commit d067d5f1f7e42fafd0c304a27ddaa99a87a3d076
Author: Chris <stuurmcp@telkomsa.net>
Date:   Thu Apr 3 22:57:52 2025 +0200

    first commit

diff --git a/.static-ips.yml b/.static-ips.yml
new file mode 100644
index 0000000..084b3ba
--- /dev/null
+++ b/.static-ips.yml
@@ -0,0 +1,18 @@
+# we use the last 256 block of ipv4 addresses in the traefik subnet to reserve some static ips
+# use this file to manage the static ips used in the different compose.yml files
+
+# range that we will use for static ips is 10.255.239.0/24
+gluetun-arr:        10.255.239.1
+gluetun-bw:         10.255.239.2
+gluetun-qb:         10.255.239.3
+plex:               10.255.239.20
+tautulli:           10.255.239.21
+overseerr:          10.255.239.22
+firefly:            10.255.239.30
+firefly-importer:   10.255.239.31
+
+# we use macvlan0 to connect to the local lan network. This lan has no internet access, so we can attach containers directly to it.
+# the range that we will use for static ips is 192.168.2.240 to 192.168.2.254, i.e. 192.168.2.240/28 
+# 192.168.2.240/28 range is excluded for DHCP on the DHCP server, so we can use it for static ips
+# the range for the local lan network is 192.168.2.0/24
+syncthing:         192.168.2.241
diff --git a/audiobookshelf/audiobookshelf_jm.txt b/audiobookshelf/audiobookshelf_jm.txt
new file mode 100644
index 0000000..381f39c
--- /dev/null
+++ b/audiobookshelf/audiobookshelf_jm.txt
@@ -0,0 +1,59 @@
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: audbkshelf
+Username: audbkshelf
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <unselect>
+Primary Group: media
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+audbkshelf UID: 3030
+audbkshelf GID: 3029
+
+Once off
+--------
+# if not done already: 
+# add mapping for media: follow steps in "add mapping for media.txt"
+# set ACL permissions for media in "set ACL permissions for media.txt"
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*audiobookshelf"
+# create following datasets if not present
+zfs create SSD1/docker/data/audiobookshelf
+zfs create SSD1/docker/data/audiobookshelf/appdata
+zfs create SSD1/docker/data/audiobookshelf/config
+chown -R audbkshelf:audbkshelf /mnt/SSD1/docker/data/audiobookshelf
+
+Create folder
+-------------
+mkdir /mnt/SSD1/docker/stacks/audiobookshelf
+
+Migrating data from old audiobookshelf (source) to newly installed one (target)
+------------------------------------------------------------------------
+# stop old/source audiobookshelf media server
+heavyscript app --stop audiobookshelf
+# verify on Truenas -> Apps that audiobookshelf has stopped
+# stop new/target audiobookshelf media server (if it was started)
+# on Dockge, select audiobookshelf and click stop
+# copy the source to target folder:
+cp -pr /mnt/stpool1/apps/audiobookshelf/. /mnt/SSD1/docker/data/audiobookshelf/config/
+cp -pr /mnt/stpool1/appdata/audiobookshelf/. /mnt/SSD1/docker/data/audiobookshelf/appdata/
+chown -R audbkshelf:audbkshelf /mnt/SSD1/docker/data/audiobookshelf
+
+Copy folder to docker stacks
+----------------------------
+In Windows cmd shell in audiobookshelf parent (apps) folder, enter:
+./cp2nas 10.0.0.20 audiobookshelf
+# or
+pscp -P 22 -r audiobookshelf/stacks/*.* root@10.0.0.20:/mnt/SSD1/docker/stacks/audiobookshelf/
+
+
+
diff --git a/audiobookshelf/cp2nas.ps1 b/audiobookshelf/cp2nas.ps1
new file mode 100644
index 0000000..95f96af
--- /dev/null
+++ b/audiobookshelf/cp2nas.ps1
@@ -0,0 +1,94 @@
+############### MAIN ###############
+# main function
+#
+$Main =
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        [Parameter(Mandatory=$false)]
+        [string[]] $apps
+    )
+    $applist=[System.Collections.Generic.List[object]]::new()
+    If($PSBoundParameters.ContainsKey("apps")) {
+        foreach ($appname in $apps)
+        {
+            if ($appname.Contains('*')) {
+                $wclist=Get-ChildItem $appname -Directory |  ForEach-Object { $_.Name }
+                # if wildcard is specified, we only add folders with a 'stacks' subfolder
+                foreach ($wcname in $wclist) {
+                    if ((Test-Path -Path "$wcname\stacks")) {
+                        $applist.Add($wcname)
+                     }
+                }
+            }
+            else {
+                # here we don't have to check for a 'stacks' subfolder as the user specified appname explicitly
+                $applist.Add($appname)
+            }
+        }
+        # remove duplicates
+        $uniqlist=$applist | Sort-Object -Unique
+        foreach ($appname in $uniqlist)
+        {
+            copyfolder $destHost $appname "$appname\"
+        }
+    }
+    else {
+        # we're in the app subfolder, so only one stacks folder to copy
+        $appname="$pwd".Split("\\")[-1]
+        copyfolder $destHost  $appname ".\"
+    }
+}
+
+#######################################################################
+# copies specified app's stacks and traefik-rules subfolders to truenas
+# 
+Function copyfolder
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $appname,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $srcdir
+    )
+    $srcStacksDir=$srcdir+"stacks"
+    $srcTraefikRulesDir=$srcdir+"traefik-rules"
+    if (-Not(Test-Path -Path $srcStacksDir)) {
+        Write-Host "Source path doesn't exist: ""$PSScriptRoot\$srcStacksDir\*.*"". No files copied!"  -ForegroundColor Red
+        Write-Host "Usage: in app folder       : ./cp2nas DEST|IP"
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP app1, app2, app3, ..."
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP *"
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP wcstring1, wcstring2, ..."
+        return
+    }
+    $destStacks="/mnt/SSD1/docker/stacks/"
+    $destDir=$destStacks+$appname+"/"
+    $destTraefikRulesDir=$destStacks+"traefik/rules/"
+    $date=Get-Date -format "yyyy-MM-ddTHH:mm:ss"
+    Write-Host "$date# pscp -P 22 -r ""$srcStacksDir\*.*"" root@${destHost}:""${destDir}""" -ForegroundColor Green
+    Write-Host "Copying to ${destHost}:""${destStacks}" -NoNewline 
+    Write-Host "${appname}/" -ForegroundColor DarkYellow  -NoNewline 
+    Write-Host """:"
+    pscp -P 22 -r "$srcStacksDir\*.*" root@${destHost}:""${destDir}""
+    if ((Test-Path -Path "$srcTraefikRulesDir")) {
+        Write-Host "$date# pscp -P 22 -r ""$srcTraefikRulesDir\*.*"" root@${destHost}:""${destTraefikRulesDir}""" -ForegroundColor Green
+        Write-Host "Copying to ${destHost}:""${destStacks}" -NoNewline 
+        Write-Host "traefik/rules/" -ForegroundColor DarkYellow  -NoNewline 
+        Write-Host """:"
+        pscp -P 22 -r "$srcTraefikRulesDir\*.*" root@${destHost}:""${destTraefikRulesDir}""
+    }
+}
+
+###################################
+& $Main @Args
\ No newline at end of file
diff --git a/audiobookshelf/stacks/.audiobookshelf.env b/audiobookshelf/stacks/.audiobookshelf.env
new file mode 100644
index 0000000..7bc736b
--- /dev/null
+++ b/audiobookshelf/stacks/.audiobookshelf.env
@@ -0,0 +1,16 @@
+# https://www.audiobookshelf.org/docs/#env-configuration
+
+PUID=${PUID}
+PGID=${MEDIA_GID}  # we assign media gid to process gid to enable to access media folders
+TZ=${TZ}
+
+#CONFIG_PATH=/config
+#METADATA_PATH=/metadata
+#FFMPEG_PATH=/usr/bin/ffmpeg
+#FFPROBE_PATH=/usr/bin/ffprobe
+#TONE_PATH=/usr/local/bin/tone
+#HOST=
+#PORT=
+#TOKEN_SECRET=
+SOURCE=docker
+
diff --git a/audiobookshelf/stacks/.env b/audiobookshelf/stacks/.env
new file mode 100644
index 0000000..e3ea791
--- /dev/null
+++ b/audiobookshelf/stacks/.env
@@ -0,0 +1,20 @@
+
+APPLICATION_NAME=audiobookshelf
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+CT_DOWNLOADS=/Downloads
+CT_MEDIA=/Media
+DOMAINNAME=sthome.org
+
+PUID=3030
+PGID=3029 
+MEDIA_GID=3017
+
+TZ=Africa/Johannesburg
+
+WEBUI_PORT=80
+
diff --git a/audiobookshelf/stacks/compose.yml b/audiobookshelf/stacks/compose.yml
new file mode 100644
index 0000000..a0b690b
--- /dev/null
+++ b/audiobookshelf/stacks/compose.yml
@@ -0,0 +1,54 @@
+name: audiobookshelf
+
+networks:
+  traefik-net:
+    external: true
+
+services:
+  audiobookshelf:
+    image: ghcr.io/advplyr/audiobookshelf:latest
+    env_file: .audiobookshelf.env
+    hostname: audiobookshelf
+    group_add:
+      - "${PGID}" 
+    networks:
+      - traefik-net
+    volumes:
+      - "${DATADIR}/config:/config"
+      - "${DATADIR}/appdata:/metadata"
+      - "${MEDIADIR}/Books/audiobooks:/audiobooks"
+      - "${MEDIADIR}/Podcasts:/podcasts"
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik-net"
+       #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=middlewares-https-redirectScheme@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=chain-no-auth@file"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # apply tls options
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-opts@file"
+      # generate certificates using certresolver specified
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/authentik/README.md b/authentik/README.md
new file mode 100644
index 0000000..14c0352
--- /dev/null
+++ b/authentik/README.md
@@ -0,0 +1,902 @@
+#Source https://github.com/brokenscripts/authentik_traefik/tree/traefik3?tab=readme-ov-file
+
+# Authentik 2024+ and Traefik 3.x  
+
+**Ensure all `CHANGEME` and `domain.tld` values are changed to match YOUR environment!**  
+
+Important changes: Traefik 2.x write up has been renamed from the `main` branch to `traefik2`.  Traefik 3.x and Authentik 2024.x now reside on the `traefik3` branch, which will be the default branch.  
+
+--- 
+
+# Overview  
+This guide assumes that there is a working Traefik v3.x+ running and that the Traefik network is called traefik. I will also be using the embedded outpost instead of a standalone proxy outpost container.
+
+Additionally, I am **NOT** allowing Authentik to view the Docker socket (`/var/run/docker.sock`) and auto create providers.  
+
+If you want to learn more on how to setup Traefik or just some more detailed explanation, visit Anand and Smart Home Beginner at https://www.smarthomebeginner.com/.  
+
+My folder / repo structure is weird because this is a condensed version of what I have running.  I did not want to leave dead links or bad configurations, so modify to your environment.  
+
+Authentik is heavier on resources than Authelia, but it is pretty neat!  
+
+# DNS Records  
+Ensure that a DNS record exists for `authentik.domain.tld` as the compose and all material here assumes that will be the record name.  This is the bare minimum requirement!  
+
+I highly recommend Pi-hole https://pi-hole.net/ for your domain!  
+
+Records that are used in this example:  
+  - `traefik.domain.tld` - Traefik 3.x Dashboard  
+  - `authentik.domain.tld` - Authentik WebUI  
+  - `whoami-individual.domain.tld` - WhoAmI using Authentik middleware - Individual Provider  
+  - `whoami-catchall.domain.tld` - WhoAmI using Authentik middleware - Domain Wide Catch All
+  - `whoami.domain.tld` - WhoAmI no authentik middleware  
+
+The way I have my records in Pi-hole setup, since all of these are containers:  
+
+**DNS Records**  
+| Domain | IP |  
+| ------ | -- |  
+| traefik.domain.tld | 192.168.1.26 |  
+
+This IP is the host that my containers are running on.  
+
+**CNAME Records**  
+| Domain | Target |  
+| ------ | -- |  
+| authentik.domain.tld | traefik.domain.tld |  
+| whoami-individual.domain.tld | traefik.domain.tld |  
+| whoami-catchall.domain.tld | traefik.domain.tld |  
+| whoami.domain.tld | traefik.domain.tld |  
+
+# Docker Compose setup for Authentik  
+Authentik's developer has an initial docker compose setup guide and `docker-compose.yml` located at:  
+> [!NOTE]  
+> https://goauthentik.io/docs/installation/docker-compose  
+> https://goauthentik.io/docker-compose.yml  
+
+In order for the forwardAuth to make sense, I've modified the provided docker-compose.yml and added the appropriate Traefik labels. I am also using docker secrets in order to protect sensitive information.  
+
+> [!NOTE]  
+> I am using "fake" docker secrets and binding them into the compose instead of saving sensitive data in environment variables. You can remove the secrets section and work with regular environment variables if that makes more sense for your environment. This is strictly a working example, hopefully with enough documentation to help anyone else that might be stuck.  
+
+First create an environment variable file `.env` in the same directory as the `compose.yaml` with the following information, ensuring to update everywhere that has a ***CHANGEME*** to match your environment. If you want, these values can all be manually coded into the `compose.yaml` instead of having a separate file.  
+ 
+## Environment Variables File  
+Check [.env](./my-compose/.env) for the latest version of the contents below.  
+<details>  
+
+<summary>.env</summary>  
+
+```bash
+################################################################
+# .env
+# When both env_file and environment are set for a service, values set by environment have precedence.
+# https://docs.docker.com/compose/environment-variables/envvars-precedence/
+#
+# CANNOT MIX ARRAYS (KEY: VAL) AND MAPS (KEY=VAL)
+# Ex: Cannot have .ENV var as TZ=US and then a var here as DB_ENGINE: sqlite, has to be DB_ENGINE=sqlite
+# Otherwise unexpected type map[string]interface {} occurs
+# https://github.com/docker/compose/issues/11567
+#
+################################################################
+DOCKERDIR=/home/CHANGEME/docker
+PUID=1100
+PGID=1100
+TZ=America/Chicago
+DOMAINNAME=domain.tld
+
+################################################################  
+#################### Traefik 3 - June 2024 #####################
+# Cloudflare IPs (IPv4 and/or IPv6): https://www.cloudflare.com/ips/
+################################################################  
+CLOUDFLARE_IPS=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22
+LOCAL_IPS=127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
+#CLOUDFLARE_EMAIL= # Moved to Docker Secrets
+#CLOUDFLARE_API_KEY= # Moved to Docker Secrets
+
+################################################################  
+# Authentik (https://docs.goauthentik.io/docs/)
+# Environment Variables (https://docs.goauthentik.io/docs/installation/configuration)
+################################################################  
+POSTGRES_PASSWORD_FILE=/run/secrets/authentik_postgresql_password
+#POSTGRES_USER_FILE=/run/secrets/authentik_postgresql_user
+POSTGRES_USER_FILE=/run/secrets/authentik_postgresql_db
+POSTGRES_DB_FILE=/run/secrets/authentik_postgresql_db
+AUTHENTIK_REDIS__HOST=authentik_redis
+AUTHENTIK_POSTGRESQL__HOST=authentik_postgresql
+AUTHENTIK_POSTGRESQL__NAME=file:///run/secrets/authentik_postgresql_db
+#AUTHENTIK_POSTGRESQL__USER=file:///run/secrets/authentik_postgresql_user
+AUTHENTIK_POSTGRESQL__USER=file:///run/secrets/authentik_postgresql_db
+AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/authentik_postgresql_password
+AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
+AUTHENTIK_DISABLE_UPDATE_CHECK=false
+AUTHENTIK_ERROR_REPORTING__ENABLED=false
+AUTHENTIK_LOG_LEVEL=info # debug, info, warning, error, trace
+AUTHENTIK_SECRET_KEY=file:///run/secrets/authentik_secret_key # openssl rand 60 | base64 -w 0
+AUTHENTIK_COOKIE_DOMAIN=${DOMAINNAME}
+# AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: CHANGEME_IFAPPLICABLE # Defaults to all of: 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fe80::/10, ::1/128
+DOCKER_HOST: tcp://socket-proxy:2375 # Use this if you have Socket Proxy enabled.
+AUTHENTIK_EMAIL__HOST=smtp.gmail.com
+AUTHENTIK_EMAIL__PORT=587
+AUTHENTIK_EMAIL__USERNAME=file:///run/secrets/gmail_smtp_username
+AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/gmail_smtp_password
+AUTHENTIK_EMAIL__USE_TLS=false
+AUTHENTIK_EMAIL__USE_SSL=false
+AUTHENTIK_EMAIL__TIMEOUT=10
+AUTHENTIK_EMAIL__FROM=file:///run/secrets/gmail_smtp_username
+
+################################################################  
+# GeoIP ( https://github.com/maxmind/geoipupdate)  
+# Environment Variables (https://github.com/maxmind/geoipupdate/blob/main/doc/docker.md)  
+################################################################  
+GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" # Space seperated 
+GEOIPUPDATE_FREQUENCY=8 # Frequency to check for updates, in hours
+GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_account_id
+GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key
+```
+
+</details>  
+
+---  
+
+## Compose File  
+I really like how Anand did his `compose.yaml` file to be a stack of includes for cleaner organization.  
