bring them up, and attach one end of it to the container and you are fine:
+$ sudo ip link add veth1_container type veth peer name veth1_root
+$ sudo ifconfig veth1_container up
+$ sudo ifconfig veth1_root up
+$ sudo ip link set veth1_container netns <YOUR NETNS NAME>
+$ sudo ip netns exec <YOUR NETNS NAME> ifconfig veth1_container up
+The last command might be a bit overcomplicated, but it seemed that bringing up this interface natively in the container is not possible due to missing permissions :face_with_raised_eyebrow:
+
+Note that the MAC address could also be changed in the same way I have shown in solution 1, before attaching it to the container, or after - does not really matter, just different commands need to be used (recall the permission issue just mentioned above).
\ No newline at end of file
diff --git a/_instructions/Electric Eel install.txt b/_instructions/Electric Eel install.txt
new file mode 100644
index 0000000..4fd7a08
--- /dev/null
+++ b/_instructions/Electric Eel install.txt	
@@ -0,0 +1,10 @@
+Electric Eel
+------------
+# After EE installation, and before starting Docker jail
+# Go to Apps->Configuration - click down arrow and select Settings
+# Update the following settings:
+#  Install NVIDIA Drivers: <checked>
+# Click Save
+
+# Go to Apps->Configuration
+# Click Choose Pool and select appropriate pool for your apps
diff --git a/_instructions/add mapping for media.txt b/_instructions/add mapping for media.txt
new file mode 100644
index 0000000..0c5bbbc
--- /dev/null
+++ b/_instructions/add mapping for media.txt	
@@ -0,0 +1,8 @@
+add mapping for media on container config
+-----------------------------------------
+
+# assuming that the folder where media is stored is /mnt/tank/data1/Media:
+# on Truenas shell:
+jlmkr edit docker
+# add the following args to "systemd_nspawn_user_args": 
+--bind='/mnt/tank/data1/Media:/mnt/media'
diff --git a/_instructions/backup databases.txt b/_instructions/backup databases.txt
new file mode 100644
index 0000000..385ab22
--- /dev/null
+++ b/_instructions/backup databases.txt	
@@ -0,0 +1,171 @@
+NB!: List of filenames is at end of this file
+
+Log in to pgAdmin
+User name: stuurmcp@telkomsa.net
+Password: 
+
+Connect to servers; refer to "connecting to servers.txt"
+
+Globals
+*******
+Navigate to Servers => authentik
+Right click on authentik server and select Backup Globals...
+Enter the following on the dialog box that opened:
+General
+-------
+Filename: /2024-08-23/databases/authentik-cnpg-backup-globals.sql
+Role name: postgres
+Click Backup
+
+Servers
+*******
+Navigate to Servers => authentik
+Right click on authentik server and select Backup Server...
+Enter the following on the dialog box that opened (leave all other tabs with default settings):
+General
+-------
+Filename: /2024-08-23/servers/authentik-cnpg-backup-servers.sql
+Role name: postgres
+Click Backup
+-----------------------------------------------------------------------------------------------------------------
+Databases
+*********
+Plain text backup
+=================
+Navigate to Servers => authentik -> Databases -> authentik
+Right click on authentik database and select Backup...
+Enter the following on the different tabs of dialog box that opened:
+General
+-------
+Filename: /2024-08-28/authentik-backup.sql (this maps to: /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/2024-08-28/authentik-backup.sql on truenas)
+Format: Plain
+Encoding: UTF8
+Role name: authentik
+Data Options
+------------
+Sections:
+Pre-data: <select>
+Data: <select>
+Post-data: <select>
+Objects
+-------
+public->Tables: <checked> (do not check public, public should have "-" sign)
+public->1.3 Sequences: <checked>
+template->Tables:  <checked>
+template->1.3 Sequences:  <checked> (NB! not all db's have this)
+Click Backup
+-----------------------------------------------------------------------------------------------------------------
+Do the same with Servers => authentik -> Databases -> postgres with the following changes:
+General
+-------
+Filename:  /2024-08-23/databases/authentik-postgress-backup.sql
+Objects
+-------
+public: <checked>
+Click Backup
+
+Custom backup
+=============
+Repeat the above plain text backup steps with the following changes:
+General
+-------
+Filename:  /2024-08-23/databases/authentik-backup.bak
+Format: Custom
+General
+-------
+Filename:  /2024-08-23/databases/authentik-postgress-backup.bak
+Format: Custom
+
+Filenames
+=========
+Backup date: 2024-08-23
+
+authentik
+---------
+/2024-08-23/globals/authentik-cnpg-backup-globals.sql
+/2024-08-23/servers/authentik-cnpg-backup-servers.sql
+/2024-08-23/databases/authentik-backup.sql
+/2024-08-23/databases/authentik-postgress-backup.sql
+/2024-08-23/databases/authentik-backup.bak
+/2024-08-23/databases/authentik-postgress-backup.bak
+
+fireflyiii
+----------
+/2024-08-23/globals/fireflyiii-cnpg-backup-globals.sql
+/2024-08-23/servers/fireflyiii-cnpg-backup-servers.sql
+/2024-08-23/databases/fireflyiii-backup.sql
+/2024-08-23/databases/fireflyiii-postgress-backup.sql
+/2024-08-23/databases/fireflyiii-backup.bak
+/2024-08-23/databases/fireflyiii-postgress-backup.bak
+
+gitea
+-----
+/2024-08-23/globals/gitea-cnpg-backup-globals.sql
+/2024-08-23/servers/gitea-cnpg-backup-servers.sql
+/2024-08-23/databases/gitea-backup.sql
+/2024-08-23/databases/gitea-postgress-backup.sql
+/2024-08-23/databases/gitea-backup.bak
+/2024-08-23/databases/gitea-postgress-backup.bak
+
+grafana
+-------
+/2024-08-23/globals/grafana-cnpg-backup-globals.sql
+/2024-08-23/servers/grafana-cnpg-backup-servers.sql
+/2024-08-23/databases/grafana-backup.sql
+/2024-08-23/databases/grafana-postgress-backup.sql
+/2024-08-23/databases/grafana-backup.bak
+/2024-08-23/databases/grafana-postgress-backup.bak
+
+home-assistant
+--------------
+/2024-08-23/globals/home-assistant-cnpg-backup-globals.sql
+/2024-08-23/servers/home-assistant-cnpg-backup-servers.sql
+/2024-08-23/databases/home-assistant-backup.sql
+/2024-08-23/databases/home-assistant-postgress-backup.sql
+/2024-08-23/databases/home-assistant-backup.bak
+/2024-08-23/databases/home-assistant-postgress-backup.bak
+
+mealie
+------
+/2024-08-23/globals/mealie-cnpg-backup-globals.sql
+/2024-08-23/servers/mealie-cnpg-backup-servers.sql
+/2024-08-23/databases/mealie-backup.sql
+/2024-08-23/databases/mealie-postgress-backup.sql
+/2024-08-23/databases/mealie-backup.bak
+/2024-08-23/databases/mealie-postgress-backup.bak
+
+onlyoffice-document-server
+--------------------------
+/2024-08-23/globals/onlyoffice-document-server-cnpg-backup-globals.sql
+/2024-08-23/servers/onlyoffice-document-server-cnpg-backup-servers.sql
+/2024-08-23/databases/onlyoffice-document-server-backup.sql
+/2024-08-23/databases/onlyoffice-document-server-postgress-backup.sql
+/2024-08-23/databases/onlyoffice-document-server-backup.bak
+/2024-08-23/databases/onlyoffice-document-server-postgress-backup.bak
+
+photoview
+---------
+/2024-08-23/globals/photoview-cnpg-backup-globals.sql
+/2024-08-23/servers/photoview-cnpg-backup-servers.sql
+/2024-08-23/databases/photoview-backup.sql
+/2024-08-23/databases/photoview-postgress-backup.sql
+/2024-08-23/databases/photoview-backup.bak
+/2024-08-23/databases/photoview-postgress-backup.bak
+
+sheetable
+---------
+/2024-08-23/globals/sheetable-cnpg-backup-globals.sql
+/2024-08-23/servers/sheetable-cnpg-backup-servers.sql
+/2024-08-23/databases/sheetable-backup.sql
+/2024-08-23/databases/sheetable-postgress-backup.sql
+/2024-08-23/databases/sheetable-backup.bak
+/2024-08-23/databases/sheetable-postgress-backup.bak
+
+vaultwarden
+-----------
+/2024-08-23/globals/vaultwarden-cnpg-backup-globals.sql
+/2024-08-23/servers/vaultwarden-cnpg-backup-servers.sql
+/2024-08-23/databases/vaultwarden-backup.sql
+/2024-08-23/databases/vaultwarden-postgress-backup.sql
+/2024-08-23/databases/vaultwarden-backup.bak
+/2024-08-23/databases/vaultwarden-postgress-backup.bak
\ No newline at end of file
diff --git a/_instructions/bulk operations - docker compose .txt b/_instructions/bulk operations - docker compose .txt
new file mode 100644
index 0000000..0ae5517
--- /dev/null
+++ b/_instructions/bulk operations - docker compose .txt	
@@ -0,0 +1,12 @@
+
+To stop and inactivate all container stacks
+-------------------------------------------
+# in docker shell
+cd /opt/stacks
+for i in $(ls -d *); do docker compose -f $i/compose.yml down; done
+
+To start all container stacks
+-----------------------------
+# in docker shell
+cd /opt/stacks
+for i in $(ls -d *); do docker compose -f $i/compose.yml up -d; done
\ No newline at end of file
diff --git a/_instructions/cnpg.txt b/_instructions/cnpg.txt
new file mode 100644
index 0000000..57afb7a
--- /dev/null
+++ b/_instructions/cnpg.txt
@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  postgres:
+    image: postgres:14-alpine
+    restart: always
+    environment:
+      - POSTGRES_USER=root
+      - POSTGRES_PASSWORD=yAwAPZyyMwFOZtjKcIdLCgKHSIBczj3nkLqISUzePlaR73X
+    ports:
+      - "5432:5432"
+    volumes:
+     - db:/var/lib/postgresql/data
+volumes:
+  db: 
\ No newline at end of file
diff --git a/_instructions/connecting servers.txt b/_instructions/connecting servers.txt
new file mode 100644
index 0000000..e004191
--- /dev/null
+++ b/_instructions/connecting servers.txt	
@@ -0,0 +1,44 @@
+If /mnt/stpool1/Users/<user>/truestuff folder is not present
+-----------------------------------------------------------
+cd ~ or cd /mnt/stpool1/Users/<user>/
+git clone https://code.lksz.me/szmedia/truestuff.git
+
+Database access
+---------------
+# passwords can be obtained by:
+# Option 1:
+# go to Truenas -> Apps -> <select app> -> Edit
+# scroll to Postgresql; the password should be visible in the Password field
+# Option 2:
+# open truenas shell / ssh as root
+cd /mnt/stpool1/Users/<user>/truestuff
+./tcdbinfo.sh
+# log in to pgAdmin
+# from here onwards, it assumed that authentik is the server to be connected to:
+
+Register server
+===============
+# If server is already registered, right click on authentik server and select Properties, otherwise:
+# Right click on Servers and select Register -> Server...