+
+[compose.yaml](./my-compose/compose.yaml) - Defines the base networks, secrets, and other compose files below to include when ran.  
+  - [Authentik](./my-compose/authentik/compose.yaml)  
+  - [socket-proxy](./my-compose/socket-proxy/compose.yaml)  
+  - [traefik 3.x](./my-compose/traefik/compose.yaml)  
+  - [whoami](./my-compose/whoami/compose.yaml)  
+
+The 2 other `whoami` containers are inside of the Authentik compose since they are examples, strictly for demonstration and then removed.  
+
+## Docker Secrets  
+The following secrets (defined in the base compose.yaml need to be created)  
+
+I recommend you create secrets with the following syntax:  
+```bash
+echo -n 'VALUE_CHANGEME' > SECRET_NAME_CHANGEME
+```
+
+Check out Traefik's info at https://doc.traefik.io/traefik/https/acme/#providers.  Cloudflare Specific information: https://go-acme.github.io/lego/dns/cloudflare/  
+- `cf_email`  
+- `cf_dns_api_token`  
+  ```bash
+  echo -n 'CHANGEME@gmail.com' > cf_email
+  echo -n 'CHANGEME-LONGAPI-CHANGEME' > cf_dns_api_token
+  ```
+
+Authentik specific (https://docs.goauthentik.io/docs/installation/docker-compose#preparation)  
+- `authentik_postgresql_db`  
+- `authentik_postgresql_user`  
+- `authentik_postgresql_password`  
+- `authentik_secret_key`  
+  ```bash
+  echo -n 'authentik_db' > authentik_postgresql_db
+  echo -n 'authentik_user' > authentik_postgresql_user
+  openssl rand 36 | base64 -w 0 > authentik_postgresql_password
+  openssl rand 60 | base64 -w 0 > authentik_secret_key
+  ```
+
+Create a gmail account and input the info.  
+- `gmail_smtp_username`  
+- `gmail_smtp_password`  
+  ```bash
+  echo -n 'CHANGEME@gmail.com' > gmail_smtp_username
+  echo -n 'CHANGEME' > gmail_smtp_password
+  ```
+
+Go to https://dev.maxmind.com/geoip/geolite2-free-geolocation-data in order to generate a free license key (https://www.maxmind.com/en/accounts/current/license-key) for use.  
+- `geoip_account_id`  
+- `geoip_license_key`  
+  ```bash
+  echo -n 'CHANGEME' > geoip_account_id
+  echo -n 'CHANGEME' > geoip_license_key
+  ```
+
+---  
+
+# Traefik Setup  
+## Configuration  
+I like having Traefik's configuration in a file, it makes more sense to me compared to passing a ton of command arguments in the compose.  
+- [./appdata/traefik/config/traefik.yaml](./appdata/traefik/config/traefik.yaml)  
+
+<details>
+
+<summary>traefik.yaml</summary>  
+
+```yaml
+# Traefik 3.x (YAML)
+# Updated 2024-June-04
+
+################################################################
+# Global configuration - https://doc.traefik.io/traefik/reference/static-configuration/file/
+################################################################
+global:
+  checkNewVersion: false
+  sendAnonymousUsage: false
+
+################################################################
+# Entrypoints - https://doc.traefik.io/traefik/routing/entrypoints/
+################################################################
+entryPoints:
+  web:
+    address: ":80"
+    # Global HTTP to HTTPS redirection
+    http:
+      redirections:
+        entrypoint:
+          to: websecure
+          scheme: https
+
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        options: tls-opts@file
+        certResolver: le
+        domains:
+          - main: "domain.tld"
+            sans:
+              - "*.domain.tld"
+    forwardedHeaders:
+      trustedIPs:
+        # Cloudflare (https://www.cloudflare.com/ips-v4)
+        - "173.245.48.0/20"
+        - "103.21.244.0/22"
+        - "103.22.200.0/22"
+        - "103.31.4.0/22"
+        - "141.101.64.0/18"
+        - "108.162.192.0/18"
+        - "190.93.240.0/20"
+        - "188.114.96.0/20"
+        - "197.234.240.0/22"
+        - "198.41.128.0/17"
+        - "162.158.0.0/15"
+        - "104.16.0.0/13"
+        - "104.24.0.0/14"
+        - "172.64.0.0/13"
+        - "131.0.72.0/22"
+        # Local IPs
+        - "127.0.0.1/32"
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"
+
+################################################################
+# Logs - https://doc.traefik.io/traefik/observability/logs/
+################################################################
+log:
+  level: INFO # Options: DEBUG, PANIC, FATAL, ERROR (Default), WARN, and INFO
+  filePath: /logs/traefik-container.log # Default is to STDOUT
+  # format: json # Uses text format (common) by default
+  noColor: false # Recommended to be true when using common
+  maxSize: 100 # In megabytes
+  compress: true # gzip compression when rotating
+
+################################################################
+# Access logs - https://doc.traefik.io/traefik/observability/access-logs/
+################################################################
+accessLog:
+  addInternals: true  # things like ping@internal
+  filePath: /logs/traefik-access.log # In the Common Log Format (CLF) by default
+  bufferingSize: 100 # Number of log lines
+  fields:
+    names:
+      StartUTC: drop  # Write logs in Container Local Time instead of UTC
+  filters:
+    statusCodes:
+      - "204-299"
+      - "400-499"
+      - "500-599"
+
+################################################################
+# API and Dashboard
+################################################################
+api:
+  dashboard: true
+  # Rely on api@internal and Traefik with Middleware to control access
+  # insecure: true
+
+################################################################
+# Providers - https://doc.traefik.io/traefik/providers/docker/
+################################################################
+providers:
+  docker:
+    #endpoint: "unix:///var/run/docker.sock" # Comment if using socket-proxy
+    endpoint: "tcp://socket-proxy:2375" # Uncomment if using socket proxy
+    exposedByDefault: false
+    network: traefik  # network to use for connections to all containers
+    # defaultRule: TODO
+
+  # Enable auto loading of newly created rules by watching a directory
+  file:
+  # Apps, LoadBalancers, TLS Options, Middlewares, Middleware Chains
+    directory: /rules
+    watch: true
+
+################################################################
+# Let's Encrypt (ACME)
+################################################################
+certificatesResolvers:
+  le:
+    acme:
+      email: "CHANGEME@gmail.com"
+      storage: "/data/acme.json"
+      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
+      dnsChallenge:
+        provider: cloudflare
+        #delayBeforeCheck: 30 # Default is 2m0s.  This changes the delay (in seconds)
+        # Custom DNS server resolution
+        resolvers:
+          - "1.1.1.1:53"
+          - "8.8.8.8:53"
+```
+
+</details>
+
+
+## acme.json  
+When traefik comes up and authenticates with Let's Encrypt a `acme.json` will be created at  
+- `./appdata/traefik/data/acme.json`  
+
+## Rules / Middleware Preparation  
+I've included several of the `rules` I use in my own setup located at  
+- [./appdata/traefik/rules](./appdata/traefik/rules/)  
+
+> [!NOTE]
+> The one that makes Authentik work is `middlewares-authentik.yaml` OR `forwardAuth-authentik.yaml`.  They are the exact same thing, but you can decide which name makes more sense to use.  In the `compose.yaml` I am using `middlewares-authentik`, but to me it makes more sense to use `forwardAuth-authentik` so when you are reading the traefik label's you know what it is supposed to do.  Your choice.  
+
+Traefik is already proxying the connections to the Authentik container/service. Additional middleware rules and an embedded outpost must be configured to enable authentication with Authentik through Traefik, `forwardAuth`.  
+
+In order to setup `forwardAuth` at a minimum, Traefik requires a **declaration**. Authentik provides an example, but in accordance with the `compose.yaml` the values below should make more sense.  
+
+<details>  
+
+<summary>middlewares-authentik.yaml</summary>  
+
+```yaml
+################################################################
+# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
+# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
+# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
+#
+# Dynamic configuration
+################################################################
+http:
+  middlewares:
+    ################################################################
+    # Forward Authentication - OAUTH / 2FA
+    ################################################################
+    #
+    # https://github.com/goauthentik/authentik/issues/2366
+    forwardAuth-authentik:
+      forwardAuth:
+        address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-groups
+          - X-authentik-email
+          - X-authentik-name
+          - X-authentik-uid
+          - X-authentik-jwt
+          - X-authentik-meta-jwks
+          - X-authentik-meta-outpost
+          - X-authentik-meta-provider
+          - X-authentik-meta-app
+          - X-authentik-meta-version
+```
+
+</details>  
+
+The Forward Authentication **WILL NOT** work unless the middleware is enabled.
+
+> [!WARNING]  
+> "Priority based on rule length" Authentik generates the priority for authentication based on rule length (Traefik label). This means if you have a rule (Traefik label) for Authentik to listen on multiple host names with `OR, ||` statements, it will have a higher priority than the embedded outpost. Refer to [goauthentik/authentik#2180](https://github.com/goauthentik/authentik/issues/2180) about setting the priority for the embedded outpost.
+
+
+# Bringing the Stack Online  
+Time to start up the stack and begin configuration.  Ensure this command is ran from the same directory as `compose.yaml`.  
+```bash
+docker compose up -d
+```  
+
+---  
+
+
+# Authentik Setup  
+Because Authentik uses cookies, I recommend using Incognito for each piece of testing, so you don't have to clear cookies every time or when something is setup incorrectly.  
+
+> [!WARNING]  
+> **While using a container behind Authentik, it prompts for authentication, and then flashes but doesn't load.  This generally indicates cookies are messing up  the loading.  So use INCOGNITO**.  
+
+
+## Initial Setup  
+With Authentik being reverse proxied through Traefik and the middleware showing as enabled in Traefik's dashboard, then configuration of Authentik can begin.  
+
+1. Navigate to Authentik at `https://authentik.domain.tld/if/flow/initial-setup/`  
+2. Login to Authentik to begin setup.  
+
+> [!NOTE]
+> If this is the first time logging in you will have to set the password for `akadmin` (default user).  If establishing the default credentials ***fails*** - the setup is not working correctly.  
+
+![Authentik-Initial-Setup](./images/setup.png)  
+
+The default user is `akadmin`, which is a super user.  This initial setup will setup the Super User's email and Password.  You will change the username FROM `akadmin` to whatever you want.  
+
+The first screen you'll see after setting the password and email is:  
+![First-Screen](./images/firstscreen.png)  
+
+## (Optional) Change `akadmin` username  
+You can change the username from `akadmin` to whatever.  
+In the `Admin Interface` go to 
+1. Directory 
+2. Users 
+3. Click on **Edit** beside `akadmin`  
+
+![edit-admin-name](./images/edit_admin_name.png)  
+
+![name-change](./images/name_change.png)  
+
+---
+
+## (Information) Error Screen before Provider and Application  
+I think this is important for anyone that attempts to set this up.  
+
+If you attempt to navigate to a page that IS using Authentik's forwardAuth middleware but haven't finished setting up a provider and application (individual or domain wide catch all) then you will see a screen like this:  
+![error-before-setup](./images/error_before_setup.png)  
+
+---  
+
+## Applications / Providers  
+In the current version, for this documentation `2024.6.0`, Authentik now includes a Wizard to aid with setting up a Application and Provider instead of manually doing it.  
+
+I am going to set up my `Individual Application` manually and the `Domain Wide / Catch All` using the Wizard.  ONLY to show how you can do either method, both work!  
+
+> [!NOTE]
+> I am using the embedded outpost.  The embedded outpost requires version `2021.8.1` or newer. This prevents needing the seperate Forward Auth / Proxy Provider container.
+
+> [!WARNING]
+> Individual applications have a higher priority than the catch all, so you can set up both!
+
+### Domain Wide / Catch All (forwardAuth) using the Wizard  
+In order for this to "Catch All" you must set a traefik middleware on each service.  Look inside the `compose.yaml`.  This specific snippet is from the `whoami-individual` service inside the `authentik/compose.yaml`:  
+
+Specifically the `middlewares-authentik@file"` line.  
+```yaml
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.whoami-individual-rtr.rule=Host(`whoami-individual.${DOMAINNAME}`)"
+      ## Middlewares
+      - "traefik.http.routers.whoami-individual-rtr.middlewares=middlewares-authentik@file"
+```
+
+Navigate to: 
+1. Applications  
+2. Applications  
+3. "Create with Wizard"  
+![app-page](./images/applications_page.png)  
+
+#### Wizard Page 1 - "Application Details"  
+- Name: `Domain Wide Forward Auth Catch All`  
+- Slug: `domain-wide-forward-auth-catch-all`  
+- Group: `empty`  
+- Policy Engine Mode: `any`  
+- UI Settings:
+  - Launch URL: `empty`  
+  _Do NOT put anything in the Launch URL, it needs to autodetect since it's the catch all rule_  
+  - Open in new tab: `unchecked`  
+
+![Catch-All-P1](./images/catch_all_p1.png)  
+
+#### Wizard Page 2 - "Provider Type"  
+- Forward Auth (Domain Level)  
+  _Notice the blue highlight underneath showing the selection!_  
+
+![catch-all-p2](./images/catch_all_p2.png)  
+
+#### Wizard Page 3 - "Provider Configuration"  
+- Name: `Provider for Domain Wide Forward Auth Catch All`  
+- Authentication Flow: `empty`  
+  _This is user choice, I recommend getting the basics setup and THEN modifying authentication flow for the catch all_  
+- Authorization Flow: `default-provider-authorization-explicit-consent (Authorize Application)`  
+  _Explicit requires user interaction aka clicking a button to continue versus implicit which is just trust_  
+- External Host: `https://authentik.domain.tld`  
+- Cookie Domain: `domain.tld`  
+- Token Validity: `hours=24`  
+![catch-all-p3](./images/catch_all_p3.png)  
+
+When all is done, you should have success.  If not, carefully review the previous settings.  You most likely forgot `https://` in front of `authentik.domain.tld`  
+![wizard-success](./images/wizard_success.png)  
+
+#### Embedded Outpost (Domain Wide)  
+Navigate to the Outposts screen and edit the Embedded Outpost:  
+1. Applications
+2. Outposts  
+3. Edit the Embedded Outpost  
+
+![edit-embed](./images/edit_embed.png)  
+
+Notice how the above picture has `Providers` empty?  
+
+Update the Outpost to have the `Domain Wide Forward Auth Catch All` in `Selected Applications`  
+
+***BEFORE Adding***  
+![before-add](./images/before_add.png)  
+***AFTER Adding***  
+![after-add](./images/after_add.png)  
+
+Now the Embedded Outpost shows the `Provider` for the Catch All rule instead of it being empty/blank:  
+![updated-provider](./images/updated_provider.png)  
+
+
+### Domain Wide / Catch All Test/Validation  
+Now that the catch all rule is in place, validate it using the already running `whoami-catchall` container created:  
+
+Navigate to `whoami-catchall.domain.tld` and it will immediately redirect you to Authentik to login:  
+![fa-splash](./images/fa_splash.png)  
+
+Sign in with your username or email address initially created. After inputting username & password, it should show you the "Redirecting" screen prior to actual redirection:  
+![whoami-all](./images/whoami-all.png)  
+
+The `X-Authentik-Meta-App` will contain information about the specific Application used to get here. Notice that this matches the `slug` previously created.  
+```yaml
+X-Authentik-Meta-App: domain-wide-forward-auth-catch-all
+```  
+
+
+### Individual Application (forwardAuth) manual  
+Maybe you don't want to use the wizard, though I'm not sure why.  So here's how you can do it without the Wizard.  
+
+An Application specific Forward Auth configuration will allow different authentication flows to be selected and not disrupt the default domain authentication flow. For example the default domain authentication flow allows a user to authentication with Authentik using username/password only. An application specific could be used for app with additional security ie an OTP, or local networks only, etc.. In most cases the default authentication flow will serve most homelab uses.  
+
+As of version 2022.07.03 authentik still requires `/outpost.goauthentik.io/` to be routed **IF USING INDIVIDUAL APPLICATIONS INSTEAD OF A SINGLE DOMAIN WIDE CATCH-ALL**. At the end of July 2022 `BeryJu` has an upcoming fix that should remove the below label.  
+
+> _Note: This does not seem to be required on everyone's setup. Individual Application forwardAuth does not work on mine without this label. I recommend you check your setup both with this label._  
+
+> [!NOTE]  
+> ["providers/proxy: no exposed urls #3151"](https://github.com/goauthentik/authentik/pull/3151) This PR greatly simplifies the Forward auth setup for traefik and envoy. It'll remove the requirement `/outpost.goauthentik.io` to be openly accessible, which makes setup easier and decreases attack surface.  
+
+This label is applied to the `authentik_server` container.  Even if you don't use individual applications, keep this label just in case you DO in the future!  
+```bash
+    labels:
+      - "traefik.enable=true"
+      ## Individual Application forwardAuth regex (catch any subdomain using individual application forwardAuth)  
+      - "traefik.http.routers.authentik-output-rtr.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAINNAME}`) && PathPrefix(`/outpost.goauthentik.io/`)"
+```
+
+#### Provider Creation (Individual Application) - Manual  
+In the Admin Interface, go to:  
+2. Applications  
+3. Providers  
+4. Create  
+
+![manual-create-p](./images/manual_create_p.png)  
+
+Select `Proxy Provider`  
+![m-pp](./images/m-pp.png)  
+
+Use the following settings:  
+- Name: `whoami-individual provider`  
+- Authentication Flow: `empty`  
+  _This is user choice, I recommend getting the basics setup and THEN modifying authentication flow for the catch all_  
+- Authorization Flow: `default-provider-authorization-explicit-consent (Authorize Application)`  
+- Type: `Forward auth (single application)`  
+  _Single Application is where we change it up!_  
+- External Host: `https://whoami-individual.domain.tld`  
+- Token Validity: `hours=24`  
+![m-pp-settings](./images/m-pp-settings.png)  
+
+After hitting Finish it will show that it's not bound to an Application:
+![unbound-provider](./images/unbound-provider.png)  
+
+#### Application Creation (Individual Application) - Manual  
+In the Admin Interface, go to:  
+1. Applications  
+2. Applications  
+3. Create  
+
+![m-app](./images/m-app.png)  
+
+- Name: `whoami-individual application`  
+- Slug: `whoami-individual-application`  
+- Group: `empty`  
+- Provider: `whoami-individual provider`  
+  ___This is where you bind it to the previously created provider!___
+- Backchannel Providers: `empty`  
+- Policy Engine Mode: `any`  
+- UI Settings  
+  - Launch URL: `https://whoami-individual.domain.tld`  
+    _Since this is an individual application, specify where it is found at_  
+
+![Manual-App-Create](./images/m-app-c.png)  
+
+After hitting Create it will show that it is now bound to the previously created provider:  
+![Manual-App-Bound](./images/m-app-bound.png)  
+
+#### Embedded Outpost (Individual Application)  
+Navigate to the Outposts screen and edit the Embedded Outpost:  
+1. Applications
+2. Outposts  
+3. Edit the Embedded Outpost  
+
+![embed-outpost-2](./images/embed_outpost_edit2.png)  
+
+Highlight any application you want the outpost to be able to provide for. In this case Highlight `whoami-individual application`  
+
+***BEFORE HIGHLIGHT***  
+Notice that BEFORE highlighting and adding to Selected Applications, it still has only the `Domain Wide Forward Auth Catch All` rule in Selected Applications:  
+
+![before-add-2nd](./images/before_add_2nd.png)  
+
+***AFTER HIGHLIGHT***  
+This will include both the domain wide (catch all) and the individual application bound to this outpost.  
+![after-add-2nd](./images/after_add_2nd.png)  
+
+After hitting Update the Outpost page will show that the embedded outpost now has both providers bound to it:  
+![outpost-with-2](./images/outpost_with2.png)  
+
+
+### Individual Application Test/Validation  
+Now that the individual application rule is in place, validate it using the already running `whoami-individual` container created:  
+
+Navigate to `whoami-individual.domain.tld` and it will immediately redirect you to Authentik to login:  
+![fa-splash](./images/fa_splash2.png)  
+
+Sign in with your username or email address initially created. After inputting username & password, it should show you the "Redirecting" screen prior to actual redirection:  
+![whoami-all](./images/whoami-indiv.png)  
+
+The `X-Authentik-Meta-App` will contain information about the specific Application used to get here. Notice that this matches the `slug` previously created.  
+```yaml
+X-Authentik-Meta-App: whoami-individual-application
+```  
+
+## (Optional) New User Creation  
+Inside the Admin Interface do the following steps to create an additional user:  
+
+1. Directory  
+2. Users  
+3. Create  
+
+![user-create-1](./images/user_create1.png)  
+
+Fill in the required information:  
+![account-create-info](./images/account_create_info.png)  
+
+
+## (Optional) Add user to Administrator/Superuser Group  
+Inside the Admin Interface do the following steps to add a user to the `Admins` group:  
+1. Directory  
+2. Groups  
+3. Left click/Open `authentik Admins`  
+
+![admins-open](./images/admins_open.png)  
+
+Next, add an existing user to the Users tab:  
+1. Users
+2. Add existing user  
+
+![add-existing-user1](./images/add_existing1.png)  
+
+Add the user
+![user-added](./images/user_added.png)  
+
+
+## (Optional) Change user password  
+Inside the Admin Interface do the following:  
+1. Directory
+2. Users
+3. Left click/Open the specific user  
+
+![open-user](./images/open_user.png)  
+
+![set-pw](./images/set_pw.png)  
+
+
+## Yubikey  
+
+Read this section before just doing it!  
+
+https://docs.goauthentik.io/docs/flow/stages/authenticator_webauthn/#authenticator-attachment  
+
+> [!WARNING]  
+> To prevent locking yourself out and having to start over by deleting your postgres database, create a backup administrator (as done above) or work on a non-administrator account.  
+
+> [!NOTE]  
+> If you are unable to perform the below steps, skip to the ***Force Authentication*** section below.  
+
+***Recommended to Switch to standard browser / NOT Incognito.***  
+
+IF you are in the `Admin Interface` navigate to the `User Interface` via the button at the top left:  
+![user_interface_button](./images/user_interface_button.png)  
+
+
+Navigate to the `MFA Devices` screen:  
+1. Settings  
+2. MFA Devices  
+3. Enroll  
+4. WebAuthn device  
+
+![settings-cog](./images/settings_cog.png)  
+
+
+### Enrollment with Credential on Key  
+
+![mfa-dev](./images/mfa_dev.png)  
+
+During setup process, depending on your WebAuthn settings you might get prompted for a PIN:
+![webauthn-pin](./images/webauthn-pin.png)  
+
+If you are unsure about this, then review the following Yubikey documentation / explanation (https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs)  
+> _If you are being prompted for a PIN (including setting one up), and you're not sure which PIN it is, most likely it is your YubiKey's FIDO2 PIN._  
+
+
+Now complete the WebAuthn Setup:  
+![webauthn1](./images/webauthn1.png)  
+
+Hit next and you'll see that you are about to setup your key:  
+![webauthn2](./images/webauthn2.png)  
+
+---  
+
+![choose-path](./images/choose_path.png)  
+
+> [!CAUTION]  
+> By performing the setup like this, it asks to create a credential on the Yubikey device itself. If you want to make it where it does NOT create the credential itself skip setup for now and go to the `Modify WebAuthn Credential Creation Location` section where I will show how to change the save credential to key option. After changing that option, you can revisit setup.
+
+
+***STOP*** - Read the Above Caution Statement before continuing!  
+
+If you're ok with creating the credential on your key, continue!  
+
+![webauthn3](./images/webauthn3.png)  
+
+---  
+
+
+### Modify WebAuthn Credential Creation Location  
+In order to modify the default settings to prevent saving a credential on the Yubikey itself perform the following steps.
+
+1. Go to the Admin Interface  
+2. Flows and Stages  
+3. Stages  
+4. Edit `default-authenticator-webauthn-setup`  
+
+![edit-webauthn](./images/edit_webauthn.png)  
+
+Review the default settings:  
+![res-key-def](./images/res_key_def.png)  
+
+Edit the `Resident key requirement`  
+- Default: `Preferred: The authenticator can create and store a dedicated credential, but if it doesn't that's alright too`  
+
+Unfortunately, if I try to skip the dedicated credential, I am unable to setup a Yubikey. I am going to set this option to:  
+- Modified: `Discouraged: The authenticator should not create a dedicated credential`  
+
+![res-key-change](./images/res_key_change.png)  
+
+
+#### (Optional) Edit the `User verification` depending on your WebAuthn expertise.  
+I am leaving it default:  
+- Default: `Preferred: User verification is preferred if available, but not required`  
+
+
+#### (Optional) Authenticator preference  
+Authentik by default has no preference set for the Authenticator, as shown in the above picture. This can be changed to be explicitly `Yubikey` OR `Windows Hello/TouchID`. If you do not want to be prompted by Windows Hello, as shown in the Windows Hello section, then set this to `A "roaming" authenticator, like a YubiKey`.  
+![yubi-pref](./images/yubi_pref.png)  
+
+
+#### Finish Registration  
+If you chose to NOT save your key on the Yubikey like above, then scroll back up to continue the registration / finish it.  
+![finish-mfa-reg](./images/finish_mfa_reg.png)  
+
+
+### (Troubleshooting) Windows Hello  
+During Security Key enrollment, if you are interrupted by Windows Hello shown here:  
+![win-hello](./images/win_hello.png)  
+
+Press `ESC` to continue to actual Yubikey enrollment. This only seems to happen if you have previously setup Windows Hello.  
+
+> [!NOTE]  
+> If you are prompted for a PIN that you do not know, go to the `Enrollment with Credential on Key` section for the Yubikey documentation link to address the PIN.  Optionally, you can also Force it to skip Windows Hello and go straight to the Yubikey by modifying the `default-authenticator-webauthn-setup`, as seen in the `(Optional) Authenticator preference` section above.  
+
+
+### (Optional) Force Multi-Factor Authentication (MFA)  
+To configure an authentication a user must be in the state that forces them to add an authentication. In order to do this, I am going to modify the default flow for authentication regarding MFA devices.
+
+1. Go to the Admin Interface  
+2. Flows & Stages  
+3. Stages  
+4. Edit `default-authentication-mfa-validation`  
+
+![default-mfa](./images/default_mfa.png)  
+
+The initial settings for the `default-authentication-mfa-validation` stage look like this:  
+![mfa-stage-defaults](./images/mfa-stage-defaults.png)  
+
+Change the `Device Classes` to what options you want you or other users to have (by default). I am only going to **REMOVE** static tokens.  
+![no-static](./images/no-static.png)  
+
+Modify the `Not configured action` to `Force the user to configure an authenticator`:  
+- Default: `Continue`  
+- Modified: `Force the user to configure an authenticator`  
+![force-mfa](./images/force-mfa.png)  
+
+After setting the `Not configured action` to `Force the user to configure an authenticator` it will unlock the `Configuration stages` options as seen above.  
+This section, as it says right below it  
+> Stages used to configure Authenticator when user doesn't have any compatible devices. After this configuration Stage passes, the user is not prompted again.  
+> When multiple stages are selected, the user can choose which one they want to enroll.  
+- Select: `default-authenticator-totp-setup (TOP Authenticator Setup Stage)`  
+- Select: `default-authenticator-webauthn-setup (WebAuthn Authenticator Setup Stage)`  
+
+In order to highlight multiple, use the `Shift` key.  
+![mfa-selections](./images/mfa-selections.png)  
+
+Hit `Update`  
+
+Open another **INCOGNITO** browser and navigate back to the `whoami-individual` URL or `authentik`'s URL and sign in.
+
+After entering the username/password a new window pop-up asks to select an authenticator method -- choose `default-authenticator-webauthn-setup`. The following steps should match the **Yubikey** section above.  
+
+This will only give you this option if you did not previously register your Yubikey inside of the MFA devices.  
+
+
+## Domain Wide (Tenet) Policies  
+View the **Default** Flows by going to the Admin Interface  
+1. System  
+2. Brands  
+3. Edit `authentik-default`  
+![domain-defaults](./images/domain-def.png)  
+
+Expand down `Default flows`  
+![def-flows](./images/def-flows.png)  
+
+Notice that the **DEFAULT** Authentication flow is `default-authentication-flow (Welcome to authentik!)`  
+
+Navigate to: 
+- Flows and Stages  
+- Flows  
+
+In order to view the default `default-authentication-flow`.  
+
+Why does this matter?  To understand the way YOU have this identity tool setup.  
+
+```mermaid
+graph LR
+  A[Start] --> B[Authentication];
+  B --> C[Authorization];
+  C --> D[Login];
+```
+
+### Authentication default  
+By default the flow for all **authentication**, `default-authentication-flow`, is as follows:
+
+```mermaid
+graph LR
+  A[Start] --> B[Username];
+  B --> C[Password];
+  C --> D{MFA Configured?};
+  D -->|No| F[Login];
+  D -->|Yes| E[MFA Prompt<br>Forced];
+  E --> F;
+```
+
+### Authorization defaults  
+There are two policies for **authorization**, explicit, `default-provider-authorization-explicit-consent`, and implicit, `default-provider-authorization-implicit-consent`.  By default the **explicit** policy is used.  
+#### Explicit  
+Explicit, `default-provider-authorization-explicit-consent`, requires a pop-up showing that you accept your information is about to be shared with the site.  This could be your email, username or whatever you have setup.  
+
+```mermaid
+graph LR
+  A[Start] --> B[Consent];
+  B --> C[Continue];
+```
+
+#### Implicit  
+Implicit, `default-provider-authorization-implicit-consent`, means that by logging in you accept your information (email or username, etc.) will be shared with the site, do not prompt, just continue through.  
+```mermaid
+graph LR
+  A[Start] --> B[Continue];
+```
diff --git a/authentik/authentik_jm.txt b/authentik/authentik_jm.txt
new file mode 100644
index 0000000..8baebdb
--- /dev/null
+++ b/authentik/authentik_jm.txt
@@ -0,0 +1,88 @@
+# https://github.com/brokenscripts/authentik_traefik
+
+Pre-requisite:
+traefik needs to be installed as per traefik folder ..\traefik
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: authentik
+Username: authentik
+Disable Password: <select>
+Email: <leave blank>
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+PUID: 3014
+PGID: 3013
+Update .env file accordingly (PUID, PGID)
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*authentik"
+# create following datasets if not present
+zfs create SSD1/docker/data/authentik
+zfs create SSD1/docker/data/authentik/appdata
+zfs create SSD1/docker/data/authentik/pgdata
+chown -R authentik:authentik /mnt/SSD1/docker/data/authentik
+chown -R postgres:postgres /mnt/SSD1/docker/data/authentik/pgdata
+
+Create folders
+--------------
+In Truenas shell:
+mkdir -p /opt/stacks/authentik/secrets
+mkdir -p /mnt/SSD1/docker/data/authentik/appdata/redis/data
+mkdir -p /mnt/SSD1/docker/data/authentik/appdata/geoip/data
+mkdir /mnt/SSD1/docker/data/authentik/appdata/media
+mkdir /mnt/SSD1/docker/data/authentik/appdata/custom-templates
+chown -R authentik:authentik /mnt/SSD1/docker/data/authentik/appdata/
+
+Copy folders to docker stacks
+-----------------------------
+In Windows cmd shell in authentik parent (apps) folder:
+./cp2nas 10.0.0.20 authentik
+# or
+pscp -P 22 -r authentik/stacks/*.* root@10.0.0.20:/mnt/SSD1/docker/stacks/authentik/
+pscp -P 22 -r authentik/traefik-rules/*.* root@10.0.0.20:/mnt/SSD1/docker/stacks/traefik/rules/
+
+Create secrets
+--------------
+# In Docker shell:
+# install pwgen:
+sudo apt-get install -y pwgen
+echo -n $(pwgen -s 40 1) > /opt/stacks/authentik/secrets/authentik_postgresql_password
+echo -n $(pwgen -s 50 1) > /opt/stacks/authentik/secrets/authentik_secret_key
+In Truenas shell:
+cd /mnt/SSD1/docker/stacks/authentik/secrets
+echo -n 'your_postgresql_database_name' > /mnt/SSD1/docker/stacks/authentik/secrets/authentik_postgresql_database
+echo -n 'your_postgresql_username' > /mnt/SSD1/docker/stacks/authentik/secrets/authentik_postgresql_username
+# openssl rand 36 | base64 -w 0 > /mnt/SSD1/docker/stacks/authentik/secrets/authentik_postgresql_password
+# openssl rand 60 | base64 -w 0 > /mnt/SSD1/docker/stacks/authentik/secrets/authentik_secret_key
+echo -n 'your_smtp_username' > /mnt/SSD1/docker/stacks/authentik/secrets/smtp_username
+echo -n 'your_smtp_password' > /mnt/SSD1/docker/stacks/authentik/secrets/smtp_password
+chown -R authentik:authentik /mnt/SSD1/docker/stacks/authentik/secrets/
+chmod -R 400 /mnt/SSD1/docker/stacks/authentik/secrets/
+# read existing acl permissions, if any
+getfacl /mnt/SSD1/docker/stacks/authentik/secrets
+# set acl permissions
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/authentik/secrets
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/authentik/secrets/authentik_postgresql_password
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/authentik/secrets/authentik_postgresql_username
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/authentik/secrets/authentik_postgresql_database
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+# to list secrets in secrets dir
+cd /mnt/SSD1/docker/stacks/authentik/secrets
+for i in $(ls -1); do echo $i = `cat $i`; done | sort
+
+Start authentik
+---------------
+# Refresh / start Dockge
+# Update and start authentik
+
+Setup
+-----
+# Follow the instructions at https://github.com/brokenscripts/authentik_traefik/blob/traefik3/README.md or authentik_setup_jm.txt to setup authentik
diff --git a/authentik/authentik_setup_jm.txt b/authentik/authentik_setup_jm.txt
new file mode 100644
index 0000000..2547ab5
--- /dev/null
+++ b/authentik/authentik_setup_jm.txt
@@ -0,0 +1,293 @@
+# https://github.com/brokenscripts/authentik_traefik
+
+Setup
+-----
+# It is strongly recommended to follow excellent instructions at https://github.com/brokenscripts/authentik_traefik/blob/traefik3/README.md which include illustrations / screen dumps.