+
+# Enter the following in the dialog box that opened:
+General
+-------
+Name: authentik
+Server group: Servers
+Background: <checked>
+Foreground: <checked>
+Connect now? <select> (won't be displayed if editing properties)
+Connection
+----------
+Host name/address: authentik-cnpg-main-rw.ix-authentik.svc.cluster.local
+Port: 5432
+Maintenance database: postgres
+Username: authentik
+Kerberos authentication?: <not selected>
+Password: <authentik user password as obtained above> (this field will show only if Connect now? is selected on General tab)
+Role: <leave blank>
+# Click Save
+# Right click on authentik server and select Connect Server
+# Enter authentik user password if Connect now? wasn't selected earlier
+
diff --git a/_instructions/creating user password hash strings for user authorisation with traefik basic-auth middlewares.txt b/_instructions/creating user password hash strings for user authorisation with traefik basic-auth middlewares.txt
new file mode 100644
index 0000000..999896f
--- /dev/null
+++ b/_instructions/creating user password hash strings for user authorisation with traefik basic-auth middlewares.txt	
@@ -0,0 +1,32 @@
+Creating user password hash strings for user authorisation with traefik basic-auth middlewares
+----------------------------------------------------------------------------------------------
+
+# If not installed, install htpasswd:
+jlmkr shell docker
+apt update & apt install apache2-utils
+# The user credentials can be applied as a label entry in an app's compose.yml file or as a line entry in a text file; these two methods can co-exist
+# 
+# When used as a label entry, all '$''s need to be escaped with a second '$'; sed can be used for this purpose
+#
+# Example: Create user authorisation credentials for users 'alice' with password 'test!234' and 'bob' with password 'test$678' for sonarr application using basic-auth
+# First, assign middlewares to router in sonarr compose.yml file; this is required irrespective of the method chosen below; add the following label to sonarr's compose.yml file:
+ - "traefik.http.routers.ROUTER_NAME.middlewares=MIDDLEWARES_NAME"  # replace ROUTER_NAME with appropriate name and replace MIDDLEWARES_NAME with whatever name you choose for this middlewares 
+#
+# userList method
+# ---------------
+mkdir /opt/stacks/traefik/users
+echo $(htpasswd -nB alice) >> /opt/stacks/traefik/users/sonarr.txt
+echo $(htpasswd -nB bob) >> /opt/stacks/traefik/users/sonarr.txt
+# If not already present, add the following middlewares label to sonarr's compose.yml file  (if newly added/modified, requires sonarr restart)
+ - "traefik.http.middlewares.MIDDLEWARES_NAME.basicauth.usersfile=/mnt/users/sonarr.txt"
+# the above requires the following traefik compose file volume mount entry (if newly added/modified, requires traefik restart):
+ /opt/stacks/traefik/users:/mnt/users
+#
+# app compose file label method
+# -----------------------------
+echo $(htpasswd -nB alice) | sed -e s/\\$/\\$\\$/g
+echo $(htpasswd -nB bob) | sed -e s/\\$/\\$\\$/g
+# Edit/add output of above to the basicauth.users label to sonarr's compose.yml file as follows (comma separated):
+ - "traefik.http.middlewares.MIDDLEWARES_NAME.basicauth.users=alice:$$2y$$05$$kvFK1SXs5mOzYLXiWT0Bku8rLeUoZWZxBI5./jX/vkhEiYlN/xB1W,
+    bob:$$2y$$05$$E2DeZC3L.wQxYMWlxhtTRusys23y4fabhvzOKTgKNMSzw9cweBeJK"
+# above edit to sonarr's compose file requires sonarr restart
diff --git a/_instructions/docker networking.txt b/_instructions/docker networking.txt
new file mode 100644
index 0000000..5b8380a
--- /dev/null
+++ b/_instructions/docker networking.txt	
@@ -0,0 +1,38 @@
+root@docker:~# docker network ls
+NETWORK ID     NAME               DRIVER    SCOPE
+686ee7b7a074   bridge             bridge    local
+cdea694fc9ad   dockge_default     bridge    local
+ecac792b2998   host               host      local
+ad588c406203   jellyfin_default   bridge    local
+7851b5889a4e   mealie_default     bridge    local
+ac7d41d8a7ec   none               null      local
+5b85a298149a   pgadmin_default    bridge    local
+
+root@docker:~# bridge link
+9: vethbbcbbc7@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-5b85a298149a state forwarding priority 32 cost 2
+11: vetha18f304@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-ad588c406203 state forwarding priority 32 cost 2
+15: veth400a90a@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-cdea694fc9ad state forwarding priority 32 cost 2
+21: vethc9534c9@if20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-7851b5889a4e state forwarding priority 32 cost 2
+23: veth7e06b85@if22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-7851b5889a4e state forwarding priority 32 cost 2
+
+docker exec -it mealie sh
+
+troubleshooting network:
+docker run -it --net container:postgres nicolaka/netshoot
+
+https://www.youtube.com/watch?v=bKFMS5C4CG0&t=1s
+https://www.youtube.com/watch?v=5grbXvV_DSk&t=1s
+
+The Docker daemon socket, usually located at /var/run/docker.sock, is used for communication between the Docker client and the Docker daemon. The Docker daemon manages Docker containers and images, while the Docker client is used to issue commands to the daemon.
+
+Step 1:
+Create docker group if not exist : sudo groupadd docker
+
+Step 2:
+Add user to docker group : sudo usermod -aG docker ${USER}
+
+Step 3:
+Change docker.sock to new permission : sudo chmod 666 /var/run/docker.sock
+
+Step 4:
+Finally restart docker daemon service : sudo systemctl restart docker
\ No newline at end of file
diff --git a/_instructions/docker networks before containers install.txt b/_instructions/docker networks before containers install.txt
new file mode 100644
index 0000000..b052e63
--- /dev/null
+++ b/_instructions/docker networks before containers install.txt	
@@ -0,0 +1,38 @@
+docker networks before containers install
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
+        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
+        inet6 fe80::42:8bff:fedb:32ee  prefixlen 64  scopeid 0x20<link>
+        ether 02:42:8b:db:32:ee  txqueuelen 0  (Ethernet)
+        RX packets 103  bytes 10139 (9.9 KiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 190  bytes 48106 (46.9 KiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
+lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
+        inet 127.0.0.1  netmask 255.0.0.0
+        inet6 ::1  prefixlen 128  scopeid 0x10<host>
+        loop  txqueuelen 1000  (Local Loopback)
+        RX packets 19  bytes 1416 (1.3 KiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 19  bytes 1416 (1.3 KiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
+mv-enp7s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 10.0.0.61  netmask 255.255.255.0  broadcast 10.0.0.255
+        inet6 fe80::7ce3:5aff:fef4:dd35  prefixlen 64  scopeid 0x20<link>
+        ether 7e:e3:5a:f4:dd:35  txqueuelen 1000  (Ethernet)
+        RX packets 39171034  bytes 45928220310 (42.7 GiB)
+        RX errors 0  dropped 358675  overruns 0  frame 0
+        TX packets 21793818  bytes 14489297575 (13.4 GiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
+vee-eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 192.168.2.6  netmask 255.255.255.0  broadcast 192.168.2.255
+        inet6 fe80::5447:e1ff:fed0:ba83  prefixlen 64  scopeid 0x20<link>
+        ether 56:47:e1:d0:ba:83  txqueuelen 1000  (Ethernet)
+        RX packets 344  bytes 40309 (39.3 KiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 128943  bytes 5419294 (5.1 MiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
\ No newline at end of file
diff --git a/_instructions/docker-config.txt b/_instructions/docker-config.txt
new file mode 100644
index 0000000..867021a
--- /dev/null
+++ b/_instructions/docker-config.txt
@@ -0,0 +1,94 @@
+startup=1
+gpu_passthrough_intel=0
+gpu_passthrough_nvidia=1
+# Turning off seccomp filtering improves performance at the expense of security
+seccomp=1
+
+# Use bridge networking to provide an isolated network namespace,
+# so docker can manage firewall rules
+# Alternatively use --network-macvlan=eno1 instead of --network-bridge
+# Ensure to change eno1/br1 to the interface name you want to use
+# You may want to add additional options here, e.g. bind mounts
+systemd_nspawn_user_args=--network-macvlan=enp7s0
+        --network-veth-extra=ve-docker-1:vee-eth1
+        --resolv-conf=bind-host
+        --system-call-filter='add_key keyctl bpf'
+        --bind='/mnt/SSD1/docker/data:/mnt/data'
+        --bind='/mnt/SSD1/docker/stacks:/opt/stacks'
+        --bind='/mnt/stpool1/NData1/Media:/mnt/media'
+        --bind='/mnt/stpool1/Shared_Data:/mnt/shared'
+        --bind='/mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net:/mnt/migrate'
+
+# Script to run on the HOST before starting the jail
+# Load kernel module and config kernel settings required for docker
+pre_start_hook=#!/usr/bin/bash
+        set -euo pipefail
+        echo 'PRE_START_HOOK'
+        echo 1 > /proc/sys/net/ipv4/ip_forward
+        modprobe br_netfilter
+        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
+        echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
+
+# Script to run on the HOST after starting the jail
+post_start_hook=#!/usr/bin/bash
+        set -euo pipefail
+        echo 'POST_START_HOOK'
+        ip link set dev ve-docker-1 master br1    # adds ve-docker-1 to br1 bridge members on host
+        ip link set dev ve-docker-1 up            # activates ve-docker-1 on host
+
+# Only used while creating the jail
+distro=debian
+release=bookworm
+
+# Install docker inside the jail:
+# https://docs.docker.com/engine/install/debian/#install-using-the-repository
+# Will also install the NVIDIA Container Toolkit if gpu_passthrough_nvidia=1 during initial setup
+# https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html
+initial_setup=#!/usr/bin/bash
+        set -euo pipefail
+
+        apt-get update && apt-get -y install ca-certificates curl
+        install -m 0755 -d /etc/apt/keyrings
+        curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
+        chmod a+r /etc/apt/keyrings/docker.asc
+
+        echo \
+        "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
+        $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+        tee /etc/apt/sources.list.d/docker.list > /dev/null
+
+        apt-get update
+        apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+        # The /usr/bin/nvidia-smi will be present when gpu_passthrough_nvidia=1
+        if [ -f /usr/bin/nvidia-smi ]; then
+            curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey -o /etc/apt/keyrings/nvidia.asc
+            chmod a+r /etc/apt/keyrings/nvidia.asc
+            curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
+            sed 's#deb https://#deb [signed-by=/etc/apt/keyrings/nvidia.asc] https://#g' | \
+            tee /etc/apt/sources.list.d/nvidia-container-toolkit.list
+
+           apt-get update
+           apt-get install -y nvidia-container-toolkit
+
+           nvidia-ctk runtime configure --runtime=docker
+           systemctl restart docker
+        fi
+
+        docker info
+
+# You generally will not need to change the options below
+systemd_run_default_args=--property=KillMode=mixed
+        --property=Type=notify
+        --property=RestartForceExitStatus=133
+        --property=SuccessExitStatus=133
+        --property=Delegate=yes
+        --property=TasksMax=infinity
+        --collect
+        --setenv=SYSTEMD_NSPAWN_LOCK=0
+
+systemd_nspawn_default_args=--keep-unit
+        --quiet
+        --boot
+        --bind-ro=/sys/module
+        --inaccessible=/sys/module/apparmor
diff --git a/_instructions/enable automatic ssh login on truenas server b/_instructions/enable automatic ssh login on truenas server
new file mode 100644
index 0000000..f07afb4
--- /dev/null
+++ b/_instructions/enable automatic ssh login on truenas server	
@@ -0,0 +1,28 @@
+
+enable automatic ssh login on truenas server
+--------------------------------------------
+# Download and install puTTY
+https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
+
+# Run PuTTYgen
+# If you have a .ppk file already, load your public key from the previously saved .ppk file (folder is usually C:\Users\%USERNAME%\.ssh\)
+# Otherwise generate a private/public key pair using the PuTTYgen tool as follow:
+#   - Select radio button RSA, entering 4096 number of bits or ECDSA, entering nistp384 or nistp521
+#   - Click on Generate and move mouse cursor randomly over the blank area
+#   - Enter Key passphrase and confirmation (remember this passphrase as you will enter this for all future Windows sessions)
+#   - Click on Save private key (save in folder C:\Users\%USERNAME%\.ssh\)
+
+# Open truenas ssh session as the user for who you want to enable auto login
+# Navigate to home folder:
+cd ~
+# check if .ssh folder exists, if not, create folder:
+mkdir ~/.ssh
+# Select and copy text in PuTTYgen window under heading "Public key for pasting in to OpenSSH authorized_keys file" to clipboard
+# In the truenas shell, use the copied text in the following command:
+echo 'public-key-copied-from-PuTTYgen-window' >> ~/.ssh/authorized_keys
+# test by opening new / another truenas ssh session, which should open truenas shell without login request
+
+
+ 
+
+
diff --git a/_instructions/inplace-rebalancing.xlsx b/_instructions/inplace-rebalancing.xlsx
new file mode 100644
index 0000000..beaa92e
Binary files /dev/null and b/_instructions/inplace-rebalancing.xlsx differ
diff --git a/_instructions/jailmaker.txt b/_instructions/jailmaker.txt
new file mode 100644
index 0000000..2f5c398
--- /dev/null
+++ b/_instructions/jailmaker.txt
@@ -0,0 +1,457 @@
+Helpful tools
+-------------
+# Install PuTTY and Pageant for easy copying of files/folders from Windows to NAS server
+
+Jailmaker
+---------
+# Create datasets
+/mnt/SSD1/docker/data (replace SSD1 with name of pool)
+/mnt/SSD1/docker/stacks
+/mnt/SSD1/jailmaker
+
+install jailmaker
+-----------------
+# Open shell
+cd /mnt/SSD1
+git clone https://github.com/Jip-Hop/jailmaker.git
+cd /mnt/SSD1/jailmaker
+nano ~/.zshrc (assuming shell is zsh)
+# add the following alias:
+alias jlmkr="sudo -E '/mnt/SSD1/jailmaker/jlmkr.py'"
+# execute the contents of .zshrc
+source /root/.zshrc
+jlmkr list
+# should return "No jails."
+# Go to System Settings -> Advanced -> Init/Shutdown Scripts -> Add
+Description: start jailmaker
+Type: Command
+Command: /mnt/SSD1/jailmaker/jlmkr.py startup
+When: Post Init
+Enabled: <checked>
+Timeout: 30
+
+Nvidia GPU
+----------
+# If you want to pass through Nvidia GPU and the truenas scale version is Electric Eel:
+# Go to Apps->Configuration - click down arrow and select Settings
+# Update the following settings:
+#  Install NVIDIA Drivers: <checked>
+# Click Save
+
+install docker
+--------------
+# Go to https://github.com/Jip-Hop/jailmaker
+# Navigate to templates/docker/config
+# Select then entire config file and copy to clipboard
+# Open shell and enter
+jlmkr create
+# Enter "y" at the prompt: Do you wish to create a jail from a config template? [y/N]
+# nano will open
+# Right click to paste config copied earlier
+Press ctrl-y to scroll to top
+# Change gpu_passthrough_nvidia to "1" to install NVIDIA Container Toolkit during initial setup (if a want to pass through an Nvidia card)
+gpu_passthrough_nvidia=1
+# Ensure that "systemd_nspawn_user_args" is set according to the interface setup of your truenas
+# e.g. if bridge, change to:
+systemd_nspawn_user_args=--network-bridge=br1 (br1 is the name of the targeted interface)
+    --resolv-conf=bind-host
+    --system-call-filter='add_key keyctl bpf'
+# or, if no bridge, change to:
+systemd_nspawn_user_args=--network-macvlan=enp7s0 (enp7s0 is the name of the targeted interface)
+    --resolv-conf=bind-host
+    --system-call-filter='add_key keyctl bpf'
+# Edit config file further as needed
+# Save and exit
+Enter jail name: docker
+Enter "y" at the prompt: Do you want to start this jail now (when create is done)? [Y/n]
+jlmkr list
+expected result:
+NAME   RUNNING STARTUP GPU_INTEL GPU_NVIDIA OS     VERSION ADDRESSES
+docker True    False   False     False      debian 12      10.0.0.162… (ip address might be diffrent)
+# If it fails to start: ----
+jlmkr edit docker
+# Fix the issue in the config file (probably network issue)
+# Restart docker
+jlmkr restart docker
+# end of if it fails to start ----
+jlmkr shell docker # open docker shell
+apt install nano
+
+container static ip for macvlan
+-------------------------------
+jlmkr shell docker # open docker shell
+nano /etc/systemd/network/mv-dhcp.network
+# Comment out existing entries under network with #, set DHCP to false and specify Address and Gateway, e.g.:
+[Network]
+#DHCP=yes
+#LinkLocalAddressing=ipv6
+DHCP=false
+Address=10.0.0.61/24  # should be ip you want for docker container
+Gateway=10.0.0.2      # should be default gateway
+
+reboot 
+jlmkr shell docker
+ip a (verify that ip is correct)
+
+container static ip for bridge
+------------------------------
+https://github.com/Jip-Hop/jailmaker/blob/main/docs/network.md
+nano /etc/systemd/network/80-container-host0.network
+# Comment out existing entries under network with #, set DHCP to false and specify Address, Gateway and LinkLocalAddressing=no, e.g.:
+[Network]
+#DHCP=yes
+#LinkLocalAddressing=ipv6
+#LLDP=yes
+#EmitLLDP=customer-bridge
+DHCP=false
+Address=10.0.0.61/24
+# comment Gateway line if this is not the default interface
+Gateway=10.0.0.2
+LinkLocalAddressing=no
+LLDP=yes
+EmitLLDP=customer-bridge
+
+systemctl restart systemd-networkd
+systemctl status systemd-networkd
+ip a (verify that ip is correct)
+
+Making docker ip address static using router/dhcp server
+--------------------------------------------------------
+# NB! the static ip address setting in network files explained above is the preferred method as docker sometimes contact dhcp server with what appears to be an ipv6 mac instead of ipv4 mac.
+jlmkr shell docker (open docker shell)
+ip a
+# Note the mac address of mv-enp7s0@if2 (enp7s0 is the interface specified in the config file)
+# Set up dhcp server to issue same ip for this mac (static ip)
+reboot docker jail
+jlmkr shell docker
+ip a (verify that ip is correct)
+# If not, release and renew IP as follows
+dhclient -v -r mv-enp7s0  (where mv- is the prefix defined in /etc/systemd/network/mv-dhcp.network under [Match]; enp7s0 is the host i/f docker is tied to) 
+dhclient -v mv-enp7s0
+
+Additional Bridge Interface
+---------------------------
+# https://github.com/Jip-Hop/jailmaker/discussions/179#discussioncomment-9499289
+# Create extra interfaces and join them to host bridges manually with systemd-nspwan 
+
+The --network-veth-extra argument instructs system-nspawn to create an addition linked interface between the host and jail and uses a syntax of
+--network-veth-extra=ve-docker-1:vee-eth1 #Adds virtual link between host and jail with ve-docker-1 i/f being created in the host and vee-eth1 being created in the jail
+or
+--network-veth-extra=ve-docker-1 #Adds virtual link between host and jail with ve-docker-1 i/f being created in the host and ve-docker-1 being created in the jail, i.e. uses the same name
+
+# However, for network connectivity, we need to connect to a bridge on the host.
+# To create bridge interface on the host (truenas):
+# Go to Network
+# Select physical i/f that we will bridge to, e.g. ens2f0, and click on edit (pen icon)
+# Note the IP address assigned to the interface
+# Uncheck DHCP if selected and remove aliases if any
+# Save
+# DO NOT CLICK ON "Test Changes" OR "Revert Changes" YET, as we will add bridge first
+# Click on Add
+Type: Bridge
+Name: br1
+Description: Link to Docker - 192
+DHCP: <unchecked>
+Autoconfigure IPv6: <unchecked>
+Bridge Members: ens2f0
+Aliases: Add
+IP Address: <same as the IP that was assigned to ens2f0>
+# Save
+# Now click on "Test Changes"
+
+# Next, we will edit docker config file to configure additional virtual ethernet link and bridge connection
+jlmkr edit docker
+# Add --network-veth-extra argument to systemd_nspawn_user_args, similar to the following:
+systemd_nspawn_user_args=--network-macvlan=enp7s0
+        --network-veth-extra=ve-docker-1:vee-eth1  # new addition, NB! jail interface name must start with vee-
+        --resolv-conf=bind-host
+        --system-call-filter='add_key keyctl bpf'
+        ...
+
+# In order for this virtual link to connect to the outside, we need to link ve-docker-1 to br1 on the host (truenas).
+# This is done with the ExecStartPost post commands in the initialisation script.
+# Add post_start_hook stanza, similar to the following: (NB! this is separate to the pre-existing pre_start_hook stanza, i.e. it is standing by itself)
+# Script to run on the HOST after starting the jail
+post_start_hook=#!/usr/bin/bash
+        set -euo pipefail
+        echo 'POST_START_HOOK'
+        ip link set dev ve-docker-1 master br1    # links ve-docker-1 to br1 on host
+        ip link set dev ve-docker-1 up            # activates ve-docker-1 on host
+
+# Save and exit
+jlmkr restart docker
+# Verify in host/truenas that ve-docker-1 interface was created
+jlmkr shell docker
+ip a
+# Verify that vee-eth1@##### interface was created
+
+# Add static ip as network config for new network
+nano /etc/systemd/network/vee-dhcp.network
+# Comment out old settings under [Network] and add ip address and gateway
+# -------------- snip --------------
+[Match]
+Virtualization=container
+Name=vee-*
+
+[Network]
+#DHCP=yes
+#LinkLocalAddressing=ipv6
+#Bridge=br0
+DHCP=false
+Address=192.168.2.6/24
+# uncomment following line if this is the default interface
+#Gateway=192.168.2.1
+
+[DHCPv4]
+UseDNS=true
+UseTimezone=true
+# -------------- snip --------------
+systemctl restart systemd-networkd
+systemctl status systemd-networkd
+ip a  #verify that ip is correct
+# Update dhcp and dns servers with IP config of vee-eth1@##### interface
+
+Add bindings for docker container
+---------------------------------
+exit # out of docker shell
+jlmkr edit docker
+# Add the following args to "systemd_nspawn_user_args": 
+--bind='/mnt/SSD1/docker/data:/mnt/data'
+--bind='/mnt/SSD1/docker/stacks:/opt/stacks'
+
+# systemd_nspawn_user_args should reflect the following (example shows bindings added - other args might differ):
+systemd_nspawn_user_args=--network-macvlan=enp7s0  # this will update /etc/systemd/network/mv-dhcp.network
+        --resolv-conf=bind-host
+        --system-call-filter='add_key keyctl bpf'
+        --bind='/mnt/SSD1/docker/data:/mnt/data'       # new addition
+        --bind='/mnt/SSD1/docker/stacks:/opt/stacks'   # new addition
+        --bind='/mnt/stpool1/NData1/Media:/mnt/media'  # new addition
+        --bind='/mnt/stpool1/Downloads:/mnt/downloads' # new addition
+        --bind='/mnt/stpool1/Shared_Data:/mnt/shared'  # new addition
+        --bind='/mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net:/mnt/migrate'   # new addition
+
+# The last 3 bindings are for audio/video, shared and migrate folders respectively. Refer to jellyfin and database restore instructions for usage
+
+jlmkr restart docker
+
+Install Dockge
+--------------
+jlmkr shell docker
+nano ~/install_dockge.sh
+# Copy script below OR go to https://dockge.kuma.pet and copy installation script from there to install_dockge.sh:
+
+# ----- snip -----
+# Create directories that store your stacks and store Dockge's stack
+mkdir -p /opt/stacks /opt/dockge
+cd /opt/dockge
+
+# Download your compose.yaml
+curl "https://dockge.kuma.pet/compose.yaml?port=5001&stacksPath=%2Fopt%2Fstacks" --output compose.yaml
+
+# Start the Server
+docker compose up -d
+
+# If you are using docker-compose V1 or Podman
+# docker-compose up -d
+# ----- snip -----
+
+# Save and exit
+sh ~/install_dockge.sh
+# Dockge should install and start
+
+# Login to Dockge
+# Go to http://10.0.0.61:5001 (10.0.0.61 is ip of docker container)
+# Enter admin as username and choose desired password (write down password)
+
+Set jail to startup when system is started
+------------------------------------------
+exit #out of docker shell
+jlmkr edit docker
+# Change first line to:
+startup=1
+
+Enabling dockge secure login
+============================
+# Install traefik using newly installed Dockge. Refer to traefik installation instructions.
+# Install a second app and configure it to use traefik
+# Troubleshoot any issues with secure access to the app and/or traefik dashboard
+# This will ensure correct installation and working of traefik once you have success with secure accessing the new app
+# Open docker shell:
+jlmkr shell docker
+cd /opt/dockge
+# Make backup of compose.yaml
+cp -v compose.yaml compose.yaml.bak
+nano compose.yaml
+# Under server.dockge
+# Comment out ports stanza, e.g.:
+#    ports:
+#      - 5001:5001
+# Add the following under server.dockge
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net1
+      - traefik.http.routers.dockge-rtr.rule=Host(`dockge.sthome.org`)
+      - traefik.http.routers.dockge-rtr.entrypoints=websecure
+      - traefik.http.routers.dockge-rtr.tls.certresolver=sthomeresolver
+      - traefik.http.routers.dockge-rtr.service=dockge-svc
+      #
+      - traefik.http.services.dockge-svc.loadbalancer.server.port=5001
+    networks:
+      - traefik-net1
+
+# Add the following root entry:
+networks:
+  traefik-net1:
+    external: true
+# You can remove "version" line, i.e. the first line, to avoid docker complaining about version being obsolete on container restart
+# Finished product should look as follows:
+------------- snip -------------
+services:
+  dockge:
+    image: louislam/dockge:1
+    restart: unless-stopped
+#    ports:
+#      - 5001:5001
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./data:/app/data
+      # Stacks Directory
+      # ⚠️ READ IT CAREFULLY. If you did it wrong, your data could end up writing into a WRONG PATH.
+      # ⚠️ 1. FULL path only. No relative path (MUST)
+      # ⚠️ 2. Left Stacks Path === Right Stacks Path (MUST)
+      - /opt/stacks:/opt/stacks
+    environment:
+      # Tell Dockge where to find the stacks
+      - DOCKGE_STACKS_DIR=/opt/stacks
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net1
+      - traefik.http.routers.dockge-rtr.rule=Host(`dockge.sthome.org`)
+      - traefik.http.routers.dockge-rtr.entrypoints=websecure
+      - traefik.http.routers.dockge-rtr.tls.certresolver=sthomeresolver
+      - traefik.http.routers.dockge-rtr.service=dockge-svc
+      #
+      - traefik.http.services.dockge-svc.loadbalancer.server.port=5001
+    networks:
+      - traefik-net1
+networks:
+  traefik-net1:
+    external: true
+------------- snip -------------
+# Save and exit
+docker compose restart
+# Test access to dockge using https://dockge.sthome.org (no port should be specified)
+
+Replacing dockge docker.sock with a socket proxy
+================================================
+# refer: https://github.com/louislam/dockge/discussions/369
+# The following instruction:
+#   1. Replaces dockge service's /var/run/docker.sock volume with a DOCKER_HOST environment variable
+#   2. Adds socket-proxy service to project 
+# in Truenas shell, edit dockge compose.yml
+nano /mnt/SSD1/jailmaker/jails/docker/rootfs/opt/dockge/compose.yaml
+# under services.dockge.volumes comment out "/var/run/docker.sock:/var/run/docker.sock"
+# under services.dockge.environment add "DOCKER_HOST=tcp://socket-proxy-dockge:2375"
+# under services.dockge.networks add "socket_proxy"
+# Add the socket_proxy under top level "networks", e.g.:
+# ---- snip ----
+networks:
+  traefik-net1:
+    external: true
+  socket_proxy:
+    driver: bridge
+# ---- snip ----
+
+# Amend services.dockge.networks by adding socket-proxy
+# ---- snip ----
+    networks:
+      - traefik-net1
+      - socket_proxy
+# ---- snip ----
+
+# Add the following under services
+# --- snip ---
+  socket-proxy:
+    container_name: socket-proxy-dockge
+    image: tecnativa/docker-socket-proxy
+    restart: always
+    networks:
+      socket_proxy:
+    #     ipv4_address: xyz
+    privileged: true
+    # ports:
+    #   - "127.0.0.1:2375:2375"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+    environment:
+      - LOG_LEVEL=debug # debug,info,notice,warning,err,crit,alert,emerg
+      ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
+      # 0 to revoke access.
+      # 1 to grant access.