+# The following is an attempted text representation of the same instructions.
+# Navigate to Authentik at https://authentik.sthome.org/if/flow/initial-setup/
+# At first login, set the email and password for akadmin (default user)
+# Change akadmin username to preferred username:
+# Go to Admin Interface -> Directory -> Users -> Edit (pencil icon under Actions in akadmin row)
+# Change username (and email if needed), then click on Update
+#
+# Domain Wide / Catch All (forwardAuth) using the Wizard
+# ======================================================
+# For each app that will use authentik, edit the traefik labels in its compose.yml by adding the following lines:
+      ## attach AUTHENTIK forwardauth middlewares to router; comment out if not using authentik
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=forwardAuth-authentik@file"
+# NB! The "${APPLICATION_NAME}-secure-rtr" part is the name of the router; modify it if needed
+# The online instructions use "whoami-individual" service as an example. This service is in the authentik compose.yml file and has this line already present.
+#
+# Wizard: create application with provider
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Navigate to Applications -> Applications -> "Create with Wizard"
+# Wizard Page 1 - "Application Details"
+#  Name: Domain Wide Forward Auth Catch All
+#  Slug: domain-wide-forward-auth-catch-all
+#  Group: <leave empty>
+#  Policy Engine Mode: any
+#  UI Settings:
+#    Launch URL: <leave empty>
+#    Do NOT put anything in the Launch URL, it needs to autodetect since it's the catch all rule
+#    Open in new tab: <unselected>
+# Click Next
+# Wizard Page 2 - "Provider Type"
+#  Click on "Forward Auth (Domain Level)"
+# Click Next
+# Wizard Page 3 - "Provider Configuration"
+#  Name: Provider for Domain Wide Forward Auth Catch All
+#  Authentication Flow: <leave empty>
+#      This is user choice; the author recommends getting the basics setup and THEN modifying authentication flow for the catch all
+#  Authorization Flow: default-provider-authorization-explicit-consent (Authorize Application)
+#      Explicit requires user interaction aka clicking a button to continue versus implicit which is just trust
+#  External Host: https://authentik.domain.tld
+#  Cookie Domain: domain.tld
+#  Token Validity: hours=24
+# Click Submit
+# Click Close
+#
+# Embedded Outpost (Domain Wide)
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Navigate to the Applications -> Outposts
+# Notice that there are nothing in the Providers column in authentik Embedded Outpost row
+# Click on Edit (pencil icon under Actions in authentik Embedded Outpost row)
+# Select "Domain Wide Forward Auth Catch All" in "Available Applications"
+# Click on ">" in order to have the "Domain Wide Forward Auth Catch All" in Selected Applications
+# Click Update
+# Notice the added provider in the Providers column in authentik Embedded Outpost row
+#
+# Domain Wide / Catch All Test/Validation
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Using browser, go to whoami-catchall.domain.tld; it should redirect you to Authentik to login
+# Sign in with your username or email address initially created. After inputting username & password, it should show you the "Redirecting" screen prior to actual redirection
+#
+# Individual Application (forwardAuth) manual
+# ===========================================
+# Provider Creation (Individual Application) - Manual
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# In the Admin Interface, go to: Applications -> Providers -> Create
+# Select "Proxy Provider"
+# Click Next
+# On "new Provider" screen enter:
+#  Name: whoami-individual provider
+#  Authentication Flow: <leave empty>
+#      This is user choice, the author recommends getting the basics setup and THEN modifying authentication flow for the catch all
+#  Authorization Flow: default-provider-authorization-explicit-consent (Authorize Application)
+#  Type: Forward auth (single application)
+#  Single Application is where we change it up!
+#  External Host: https://whoami-individual.domain.tld
+#  Token Validity: hours=24
+# Click Finish
+# After hitting Finish it will warn that it's not bound to an Application
+#
+# Application Creation (Individual Application) - Manual
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# In the Admin Interface, go to Applications -> Applications -> Create
+# On the "Create Application" screen enter:
+#  Name: whoami-individual application
+#  Slug: whoami-individual-application
+#  Group: <leave empty>
+#  Provider: whoami-individual provider
+#      This is where you bind it to the previously created provider!
+#  Backchannel Providers: <leave empty>
+#  Policy Engine Mode: any
+#  UI Settings
+#    Launch URL: https://whoami-individual.domain.tld
+#        Since this is an individual application, specify where it is found at
+# Click Create
+# After hitting Create it will show that it is now bound to the previously created provider
+#
+# Embedded Outpost (Individual Application)
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Navigate to Applications -> Outposts 
+# Click on Edit (pencil icon under Actions in authentik Embedded Outpost row)
+# Notice that it still has only the Domain Wide Forward Auth Catch All rule in Selected Applications
+# Select any application you want the outpost to be able to provide for. In this case Select whoami-individual application in "Available Applications"
+# Click on ">" 
+# Click Update
+# Now both the domain wide (catch all) and the individual application are bound to this outpost.
+#
+# Individual Application Test/Validation
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Using browser, go to whoami-individual.domain.tld; it should redirect you to Authentik to login
+# Sign in with your username or email address initially created. After inputting username & password, it should show you the "Redirecting" screen prior to actual redirection
+#
+# New User Creation
+# =================
+# Inside the Admin Interface navigate to Directory -> Users -> Create
+# On "Create User" screen enter:
+#  Username: admin
+#  Name: Administrator
+#  User type: internal
+#  Email: admin@domain.tld
+#  Is active: <checked>
+#  Path: users
+# Click Create
+#
+# Add user to Administrator/Superuser Group
+# =========================================
+# Inside the Admin Interface navigate to Directory -> Groups 
+# Left click/Open authentik Admins
+# Go to Users tab
+# Click "Add existing user"
+# Click + and add user
+#
+# Change user password
+# ====================
+# Inside the Admin Interface navigate to Directory -> Users
+# Left click/Open the specific user
+# Click "Set password"
+#
+# Setting up Gitea to use Authentik
+# =================================
+# Skip the following section if you want to use an existing / default authorization flow
+# Creating custom Authorization flow for gitea
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Inside the Admin Interface navigate to Flows and Stages -> Flows
+# Click Create
+#   Name: sthome-application-authorization
+#   Title: Redirecting to %(app)s
+#   Slug: <leave as-is / use prefilled value>
+#   Designation: Authorization
+#   Authentication: Require authentication
+#   Behavior Settings:
+#     Compatilibity mode: <select>
+#     Denied action: MEASSAGE_CONTINUE
+#     Policy engine mode: any
+# Click Create
+#
+# Creating Gitea provider and application
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# refer: https://docs.goauthentik.io/integrations/services/gitea/
+#
+# Step 1: create gitea Provider
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Inside the Admin Interface navigate to Applications -> Providers
+# Click Create
+# In "New provider" screen, select "OAuth2/OpenID Provider"
+#  Click Next
+#  Name: gitea
+#  Authentication Flow: <leave empty for now>
+#  Authorization Flow: default-provider-authorization-explicit-consent (Authorize Application)
+#  Protocol settings:
+#    Client type: Confidential
+#    Client ID: <leave as-is> PdTOme1WrQtgWQYa8fIfiedMyWBVKc9pqMz3qUa2
+#    Client Secret: <leave as-is> CNKd9D8AYvhDxzy4YKnU7hJoIHKgX3ADnmY5t6CtkVo2lseEwrnFLUSedZdmL55XECos7KpERlZ4S5GVUhbh2qG15DzbbYXuN9hv2sntsxWkQgRt7auCOJCJ7o8vxErI
+#    Redirect URIs: https://gitea.sthome.org/user/oauth2/authentik/callback
+#    Signing Key: Select any available key
+#  NB! Take note of the Client ID and Client Secret, you'll need to give them to Gitea in Step 3.
+#  Click Finish
+#
+# Step 2: create gitea Application
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# In the Admin Interface, go to Applications -> Applications -> Create
+# On the "Create Application" screen enter:
+#  Name: gitea
+#  Slug: gitea-slug
+#  Group: <leave empty>
+#  Provider: gitea
+#      This is where you bind it to the previously created provider!
+#  Backchannel Providers: <leave empty>
+#  Policy Engine Mode: any
+#  UI Settings
+#    Launch URL: https://gitea.sthome.org
+#            If left empty, authentik will derive from gitea OpenID Connect Auto Discovery URL and add the port no (9000)
+# Click Create
+#
+# Step 3: Configuring gitea to use authentik
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Browse to the Authentication Sources page at https://gitea.sthome.org/admin/auths 
+# Click "Add Authentication Source"
+# Change the following fields:
+#   Authentication Type: OAuth2
+#   Authentication Name: authentik
+#   OAuth2 Provider: OpenID Connect
+#   Client ID (Key): <as noted Step 1>
+#   Client Secret:  <as noted Step 1>
+#   Icon URL: https://authentik.sthome.org/static/dist/assets/icons/icon.svg
+#   OpenID Connect Auto Discovery URL: https://authentik.sthome.org/application/o/gitea-slug/.well-known/openid-configuration
+#          If authentik and gitea is on the same internal network behind a reverse proxy, e.g. traefik, and are accessed (browsed to) from outside of this internal network then this OIDC Auto Discovery URL should be accessible externally and internally. The consequence is that the internal DNS should resolve to the external traefik entrypoint (port 443) with traefik routing it to authentik port 9000. (Otherwise accessing authentik on the internal network will require the OIDC Auto Discovery URL to include port 9000, which will cause the redirect to authentik (from external network) to fail.) Refer to: https://www.reddit.com/r/Authentik/comments/1ggimab/authentik_with_traefik_in_docker/
+#   Additional Scopes: email profile
+#   Click "Add Authentication Source"
+# Your Gitea login page should now have a Sign in With followed by the authentik logo which you can click on to sign-in to Gitea with Authentik creds.
+# 
+# Step 4 (optional Claims for authorization management)
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# This step is optional and shows how to set claims to control the permissions of users in gitea by adding them to groups.
+#
+# Define Groups:
+# The following groups will be used:
+#    - gituser for normal Gitea users.
+#    - gitadmin for Gitea users with administrative permissions.
+#    - gitrestricted for restricted Gitea users.
+# Users who are in none of these groups will not be able to log in to gitea.
+#
+# In the authentik Admin Interface, go to Directory -> Groups -> Create
+#   Name: gituser
+#   Leave other settings untouched.
+#   Click Create
+#   Repeat for gitadmin and gitrestricted
+# You can add Members to the groups now or anytime later.
+# 
+# Adding user to a group (from the User screen):
+# In the authentik Admin Interface, go to Directory -> Users
+# Select the user (click on the listed Name)
+#   Click the "Groups" tab at the top
+#   Click "Add to existing group"
+#   Click on "+" and select the desired groups
+#   Click "Add" twice
+#
+# Adding user to a group (from the Group screen):
+# In the authentik Admin Interface, go to Directory -> Groups
+# Select the group (click on the listed Name)
+#   Click the "Users" tab at the top
+#   Click "Add to existing user"
+#   Click on "+" and select the desired user
+#   Click "Add" twice
+
+# Create Custom Property Mapping:
+# In the authentik Admin Interface, go to Customization -> Property Mappings -> Create
+# On "New property mapping" screen, "Select Type" tab,
+# Select Scope Mapping, click Next
+# On "Create Scope Mapping" tab, enter:
+#    Name: authentik gitea OAuth Mapping: OpenID 'gitea'
+#    Scope name: gitea 
+#    Description: <leave empty>
+#    Expression: enter the following text lines between --- snip ---:
+# --- snip ---
+gitea_claims = {}
+if request.user.ak_groups.filter(name="gituser").exists():
+    gitea_claims["gitea"]= "user"
+if request.user.ak_groups.filter(name="gitadmin").exists():
+    gitea_claims["gitea"]= "admin"
+if request.user.ak_groups.filter(name="gitrestricted").exists():
+    gitea_claims["gitea"]= "restricted"
+
+return gitea_claims
+# --- snip ---
+# 
+# Add the custom Property Mapping to the Gitea Provider:
+# In authentik, go to Applications -> Providers
+#   Edit gitea provider (click pencil icon under Actions in gitea row)
+# Expand the Advanced protocol settings and select the following Mappings (hold ctrl key and select, i.e. left click with mouse):
+#    authentik default OAuth Mapping: OpenID 'email'
+#    authentik default OAuth Mapping: OpenID 'profile'
+#    authentik default OAuth Mapping: OpenID 'openid'
+#    authentik gitea OAuth Mapping: OpenID 'gitea'
+# Click Update 
+# 
+# Configure Gitea to use the new claims:
+# In .gitea.env file, set environment variable as follows:
+    GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true
+# 
+# Navigate to the Authentication Sources page at https://gitea.sthome.org/admin/auths and edit the authentik Authentication Source (click on pencil icon)
+# Change the following fields
+#    Additional Scopes: email profile gitea
+#    Required Claim Name: gitea
+#    Required Claim Value: <leave empty>
+#    Claim name providing group names for this source. (Optional): gitea
+#    Group Claim value for administrator users. (Optional - requires claim name above): admin
+#    Group Claim value for restricted users. (Optional - requires claim name above): restricted
+# Click "Update Authentication Source"
+# 
+# Users without any of the defined groups should no longer be able to log in. Users of the group gitadmin should have administrative privileges, and users in the group gitrestricted should be restricted.
\ No newline at end of file
diff --git a/authentik/cp2nas.ps1 b/authentik/cp2nas.ps1
new file mode 100644
index 0000000..c76fd40
--- /dev/null
+++ b/authentik/cp2nas.ps1
@@ -0,0 +1,135 @@
+############### CONST ##############
+$destJailDir="/mnt/SSD1/docker/"
+$stacksfolder="stacks/"
+$datafolder="data/"
+$destStacks=$destJailDir+$stacksfolder
+$destData=$destJailDir+$datafolder
+$destTraefikRulesDir=$destData+"traefik/rules/"
+$destTraefikUsersDir=$destData+"traefik/users/"
+############### MAIN ###############
+# main function
+#
+$Main =
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        [Parameter(Mandatory=$false)]
+        [string[]] $apps
+    )
+    $applist=[System.Collections.Generic.List[object]]::new()
+    If($PSBoundParameters.ContainsKey("apps")) {
+        foreach ($appname in $apps)
+        {
+            if ($appname.Contains('*')) {
+                $wclist=Get-ChildItem $appname -Directory |  ForEach-Object { $_.Name }
+                # if wildcard is specified, we only add folders with a 'stacks' subfolder
+                foreach ($wcname in $wclist) {
+                    if ((Test-Path -Path "$wcname\stacks")) {
+                        $applist.Add($wcname)
+                     }
+                }
+            }
+            else {
+                # here we don't have to check for a 'stacks' subfolder as the user specified appname explicitly
+                $applist.Add($appname)
+            }
+        }
+        # remove duplicates
+        $uniqlist=$applist | Sort-Object -Unique
+        foreach ($appname in $uniqlist)
+        {
+            copyfolder $destHost $appname "$appname\"
+        }
+    }
+    else {
+        # we're in the app subfolder, so only one stacks folder to copy
+        $appname="$pwd".Split("\\")[-1]
+        copyfolder $destHost  $appname ".\"
+    }
+}
+#######################################################################
+# copies specified folder to data folder on truenas
+# 
+Function copytosubfolder
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $folder,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $subfolder,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $srcdir,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destdir
+    )
+    if ((Test-Path -Path "$srcdir")) {
+        Write-Host "$date# pscp -P 22 -r ""$srcdir\*.*"" root@${destHost}:""${destdir}""" -ForegroundColor Green
+        Write-Host "Copying to ${destHost}:""${destJailDir}" -NoNewline 
+        Write-Host "${folder}" -ForegroundColor Cyan  -NoNewline 
+        Write-Host "${subfolder}" -ForegroundColor DarkYellow  -NoNewline 
+        Write-Host """:"
+        pscp -P 22 -r "$srcdir\*.*" root@${destHost}:""${destdir}""
+    }
+}
+#######################################################################
+# copies specified app's stacks and traefik-rules subfolders to truenas
+# 
+Function copyfolder
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $subfolder,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $srcdir
+    )
+    $srcStacksDir=$srcdir+"stacks"
+    $srcTraefikRulesDir=$srcdir+"traefik-rules"
+    $srcTraefikUsersDir=$srcdir+"traefik-users"
+    if (-Not(Test-Path -Path $srcStacksDir)) {
+        Write-Host "Source path doesn't exist: ""$PSScriptRoot\$srcStacksDir\*.*"". No files copied!"  -ForegroundColor Red
+        Write-Host "Usage: in app folder       : ./cp2nas DEST|IP"
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP app1, app2, app3, ..."