+      ## Granted by Default
+      # - EVENTS=1
+      # - PING=1
+      # - VERSION=1
+      # # Security critical
+      - AUTH=0
+      - SECRETS=0
+      - POST=1          # dockge 
+      # # Not always needed      
+      - BUILD=0
+      - COMMIT=0
+      - CONFIGS=0
+      - CONTAINERS=1    # dockge, Portainer, Traefik
+      - DISTRIBUTION=0
+      - EXEC=1          # dockge (run Container Shell)
+      - IMAGES=1        # dockge, Portainer
+      - INFO=1          # dockge, Portainer
+      - NETWORKS=1      # dockge, Portainer
+      - NODES=0
+      - PLUGINS=0
+      - SERVICES=1      # dockge, Portainer
+      - SESSION=0
+      - SWARM=0
+      - SYSTEM=1
+      - TASKS=1
+      - VOLUMES=1
+# --- snip ---
+# See dockge\compose.yml for file with traefik reverse proxy and socket-proxy added
+# This is the preferred config for dockge
+
+Troubleshooting
+---------------
+If you having trouble accessing dockge after applying the above:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Check if traefik is running (note: if traefik is not running, Dockge will be unavailable)
+# Restart traefik inside the /opt/stacks/traefik folder with docker compose up -d or 
+# if traefik cannot be restarted, undo the secure dockge login by stepping through the following:
+ # uncomment the ports stanza in /opt/dockge/compose.yaml
+ cd /opt/dockge
+ docker compose stop
+ docker compose build
+ docker compose up -d
+ # use dockge.sthome.org:5001 to access Dockge
+# After sorting out the issue with traefik, it is important to comment out the ports stanza in the dockge compose file and rebuild & restart as explained above.
+# Otherwise insecure access to dockge will remain available.
+
+If containers use the wrong default route
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# in docker shell, list ip routes
+ip r
+# note the default gateway entry(ies), i.e. lines starting with "default via" followed by a gateway ip and an network interface name. See if there are more than one of these lines
+# if more than one, you need to remove the default route(s) that are irrelevant / incorrect
+# to remove extraneous default route(s) use "ip route del" followed by the text displayed with "ip r" command of the extraneous default gateway, e.g.:
+ip route del default via 192.168.2.1 dev vee-eth1 proto static
+# double check the network configs to see if there are more than one gateway in total, e.g.:
+nano /etc/systemd/network/vee-dhcp.network
+nano /etc/systemd/network/80-container-host0.network
+# comment out extraneous gateway(s)
+
+
+
+
+
+
+
+
+
diff --git a/_instructions/restoring databases-psql.txt b/_instructions/restoring databases-psql.txt
new file mode 100644
index 0000000..16a7c9c
--- /dev/null
+++ b/_instructions/restoring databases-psql.txt	
@@ -0,0 +1,54 @@
+Precondition
+------------
+Destination database is newly created, i.e. completely empty, if not refer to "Clearing target database" 
+
+Preparation
+-----------
+If restoration is to made to postgres running in jailmaker/docker, ensure that docker config file has the following binding under systemd_nspawn_user_args.
+On truenas shell enter: jlmkr edit docker
+Edit systemd_nspawn_user_args setting to include:
+        --bind='/mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net:/mnt/migrate'
+
+Backup file access
+------------------
+Postgres can access the backup file in at least two ways:
+1. Copying the file to a folder in postgres container using docker cp, or
+2. Mounting the /mnt/migrate folder in postgres container
+
+Option 1. Copying the file to a folder in postgres container
+------------------------------------------------------------
+On truenas shell, open docker shell:
+jlmkr shell docker
+docker ps
+Container list will be displayed, e.g.:
+CONTAINER ID   IMAGE                       COMMAND                  CREATED          STATUS                 PORTS     NAMES
+572f221431ca   vaultwarden/server:latest   "/start.sh"              2 hours ago      Up 2 hours (healthy)   80/tcp    vaultwarden
+adb7d77f22ee   postgres:15                 "docker-entrypoint.s…"   2 hours ago      Up 2 hours (healthy)   5432/tcp  pg_vaultwarden
+
+Note the postgres CONTAINER ID, i.e. adb7d77f22ee:
+docker cp /mnt/migrate adb7d77f22ee:/var/backups
+
+Option 2. Mounting the migrate folder in postgres container
+-----------------------------------------------------------
+Edit postgres docker-compose file and a mount under services.postgres.volumes: - /mnt/migrate:/var/backups
+Rebuild postgres container
+
+Restore vaultwarden database using psql
+--------===========--------------------
+In docker shell:
+docker stop vaultwarden
+docker exec -it pg_vaultwarden sh
+psql -U vaultwarden -d vaultwarden < /var/backups/2024-08-27/databases/vaultwarden-backup.sql
+exit (exit pg_vaultwarden shell)
+docker start vaultwarden
+
+Clearing target database
+------------------------
+The restore process requires a completely empty database, so if this is an existing database it needs to be cleared first.
+If there is any data present that might need to be recovered in future, backup the target database first, before following the steps hereafter.
+We will delete then recreate database:
+In docker shell, docker stop vaultwarden
+Use pgadmin to delete Servers -> vaultwarden -> vaultwarden database
+Create new database with same name, i.e. vaultwarden
+In docker shell, docker start vaultwarden
+
diff --git a/_instructions/restoring databases.txt b/_instructions/restoring databases.txt
new file mode 100644
index 0000000..bf00a62
--- /dev/null
+++ b/_instructions/restoring databases.txt	
@@ -0,0 +1,161 @@
+NB!: List of filenames is at end of this file
+
+Preparation
+-----------
+If restoration is to made to postgres running in jailmaker/docker, ensure that docker config file has the following binding under systemd_nspawn_user_args.
+On truenas shell enter:
+jlmkr edit docker
+mapping to shared folder
+------------------------
+Edit systemd_nspawn_user_args setting to include:
+        --bind='/mnt/stpool1/Shared_Data:/mnt/shared'
+copy backup files to /mnt/stpool1/Shared_Data/backups/postgres
+Ensure that pgAdmin has a mapping to /mnt/shared/backups/postgres
+
+OR direct mapping to truecharts pgadmin storage folder:
+-------------------------------------------------------
+Edit systemd_nspawn_user_args setting to include:
+        --bind='/mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net:/mnt/migrate'
+Ensure that pgAdmin has a mapping to /mnt/migrate
+
+Restore
+-------
+Log in to pgAdmin
+User name: stuurmcp@telkomsa.net
+Password: 
+
+Copy backup files to pgadmin storage folder in container
+--------------------------------------------------------
+On truenas shell:
+jlmkr shell docker
+docker ps
+Container list will be displayed, e.g.:
+CONTAINER ID   IMAGE                                   COMMAND                  CREATED          STATUS                    PORTS    NAMES
+42a544cf2181   ghcr.io/mealie-recipes/mealie:v1.12.0   "/app/run.sh"            15 minutes ago   Up 14 minutes (healthy)            mealie
+4ebb127ffe6d   postgres:15                             "docker-entrypoint.s…"   15 minutes ago   Up 15 minutes (healthy)            postgres
+2334cd77c4cf   dpage/pgadmin4                          "/entrypoint.sh"         18 minutes ago   Up 18 minutes                      pgadmin-pgadmin-1
+Note the container id for pgadmin4 and postgres:
+To copy to container, use: docker cp /mount-path-in-docker-jail/backup-folder containerId:/storage-path-in-container
+
+To copy to pgadmin for pgadmin gui restore:
+docker cp /mnt/shared/backups/postgres/2024-08-23 2334cd77c4cf:/var/lib/pgadmin/storage/stuurmcp_telkomsa.net
+
+To copy to postgres for cmd line pg_restore/psql restore:
+docker cp /mnt/shared/backups/postgres/2024-08-23 4ebb127ffe6d:/var/backups
+
+Assuming that we are restoring mealie database
+Create SSD1/docker/data/postgres/mealie dataset; permissions postgres:postgres
+
+pgAdmin gui restore
+-------------------
+Register connect to server using above details (name connection "mealie", Host name/address "mealie_pg")
+Right click on Databases under mealie server and choose Create->Database...
+Name the database "mealie"
+Click Save
+Right click database name, i.e. mealie and select Restore...
+Format: Custom or tar
+Name: mealie
+
+cmd line pg_restore/psql restore
+--------------------------------
+docker exec -it pg_mealie sh
+psql -U mealie -d mealie < /var/backups/2024-08-27/databases/mealie-backup.sql
+or
+pg_restore -h localhost -U postgres -d mealie /var/backups/2024-08-23/databases/mealie-backup.tar
+
+full db backup arg list:
+PGPASSWORD="your_pass" psql -h localhost -U mealie -d mealie -f /var/backups/2024-08-23/databases/mealie-backup.tar
+
+Filenames
+=========
+Backup date: 2024-08-23
+
+authentik
+---------
+/2024-08-23/globals/authentik-cnpg-backup-globals.sql
+/2024-08-23/servers/authentik-cnpg-backup-servers.sql
+/2024-08-23/databases/authentik-backup.sql
+/2024-08-23/databases/authentik-postgress-backup.sql
+/2024-08-23/databases/authentik-backup.bak
+/2024-08-23/databases/authentik-postgress-backup.bak
+
+fireflyiii
+----------
+/2024-08-23/globals/fireflyiii-cnpg-backup-globals.sql
+/2024-08-23/servers/fireflyiii-cnpg-backup-servers.sql
+/2024-08-23/databases/fireflyiii-backup.sql
+/2024-08-23/databases/fireflyiii-postgress-backup.sql
+/2024-08-23/databases/fireflyiii-backup.bak
+/2024-08-23/databases/fireflyiii-postgress-backup.bak
+
+gitea
+-----
+/2024-08-23/globals/gitea-cnpg-backup-globals.sql
+/2024-08-23/servers/gitea-cnpg-backup-servers.sql
+/2024-08-23/databases/gitea-backup.sql
+/2024-08-23/databases/gitea-postgress-backup.sql
+/2024-08-23/databases/gitea-backup.bak
+/2024-08-23/databases/gitea-postgress-backup.bak
+
+grafana
+-------
+/2024-08-23/globals/grafana-cnpg-backup-globals.sql
+/2024-08-23/servers/grafana-cnpg-backup-servers.sql
+/2024-08-23/databases/grafana-backup.sql
+/2024-08-23/databases/grafana-postgress-backup.sql
+/2024-08-23/databases/grafana-backup.bak
+/2024-08-23/databases/grafana-postgress-backup.bak
+
+home-assistant
+--------------
+/2024-08-23/globals/home-assistant-cnpg-backup-globals.sql
+/2024-08-23/servers/home-assistant-cnpg-backup-servers.sql
+/2024-08-23/databases/home-assistant-backup.sql
+/2024-08-23/databases/home-assistant-postgress-backup.sql
+/2024-08-23/databases/home-assistant-backup.bak
+/2024-08-23/databases/home-assistant-postgress-backup.bak
+
+mealie
+------
+/2024-08-23/globals/mealie-cnpg-backup-globals.sql
+/2024-08-23/servers/mealie-cnpg-backup-servers.sql
+/2024-08-23/databases/mealie-backup.sql
+/2024-08-23/databases/mealie-postgress-backup.sql
+/2024-08-23/databases/mealie-backup.bak
+/2024-08-23/databases/mealie-postgress-backup.bak
+
+onlyoffice-document-server
+--------------------------
+/2024-08-23/globals/onlyoffice-document-server-cnpg-backup-globals.sql
+/2024-08-23/servers/onlyoffice-document-server-cnpg-backup-servers.sql
+/2024-08-23/databases/onlyoffice-document-server-backup.sql
+/2024-08-23/databases/onlyoffice-document-server-postgress-backup.sql
+/2024-08-23/databases/onlyoffice-document-server-backup.bak
+/2024-08-23/databases/onlyoffice-document-server-postgress-backup.bak
+
+photoview
+---------
+/2024-08-23/globals/photoview-cnpg-backup-globals.sql
+/2024-08-23/servers/photoview-cnpg-backup-servers.sql
+/2024-08-23/databases/photoview-backup.sql
+/2024-08-23/databases/photoview-postgress-backup.sql
+/2024-08-23/databases/photoview-backup.bak
+/2024-08-23/databases/photoview-postgress-backup.bak
+
+sheetable
+---------
+/2024-08-23/globals/sheetable-cnpg-backup-globals.sql
+/2024-08-23/servers/sheetable-cnpg-backup-servers.sql
+/2024-08-23/databases/sheetable-backup.sql
+/2024-08-23/databases/sheetable-postgress-backup.sql
+/2024-08-23/databases/sheetable-backup.bak
+/2024-08-23/databases/sheetable-postgress-backup.bak
+
+vaultwarden
+-----------
+/2024-08-23/globals/vaultwarden-cnpg-backup-globals.sql
+/2024-08-23/servers/vaultwarden-cnpg-backup-servers.sql
+/2024-08-23/databases/vaultwarden-backup.sql
+/2024-08-23/databases/vaultwarden-postgress-backup.sql
+/2024-08-23/databases/vaultwarden-backup.bak
+/2024-08-23/databases/vaultwarden-postgress-backup.bak
\ No newline at end of file
diff --git a/_instructions/set ACL permissions for media.txt b/_instructions/set ACL permissions for media.txt
new file mode 100644
index 0000000..fcabdea
--- /dev/null
+++ b/_instructions/set ACL permissions for media.txt	
@@ -0,0 +1,14 @@
+set ACL permissions for media folder to be accessible by media group
+--------------------------------------------------------------------
+
+On Truenas shell:
+# read and note acl entries
+getfacl /mnt/stpool1/NData1
+getfacl /mnt/stpool1/NData1/Media
+# set read and execute permissions for media group on parent folder
+setfacl -m g:media:5 /mnt/stpool1/NData1
+# set full permissions for media group on Media folder recursively
+setfacl -R -m g:media:7 /mnt/stpool1/NData1/Media
+# modify defaults recursively
+setfacl -R -d -m g:media:7 /mnt/stpool1/NData1/Media
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
\ No newline at end of file
diff --git a/_instructions/static ips.txt b/_instructions/static ips.txt
new file mode 100644
index 0000000..1863f10
--- /dev/null
+++ b/_instructions/static ips.txt	
@@ -0,0 +1,22 @@
+number  mac address  ip address  description  action
+1 00:a0:98:76:1c:90 10.0.0.15 upd.sthome.org
+2 00:18:ae:c5:2f:f0 10.0.0.10 cctv.sthome.org
+3 00:15:99:9c:fb:4d 10.0.0.24 clx-3185fw.sthome.org
+4 80:5e:0c:83:02:10 10.0.0.19 phone1.sthome.org
+5 ec:71:db:3f:65:09 10.0.0.101 cam-driveway.sthome.org
+6 38:d5:47:c8:00:77 10.0.0.20 truenas.sthome.org
+7                   10.0.0.22 pve.sthome.org
+8 00:26:55:d9:73:b2 10.0.0.21 truenasvm.sthome.org
+9 e0:bb:9e:84:c7:74 10.0.0.25 l1250.sthome.org
+10 1c:fd:08:77:53:5c 10.0.0.30 wstat.sthome.org
+11 1c:fd:08:77:53:5d 10.0.0.31 wstat.sthome.org
+12 ec:71:db:57:2e:fb 10.0.0.102 cam-backyard.sthome.org
+13 ec:71:db:c6:d9:32 10.0.0.103 cam-patio.sthome.org
+14 ec:71:db:e9:af:a3 10.0.0.104 cam-eastwall.sthome.org
+15 74:56:3c:4e:74:98 10.0.0.33 mediac.sthome.org
+16 44:91:7c:07:3f:ba 10.0.0.43 zelna-nokia.sthome.org
+17 4e:21:00:35:e7:fb 10.0.0.42 chris-samsung5g.sthome.org
+18 30:ab:6a:fc:09:64 10.0.0.41 chris-samsung.sthome.org
+19 7e:e3:5a:f4:dd:35 10.0.0.61 docker.sthome.org
+20 bc:24:11:80:54:54 10.0.0.51 frigate-local.sthome.org
+21 bc:24:11:06:32:3c 10.0.0.1 dserver.sthome.org 
\ No newline at end of file
diff --git a/_instructions/to copy file from truenas k3s container .txt b/_instructions/to copy file from truenas k3s container .txt
new file mode 100644
index 0000000..ada75ef
--- /dev/null
+++ b/_instructions/to copy file from truenas k3s container .txt	
@@ -0,0 +1,13 @@
+To copy file from truenas k3s container 
+---------------------------------------
+
+# get fullname of pod:
+# Option 1:
+# go to Apps can click on the relevant app
+# under Workloads, click the shell icon and in the Choose pod window, select and copy the name of the relevant pod appearing in the first textbox to clipboard
+# Option 2:
+# list pods in the app's namespace:
+k3s kubectl get pods -n ix-<appname>
+# select and copy the relevant pod's name to clipboard
+# use the following command to copy the a file from the container (container = appname)
+k3s kubectl cp -c <container> <namespace>/<podname>:/path/to/file/in/container/filename.ext  /local/path/and/filename.ext 
\ No newline at end of file
diff --git a/_instructions/to install and use htpasswd.txt b/_instructions/to install and use htpasswd.txt
new file mode 100644
index 0000000..b07f4ca
--- /dev/null
+++ b/_instructions/to install and use htpasswd.txt	
@@ -0,0 +1,7 @@
+
+Install htpasswd:
+apt update & apt install apache2-utils
+
+Create password hash for user admin with traefik basicauth
+echo $(htpasswd -nB admin) | sed -e s/\\$/\\$\\$/g
+Enter and confirm password to hash
diff --git a/_instructions/to list networks with subnets.txt b/_instructions/to list networks with subnets.txt
new file mode 100644
index 0000000..c5c2169
--- /dev/null
+++ b/_instructions/to list networks with subnets.txt	
@@ -0,0 +1,5 @@
+
+# to list networks with subnets
+apt-get update
+apt-get install q
+docker network inspect $(docker network ls | awk '$3 == "bridge" { print $1}') | jq -r '.[] | .Name + " " + .IPAM.Config[0].Subnet' -
\ No newline at end of file
diff --git a/_instructions/to reset postgresql database password.txt b/_instructions/to reset postgresql database password.txt
new file mode 100644
index 0000000..8fb3f49
--- /dev/null
+++ b/_instructions/to reset postgresql database password.txt	
@@ -0,0 +1,55 @@
+
+To reset postgresql database password
+-------------------------------------
+
+# example below uses vaultwarden as the app with db user "vaultwarden" and db name "vaultwarden"
+# all commands are executed from docker shell
+
+# stop vaultwarden
+cd /opt/stacks/vaultwarden
+docker compose down
+
+# Edit pg_hba.conf
+nano /mnt/data/vaultwarden/pgdata/pg_hba.conf
+
+# at the bottom of the file, comment out "host all all all scram-sha-256" and add new line "host all all all trust"
+# result should look as follows:
+# -- snip --
+ # host all all all scram-sha-256
+ host all all all trust
+# -- snip --
+
+# start postgresql
+cd /opt/stacks/vaultwarden
+docker compose up -d postgresql
+
+# exec into vaultwarden-postgresql-1
+docker exec -it vaultwarden-postgresql-1 bash
+
+# open psql shell
+psql -U vaultwarden -d vaultwarden
+
+# update password for "vaultwarden" user; "ALTER ROLE" should be returned
+ALTER USER vaultwarden WITH PASSWORD 'new_password';
+
+# (optional) ensure that "vaultwarden" user owns "vaultwarden" database
+ALTER DATABASE vaultwarden OWNER TO vaultwarden
+
+# quit psql shell
+\q
+
+# exit to docker shell
+exit
+
+# restore pg_hba.conf
+nano /mnt/data/vaultwarden/pgdata/pg_hba.conf
+
+# at the bottom of the file, uncomment out "host all all all scram-sha-256" and remove line "host all all all trust"
+# result should look as follows:
+# -- snip --
+ host all all all scram-sha-256
+# -- snip --
+
+# start vaultwarden
+cd /opt/stacks/vaultwarden
+docker compose up -d
\ No newline at end of file
diff --git a/_instructions/to upgrade postgresql.txt b/_instructions/to upgrade postgresql.txt
new file mode 100644
index 0000000..f72958d
--- /dev/null
+++ b/_instructions/to upgrade postgresql.txt	
@@ -0,0 +1,62 @@
+
+To upgrade postgresql
+---------------------
+
+# example below uses vaultwarden as the app with db user "vaultwarden" and db name "vaultwarden"
+# all commands are executed from docker shell, unless stated otherwise
+
+# stop vaultwarden
+cd /opt/stacks/vaultwarden
+docker compose down
+
+# start postgresql
+cd /opt/stacks/vaultwarden
+docker compose up -d postgresql
+
+# dump database
+cd /opt/stacks/vaultwarden
+mkdir /mnt/data/vaultwarden/pgbackups/$(date -I)
+docker exec vaultwarden-postgresql-1 pg_dumpall -U vaultwarden > /mnt/data/vaultwarden/pgbackups/$(date -I)/vaultwarden-backup.sql
+chown -R postgres:postgres /mnt/data/vaultwarden/pgbackups/$(date -I)
+chmod -R 700 /mnt/data/vaultwarden/pgbackups/$(date -I)
+
+# stop postgresql
+cd /opt/stacks/vaultwarden
+docker compose down postgresql
+
+# rename pgdata (we don't delete yet; in order to have a rollback option)
+# in Truenas shell, enter
+zfs rename SSD1/docker/data/vaultwarden/pgdata SSD1/docker/data/vaultwarden/pgdata-old
+
+# create new pgdata dataset
+# in Truenas shell, enter
+zfs create SSD1/docker/data/vaultwarden/pgdata
+chown -R postgres:postgres /mnt/SSD1/docker/data/vaultwarden/pgdata
+chmod 700 /mnt/SSD1/docker/data/vaultwarden/pgdata
+
+# edit the vaultwarden compose.yml file to the new version of the postgresql image
+# -- snip --
+  postgresql:
+    image: postgres:17-alpine
+# -- snip --
+
+# pull image
+docker compose pull
+
+# start new postgresql container
+docker compose up -d postgresql
+
+# import database dump
+cat /mnt/data/vaultwarden/pgbackups/$(date -I)/vaultwarden-backup.sql | docker exec -i vaultwarden-postgresql-1 psql -U vaultwarden
+
+# stop postgresql
+cd /opt/stacks/vaultwarden
+docker compose down postgresql
+
+# start stack
+cd /opt/stacks/vaultwarden
+docker compose up -d
+
+# Check if all is ok
+# Log into vaultwarden as check if all looks ok
+# If ok, delete the pgdata-old dataset using Truenas GUI, or later (after confidence is high enough)
\ No newline at end of file
diff --git a/_instructions/troubleshooting container network.txt b/_instructions/troubleshooting container network.txt
new file mode 100644
index 0000000..9a89d98
--- /dev/null
+++ b/_instructions/troubleshooting container network.txt	
@@ -0,0 +1,39 @@
+https://github.com/nicolaka/netshoot
+
+# Container's Network Namespace: If you're having networking issues with your application's container, you can launch netshoot with that container's network namespace like this:
+docker run -it --net container:<container_name> nicolaka/netshoot
+
+# Host's Network Namespace: If you think the networking issue is on the host itself, you can launch netshoot with that host's network namespace:
+docker run -it --net host nicolaka/netshoot
+
+# Launching netshoot with NET_ADMIN and CAP_NET_RAW capabilities. Capturing packets on eth0 with icmp 
+docker run --rm --cap-add=NET_ADMIN --cap-add=NET_RAW -it nicolaka/netshoot termshark -i eth0 icmp
+
+# Capturing with “tcpdump” for viewing with Wireshark inside netshoot
+# -------------------------------------------------------------------
+docker run -it --net container:<container_name> nicolaka/netshoot      # launch netshoot with container's network namespace
+tcpdump -i <interface> -s 65535 -w <file>                              # capture with tcpdump
+docker cp <containerId>:/file/path/within/container /host/path/target  # copy dump file from netshoot to host
+
+# Example of tcpdump capture: (using two terminals)
+# -------------------------------------------------
+# launch netshoot with plex's network namespace from docker shell
+  docker run -it --net container:plex nicolaka/netshoot
+
+# run tcpdump within netshoot container: 
+  tcpdump -i eth0 -s 65535 -w /tmp/plexdump.cap
+  
+# stop the dump
+  ctrl-c
+
+# to get netshoot container name/id; using other terminal, in docker shell, enter:
+  docker ps | grep "netshoot"
+  
+# result of above; first item is containerId, last item is container name:
+       0c3986714b3f   nicolaka/netshoot   "zsh"   35 minutes ago   Up 35 minutes   exciting_jang 
+
+# copy file to current folder
+  docker cp exciting_jang:/tmp/plexdump.cap  ./             
+  
+# you can now exit from netshoot in first terminal
+
diff --git a/_instructions/troubleshooting containers default gateway.txt b/_instructions/troubleshooting containers default gateway.txt
new file mode 100644
index 0000000..721e99d
--- /dev/null
+++ b/_instructions/troubleshooting containers default gateway.txt	
@@ -0,0 +1,86 @@
+
+
+# https://www.youtube.com/watch?v=WDQIv-Kd6hk&t=22s
+https://serverfault.com/questions/696747/routing-from-docker-containers-using-a-different-physical-network-interface-and
+
+# in container shell
+ip route get 8.8.8.8
+8.8.8.8 via 10.255.224.1 dev eth0  src 10.255.224.4
+
+# in docker shell
+ip -4 -br a s dev br-traefik-net1
+br-traefik-net1  UP             10.255.224.1/20
+
+ip route get 8.8.8.8
+8.8.8.8 via 10.0.0.2 dev mv-enp7s0 src 10.0.0.61 uid 0
+    cache
+
+ip r
+default via 192.168.2.1 dev vee-eth1 proto static
+default via 10.0.0.2 dev mv-enp7s0 proto static
+10.0.0.0/24 dev mv-enp7s0 proto kernel scope link src 10.0.0.61
+10.255.224.0/20 dev br-traefik-net1 proto kernel scope link src 10.255.224.1
+10.255.240.0/24 dev br-traefik-net2 proto kernel scope link src 10.255.240.1
+172.16.224.0/24 dev br-4da896b4a65a proto kernel scope link src 172.16.224.1
+172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
+172.18.0.0/16 dev br-f5ab0a59124f proto kernel scope link src 172.18.0.1
+192.168.2.0/24 dev vee-eth1 proto kernel scope link src 192.168.2.6
+
+sysctl net.ipv4.ip_forward
+net.ipv4.ip_forward = 1
+
+# reply packets
+ip route get 10.255.224.4
+10.255.224.4 dev br-traefik-net1 src 10.255.224.1 uid 0
+    cache
+
+ip -4 -br a s dev br-traefik-net1
+br-traefik-net1  UP             10.255.224.1/20
+
+tcpdump -ni mv-enp7s0 icmp
+tcpdump -ni vee-eth1 icmp
+
+#list namespaces
+lsns -t net
+
+cat ~/snat.conf
+
+# load config
+nft -f ~/snat.conf
+
+# list loaded configs
+nft list ruleset
+
+Change metric of default route to interface
+-------------------------------------------
+ip r
+default via 192.168.2.1 dev vee-eth1 proto static
+default via 10.0.0.2 dev mv-enp7s0 proto static
+10.0.0.0/24 dev mv-enp7s0 proto kernel scope link src 10.0.0.61
+10.255.224.0/20 dev br-traefik-net1 proto kernel scope link src 10.255.224.1
+10.255.240.0/24 dev br-traefik-net2 proto kernel scope link src 10.255.240.1
+172.16.224.0/24 dev br-2a6971a42c02 proto kernel scope link src 172.16.224.1
+172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
+172.18.0.0/16 dev br-aa39a4420c90 proto kernel scope link src 172.18.0.1
+192.168.2.0/24 dev vee-eth1 proto kernel scope link src 192.168.2.6
+# then delete i/f, e.g. vee-eth1
+ip route del default via 192.168.2.1
+# then add with metric
+ip route add default via 192.168.2.1 metric 50
+ip r
+default via 10.0.0.2 dev mv-enp7s0 proto static
+default via 192.168.2.1 dev vee-eth1 metric 50
+10.0.0.0/24 dev mv-enp7s0 proto kernel scope link src 10.0.0.61
+10.255.224.0/20 dev br-traefik-net1 proto kernel scope link src 10.255.224.1
+10.255.240.0/24 dev br-traefik-net2 proto kernel scope link src 10.255.240.1
+172.16.224.0/24 dev br-2a6971a42c02 proto kernel scope link src 172.16.224.1
+172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
+172.18.0.0/16 dev br-aa39a4420c90 proto kernel scope link src 172.18.0.1
+192.168.2.0/24 dev vee-eth1 proto kernel scope link src 192.168.2.6
+
+
+
+
+
+
+	
diff --git a/_instructions/troubleshooting mounts.txt b/_instructions/troubleshooting mounts.txt
new file mode 100644
index 0000000..50ae0d8
--- /dev/null
+++ b/_instructions/troubleshooting mounts.txt	
@@ -0,0 +1,3 @@
+
+# to list mounts
+ findmnt -lo source,target,fstype,label,options,used -t zfs
\ No newline at end of file
diff --git a/_instructions/zfs rename dataset.txt b/_instructions/zfs rename dataset.txt
new file mode 100644
index 0000000..074e1f9
--- /dev/null
+++ b/_instructions/zfs rename dataset.txt	
@@ -0,0 +1,4 @@
+zfs rename  dataset
+-------------------
+
+zfs rename poolname/datasetA/ugly poolname/datasetA/sightly
\ No newline at end of file
diff --git a/dashy/data/config/config.yml b/dashy/data/config/config.yml
index 282c590..260052b 100644
--- a/dashy/data/config/config.yml
+++ b/dashy/data/config/config.yml
@@ -61,6 +61,13 @@ sections:
         statusCheck: true
         statusCheckUrl: https://pve.sthome.org:8006
         target: newtab
+      - title: Portainer
+        description: Container management for proxmox/frigate
+        icon: dashboard-icons/svg/portainer.svg
+        url: https://portainer-local.sthome.org:9443/#!/auth
+        statusCheck: true
+        statusCheckUrl: https://portainer-local.sthome.org:9443
+        target: newtab
       - title: Traefik
         description: Reverse proxy and load balancer
         icon: dashboard-icons/svg/traefik.svg
diff --git a/esphome/Connecting esp32.txt b/esphome/Connecting esp32.txt
new file mode 100644
index 0000000..8983bcc
--- /dev/null
+++ b/esphome/Connecting esp32.txt	
@@ -0,0 +1,22 @@
+Ensure that Wifi that ESP will be connecting to, is configure for WPA-PSK/WPA2-PSK MIXED authentication
+
+Plug in ESP32 into USB port of computer that runs the web browser.