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP *"
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP wcstring1, wcstring2, ..."
+        return
+    }
+    $destAppStacksDir=$destStacks+$subfolder+"/"
+    $date=Get-Date -format "yyyy-MM-ddTHH:mm:ss"
+    #Write-Host "$date# pscp -P 22 -r ""$srcStacksDir\*.*"" root@${destHost}:""${destAppStacksDir}""" -ForegroundColor Green
+    #Write-Host "Copying to ${destHost}:""${destStacks}" -NoNewline 
+    #Write-Host "${subfolder}/" -ForegroundColor DarkYellow  -NoNewline 
+    #Write-Host """:"
+    #pscp -P 22 -r "$srcStacksDir\*.*" root@${destHost}:""${destAppStacksDir}""
+    copytosubfolder $destHost "${stacksfolder}" "${subfolder}" "${srcStacksDir}"  "${destAppStacksDir}"
+   
+    # check for data dir destinations and copy
+    copytosubfolder $destHost "${stacksfolder}" "traefik/rules/" "${srcTraefikRulesDir}"  "${destTraefikRulesDir}"
+    copytosubfolder $destHost "${stacksfolder}" "traefik/users/" "${srcTraefikUsersDir}"  "${destTraefikUsersDir}"
+
+}
+
+###################################
+& $Main @Args
\ No newline at end of file
diff --git a/authentik/stacks/.env b/authentik/stacks/.env
new file mode 100644
index 0000000..724043f
--- /dev/null
+++ b/authentik/stacks/.env
@@ -0,0 +1,60 @@
+################################################################
+# .env
+# When both env_file and environment are set for a service, values set by environment have precedence.
+# https://docs.docker.com/compose/environment-variables/envvars-precedence/
+#
+# CANNOT MIX ARRAYS (KEY: VAL) AND MAPS (KEY=VAL)
+# Ex: Cannot have .ENV var as TZ=US and then a var here as DB_ENGINE: sqlite, has to be DB_ENGINE=sqlite
+# Otherwise unexpected type map[string]interface {} occurs
+# https://github.com/docker/compose/issues/11567
+#
+################################################################
+APPLICATION_NAME=authentik
+DOCKERDIR=/mnt/SSD1/docker/
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+PUID=3014
+PGID=3013
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+WEBUI_PORT=9000
+
+################################################################  
+# Authentik (https://docs.goauthentik.io/docs/)
+# Environment Variables (https://docs.goauthentik.io/docs/installation/configuration)
+################################################################  
+POSTGRES_DB_PORT=5432
+POSTGRES_PASSWORD_FILE=/run/secrets/authentik_postgresql_password
+POSTGRES_USER_FILE=/run/secrets/authentik_postgresql_username
+POSTGRES_DB_FILE=/run/secrets/authentik_postgresql_database
+
+AUTHENTIK_POSTGRESQL__NAME_FILE=file:///run/secrets/authentik_postgresql_database
+AUTHENTIK_POSTGRESQL__USER_FILE=file:///run/secrets/authentik_postgresql_username
+AUTHENTIK_POSTGRESQL__PASSWORD_FILE=file:///run/secrets/authentik_postgresql_password
+AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
+AUTHENTIK_DISABLE_UPDATE_CHECK=false
+AUTHENTIK_ERROR_REPORTING__ENABLED=false
+AUTHENTIK_LOG_LEVEL=info # debug, info, warning, error, trace
+AUTHENTIK_SECRET_KEY_FILE=file:///run/secrets/authentik_secret_key # openssl rand 60 | base64 -w 0
+AUTHENTIK_COOKIE_DOMAIN=${DOMAINNAME}
+AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: 127.0.0.0/8, 10.0.0.0/24, 172.16.0.0/12, 192.168.2.0/124, fe80::/10, ::1/128
+
+AUTHENTIK_EMAIL__PORT=25
+AUTHENTIK_EMAIL__USE_TLS=false
+AUTHENTIK_EMAIL__USE_SSL=false
+AUTHENTIK_EMAIL__TIMEOUT=10
+AUTHENTIK_EMAIL__HOST_FILE=file:///run/secrets/smtp_host
+AUTHENTIK_EMAIL__USERNAME_FILE=file:///run/secrets/smtp_username
+AUTHENTIK_EMAIL__PASSWORD_FILE=file:///run/secrets/smtp_password
+AUTHENTIK_EMAIL__FROM_FILE=file:///run/secrets/smtp_from
+
+################################################################  
+# GeoIP ( https://github.com/maxmind/geoipupdate)  
+# Environment Variables (https://github.com/maxmind/geoipupdate/blob/main/doc/docker.md)  
+################################################################  
+GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" # Space seperated 
+GEOIPUPDATE_FREQUENCY=8 # Frequency to check for updates, in hours
+GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_acccount_id
+GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key
\ No newline at end of file
diff --git a/authentik/stacks/.postgresql.env b/authentik/stacks/.postgresql.env
new file mode 100644
index 0000000..0d95871
--- /dev/null
+++ b/authentik/stacks/.postgresql.env
@@ -0,0 +1,11 @@
+
+PUID=70
+PGID=70
+TZ=${TZ}
+
+POSTGRES_DB_PORT=${POSTGRES_DB_PORT}
+POSTGRES_DB_FILE=${POSTGRES_DB_FILE}
+POSTGRES_USER_FILE=${POSTGRES_USER_FILE}
+POSTGRES_PASSWORD_FILE=${POSTGRES_PASSWORD_FILE}
+
+
diff --git a/authentik/stacks/.server.env b/authentik/stacks/.server.env
new file mode 100644
index 0000000..bb670d5
--- /dev/null
+++ b/authentik/stacks/.server.env
@@ -0,0 +1,13 @@
+
+TZ=${TZ}
+
+AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_POSTGRESQL__NAME_FILE}
+AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_POSTGRESQL__USER_FILE}
+AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_POSTGRESQL__PASSWORD_FILE}
+AUTHENTIK_DISABLE_STARTUP_ANALYTICS=${AUTHENTIK_DISABLE_STARTUP_ANALYTICS}
+AUTHENTIK_DISABLE_UPDATE_CHECK=${AUTHENTIK_DISABLE_UPDATE_CHECK}
+AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED}
+AUTHENTIK_LOG_LEVEL=${AUTHENTIK_LOG_LEVEL}
+AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY_FILE}
+AUTHENTIK_COOKIE_DOMAIN=${DOMAINNAME}
+# AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS=${AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS}
diff --git a/authentik/stacks/.socket-proxy.env b/authentik/stacks/.socket-proxy.env
new file mode 100644
index 0000000..97691c1
--- /dev/null
+++ b/authentik/stacks/.socket-proxy.env
@@ -0,0 +1,36 @@
+#
+# environment variables for socket-proxy
+#
+
+LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
+
+## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
+### 0 to revoke access.
+### 1 to grant access.
+## Granted by Default
+EVENTS=1
+PING=1
+VERSION=1
+## Revoked by Default
+### Security critical
+AUTH=0
+SECRETS=0
+POST=1          # Watchtower
+### Not always needed
+BUILD=0
+COMMIT=0
+CONFIGS=0
+CONTAINERS=1    # Traefik, portainer, etc.
+DISTRIBUTION=0
+EXEC=0
+IMAGES=1        # Portainer
+INFO=1          # Portainer
+NETWORKS=1      # Portainer
+NODES=0
+PLUGINS=0
+SERVICES=1      # Portainer
+SESSION=0
+SWARM=0
+SYSTEM=0
+TASKS=1         # Portainer
+VOLUMES=1       # Portainer
\ No newline at end of file
diff --git a/authentik/stacks/.worker.env b/authentik/stacks/.worker.env
new file mode 100644
index 0000000..c622ee2
--- /dev/null
+++ b/authentik/stacks/.worker.env
@@ -0,0 +1,21 @@
+
+TZ=${TZ}
+
+AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_POSTGRESQL__NAME_FILE}
+AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_POSTGRESQL__USER_FILE}
+AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_POSTGRESQL__PASSWORD_FILE}
+AUTHENTIK_DISABLE_STARTUP_ANALYTICS=${AUTHENTIK_DISABLE_STARTUP_ANALYTICS}
+AUTHENTIK_DISABLE_UPDATE_CHECK=${AUTHENTIK_DISABLE_UPDATE_CHECK}
+AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED}
+AUTHENTIK_LOG_LEVEL=${AUTHENTIK_LOG_LEVEL}
+AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY_FILE}
+AUTHENTIK_COOKIE_DOMAIN=${DOMAINNAME}
+
+AUTHENTIK_EMAIL__HOST=${AUTHENTIK_EMAIL__HOST_FILE}
+AUTHENTIK_EMAIL__PORT=${AUTHENTIK_EMAIL__PORT}
+AUTHENTIK_EMAIL__USERNAME=${AUTHENTIK_EMAIL__USERNAME_FILE}
+AUTHENTIK_EMAIL__PASSWORD=${AUTHENTIK_EMAIL__PASSWORD_FILE}
+AUTHENTIK_EMAIL__USE_TLS=${AUTHENTIK_EMAIL__USE_TLS}
+AUTHENTIK_EMAIL__USE_SSL=${AUTHENTIK_EMAIL__USE_SSL}
+AUTHENTIK_EMAIL__TIMEOUT=${AUTHENTIK_EMAIL__TIMEOUT}
+AUTHENTIK_EMAIL__FROM=${AUTHENTIK_EMAIL__FROM_FILE}
diff --git a/authentik/stacks/compose.yml b/authentik/stacks/compose.yml
new file mode 100644
index 0000000..9333896
--- /dev/null
+++ b/authentik/stacks/compose.yml
@@ -0,0 +1,248 @@
+###############################################################
+# ------------------------------
+# -- authentik (Identity Provider / SSO)
+# -- Updated/Created 2024-July-02
+# Authentik configuration: https://docs.goauthentik.io/docs/installation/configuration
+# ------------------------------
+name: authentik # Project Name
+
+###############################################################
+# Networks
+###############################################################
+networks:
+  socket_proxy:
+    driver: bridge
+    driver_opts:
+      com.docker.network.bridge.name: "br-authentik_sx"
+  traefik-net:
+    external: true
+  authentik-net:
+    external: true
+    
+###############################################################
+# Docker Secrets
+# Owner (default): root:root
+# Recommend Set Owner to match container user Example: UID=1100, GID=1100
+# Permissions of files & directory on host to: 0400 (-r--)
+###############################################################
+secrets:
+  ## Authentik
+  authentik_postgresql_database:
+    file: ${SECRETSDIR}/authentik_postgresql_database
+  authentik_postgresql_username:
+    file: ${SECRETSDIR}/authentik_postgresql_username
+  authentik_postgresql_password:
+    file: ${SECRETSDIR}/authentik_postgresql_password
+  authentik_secret_key:
+    file: ${SECRETSDIR}/authentik_secret_key
+  smtp_username:
+    file: ${SECRETSDIR}/smtp_username
+  smtp_password:
+    file: ${SECRETSDIR}/smtp_password
+  ## GeoIP
+  geoip_account_id:
+    file: ${SECRETSDIR}/geoip_account_id
+  geoip_license_key:
+    file: ${SECRETSDIR}/geoip_license_key
+
+##############################################################################
+services:
+  # Use the embedded outpost (2021.8.1+) instead of the seperate Forward Auth / Proxy Provider container
+  server:
+    image: ghcr.io/goauthentik/server:latest
+    restart: unless-stopped
+    env_file: .server.env
+    environment:
+      - AUTHENTIK_REDIS__HOST=authentik_redis
+      - AUTHENTIK_POSTGRESQL__HOST=authentik_postgresql
+    command: server
+    user: ${PUID}:${PGID}
+    depends_on:
+      postgresql:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    networks:
+      socket_proxy: {}
+      authentik-net: {}
+      traefik-net:
+        aliases: ["authentik_server"]    # keep the same as forwardAuth address (hostname) in traefik middlewares "forwardAuth-authentik.yml"
+    secrets:
+      - authentik_postgresql_database
+      - authentik_postgresql_username
+      - authentik_postgresql_password
+      - authentik_secret_key
+    volumes:
+      - "${DATADIR}/appdata/media:/media"
+      - "${DATADIR}/appdata/custom-templates:/templates"
+      - "${DATADIR}/appdata/geoip/data:/geoip"
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      ## HTTP Routers
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)"
+      ## Individual Application forwardAuth regex (catch any subdomain using individual application forwardAuth)  
+      - "traefik.http.routers.${APPLICATION_NAME}-output-rtr.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAINNAME}`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      ## HTTP Services
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadBalancer.server.port=${WEBUI_PORT}"
+
+  worker:
+    image: ghcr.io/goauthentik/server:latest
+    restart: unless-stopped
+    env_file: .worker.env
+    environment:
+      - DOCKER_HOST=tcp://authentik_socket-proxy:2375 # Use this if you have Socket Proxy enabled.
+      - AUTHENTIK_REDIS__HOST=authentik_redis
+      - AUTHENTIK_POSTGRESQL__HOST=authentik_postgresql
+    user: ${PUID}:${PGID}
+    command: worker
+    depends_on:
+      postgresql:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    networks:
+      - authentik-net
+      - socket_proxy
+    secrets:
+      - authentik_postgresql_database
+      - authentik_postgresql_username
+      - authentik_postgresql_password
+      - authentik_secret_key
+      - smtp_username
+      - smtp_password
+    volumes:
+      - "${DATADIR}/appdata/media:/media"
+      - "${DATADIR}/appdata/custom-templates:/templates"
+      - "${DATADIR}/appdata/geoip/data:/geoip"
+      # - /var/run/docker.sock:/var/run/docker.sock # Uncomment if NOT using socket-proxy
+      #- "${DATADIR}/appdata/traefik/cert_export:/certs:ro" # If NOT using reverse proxy, manually map in certificates
+      
+  postgresql:
+    image: postgres:16-alpine
+    shm_size: 128mb # https://hub.docker.com/_/postgres
+    restart: unless-stopped
+    env_file: .postgresql.env
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    networks:
+      authentik-net:
+        aliases: ["authentik_postgresql"]
+    volumes:
+      - "${DATADIR}/pgdata:/var/lib/postgresql/data"
+    secrets:
+      - authentik_postgresql_database
+      - authentik_postgresql_username
+      # Generate the password with openssl rand 36 | base64 -w 0
+      - authentik_postgresql_password
+
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    networks:
+      authentik-net:
+        aliases: ["authentik_redis"]
+    volumes:
+      - "${DATADIR}/appdata/redis/data:/data"
+
+#  geoipupdate:
+#    image: ghcr.io/maxmind/geoipupdate:latest
+#    container_name: geoipupdate
+#    restart: unless-stopped
+#    user: ${PUID}:${PGID}
+#    volumes:
+#      - "${DATADIR}/appdata/geoip/data:/usr/share/GeoIP"
+#    networks:
+#      - authentik-net
+#    secrets:
+#      - geoip_account_id
+#      - geoip_license_key
+#    environment:
+#      - GEOIPUPDATE_EDITION_IDS
+#      - GEOIPUPDATE_FREQUENCY
+#      - GEOIPUPDATE_ACCOUNT_ID_FILE
+#      - GEOIPUPDATE_LICENSE_KEY_FILE
+#      - TZ
+
+  socket-proxy:
+    image: tecnativa/docker-socket-proxy:0.2.0 #0.1.2
+    restart: unless-stopped
+    env_file: .socket-proxy.env
+    security_opt:
+      - no-new-privileges=true
+    networks:
+      socket_proxy:
+        aliases: ["authentik_socket-proxy"]
+    privileged: true  # true for VM.  false for unprivileged LXC container.