+
+Open https://esphome.sthome.org in Google Chrome or MS Edge web browser
+
+Click on Prepare for first use
+
+On success, click on Connect Wifi
+
+Select relevant SSD1 and enter Wifi password
+
+sthome-ut1
+
+ESPhome uses mDNS witch is a multicast protocol, multicast does not cross vlans.
+
+You have 4 options:
+
+Use a Firewall/Router that permits mDNS to cross vlans
+Use Avahi reflector on a RPI connected to all vlans
+On hass.io add the "status_use_ping=true"
+On esphome docker dashboard use the env "ESPHOME_DASHBOARD_USE_PING=true"
diff --git a/esphome/esphome_jm.txt b/esphome/esphome_jm.txt
new file mode 100644
index 0000000..0871485
--- /dev/null
+++ b/esphome/esphome_jm.txt
@@ -0,0 +1,35 @@
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: esphome
+Username: esphome
+Disable Password: <select>
+Email: <leave blank>
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+esphome UID: 3017
+esphome GID: 3016
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*esphome"
+# create following dataset if not present
+zfs create SSD1/docker/data/esphome
+zfs create SSD1/docker/data/esphome/config
+chown -R esphome:esphome /mnt/SSD1/docker/data/esphome
+
+Create stacks folder
+---------------------
+mkdir -p /mnt/SSD1/docker/stacks/esphome
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in esphome folder, enter:
+./cp2nas 192.168.2.2
+
diff --git a/esphome/logs_sthome-24g4_rename.txt b/esphome/logs_sthome-24g4_rename.txt
new file mode 100644
index 0000000..f1f9d91
--- /dev/null
+++ b/esphome/logs_sthome-24g4_rename.txt
@@ -0,0 +1,358 @@
+INFO ESPHome 2025.3.3
+INFO Reading configuration /config/sthome-24g4.yaml...
+Updating /config/sthome-24g4.yaml to /config/sthome-ut1.yaml
+
+INFO ESPHome 2025.3.3
+INFO Reading configuration /config/sthome-ut1.yaml...
+esphome:
+  name: sthome-ut1
+  friendly_name: !secret 'wifi_ssid'
+  min_version: 2025.3.3
+  build_path: build/sthome-ut1
+  area: ''
+  platformio_options: {}
+  includes: []
+  libraries: []
+  name_add_mac_suffix: false
+esp32:
+  board: esp32dev
+  framework:
+    version: 2.0.5
+    advanced:
+      ignore_efuse_custom_mac: false
+    source: ~3.20005.0
+    platform_version: platformio/espressif32@5.4.0
+    type: arduino
+  flash_size: 4MB
+  variant: ESP32
+logger:
+  baud_rate: 115200
+  tx_buffer_size: 512
+  deassert_rts_dtr: false
+  hardware_uart: UART0
+  level: DEBUG
+  logs: {}
+api:
+  encryption:
+    key: 0Ki4j7JX8Y1IkMGh1fBBu2Dg6DgrnUq8GEXKZvkzeSY=[redacted]
+  port: 6053
+  password: ''[redacted]
+  reboot_timeout: 15min
+ota:
+- platform: esphome
+  password: 37f546590fcc15e1323d273540eb623a[redacted]
+  version: 2
+  port: 3232
+wifi:
+  ap:
+    ssid: Sthome-24G4 Fallback Hotspot[redacted]
+    password: 7SglIlgdkpAD[redacted]
+    ap_timeout: 1min
+  domain: .local
+  reboot_timeout: 15min
+  power_save_mode: LIGHT
+  fast_connect: false
+  passive_scan: false
+  enable_on_boot: true
+  networks:
+  - ssid: !secret 'wifi_ssid'[redacted]
+    password: !secret 'wifi_password'[redacted]
+    priority: 0.0
+  use_address: sthome-ut1.local
+captive_portal: {}
+
+INFO Configuration is valid!
+INFO ESPHome 2025.3.3
+INFO Reading configuration /config/sthome-ut1.yaml...
+INFO Generating C++ source...
+INFO Core config, version or integrations changed, cleaning build files...
+INFO Compiling app...
+Processing sthome-ut1 (board: esp32dev; framework: arduino; platform: platformio/espressif32@5.4.0)
+--------------------------------------------------------------------------------
+Library Manager: Installing esphome/AsyncTCP-esphome @ 2.1.4
+INFO Installing esphome/AsyncTCP-esphome @ 2.1.4
+Unpacking  [####################################]  100%
+Library Manager: AsyncTCP-esphome@2.1.4 has been installed!
+INFO AsyncTCP-esphome@2.1.4 has been installed!
+Library Manager: Installing esphome/ESPAsyncWebServer-esphome @ 3.3.0
+INFO Installing esphome/ESPAsyncWebServer-esphome @ 3.3.0
+Unpacking  [####################################]  100%
+Library Manager: ESPAsyncWebServer-esphome@3.3.0 has been installed!
+INFO ESPAsyncWebServer-esphome@3.3.0 has been installed!
+Library Manager: Resolving dependencies...
+INFO Resolving dependencies...
+Library Manager: Installing esphome/noise-c @ 0.1.6
+INFO Installing esphome/noise-c @ 0.1.6
+Unpacking  [####################################]  100%
+Library Manager: noise-c@0.1.6 has been installed!
+INFO noise-c@0.1.6 has been installed!
+Library Manager: Resolving dependencies...
+INFO Resolving dependencies...
+Library Manager: Installing esphome/libsodium @ 1.10018.4
+INFO Installing esphome/libsodium @ 1.10018.4
+Unpacking  [####################################]  100%
+Library Manager: libsodium@1.10018.4 has been installed!
+INFO libsodium@1.10018.4 has been installed!
+HARDWARE: ESP32 240MHz, 320KB RAM, 4MB Flash
+ - toolchain-xtensa-esp32 @ 8.4.0+2021r2-patch5
+Dependency Graph
+|-- AsyncTCP-esphome @ 2.1.4
+|-- WiFi @ 2.0.0
+|-- FS @ 2.0.0
+|-- Update @ 2.0.0
+|-- ESPAsyncWebServer-esphome @ 3.3.0
+|-- DNSServer @ 2.0.0
+|-- ESPmDNS @ 2.0.0
+|-- noise-c @ 0.1.6
+Compiling .pioenvs/sthome-ut1/src/esphome/components/api/api_connection.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/api/api_frame_helper.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/api/api_pb2.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/api/api_pb2_service.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/api/api_server.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/api/list_entities.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/api/proto.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/api/subscribe_state.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/api/user_services.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/captive_portal/captive_portal.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/esp32/core.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/esp32/gpio.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/esp32/preferences.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/esphome/ota/ota_esphome.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/logger/logger.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/logger/logger_esp32.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/logger/logger_esp8266.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/logger/logger_host.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/logger/logger_libretiny.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/logger/logger_rp2040.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/md5/md5.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/mdns/mdns_component.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/mdns/mdns_esp32.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/mdns/mdns_esp8266.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/mdns/mdns_host.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/mdns/mdns_libretiny.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/mdns/mdns_rp2040.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/network/util.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/ota/ota_backend.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/ota/ota_backend_arduino_esp32.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/ota/ota_backend_arduino_esp8266.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/ota/ota_backend_arduino_libretiny.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/ota/ota_backend_arduino_rp2040.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/ota/ota_backend_esp_idf.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/safe_mode/safe_mode.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/socket/bsd_sockets_impl.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/socket/lwip_raw_tcp_impl.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/socket/lwip_sockets_impl.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/socket/socket.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/web_server_base/web_server_base.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/wifi/wifi_component.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/wifi/wifi_component_esp32_arduino.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/wifi/wifi_component_esp8266.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/wifi/wifi_component_esp_idf.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/wifi/wifi_component_libretiny.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/components/wifi/wifi_component_pico_w.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/core/application.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/core/color.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/core/component.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/core/component_iterator.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/core/controller.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/core/entity_base.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/core/helpers.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/core/log.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/core/ring_buffer.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/core/scheduler.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/core/string_ref.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/core/time.cpp.o
+Compiling .pioenvs/sthome-ut1/src/esphome/core/util.cpp.o
+Compiling .pioenvs/sthome-ut1/src/main.cpp.o
+Building .pioenvs/sthome-ut1/bootloader.bin
+Generating partitions .pioenvs/sthome-ut1/partitions.bin
+Creating esp32 image...
+Successfully created esp32 image.