+#    ports:
+#      - "127.0.0.1:2375:2375"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+  whoami:
+    image: traefik/whoami:latest
+#    container_name: whoami
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges=true
+    networks:
+      - traefik-net
+    environment:
+      - TZ
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      ## HTTP Routers
+      - "traefik.http.routers.whoami-rtr.rule=Host(`whoami.${DOMAINNAME}`)"
+
+  whoami-individual:
+    image: traefik/whoami:latest
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    depends_on:
+      - server
+      - worker
+    networks:
+      - traefik-net
+    environment:
+      - TZ
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      ## HTTP Routers
+      - "traefik.http.routers.whoami-individual-rtr.rule=Host(`whoami-individual.${DOMAINNAME}`)"
+      ## attach AUTHENTIK forwardauth middlewares to router; comment out if not using authentik
+      - "traefik.http.routers.whoami-individual-rtr.middlewares=forwardAuth-authentik@file"
+
+  whoami-catchall:
+    image: traefik/whoami:latest
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    depends_on:
+      - server
+      - worker
+    networks:
+      - traefik-net
+    environment:
+      - TZ
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      ## HTTP Routers
+      - "traefik.http.routers.whoami-catchall-rtr.rule=Host(`whoami-catchall.${DOMAINNAME}`)"
+      ## attach AUTHENTIK forwardauth middlewares to router; comment out if not using authentik
+      - "traefik.http.routers.whoami-catchall-rtr.middlewares=forwardAuth-authentik@file"
diff --git a/authentik/traefik-rules/forwardAuth-authentik.yml b/authentik/traefik-rules/forwardAuth-authentik.yml
new file mode 100644
index 0000000..6af7219
--- /dev/null
+++ b/authentik/traefik-rules/forwardAuth-authentik.yml
@@ -0,0 +1,30 @@
+################################################################
+# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
+# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
+# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
+#
+# Dynamic configuration
+################################################################
+http:
+  middlewares:
+    ################################################################
+    # Forward Authentication - OAUTH / 2FA
+    ################################################################
+    #
+    # https://github.com/goauthentik/authentik/issues/2366
+    forwardAuth-authentik:
+      forwardAuth:
+        address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-groups
+          - X-authentik-email
+          - X-authentik-name
+          - X-authentik-uid
+          - X-authentik-jwt
+          - X-authentik-meta-jwks
+          - X-authentik-meta-outpost
+          - X-authentik-meta-provider
+          - X-authentik-meta-app
+          - X-authentik-meta-version
\ No newline at end of file
diff --git a/authentik/try-this-out.txt b/authentik/try-this-out.txt
new file mode 100644
index 0000000..c6c4ac8
--- /dev/null
+++ b/authentik/try-this-out.txt
@@ -0,0 +1,47 @@
+# Seems this is for forward-auth only
+
+# https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_traefik
+#
+services:
+    traefik:
+        image: traefik:v3.0
+        container_name: traefik
+        volumes:
+            - /var/run/docker.sock:/var/run/docker.sock
+        ports:
+            - 80:80
+        command:
+            - "--api"
+            - "--providers.docker=true"
+            - "--providers.docker.exposedByDefault=false"
+            - "--entrypoints.web.address=:80"
+
+    authentik-proxy:
+        image: ghcr.io/goauthentik/proxy
+        ports:
+            - 9000:9000
+            - 9443:9443
+        environment:
+            AUTHENTIK_HOST: https://your-authentik.tld
+            AUTHENTIK_INSECURE: "false"
+            AUTHENTIK_TOKEN: token-generated-by-authentik
+            # Starting with 2021.9, you can optionally set this too
+            # when authentik_host for internal communication doesn't match the public URL
+            # AUTHENTIK_HOST_BROWSER: https://external-domain.tld
+        labels:
+            traefik.enable: true
+            traefik.port: 9000
+            traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)
+            # `authentik-proxy` refers to the service name in the compose file.
+            traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
+            traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
+            traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
+        restart: unless-stopped
+
+    whoami:
+        image: containous/whoami
+        labels:
+            traefik.enable: true
+            traefik.http.routers.whoami.rule: Host(`app.company`)
+            traefik.http.routers.whoami.middlewares: authentik@docker
+        restart: unless-stopped
\ No newline at end of file
diff --git a/calibre/calibre_jm.txt b/calibre/calibre_jm.txt
new file mode 100644
index 0000000..a9160dc
--- /dev/null
+++ b/calibre/calibre_jm.txt
@@ -0,0 +1,61 @@
+# https://github.com/linuxserver/docker-calibre/pkgs/container/calibre
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: calibre
+Username: calibre
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+calibre UID: 3032
+calibre GID: 3031
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*calibre"
+# create following datasets if not present
+zfs create SSD1/docker/data/calibre
+zfs create SSD1/docker/data/calibre/config
+chown -R calibre:calibre /mnt/SSD1/docker/data/calibre
+
+Create folders
+--------------
+mkdir -p /mnt/SSD1/docker/stacks/calibre/secrets
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in calibre folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/calibre/
+
+Create secrets
+--------------
+cd /mnt/SSD1/docker/stacks/calibre/secrets
+echo -n 'your_calibre_password' > /mnt/SSD1/docker/stacks/calibre/secrets/calibre_password
+chown -R calibre:calibre /mnt/SSD1/docker/stacks/calibre/secrets
+chmod -R 400 /mnt/SSD1/docker/stacks/calibre/secrets
+
+Migrating data from old calibre (source) to newly installed one (target)
+------------------------------------------------------------------------
+# stop old/source calibre media server
+heavyscript app --stop calibre
+# verify on Truenas -> Apps that calibre has stopped
+# stop new/target calibre media server (if it was started)
+# on Dockge, select calibre and click stop
+# copy the source to target folder:
+cp -pr /mnt/stpool1/apps/calibre/. /mnt/SSD1/docker/data/calibre/config/
+chown -R calibre:calibre /mnt/SSD1/docker/data/calibre/config
+
+
+
+
+
diff --git a/calibre/stacks/.calibre.env b/calibre/stacks/.calibre.env
new file mode 100644
index 0000000..2b311cc
--- /dev/null
+++ b/calibre/stacks/.calibre.env
@@ -0,0 +1,18 @@
+
+PUID=${PUID}
+PGID=${MEDIA_GID}  # we assign media gid to process gid to enable to access media folders
+TZ=${TZ}
+CUSTOM_USER=admin
+FILE__PASSWORD=/run/secrets/calibre_password
+CLI_ARGS=
+
+CUSTOM_PORT=8080
+CUSTOM_HTTPS_PORT=8181
+SUBFOLDER=
+TITLE="Calibre"
+FM_HOME="/config"
+START_DOCKER=
+DRINODE=
+LC_ALL=
+NO_DECOR=
+NO_FULL=
diff --git a/calibre/stacks/.env b/calibre/stacks/.env
new file mode 100644
index 0000000..58c27c6
--- /dev/null
+++ b/calibre/stacks/.env
@@ -0,0 +1,21 @@
+
+APPLICATION_NAME=calibre
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOCKERDIR=/mnt/SSD1/docker/
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+CT_DOWNLOADS=/Downloads
+CT_MEDIA=/Media
+DOMAINNAME=sthome.org
+
+
+PUID=3032
+PGID=3031 
+MEDIA_GID=3017
+
+TZ=Africa/Johannesburg
+
+WEBUI_PORT=8080
+WEBUI_SECPORT=8181
diff --git a/calibre/stacks/compose.yml b/calibre/stacks/compose.yml
new file mode 100644
index 0000000..eea0bcf
--- /dev/null
+++ b/calibre/stacks/compose.yml
@@ -0,0 +1,63 @@
+name: calibre
+
+secrets:
+  calibre_password:
+    file: ${SECRETSDIR}/calibre_password
+
+networks:
+  traefik-net:
+    external: true
+
+services:
+  calibre:
+    image: lscr.io/linuxserver/calibre:latest
+    env_file: .calibre.env
+    hostname: calibre
+    group_add:
+      - "${PGID}" 
+    security_opt:
+      - seccomp:unconfined #optional
+    networks:
+      - traefik-net
+    volumes:
+      - "${DATADIR}/config:/config"
+      - "${MEDIADIR}/Books:/Books"
+    restart: unless-stopped
+    secrets:
+      - calibre_password
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # http middlewares
+      # ---------------------------
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+      ## attach AUTHENTIK forwardauth middlewares to router; comment out if not using authentik
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=forwardAuth-authentik@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/certbot/stacks/compose.yml b/certbot/stacks/compose.yml
new file mode 100644
index 0000000..87803f3
--- /dev/null
+++ b/certbot/stacks/compose.yml
@@ -0,0 +1,11 @@
+services:
+  certbot:
+    stdin_open: true
+    tty: true
+    container_name: certbot
+    volumes:
+      - /etc/letsencrypt:/etc/letsencrypt
+      - /var/lib/letsencrypt:/var/lib/letsencrypt
+    image: certbot/certbot
+    command: certonly
+networks: {}
diff --git a/cloudflareddns/cloudflareddns_jm.txt b/cloudflareddns/cloudflareddns_jm.txt
new file mode 100644
index 0000000..365bf10
--- /dev/null
+++ b/cloudflareddns/cloudflareddns_jm.txt
@@ -0,0 +1,71 @@
+# https://hotio.dev/containers/cloudflareddns/
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: cloudflareddns
+Username: cfddns
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+cfddns UID: 3033
+cfddns GID: 3032
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*cloudflareddns"
+# create following dataset if not present
+zfs create SSD1/docker/data/cloudflareddns/config
+chown -R cfddns:cfddns /mnt/SSD1/docker/data/cloudflareddns
+
+Create folders
+--------------
+mkdir -p /mnt/SSD1/docker/stacks/cloudflareddns/secrets
+
+Create secrets (unfortunately, cloudflareddns doesn't support secrets, so apply the secret values in the .env file)
+-------------------------------------------------------------------------------------------------------------------
+cd /mnt/SSD1/docker/stacks/cloudflareddns/secrets
+echo -n 'your_cf_email' > /mnt/SSD1/docker/stacks/cloudflareddns/secrets/cloudflareddns_cf_user
+# it is assumed that your api token has all zones in scope:
+# we use a scoped api token: 
+echo -n 'your_cf_api_token' > /mnt/SSD1/docker/stacks/cloudflareddns/secrets/cloudflareddns_cf_api_token
+# create secret by concatenating hosts/domains in scope; separate with semicolons (as per hotio guide)
+echo -n 'your_cf_1st_host;your_cf_2nd_host' > /mnt/SSD1/docker/stacks/cloudflareddns/secrets/cloudflareddns_cf_hosts
+# create secret by concatenating zone ids; separate with semicolons 
+echo -n 'your_cf_1st_zone_id;your_cf_2nd_zone_id' > /mnt/SSD1/docker/stacks/cloudflareddns/secrets/cloudflareddns_cf_zones
+
+# restrict access
+cd /mnt/SSD1/docker/stacks/cloudflareddns
+chown -R cfddns:cfddns secrets/
+chmod -R 400 secrets/
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in cloudflareddns folder, enter:
+./cp2nas 192.168.2.2
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/cloudflareddns/
+# This should copy stacks folder to /mnt/SSD1/docker/stacks/cloudflareddns
+
+Migrating data from old cloudflareddns media server (source) to newly installed one (target)
+----------------------------------------------------------------------------------
+# Stop old/source cloudflareddns media server
+heavyscript app --stop cloudflareddns
+# Stop new/target cloudflareddns media server
+# On Dockge, select cloudflareddns and click stop
+# Copy the source config to target folder:
+cp -vpr /mnt/stpool1/apps/cloudflareddns/* /mnt/SSD1/docker/data/cloudflareddns/config/
+chown -R cfddns:cfddns /mnt/SSD1/docker/data/cloudflareddns/config
+chmod -R 600 /mnt/SSD1/docker/data/cloudflareddns/config/
+
+
+
+
+
diff --git a/cloudflareddns/stacks/.cloudflareddns.env b/cloudflareddns/stacks/.cloudflareddns.env
new file mode 100644
index 0000000..a2270dc
--- /dev/null
+++ b/cloudflareddns/stacks/.cloudflareddns.env
@@ -0,0 +1,25 @@
+#
+# environment variables for cloudflareddns
+# 
+ 
+PUID=3033
+PGID=3032
+UMASK=002
+TZ=Africa/Johannesburg
+INTERVAL=300
+DETECTION_MODE=dig-whoami.cloudflare
+LOG_LEVEL=3
+CF_APIKEY=
+CF_APITOKEN_ZONE=
+CF_RECORDTYPES=A;A
+
+# cloudflareddns doesn't support secrets
+#CF_USER_FILE=${CFDDNS_CF_USER_FILE}
+#CF_APITOKEN_FILE=${CFDDNS_CF_API_TOKEN_FILE}
+#CF_HOSTS_FILE=${CFDDNS_CF_HOSTS_FILE}
+#CF_ZONES_FILE=${CFDDNS_CF_ZONES_FILE}
+
+CF_USER=${CFDDNS_CF_USER}
+CF_APITOKEN=${CFDDNS_CF_API_TOKEN}
+CF_HOSTS=${CFDDNS_CF_HOSTS}
+CF_ZONES=${CFDDNS_CF_ZONES}
diff --git a/cloudflareddns/stacks/.env b/cloudflareddns/stacks/.env
new file mode 100644
index 0000000..71af963
--- /dev/null
+++ b/cloudflareddns/stacks/.env
@@ -0,0 +1,26 @@
+#
+# values to be used for substitution by docker compose in compose.yml AND .*.env files
+#
+
+APPLICATION_NAME=cloudflareddns
+DOCKERDIR=/mnt/SSD1/docker/
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+DOMAINNAME=sthome.org
+
+# secrets
+#CFDDNS_CF_USER_FILE=/run/secrets/cloudflareddns_cf_user
+#CFDDNS_CF_API_TOKEN_FILE=/run/secrets/cloudflareddns_cf_api_token
+#CFDDNS_CF_HOSTS_FILE=/run/secrets/cloudflareddns_cf_hosts
+#CFDDNS_CF_ZONES_FILE=/run/secrets/cloudflareddns_cf_zones
+
+# cloudflareddns doesn't support secrets, so we have to put it in the clear
+CFDDNS_CF_USER=stuurmcp@telkomsa.net
+CFDDNS_CF_API_TOKEN=cUB02hE0GYC5VnydAHSbPckRrIZ0eN3pJKoCgnIb
+CFDDNS_CF_HOSTS=sthome.org;stokvis.co.za
+CFDDNS_CF_ZONES=d4d41ece44b6eea658b4638b41c4b425;2d4f09713fb66fd7e03eea62d1474b98
+
+
+
diff --git a/cloudflareddns/stacks/compose.yml b/cloudflareddns/stacks/compose.yml
new file mode 100644
index 0000000..bc2234e
--- /dev/null
+++ b/cloudflareddns/stacks/compose.yml
@@ -0,0 +1,33 @@
+# cloudflareddns doesn't support secrets
+#secrets:
+#  cloudflareddns_cf_user:
+#    file: ${SECRETSDIR}/cloudflareddns_cf_user
+#  cloudflareddns_cf_api_token:
+#    file: ${SECRETSDIR}/cloudflareddns_cf_api_token
+#  cloudflareddns_cf_hosts:
+#    file: ${SECRETSDIR}/cloudflareddns_cf_hosts
+#  cloudflareddns_cf_zones:
+#    file: ${SECRETSDIR}/cloudflareddns_cf_zones
+    
+networks:
+  traefik-net:
+    external: true
+    
+services:
+  cloudflareddns:
+    image: ghcr.io/hotio/cloudflareddns
+    container_name: "${APPLICATION_NAME}"
+    networks:
+      - traefik-net
+    env_file: .cloudflareddns.env
+# cloudflareddns doesn't support secrets
+#    secrets:
+#      - cloudflareddns_cf_user
+#      - cloudflareddns_cf_api_token
+#      - cloudflareddns_cf_hosts
+#      - cloudflareddns_cf_zones
+    volumes:
+      - ${DATADIR}/config:/config
+    restart: unless-stopped
+
+
diff --git a/collabora/collabora_jm.txt b/collabora/collabora_jm.txt
new file mode 100644
index 0000000..9dd415f
--- /dev/null
+++ b/collabora/collabora_jm.txt
@@ -0,0 +1,60 @@
+# https://github.com/CollaboraOnline/online
+# https://sdk.collaboraonline.com/docs/installation/CODE_Docker_image.html
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: collabor
+Username: collabor
+Disable Password: <select>
+Email: <leave blank>
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+collabor UID: 3034
+collabor GID: 3033
+
+Once off
+--------
+# if not done already: 
+# add mapping for media: follow steps in "add mapping for media.txt"
+# set ACL permissions for media in "set ACL permissions for media.txt"
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*collabora"
+# create following datasets if not present
+zfs create SSD1/docker/data/collabora
+zfs create SSD1/docker/data/collabora/config
+chown -R collabor:collabor /mnt/SSD1/docker/data/collabora
+
+Create folders
+--------------
+mkdir -p /mnt/SSD1/docker/stacks/collabora/secrets
+
+Create secrets (collabora does not support docker secrets, so you can skip this section)
+--------------
+cd /mnt/SSD1/docker/stacks/collabora/secrets
+echo -n 'your_collabora_username' > /mnt/SSD1/docker/stacks/collabora/secrets/collabora_username
+echo -n 'your_collabora_password' > /mnt/SSD1/docker/stacks/collabora/secrets/collabora_password
+chown -R collabor:collabor /mnt/SSD1/docker/stacks/collabora/secrets
+chmod -R 400 /mnt/SSD1/docker/stacks/collabora/secrets
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in collabora folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/collabora/
+
+Admin console
+-------------
+https://collabora.<domainame>/browser/dist/admin/admin.html
+
+
+
diff --git a/collabora/coolwsd.xml b/collabora/coolwsd.xml
new file mode 100644
index 0000000..212aa33
--- /dev/null
+++ b/collabora/coolwsd.xml
@@ -0,0 +1,350 @@
+<!-- -*- nxml-child-indent: 4; tab-width: 4; indent-tabs-mode: nil -*- -->
+<config>
+
+    <!-- For more detailed documentation on typical configuration options please see:
+         https://sdk.collaboraonline.com/docs/installation/Configuration.html -->
+
+    <!-- Note: 'default' attributes are used to document a setting's default value as well as to use as fallback. -->
+    <!-- Note: When adding a new entry, a default must be set in WSD in case the entry is missing upon deployment. -->
+
+    <accessibility desc="Accessibility settings">
+        <enable type="bool" desc="Controls whether accessibility support should be enabled or not." default="false">false</enable>
+    </accessibility>
+
+    <allowed_languages desc="List of supported languages of Writing Aids (spell checker, grammar checker, thesaurus, hyphenation) on this instance. Allowing too many has negative effect on startup performance." default="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru">de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru</allowed_languages>
+
+    <!--
+        These are the settings of external (remote) spellchecker and grammar checker services. Currently LanguageTool and Duden Korrekturserver APIs are supported, you can
+        set either of them. By default they are disabled. To turn the support on, please set "enabled" property to true. It works with self hosted or cloud services, free
+        and premium as well. The "base_url" may be https://api.languagetoolplus.com/v2 if the cloud version of LanguageTool is used. Please note that your data in the
+        document e.g. the text part of it will be sent to the cloud API. Please read the respective privacy policies, e.g. https://languagetool.org/legal/privacy.