+Compiling .pioenvs/sthome-ut1/lib07a/AsyncTCP-esphome/AsyncTCP.cpp.o
+Compiling .pioenvs/sthome-ut1/lib18f/WiFi/WiFi.cpp.o
+Compiling .pioenvs/sthome-ut1/lib18f/WiFi/WiFiAP.cpp.o
+Compiling .pioenvs/sthome-ut1/lib18f/WiFi/WiFiClient.cpp.o
+Compiling .pioenvs/sthome-ut1/lib18f/WiFi/WiFiGeneric.cpp.o
+Compiling .pioenvs/sthome-ut1/lib18f/WiFi/WiFiMulti.cpp.o
+Compiling .pioenvs/sthome-ut1/lib18f/WiFi/WiFiSTA.cpp.o
+Compiling .pioenvs/sthome-ut1/lib18f/WiFi/WiFiScan.cpp.o
+Compiling .pioenvs/sthome-ut1/lib18f/WiFi/WiFiServer.cpp.o
+Compiling .pioenvs/sthome-ut1/lib18f/WiFi/WiFiUdp.cpp.o
+Compiling .pioenvs/sthome-ut1/lib6ca/FS/FS.cpp.o
+Compiling .pioenvs/sthome-ut1/lib6ca/FS/vfs_api.cpp.o
+Compiling .pioenvs/sthome-ut1/libb83/Update/HttpsOTAUpdate.cpp.o
+Compiling .pioenvs/sthome-ut1/libb83/Update/Updater.cpp.o
+Compiling .pioenvs/sthome-ut1/libce5/ESPAsyncWebServer-esphome/AsyncEventSource.cpp.o
+Archiving .pioenvs/sthome-ut1/lib07a/libAsyncTCP-esphome.a
+Compiling .pioenvs/sthome-ut1/libce5/ESPAsyncWebServer-esphome/AsyncWebSocket.cpp.o
+Compiling .pioenvs/sthome-ut1/libce5/ESPAsyncWebServer-esphome/WebAuthentication.cpp.o
+Compiling .pioenvs/sthome-ut1/libce5/ESPAsyncWebServer-esphome/WebHandlers.cpp.o
+Compiling .pioenvs/sthome-ut1/libce5/ESPAsyncWebServer-esphome/WebRequest.cpp.o
+Compiling .pioenvs/sthome-ut1/libce5/ESPAsyncWebServer-esphome/WebResponses.cpp.o
+Compiling .pioenvs/sthome-ut1/libce5/ESPAsyncWebServer-esphome/WebServer.cpp.o
+Compiling .pioenvs/sthome-ut1/lib5e9/DNSServer/DNSServer.cpp.o
+Archiving .pioenvs/sthome-ut1/lib18f/libWiFi.a
+Archiving .pioenvs/sthome-ut1/lib6ca/libFS.a
+Compiling .pioenvs/sthome-ut1/lib3c3/ESPmDNS/ESPmDNS.cpp.o
+Archiving .pioenvs/sthome-ut1/libb83/libUpdate.a
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_core/ed25519/core_ed25519.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_core/ed25519/core_ristretto255.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_core/salsa/ref/core_salsa_ref.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_generichash/blake2b/generichash_blake2.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_generichash/blake2b/ref/blake2b-compress-avx2.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_generichash/blake2b/ref/blake2b-compress-ref.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_generichash/blake2b/ref/blake2b-compress-sse41.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_generichash/blake2b/ref/blake2b-compress-ssse3.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_generichash/blake2b/ref/blake2b-ref.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_generichash/blake2b/ref/generichash_blake2b.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_hash/crypto_hash.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_hash/sha256/cp/hash_sha256_cp.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_hash/sha256/hash_sha256.c.o
+Archiving .pioenvs/sthome-ut1/lib5e9/libDNSServer.a
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_hash/sha512/cp/hash_sha512_cp.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_hash/sha512/hash_sha512.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_onetimeauth/crypto_onetimeauth.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_onetimeauth/poly1305/onetimeauth_poly1305.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_pwhash/argon2/argon2-core.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_pwhash/argon2/argon2-encoding.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_pwhash/argon2/argon2-fill-block-avx2.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_pwhash/argon2/argon2-fill-block-avx512f.c.o
+Archiving .pioenvs/sthome-ut1/lib3c3/libESPmDNS.a
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_pwhash/argon2/argon2-fill-block-ref.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_pwhash/argon2/argon2-fill-block-ssse3.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_pwhash/argon2/argon2.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_pwhash/argon2/blake2b-long.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_pwhash/argon2/pwhash_argon2i.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_pwhash/argon2/pwhash_argon2id.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_scalarmult/crypto_scalarmult.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_scalarmult/curve25519/scalarmult_curve25519.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_sign/crypto_sign.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_sign/ed25519/ref10/keypair.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_sign/ed25519/ref10/obsolete.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_sign/ed25519/ref10/open.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_sign/ed25519/ref10/sign.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_sign/ed25519/sign_ed25519.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_stream/chacha20/ref/chacha20_ref.c.o
+Archiving .pioenvs/sthome-ut1/libce5/libESPAsyncWebServer-esphome.a
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_stream/chacha20/stream_chacha20.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_stream/crypto_stream.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_stream/salsa20/ref/salsa20_ref.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_stream/salsa20/stream_salsa20.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_stream/salsa20/xmm6/salsa20_xmm6-asm.S.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_stream/salsa20/xmm6/salsa20_xmm6.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_stream/salsa20/xmm6int/salsa20_xmm6int-avx2.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_stream/salsa20/xmm6int/salsa20_xmm6int-sse2.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/crypto_verify/sodium/verify.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/randombytes/internal/randombytes_internal_random.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/randombytes/randombytes.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/randombytes/sysrandom/randombytes_sysrandom.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/sodium/codecs.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/sodium/core.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/sodium/runtime.c.o
+Compiling .pioenvs/sthome-ut1/libf54/libsodium/sodium/utils.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/backend/openssl/cipher-aesgcm.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/backend/ref/cipher-aesgcm.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/backend/ref/cipher-chachapoly.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/backend/ref/dh-curve25519.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/backend/ref/hash-blake2b.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/backend/ref/hash-blake2s.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/backend/ref/hash-sha256.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/backend/sodium/cipher-aesgcm.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/backend/sodium/cipher-chachapoly.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/backend/sodium/dh-curve25519.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/backend/sodium/hash-blake2b.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/backend/sodium/hash-sha256.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/crypto/aes/rijndael-alg-fst.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/crypto/blake2/blake2b.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/crypto/blake2/blake2s.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/crypto/chacha/chacha.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/crypto/donna/curve25519-donna-c64.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/crypto/donna/curve25519-donna.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/crypto/donna/poly1305-donna.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/crypto/sha2/sha256.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/crypto/sha2/sha512.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/crypto/x25519/x25519.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/protocol/cipherstate.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/protocol/dhstate.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/protocol/errors.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/protocol/handshakestate.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/protocol/hashstate.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/protocol/internal.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/protocol/names.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/protocol/patterns.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/protocol/rand_os.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/protocol/rand_sodium.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/protocol/randstate.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/protocol/signstate.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/protocol/symmetricstate.c.o
+Compiling .pioenvs/sthome-ut1/libda9/noise-c/protocol/util.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/Esp.cpp.o
+Archiving .pioenvs/sthome-ut1/libda9/libnoise-c.a
+Archiving .pioenvs/sthome-ut1/libf54/libsodium.a
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/FirmwareMSC.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/FunctionalInterrupt.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/HWCDC.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/HardwareSerial.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/IPAddress.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/IPv6Address.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/MD5Builder.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/Print.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/Stream.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/StreamString.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/Tone.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/USB.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/USBCDC.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/USBMSC.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/WMath.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/WString.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/base64.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/cbuf.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-adc.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-bt.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-cpu.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-dac.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-gpio.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-i2c-slave.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-i2c.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-ledc.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-matrix.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-misc.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-psram.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-rgb-led.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-rmt.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-sigmadelta.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-spi.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-time.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-timer.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-tinyusb.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-touch.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/esp32-hal-uart.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/firmware_msc_fat.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/libb64/cdecode.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/libb64/cencode.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/main.cpp.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/stdlib_noniso.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/wiring_pulse.c.o
+Compiling .pioenvs/sthome-ut1/FrameworkArduino/wiring_shift.c.o
+Archiving .pioenvs/sthome-ut1/libFrameworkArduino.a
+Linking .pioenvs/sthome-ut1/firmware.elf
+RAM:   [=         ]  12.4% (used 40640 bytes from 327680 bytes)
+Flash: [=====     ]  49.5% (used 907665 bytes from 1835008 bytes)
+Building .pioenvs/sthome-ut1/firmware.bin
+Creating esp32 image...
+Successfully created esp32 image.
+esp32_create_combined_bin([".pioenvs/sthome-ut1/firmware.bin"], [".pioenvs/sthome-ut1/firmware.elf"])
+SHA digest in image updated
+Wrote 0xef020 bytes to file /config/.esphome/build/sthome-ut1/.pioenvs/sthome-ut1/firmware.factory.bin, ready to flash to offset 0x0
+esp32_copy_ota_bin([".pioenvs/sthome-ut1/firmware.bin"], [".pioenvs/sthome-ut1/firmware.elf"])
+========================= [SUCCESS] Took 32.39 seconds =========================
+INFO Successfully compiled program.
+INFO Resolving IP address of sthome-24g4.local in mDNS
+INFO Resolving IP address of sthome-24g4.local
+ERROR Error resolving IP address of sthome-24g4.local. Is it connected to WiFi?
+ERROR (If this error persists, please set a static IP address: https://esphome.io/components/wifi.html#manual-ips)
+ERROR Error resolving IP address: Error resolving address with mDNS: Did not respond. Maybe the device is offline., [Errno -2] Name or service not known
diff --git a/esphome/stacks/.env b/esphome/stacks/.env
new file mode 100644
index 0000000..f97db50
--- /dev/null
+++ b/esphome/stacks/.env
@@ -0,0 +1,15 @@
+#
+# values to be used for substitution by docker compose in compose.yml AND .*.env files
+#
+APPLICATION_NAME=esphome
+
+DOCKERDIR=/mnt/SSD1/docker/
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+PUID=3066
+PGID=3067
+DOMAINNAME=sthome.org
+WEBUI_PORT=6052
\ No newline at end of file
diff --git a/esphome/stacks/.esphome.env b/esphome/stacks/.esphome.env
new file mode 100644
index 0000000..031027b
--- /dev/null
+++ b/esphome/stacks/.esphome.env
@@ -0,0 +1,6 @@
+#
+# environment variables for emby
+# 
+PUID=${PUID}
+PGID=${PGID}
+TZ=Africa/Johannesburg
\ No newline at end of file
diff --git a/esphome/stacks/compose.yml b/esphome/stacks/compose.yml
new file mode 100644
index 0000000..9421298
--- /dev/null
+++ b/esphome/stacks/compose.yml
@@ -0,0 +1,62 @@
+name: esphome
+
+networks:
+  traefik-net:
+    external: true
+  mdns-net:
+    external: true
+
+services:
+  esphome:
+    hostname: esphome
+    image: esphome/esphome
+    env_file: .esphome.env
+    volumes:
+      - /var/run/dbus:/var/run/dbus
+      - /var/run/avahi-daemon/socket:/var/run/avahi-daemon/socket
+      - /etc/localtime:/etc/localtime:ro
+      - ${DATADIR}/config:/config
+    restart: unless-stopped
+    privileged: true
+    networks:
+      - traefik-net
+      - mdns-net
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-secureHeaders-redirect@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-secureHeaders@file"
+      # tls 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # apply tls options
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+#  avahi-tools:
+#    volumes:
+#      - /run/dbus:/var/run/dbus
+#      - /run/avahi-daemon:/var/run/avahi-daemon
+#    image: ahasbini/avahi-tools:latest
+#    command: avahi-publish-service -s truenas.sthome.org _ssh._tcp 2222
\ No newline at end of file
diff --git a/esphome/sthome-24g4-firmware.factory.bin b/esphome/sthome-24g4-firmware.factory.bin
new file mode 100644
index 0000000..ddbcea4
Binary files /dev/null and b/esphome/sthome-24g4-firmware.factory.bin differ
diff --git a/esphome/sthome-24g4.yaml b/esphome/sthome-24g4.yaml
new file mode 100644
index 0000000..ab1e680
--- /dev/null
+++ b/esphome/sthome-24g4.yaml
@@ -0,0 +1,47 @@
+esphome:
+  name: sthome-24g4
+  friendly_name: sthome-2.4G4
+
+esp32:
+  board: esp32dev
+  framework:
+    type: arduino
+
+# Enable logging
+logger:
+
+# Enable Home Assistant API
+api:
+  encryption:
+    key: "0Ki4j7JX8Y1IkMGh1fBBu2Dg6DgrnUq8GEXKZvkzeSY="
+
+ota:
+  - platform: esphome
+    password: "37f546590fcc15e1323d273540eb623a"
+
+wifi:
+#  ssid: !secret wifi_ssid
+#  password: !secret wifi_password
+# multiple Wifi SSIDs
+  networks:
+  - ssid: !secret wifi_ssid1
+    password: !secret wifi_password1
+  - ssid: !secret wifi_ssid2
+    password: !secret wifi_password2
+  - ssid: !secret wifi_ssid3
+    password: !secret wifi_password3
+  - ssid: !secret wifi_ssid4
+    password: !secret wifi_password4
+  manual_ip:
+    # Set this to the IP of the ESP
+    static_ip: 10.0.2.1
+    gateway: 10.0.0.2
+    subnet: 255.255.240.0
+    dns1: 10.0.0.1
+    dns2: 10.0.0.2
+  # Enable fallback hotspot (captive portal) in case wifi connection fails
+  ap:
+    ssid: "Sthome-24G4 Fallback Hotspot"
+    password: "7SglIlgdkpAD"
+
+captive_portal:
\ No newline at end of file
diff --git a/external/traefik-users/frigate.txt b/external/traefik-users/frigate.txt
index 2084684..9b7ffcc 100644
--- a/external/traefik-users/frigate.txt
+++ b/external/traefik-users/frigate.txt
@@ -2,4 +2,6 @@ admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
 chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
 Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
 home:$2y$05$VjkUjMGVdxMn3N/rMK8nBuh1jAUfezo8i4167enEg7i9Xl45cVQGi
-Home:$2y$05$JP8tB1nkPA8tbhEnhGV6teke.X87eFX4V9hi9qa2ArLISJ4Ksf2ca
\ No newline at end of file
+Home:$2y$05$JP8tB1nkPA8tbhEnhGV6teke.X87eFX4V9hi9qa2ArLISJ4Ksf2ca
+zelna:$2y$10$1OREtkEjjO0834TnxYAaWe2.N.gM4V01cOqDRRoEmG.SiiIvLsEk.