+    -->
+    <languagetool desc="Remote API settings for spell and grammar checking">
+        <enabled desc="Enable Remote Spell and Grammar Checker" type="bool" default="false"></enabled>
+        <base_url desc="HTTP endpoint for the API server, without /check or /languages postfix at the end." type="string" default=""></base_url>
+        <user_name desc="LanguageTool or Duden account username for premium usage." type="string" default=""></user_name>
+        <api_key desc="API key provided by LanguageTool or Duden account for premium usage." type="string" default=""></api_key>
+        <ssl_verification desc="Enable or disable SSL verification. You may have to disable it in test environments with self-signed certificates." type="string" default="true"></ssl_verification>
+        <rest_protocol desc="REST API protocol. For LanguageTool leave it blank, for Duden Korrekturserver use the string 'duden'." type="string" default=""></rest_protocol>
+    </languagetool>
+
+    <deepl desc="DeepL API settings for translation service">
+        <enabled desc="If true, shows translate option as a menu entry in the compact view and as an icon in the tabbed view." type="bool" default="false">false</enabled>
+        <api_url desc="URL for the API" type="string" default=""></api_url>
+        <auth_key desc="Auth Key generated by your account" type="string" default=""></auth_key>
+    </deepl>
+
+    <sys_template_path desc="Path to a template tree with shared libraries etc to be used as source for chroot jails for child processes." type="path" relative="true" default="systemplate"></sys_template_path>
+    <child_root_path desc="Path to the directory under which the chroot jails for the child processes will be created. Should be on the same file system as systemplate and lotemplate. Must be an empty directory." type="path" relative="true" default="jails"></child_root_path>
+    <mount_jail_tree desc="Controls whether the systemplate and lotemplate contents are mounted or not, which is much faster than the default of linking/copying each file." type="bool" default="true"></mount_jail_tree>
+    <mount_namespaces desc="Use mount namespaces instead of coolmount." type="bool" default="true"></mount_namespaces>
+
+    <server_name desc="External hostname:port of the server running coolwsd. If empty, it's derived from the request (please set it if this doesn't work). May be specified when behind a reverse-proxy or when the hostname is not reachable directly." type="string" default=""></server_name>
+    <file_server_root_path desc="Path to the directory that should be considered root for the file server. This should be the directory containing cool." type="path" relative="true" default="browser/../"></file_server_root_path>
+    <hexify_embedded_urls desc="Enable to protect encoded URLs from getting decoded by intermediate hops. Particularly useful on Azure deployments" type="bool" default="false"></hexify_embedded_urls>
+    <experimental_features desc="Enable/Disable experimental features" type="bool" default="true">true</experimental_features>
+
+    <memproportion desc="The maximum percentage of available memory consumed by all of the Collabora Online Development Edition processes, after which we start cleaning up idle documents. If cgroup memory limits are set, this is the maximum percentage of that limit to consume." type="double" default="80.0"></memproportion>
+    <num_prespawn_children desc="Number of child processes to keep started in advance and waiting for new clients." type="uint" default="4">4</num_prespawn_children>
+    <!-- <fetch_update_check desc="Every number of hours will fetch latest version data. Defaults to 10 hours." type="uint" default="10">10</fetch_update_check> -->
+    <!-- <allow_update_popup desc="Allows notification about an update in the editor" type="bool" default="true">true</allow_update_popup> -->
+    <per_document desc="Document-specific settings, including LO Core settings.">
+        <max_concurrency desc="The maximum number of threads to use while processing a document." type="uint" default="4">4</max_concurrency>
+        <batch_priority desc="A (lower) priority for use by batch eg. convert-to processes to avoid starving interactive ones" type="uint" default="5">5</batch_priority>
+        <bgsave_priority desc="A (lower) priority for use by background save processes to free time for interactive ones" type="uint" default="5">5</bgsave_priority>
+        <redlining_as_comments desc="If true show red-lines as comments" type="bool" default="false">false</redlining_as_comments>
+        <pdf_resolution_dpi desc="The resolution, in DPI, used to render PDF documents as image. Memory consumption grows proportionally. Must be a positive value less than 385. Defaults to 96." type="uint" default="96">96</pdf_resolution_dpi>
+        <idle_timeout_secs desc="The maximum number of seconds before unloading an idle document. Defaults to 1 hour." type="uint" default="3600">3600</idle_timeout_secs>
+        <idlesave_duration_secs desc="The number of idle seconds after which document, if modified, should be saved. Disabled when 0. Defaults to 30 seconds." type="uint" default="30">30</idlesave_duration_secs>
+        <autosave_duration_secs desc="The number of seconds after which document, if modified, should be saved. Disabled when 0. Defaults to 5 minutes." type="uint" default="300">300</autosave_duration_secs>
+        <background_autosave desc="Allow auto-saves to occur in a forked background process where possible." type="bool" default="true">true</background_autosave>
+        <background_manualsave desc="Allow manual save to occur in a forked background process where possible" type="bool" default="true">true</background_manualsave>
+        <always_save_on_exit desc="On exiting the last editor, always perform a save and upload if the document had been modified. This is to allow the storage to store the document, if it had skipped doing so, previously, as an optimization." type="bool" default="false">false</always_save_on_exit>
+        <limit_virt_mem_mb desc="The maximum virtual memory allowed to each document process. 0 for unlimited." type="uint">0</limit_virt_mem_mb>
+        <limit_stack_mem_kb desc="The maximum stack size allowed to each document process. 0 for unlimited." type="uint">8000</limit_stack_mem_kb>
+        <limit_file_size_mb desc="The maximum file size allowed to each document process to write. 0 for unlimited." type="uint">0</limit_file_size_mb>
+        <limit_num_open_files desc="The maximum number of files allowed to each document process to open. 0 for unlimited." type="uint">0</limit_num_open_files>
+        <limit_load_secs desc="Maximum number of seconds to wait for a document load to succeed. 0 for unlimited." type="uint" default="100">100</limit_load_secs>
+        <limit_store_failures desc="Maximum number of consecutive save-and-upload to storage failures when unloading the document. 0 for unlimited (not recommended)." type="uint" default="5">5</limit_store_failures>
+        <limit_convert_secs desc="Maximum number of seconds to wait for a document conversion to succeed. 0 for unlimited." type="uint" default="100">100</limit_convert_secs>
+        <min_time_between_saves_ms desc="Minimum number of milliseconds between saving the document on disk." type="uint" default="500">500</min_time_between_saves_ms>
+        <min_time_between_uploads_ms desc="Minimum number of milliseconds between uploading the document to storage." type="uint" default="5000">5000</min_time_between_uploads_ms>
+        <cleanup desc="Checks for resource consuming (bad) documents and kills associated kit process. A document is considered resource consuming (bad) if is in idle state for idle_time_secs period and memory usage passed limit_dirty_mem_mb or CPU usage passed limit_cpu_per" enable="true">
+            <cleanup_interval_ms desc="Interval between two checks" type="uint" default="10000">10000</cleanup_interval_ms>
+            <bad_behavior_period_secs desc="Minimum time period for a document to be in bad state before associated kit process is killed. If in this period the condition for bad document is not met once then this period is reset" type="uint" default="60">60</bad_behavior_period_secs>
+            <idle_time_secs desc="Minimum idle time for a document to be candidate for bad state" type="uint" default="300">300</idle_time_secs>
+            <limit_dirty_mem_mb desc="Minimum memory usage for a document to be candidate for bad state" type="uint" default="3072">3072</limit_dirty_mem_mb>
+            <limit_cpu_per desc="Minimum CPU usage for a document to be candidate for bad state" type="uint" default="85">85</limit_cpu_per>
+            <lost_kit_grace_period_secs desc="The minimum grace period for a lost kit process (not referenced by coolwsd) to resolve its lost status before it is terminated. To disable the cleanup of lost kits use value 0" default="120">120</lost_kit_grace_period_secs>
+        </cleanup>
+    </per_document>
+
+    <per_view desc="View-specific settings.">
+        <out_of_focus_timeout_secs desc="The maximum number of seconds before dimming and stopping updates when the browser tab is no longer in focus. Defaults to 300 seconds." type="uint" default="300">300</out_of_focus_timeout_secs>
+        <idle_timeout_secs desc="The maximum number of seconds before dimming and stopping updates when the user is no longer active (even if the browser is in focus). Defaults to 15 minutes." type="uint" default="900">900</idle_timeout_secs>
+        <custom_os_info desc="Custom string shown as OS version in About dialog, get from system if empty." type="string" default=""></custom_os_info>
+    </per_view>
+
+    <ver_suffix desc="Appended to etags to allow easy refresh of changed files during development" type="string" default=""></ver_suffix>
+
+    <logging>
+        <color type="bool">true</color>
+        <!--
+             Note to developers: When you do "make run", the logging.level will be set on the
+             coolwsd command line, so if you want to change it for your testing, do it in
+             Makefile.am, not here.
+        -->
+        <level type="string" desc="Can be 0-8 (with the lowest numbers being the least verbose), or none (turns off logging), fatal, critical, error, warning, notice, information, debug, trace" default="warning">warning</level>
+        <level_startup type="string" desc="As for level - but for the initial startup phase which is most problematic, logging reverts to level configured above when startup is complete" default="trace">trace</level_startup>
+        <disabled_areas type="string" desc="High verbosity logging ie. info to trace are disable-able, comma separated: Generic, Pixel, Socket, WebSocket, Http, WebServer, Storage, WOPI, Admin, Javascript" default="Socket,WebSocket,Admin">Socket,WebSocket,Admin,Pixel</disabled_areas>
+        <most_verbose_level_settable_from_client type="string" desc="A loggingleveloverride message from the client can not set a more verbose log level than this" default="notice">notice</most_verbose_level_settable_from_client>
+        <least_verbose_level_settable_from_client type="string" desc="A loggingleveloverride message from a client can not set a less verbose log level than this" default="fatal">fatal</least_verbose_level_settable_from_client>
+        <protocol type="bool" desc="Enable minimal client-site JS protocol logging from the start">false</protocol>
+        <!-- lokit_sal_log example: Log WebDAV-related messages, that is interesting for debugging Insert - Image operation: "+TIMESTAMP+INFO.ucb.ucp.webdav+WARN.ucb.ucp.webdav"
+             See also: https://docs.libreoffice.org/sal/html/sal_log.html -->
+        <lokit_sal_log type="string" desc="Fine tune log messages from LOKit. Default is to suppress log messages from LOKit." default="-INFO-WARN">-INFO-WARN</lokit_sal_log>
+        <file enable="false">
+            <!-- If you use other path than /var/log and you run coolwsd from systemd, make sure that you enable that path in coolwsd.service (ReadWritePaths). -->
+            <property name="path" desc="Log file path.">/var/log/coolwsd.log</property>
+            <property name="rotation" desc="Log file rotation strategy. See Poco FileChannel.">never</property>
+            <property name="archive" desc="Append either timestamp or number to the archived log filename.">timestamp</property>
+            <property name="compress" desc="Enable/disable log file compression.">true</property>
+            <property name="purgeAge" desc="The maximum age of log files to preserve. See Poco FileChannel.">10 days</property>
+            <property name="purgeCount" desc="The maximum number of log archives to preserve. Use 'none' to disable purging. See Poco FileChannel.">10</property>
+            <property name="rotateOnOpen" desc="Enable/disable log file rotation on opening.">true</property>
+            <property name="flush" desc="Enable/disable flushing after logging each line. May harm performance. Note that without flushing after each line, the log lines from the different processes will not appear in chronological order.">false</property>
+        </file>
+        <anonymize>
+            <anonymize_user_data type="bool" desc="Enable to anonymize/obfuscate of user-data in logs. If default is true, it was forced at compile-time and cannot be disabled." default="false">false</anonymize_user_data>
+            <anonymization_salt type="uint" desc="The salt used to anonymize/obfuscate user-data in logs. Use a secret 64-bit random number." default="82589933">82589933</anonymization_salt>
+        </anonymize>
+        <docstats type="bool" desc="Enable to see document handling information in logs." default="false">false</docstats>
+        <userstats desc="Enable user stats. i.e: logs the details of a file and user" type="bool" default="false">false</userstats>
+        <disable_server_audit type="bool" desc="Disabled server audit dialog and notification. Admin will no longer see warnings in the application user interface. This doesn't affect log file." default="false">false</disable_server_audit>
+    </logging>
+
+    <!--
+         Note to developers: When you do "make run", the trace_event[@enable] will be set on the
+         coolwsd command line, so if you want to change it for your testing, do it in Makefile.am,
+         not here.
+    -->
+    <trace_event desc="The possibility to turn on generation of a Chrome Trace Event file" enable="false">
+        <path desc="Output path for the Trace Event file, to which they will be written if turned on at run-time" type="string" default="/var/log/coolwsd.trace.json">/var/log/coolwsd.trace.json</path>
+    </trace_event>
+
+    <browser_logging desc="Logging in the browser console" default="false">false</browser_logging>
+
+    <trace desc="Dump commands and notifications for replay. When 'snapshot' is true, the source file is copied to the path first." enable="false">
+        <path desc="Output path to hold trace file and docs. Use '%' for timestamp to avoid overwriting. For example: /some/path/to/cooltrace-%.gz" compress="true" snapshot="false"></path>
+        <filter>
+            <message desc="Regex pattern of messages to exclude"></message>
+        </filter>
+        <outgoing>
+            <record desc="Whether or not to record outgoing messages" default="false">false</record>
+        </outgoing>
+    </trace>
+
+    <net desc="Network settings">
+      <!-- On systems where localhost resolves to IPv6 [::1] address first, when net.proto is all and net.listen is loopback, coolwsd unexpectedly listens on [::1] only.