+Zelna:$2y$10$vgfcMmEB3L8nAReV4cUyw.BR7PAMIEmzNdeCpLNcHxvepul88InZ6
\ No newline at end of file
diff --git a/grafana/stacks/compose.yml b/grafana/stacks/compose.yml
index 1f9fbce..376ba4f 100644
--- a/grafana/stacks/compose.yml
+++ b/grafana/stacks/compose.yml
@@ -30,11 +30,11 @@ services:
       # HTTP Routers
       - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
       - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
-      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-redirect@file"
       - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
       - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
       - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
-      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders@file"
       - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
       - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
       - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
diff --git a/home-assistant/Alves C. Lua Programming. The Ultimate Beginner's Guide...Step by Step 3ed 2021/Alves C. Lua Programming. The Ultimate Beginner's Guide...Step by Step 3ed 2021.pdf b/home-assistant/Alves C. Lua Programming. The Ultimate Beginner's Guide...Step by Step 3ed 2021/Alves C. Lua Programming. The Ultimate Beginner's Guide...Step by Step 3ed 2021.pdf
new file mode 100644
index 0000000..9cf32f9
Binary files /dev/null and b/home-assistant/Alves C. Lua Programming. The Ultimate Beginner's Guide...Step by Step 3ed 2021/Alves C. Lua Programming. The Ultimate Beginner's Guide...Step by Step 3ed 2021.pdf differ
diff --git a/home-assistant/Alves C. Lua Programming. The Ultimate Beginner's Guide...Step by Step 3ed 2021/Coutinho C. Roblox Lua Scripting Essentials. A Step-by-Step Guide 2023.pdf b/home-assistant/Alves C. Lua Programming. The Ultimate Beginner's Guide...Step by Step 3ed 2021/Coutinho C. Roblox Lua Scripting Essentials. A Step-by-Step Guide 2023.pdf
new file mode 100644
index 0000000..132d7c9
Binary files /dev/null and b/home-assistant/Alves C. Lua Programming. The Ultimate Beginner's Guide...Step by Step 3ed 2021/Coutinho C. Roblox Lua Scripting Essentials. A Step-by-Step Guide 2023.pdf differ
diff --git a/home-assistant/Programming in Lua - 4th Edition/Programming in Lua - 4th Edition.epub b/home-assistant/Programming in Lua - 4th Edition/Programming in Lua - 4th Edition.epub
new file mode 100644
index 0000000..1d595d5
Binary files /dev/null and b/home-assistant/Programming in Lua - 4th Edition/Programming in Lua - 4th Edition.epub differ
diff --git a/home-assistant/Programming in Lua - 4th Edition/Programming in Lua - 4th Edition.mobi b/home-assistant/Programming in Lua - 4th Edition/Programming in Lua - 4th Edition.mobi
new file mode 100644
index 0000000..debaac1
Binary files /dev/null and b/home-assistant/Programming in Lua - 4th Edition/Programming in Lua - 4th Edition.mobi differ
diff --git a/home-assistant/Programming in Lua - 4th Edition/Programming in Lua - 4th Edition.pdf b/home-assistant/Programming in Lua - 4th Edition/Programming in Lua - 4th Edition.pdf
new file mode 100644
index 0000000..b88c1b2
Binary files /dev/null and b/home-assistant/Programming in Lua - 4th Edition/Programming in Lua - 4th Edition.pdf differ
diff --git a/home-assistant/home-automation.txt b/home-assistant/home-automation.txt
new file mode 100644
index 0000000..90c5a65
--- /dev/null
+++ b/home-assistant/home-automation.txt
@@ -0,0 +1 @@
+Video: https://www.youtube.com/watch?v=J_KblaAVE18&t=936s
diff --git a/home-assistant/stacks/.env b/home-assistant/stacks/.env
index bbe8634..db5dc86 100644
--- a/home-assistant/stacks/.env
+++ b/home-assistant/stacks/.env
@@ -1,8 +1,10 @@
 #
 # values to be used for substitution by docker compose in compose.yml AND .*.env files
 #
+DOMAINNAME=sthome.org
+
 APPLICATION_NAME=home-assistant 
-DOCKERDIR=/mnt/SSD1/docker/
+DOCKERDIR=/mnt/SSD1/docker
 MEDIADIR=/mnt/stpool1/NData1/Media
 DOWNLOADSDIR=/mnt/stpool1/Downloads
 
@@ -10,10 +12,12 @@ STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
 DATAROOT=${DOCKERDIR}/data
 DATADIR=${DATAROOT}/${APPLICATION_NAME}
 SECRETSDIR=${STACKSDIR}/secrets
-
-DOMAINNAME=sthome.org
 WEBUI_PORT=8123
 
+APP2_NAME=esphome
+APP2_DATADIR=${DATAROOT}/${APP2_NAME}
+APP2_WEBUI_PORT=6052
+
 #
 # Generate DB_PASSWORD with:
 # openssl rand 36 | base64 -w 0 > /mnt/SSD1/docker/stacks/home-assistant/secrets/home-assistant_postgresql_password
diff --git a/home-assistant/stacks/.esphome.env b/home-assistant/stacks/.esphome.env
new file mode 100644
index 0000000..f7e4dc8
--- /dev/null
+++ b/home-assistant/stacks/.esphome.env
@@ -0,0 +1,6 @@
+#
+# environment variables for emby
+# 
+PUID=3066
+PGID=3067
+TZ=Africa/Johannesburg
\ No newline at end of file
diff --git a/home-assistant/stacks/compose.yml b/home-assistant/stacks/compose.yml
index 36830f7..fb508e0 100644
--- a/home-assistant/stacks/compose.yml
+++ b/home-assistant/stacks/compose.yml
@@ -14,6 +14,8 @@ networks:
     external: true
   postgres-net:
     external: true
+  mdns-net:
+    external: true
 
 services:
   home-assistant:
@@ -29,47 +31,57 @@ services:
     networks:
       - traefik-net
       - postgres-net
+      - mdns-net
     depends_on:
       postgresql:
         condition: service_healthy
     labels:
       - traefik.enable=true
       - traefik.docker.network=traefik-net
-      # http middlewares
-      # ---------------------------
-      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
-      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/common.txt"
-      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"
-      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"
-      #
-      # http services
-      # -------------
       - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
-      #
-      # http routers
-      # ------------
-      # limit router to web ":80" entrypoint
       - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
-      # set match criteria for router
       - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
-      # attach middlewares to router
-      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
-      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-secureHeaders-redirect@file"
       - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
-      #
-      # limit router to websecure ":443" entrypoint
       - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
-      # set match criteria for router
       - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
-      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-secureHeaders@file"
       - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
-      # generate certificates using following certresolver
-      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
-      # attach middlewares to router
-      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
-      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
       - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
-
+#  esphome:
+#    hostname: esphome
+#    image: esphome/esphome
+#    env_file: .esphome.env
+#    volumes:
+#      - /etc/localtime:/etc/localtime:ro
+#      - ${APP2_DATADIR}/config:/config
+#    restart: unless-stopped
+#    privileged: true
+#    networks:
+#      - traefik-net
+#    labels:
+#      - traefik.enable=true
+#      - traefik.docker.network=traefik-net
+#      - "traefik.http.services.${APP2_NAME}-svc.loadbalancer.server.port=${APP2_WEBUI_PORT}"
+#      - "traefik.http.routers.${APP2_NAME}-rtr.entrypoints=web"
+#      - "traefik.http.routers.${APP2_NAME}-rtr.rule=Host(`${APP2_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+#      - "traefik.http.routers.${APP2_NAME}-rtr.middlewares=http-mw-secureHeaders-redirect@file"
+#      - "traefik.http.routers.${APP2_NAME}-rtr.service=${APP2_NAME}-svc"
+#      - "traefik.http.routers.${APP2_NAME}-secure-rtr.entrypoints=websecure"
+#      - "traefik.http.routers.${APP2_NAME}-secure-rtr.rule=Host(`${APP2_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+#      - "traefik.http.routers.${APP2_NAME}-secure-rtr.middlewares=http-mw-secureHeaders@file"
+#      - "traefik.http.routers.${APP2_NAME}-secure-rtr.tls=true"
+#      - "traefik.http.routers.${APP2_NAME}-secure-rtr.tls.options=tls-options@file"
+#      - "traefik.http.routers.${APP2_NAME}-secure-rtr.tls.certresolver=solver-dns"
+#      - "traefik.http.routers.${APP2_NAME}-secure-rtr.service=${APP2_NAME}-svc"
+#  avahi-tools:
+#    volumes:
+#      - /run/dbus:/var/run/dbus
+#      - /run/avahi-daemon:/var/run/avahi-daemon
+#    image: ahasbini/avahi-tools:latest
+#    command: avahi-publish-service -s truenas.sthome.org _ssh._tcp 2222
   postgresql:
     image: postgres:16-alpine
     hostname: "${APPLICATION_NAME}_postgresql"
diff --git a/kavita/stacks/compose.yml b/kavita/stacks/compose.yml
index 5a0c87b..eb96dcb 100644
--- a/kavita/stacks/compose.yml
+++ b/kavita/stacks/compose.yml
@@ -16,19 +16,12 @@ services:
       - traefik-net
     volumes:
       - "${DATADIR}/config:/config"
-      - "${MEDIADIR}/Books/manga:/manga"
-      - "${MEDIADIR}/Books/comics:/comics"
-      - "${MEDIADIR}/Books/ebooks:/ebooks"
+      - "${MEDIADIR}/Books:/books"
     restart: unless-stopped
     labels:
       - traefik.enable=true
       - traefik.docker.network=traefik-net
       #
-      # http middlewares
-      # ---------------------------
-      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"
-      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"
-      #
       # http services
       # -------------
       - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
@@ -40,7 +33,7 @@ services:
       # set match criteria for router
       - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
       # attach middlewares to router
-      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-secureHeaders-redirect@file"
       # assign svc target to router
       - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
       #
@@ -51,6 +44,8 @@ services:
       # set router to be dedicated to secure requests only for the host specified in match criteria 
       - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
       # generate certificates using following certresolver
-      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-secureHeaders@file"
       # assign svc target to router
       - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/mdns-reflector/stacks/.env b/mdns-reflector/stacks/.env
new file mode 100644
index 0000000..654268a
--- /dev/null
+++ b/mdns-reflector/stacks/.env
@@ -0,0 +1,2 @@
+
+MDNS_REFLECTOR_IP=10.0.2.254
\ No newline at end of file
diff --git a/mdns-reflector/stacks/.mdns-reflector.env b/mdns-reflector/stacks/.mdns-reflector.env
new file mode 100644
index 0000000..4a014be
--- /dev/null
+++ b/mdns-reflector/stacks/.mdns-reflector.env
@@ -0,0 +1,2 @@
+
+REFLECTOR_ENABLE_REFLECTOR="yes"
\ No newline at end of file
diff --git a/mdns-reflector/stacks/compose.yml b/mdns-reflector/stacks/compose.yml
new file mode 100644
index 0000000..f87489d
--- /dev/null
+++ b/mdns-reflector/stacks/compose.yml
@@ -0,0 +1,20 @@
+  # for containers requiring multi-cast dns, e.g. home-assistant, esphome, etc.
+  name: mdns-reflector
+
+  services:
+    mdns-reflector:
+      image: flungo/avahi:latest
+      env_file: .mdns-reflector.env
+      hostname: mdns-reflector
+      networks:
+        mdns-net: null
+        macvlan1:
+          ipv4_address: "${MDNS_REFLECTOR_IP}"
+      deploy:
+        replicas: 1
+  
+  networks:
+    mdns-net:
+      external: true
+    macvlan1:
+      external: true
diff --git a/networks/stacks/compose.yml b/networks/stacks/compose.yml
index 1d81869..58ececd 100644
--- a/networks/stacks/compose.yml
+++ b/networks/stacks/compose.yml
@@ -1,6 +1,21 @@
 
 name: networks
-
+services:
+  netbb:
+    image: busybox
+    hostname: netsvc2
+    networks:
+      - traefik-net
+      - postgres-net
+      - mariadb-net
+      - mysql-net
+      - authentik-net
+      - fireflyiii-net
+      - vaultwarden-net
+      - digikam-net
+      - macvlan0
+      - macvlan1
+      - mdns-net
 networks:
   macvlan0:
     name: macvlan0
@@ -13,7 +28,17 @@ networks:
       config:
         - subnet: 192.168.2.0/24 
           gateway: 192.168.2.1
-      
+  macvlan1:
+    name: macvlan1
+    driver: macvlan
+    driver_opts:
+      parent: enp7s0
+      com.docker.network.macvlan.mode: bridge
+      com.docker.network.bridge.name: "br-localnet"
+    ipam:
+      config:
+        - subnet: 10.0.0.0/20
+          gateway: 10.0.0.2
   traefik-net:
     name: traefik-net
     attachable: true
@@ -66,21 +91,13 @@ networks:
     internal: true
     driver_opts:
       com.docker.network.bridge.name: "br-digikam"
-      
-services:
-  netbb:
-    image: busybox
-    hostname: netsvc2
-    networks:
-      - traefik-net
-      - postgres-net
-      - mariadb-net
-      - mysql-net
-      - authentik-net
-      - fireflyiii-net
-      - vaultwarden-net
-      - digikam-net
-      - macvlan0
+  mdns-net:
+    name: mdns-net
+    driver: bridge
+    internal: true
+    driver_opts:
+      com.docker.network.bridge.name: "br-mdns"      
+
 
 
 
diff --git a/wg-easy/stacks/.env b/wg-easy/stacks/.env
index 8bb05f5..4e3adab 100644
--- a/wg-easy/stacks/.env
+++ b/wg-easy/stacks/.env
@@ -28,7 +28,7 @@ WG_HOST=vpn.sthome.org
 PASSWORD_HASH=$$2a$$12$$S9vnQ5EtnaXhsjpMLUNR0eervb/Koooa26VrzAjjIGbWRpxuHUenS # NB: the single quotes around the hash should be removed, hint = a
 
 WG_DEFAULT_ADDRESS=10.8.0.x
-WG_DEFAULT_DNS=192.168.2.1, 10.0.0.1, 1.1.1.1
+WG_DEFAULT_DNS=10.0.0.1, 1.1.1.1
 WG_ALLOWED_IPS=0.0.0.0/0, ::/0 
 WG_PERSISTENT_KEEPALIVE=25