+           You need to change net.proto to IPv4, if you want to use 127.0.0.1. -->
+      <proto type="string" default="all" desc="Protocol to use IPv4, IPv6 or all for both">all</proto>
+      <listen type="string" default="any" desc="Listen address that coolwsd binds to. Can be 'any' or 'loopback'.">any</listen>
+      <!-- this allows you to shift all of our URLs into a sub-path from
+           https://my.com/browser/a123... to https://my.com/my/sub/path/browser/a123... -->
+      <service_root type="path" default="" desc="Prefix all the pages, websockets, etc. with this path."></service_root>
+      <post_allow desc="Allow/deny client IP address for POST(REST)." allow="true">
+        <host desc="The IPv4 private 192.168 block as plain IPv4 dotted decimal addresses.">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="The IPv4 loopback (localhost) address.">127\.0\.0\.1</host>
+        <host desc="Ditto, but as IPv4-mapped IPv6 address">::ffff:127\.0\.0\.1</host>
+        <host desc="The IPv6 loopback (localhost) address.">::1</host>
+        <host desc="The IPv4 private 172.16.0.0/12 subnet part 1.">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="The IPv4 private 172.16.0.0/12 subnet part 2.">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="The IPv4 private 172.16.0.0/12 subnet part 3.">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="The IPv4 private 10.0.0.0/8 subnet (Podman).">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
+      </post_allow>
+      <lok_allow desc="Allowed hosts as an external data source inside edited files. All allowed post_allow.host and storage.wopi entries are also considered to be allowed as a data source. Used for example in: PostMessage Action_InsertGraphics, =WEBSERVICE() function, external reference in the cell.">
+        <host desc="The IPv4 private 192.168 block as plain IPv4 dotted decimal addresses.">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="The IPv4 loopback (localhost) address.">127\.0\.0\.1</host>
+        <host desc="Ditto, but as IPv4-mapped IPv6 address">::ffff:127\.0\.0\.1</host>
+        <host desc="The IPv6 loopback (localhost) address.">::1</host>
+        <host desc="The IPv4 private 172.16.0.0/12 subnet part 1.">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="The IPv4 private 172.16.0.0/12 subnet part 2.">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="The IPv4 private 172.16.0.0/12 subnet part 3.">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="The IPv4 private 10.0.0.0/8 subnet (Podman).">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
+        <host desc="Localhost access by name">localhost</host>
+      </lok_allow>
+      <content_security_policy desc="Customize the CSP header by specifying one or more policy-directive, separated by semicolons. See w3.org/TR/CSP2"></content_security_policy>
+      <frame_ancestors desc="OBSOLETE: Use content_security_policy. Specify who is allowed to embed the Collabora Online iframe (coolwsd and WOPI host are always allowed). Separate multiple hosts by space."></frame_ancestors>
+      <connection_timeout_secs desc="Specifies the connection, send, recv timeout in seconds for connections initiated by coolwsd (such as WOPI connections)." type="int" default="30"></connection_timeout_secs>
+
+      <!-- this setting radically changes how online works, it should not be used in a production environment -->
+      <proxy_prefix type="bool" default="false" desc="Enable a ProxyPrefix to be passed int through which to redirect requests"></proxy_prefix>
+    </net>
+
+    <ssl desc="SSL settings">
+        <!-- switches from https:// + wss:// to http:// + ws:// -->
+        <enable type="bool" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">true</enable>
+        <!-- SSL off-load can be done in a proxy, if so disable SSL, and enable termination below in production -->
+        <termination desc="Connection via proxy where coolwsd acts as working via https, but actually uses http." type="bool" default="true">false</termination>
+        <cert_file_path desc="Path to the cert file" relative="false">/etc/coolwsd/cert.pem</cert_file_path>
+        <key_file_path desc="Path to the key file" relative="false">/etc/coolwsd/key.pem</key_file_path>
+        <ca_file_path desc="Path to the ca file" relative="false">/etc/coolwsd/ca-chain.cert.pem</ca_file_path>
+        <ssl_verification desc="Enable or disable SSL verification of hosts remote to coolwsd. If true SSL verification will be strict, otherwise certs of hosts will not be verified. You may have to disable it in test environments with self-signed certificates." type="string" default="false">false</ssl_verification>
+        <cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
+        <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
+            <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
+            <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri>
+            <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
+            <pin></pin>
+            </pins>
+        </hpkp>
+        <sts desc="Strict-Transport-Security settings, per rfc6797. Subdomains are always included.">
+            <enabled desc="Whether or not Strict-Transport-Security is enabled. Enable only when ready for production. Cannot be disabled without resetting the browsers." type="bool" default="false">false</enabled>
+            <max_age desc="Strict-Transport-Security max-age directive, in seconds. 0 is allowed; please see rfc6797 for details. Defaults to 1 year." type="int" default="31536000">31536000</max_age>
+        </sts>
+    </ssl>
+
+    <security desc="Altering these defaults potentially opens you to significant risk">
+      <seccomp desc="Should we use the seccomp system call filtering." type="bool" default="true">true</seccomp>
+
+      <!-- deprecated: If capabilities is 'false', coolwsd will assume mount_namespaces of 'true' to achieve
+           this goal, only avoiding chroot for process isolation if linux namespaces are unavailable -->
+      <capabilities desc="Should we require capabilities to isolate processes into chroot jails" type="bool" default="true">true</capabilities>
+
+      <jwt_expiry_secs desc="Time in seconds before the Admin Console's JWT token expires" type="int" default="1800">1800</jwt_expiry_secs>
+      <enable_macros_execution desc="Specifies whether the macro execution is enabled in general. This will enable Basic and Python scripts to execute both installed and from documents. If it is set to false, the macro_security_level is ignored. If it is set to true, the mentioned entry specified the level of macro security." type="bool" default="false">false</enable_macros_execution>
+      <macro_security_level desc="Level of Macro security. 1 (Medium) Confirmation required before executing macros from untrusted sources. 0 (Low, not recommended) All macros will be executed without confirmation." type="int" default="1">1</macro_security_level>
+      <enable_websocket_urp desc="Should we enable URP (UNO remote protocol) communication over the websocket. This allows full control of the Kit child server to anyone with access to the websocket including executing macros without confirmation or running arbitrary shell commands in the jail." type="bool" default="false">false</enable_websocket_urp>
+      <enable_metrics_unauthenticated desc="When enabled, the /cool/getMetrics endpoint will not require authentication." type="bool" default="false">false</enable_metrics_unauthenticated>
+    </security>
+
+    <certificates>
+      <database_path type="string" desc="Path to the NSS certificates that are used for signing documents" default=""></database_path>
+    </certificates>
+
+    <watermark>
+      <opacity desc="Opacity of on-screen watermark from 0.0 to 1.0" type="double" default="0.2"></opacity>
+      <text desc="Watermark text to be displayed on the document if entered" type="string"></text>
+    </watermark>
+
+
+    <user_interface>
+      <mode type="string" desc="Controls the user interface style. The 'default' means: Take the value from ui_defaults, or decide for one of compact or tabbed (default|compact|tabbed)" default="default">default</mode>
+      <use_integration_theme desc="Use theme from the integrator" type="bool" default="true">true</use_integration_theme>
+    </user_interface>
+
+    <storage desc="Backend storage">
+        <filesystem allow="false" />
+        <wopi desc="Allow/deny wopi storage." allow="true">
+            <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
+            <locking desc="Locking settings">
+                <refresh desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int" default="900">900</refresh>
+            </locking>
+
+            <alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="first">
+            <!-- If you need to use multiple wopi hosts, please change the mode to "groups" and
+                    add the hosts below.  If one host is accessible under multiple ip addresses
+                    or names, add them as aliases. -->
+            <!--<group>
+                    <host desc="hostname to allow or deny." allow="true">scheme://hostname:port</host>
+                    <alias desc="regex pattern of aliasname">scheme://aliasname1:port</alias>
+                    <alias desc="regex pattern of aliasname">scheme://aliasname2:port</alias>
+
+            </group>-->
+            <!-- More "group"s possible here -->
+            </alias_groups>
+
+            <is_legacy_server desc="Set to true for legacy server that need deprecated headers." type="bool" default="false"></is_legacy_server>
+        </wopi>
+        <ssl desc="SSL settings">
+            <as_scheme type="bool" default="true" desc="When set we exclusively use the WOPI URI's scheme to enable SSL for storage">true</as_scheme>
+            <enable type="bool" desc="If as_scheme is false or not set, this can be set to force SSL encryption between storage and coolwsd. When empty this defaults to following the ssl.enable setting"></enable>
+            <cert_file_path desc="Path to the cert file. When empty this defaults to following the ssl.cert_file_path setting" relative="false"></cert_file_path>
+            <key_file_path desc="Path to the key file. When empty this defaults to following the ssl.key_file_path settinge" relative="false"></key_file_path>
+            <ca_file_path desc="Path to the ca file. When empty this defaults to following the ssl.ca_file_path setting" relative="false"></ca_file_path>
+            <cipher_list desc="List of OpenSSL ciphers to accept. If empty the defaults are used. These can be overridden only if absolutely needed."></cipher_list>
+        </ssl>
+    </storage>
+
+    <admin_console desc="Web admin console settings.">
+        <enable desc="Enable the admin console functionality" type="bool" default="true">true</enable>
+        <enable_pam desc="Enable admin user authentication with PAM" type="bool" default="false">false</enable_pam>
+        <username desc="The username of the admin console. Ignored if PAM is enabled."></username>
+        <password desc="The password of the admin console. Deprecated on most platforms. Instead, use PAM or coolconfig to set up a secure password."></password>
+        <logging desc="Log admin activities irrespective of logging.level">
+            <admin_login desc="log when an admin logged into the console" type="bool" default="true">true</admin_login>
+            <metrics_fetch desc="log when metrics endpoint is accessed and metrics endpoint authentication is enabled" type="bool" default="true">true</metrics_fetch>
+            <monitor_connect desc="log when external monitor gets connected" type="bool" default="true">true</monitor_connect>
+            <admin_action desc="log when admin does some action for example killing a process" type="bool" default="true">true</admin_action>
+        </logging>
+    </admin_console>
+
+    <monitors desc="Addresses of servers we connect to on start for monitoring">
+        <!-- <monitor desc="Address of the monitor and interval after which it should try reconnting after disconnect" retryInterval="20">wss://foobar:234/ws</monitor> -->
+    </monitors>
+
+    <quarantine_files desc="Files are stored here to be examined later in cases of crashes or similar situation." default="false" enable="false">
+        <limit_dir_size_mb desc="Maximum directory size, in MBs. On exceeding the specified limit, older files will be deleted." default="250" type="uint"></limit_dir_size_mb>
+        <max_versions_to_maintain desc="How many versions of the same file to keep." default="5" type="uint"></max_versions_to_maintain>
+        <path desc="Absolute path of the directory under which quarantined files will be stored. Do not use a relative path." type="path" relative="false"></path>
+        <expiry_min desc="Time in mins after quarantined files will be deleted." type="int" default="3000"></expiry_min>
+    </quarantine_files>
+
+    <remote_config>
+        <remote_url desc="remote server to which you will send request to get remote config in response" type="string" default=""></remote_url>
+    </remote_config>
+
+    <stop_on_config_change desc="Stop coolwsd whenever config files change." type="bool" default="false">false</stop_on_config_change>
+
+    <remote_font_config>
+        <url desc="URL of optional JSON file that lists fonts to be included in Online" type="string" default=""></url>
+    </remote_font_config>
+
+    <home_mode>
+        <enable desc="Enable more configuration options for home users" type="bool" default="false">false</enable>
+    </home_mode>
+
+    <fonts_missing>
+        <handling desc="How to handle fonts mising in a document: 'report', 'log', 'both', or 'ignore'" type="string" default="log">log</handling>
+    </fonts_missing>
+
+    <indirection_endpoint>
+      <url desc="URL endpoint to server which servers routeToken in json format" default=""></url>
+      <migration_timeout_secs desc="The maximum number of seconds waiting for shutdown migration message from indirection server before unloading an document. Defaults to 180 second." type="uint" default="180"></migration_timeout_secs>
+      <geolocation_setup>
+        <enable desc="Enable geolocation_setup when using indirection server with geolocation configuration" type="bool" default="false">false</enable>
+        <timezone desc="IANA timezone of server. For example: Europe/Berlin "></timezone>
+      </geolocation_setup>
+      <server_name desc="server name to show in cluster overview admin panel" type="string" default=""></server_name>
+    </indirection_endpoint>
+
+
+
+
+
+    <zotero desc="Zotero plugin configuration. For more details about Zotero visit https://www.zotero.org/">
+        <enable desc="Enable Zotero plugin." type="bool" default="true">true</enable>
+    </zotero>
+
+    <help_url desc="The Help root URL, or empty for no help (hides the Help buttons)" type="string" default="https://help.collaboraoffice.com/help.html?">https://help.collaboraoffice.com/help.html?</help_url>
+
+    <overwrite_mode>
+        <enable desc="Enable overwrite mode (user can use insert key)" type="bool" default="true">true</enable>
+    </overwrite_mode>
+
+    <wasm desc="WASM-specific settings">
+        <enable desc="Enable WASM support" type="bool" default="false"></enable>
+        <force desc="When enabled, all requests are redirected to WASM." type="bool" default="false"></force>
+    </wasm>
+
+</config>
\ No newline at end of file
diff --git a/collabora/stacks/.collabora.env b/collabora/stacks/.collabora.env
new file mode 100644
index 0000000..6bad1ef
--- /dev/null
+++ b/collabora/stacks/.collabora.env
@@ -0,0 +1,28 @@
+# https://www.collabora.org/docs/#env-configuration
+
+PUID=${PUID}
+PGID=${MEDIA_GID}  # we assign media gid to process gid to enable to access media folders
+TZ=${TZ}
+UMASK=0022
+
+username=${USERNAME}
+password=${PASSWORD}
+#DONT_GEN_SSL_CERT=yes
+cert_domain=${DOMAINNAME}
+server_name=${APPLICATION_NAME}.${DOMAINNAME}
+dictionaries="en_ZA en_US en_GB en_Afr"
+# SSL terminates at the proxy
+extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:user_interface.mode=compact --o:net.proto=IPv4 --o:hexify_embedded_urls=true --o:logging.level=warning #--o:welcome.enable=false
+
+#aliasgroup1=${NEXTCLOUD1}
+#aliasgroup2=${NEXTCLOUD2}
+#aliasgroup3=${NEXTCLOUD3}
+
+VIRTUAL_PROTO=http
+VIRTUAL_PORT=9980
+VIRTUAL_HOST=${APPLICATION_NAME}.${DOMAINNAME}
+
+# letsencrypt_host=${APPLICATION_NAME}.${DOMAINNAME}
+
+
+
diff --git a/collabora/stacks/.env b/collabora/stacks/.env
new file mode 100644
index 0000000..4a031b5
--- /dev/null
+++ b/collabora/stacks/.env
@@ -0,0 +1,29 @@
+
+APPLICATION_NAME=collabora
+
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOCKERDIR=/mnt/SSD1/docker/
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+CT_DOWNLOADS=/Downloads
+CT_MEDIA=/Media
+DOMAINNAME=sthome.org
+
+PUID=3034
+PGID=3033 
+MEDIA_GID=3017
+
+TZ=Africa/Johannesburg
+
+WEBUI_PORT=9980
+
+# collabora does not support docker secrets
+USERNAME=admin
+PASSWORD="Saterdag!32#"
+
+NEXTCLOUD1=
+NEXTCLOUD2=
+NEXTCLOUD3=
\ No newline at end of file
diff --git a/collabora/stacks/compose.yml b/collabora/stacks/compose.yml
new file mode 100644
index 0000000..80200fa
--- /dev/null
+++ b/collabora/stacks/compose.yml
@@ -0,0 +1,69 @@
+# https://sdk.collaboraonline.com/docs/installation/CODE_Docker_image.html
+# https://github.com/CollaboraOnline/online
+
+name: collabora
+
+secrets:
+  collabora_username:
+    file: ${SECRETSDIR}/collabora_username
+  collabora_password:
+    file: ${SECRETSDIR}/collabora_password
+    
+networks:
+  traefik-net:
+    external: true
+
+services:
+  collabora:
+    image: collabora/code #:22.05.10.1.1
+    hostname: collabora
+    env_file: .collabora.env
+    #user: "${PUID}:${PGID}"
+    tty: true
+    group_add:
+      - "${PGID}"
+    cap_add:
+      - MKNOD
+    networks:
+      - traefik-net
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - "${DATADIR}/config:/config"
+    restart: unless-stopped
+    secrets:
+      - collabora_username
+      - collabora_password
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # http middlewares
+      # ---------------------------
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/cp2nas.ps1 b/cp2nas.ps1
new file mode 100644
index 0000000..b60c394
--- /dev/null
+++ b/cp2nas.ps1
@@ -0,0 +1,135 @@
+############### CONST ##############
+$destDockerDir="/mnt/SSD1/docker/"
+$stacksfolder="stacks/"
+$datafolder="data/"
+$destStacks=$destDockerDir+$stacksfolder
+$destData=$destDockerDir+$datafolder
+$destTraefikRulesDir=$destStacks+"traefik/rules/"
+$destTraefikUsersDir=$destStacks+"traefik/users/"
+$destDataDir=$destData
+############### MAIN ###############
+# main function
+#
+$Main =
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        [Parameter(Mandatory=$false)]
+        [string[]] $apps
+    )
+    $applist=[System.Collections.Generic.List[object]]::new()
+    If($PSBoundParameters.ContainsKey("apps")) {
+        foreach ($appname in $apps)
+        {
+            if ($appname.Contains('*')) {
+                $wclist=Get-ChildItem $appname -Directory |  ForEach-Object { $_.Name }
+                # if wildcard is specified, we only add folders with a 'stacks' subfolder
+                foreach ($wcname in $wclist) {
+                    if ((Test-Path -Path "$wcname\stacks")) {
+                        $applist.Add($wcname)
+                     }
+                }
+            }
+            else {
+                # here we don't have to check for a 'stacks' subfolder as the user specified appname explicitly
+                $applist.Add($appname)
+            }
+        }
+        # remove duplicates
+        $uniqlist=$applist | Sort-Object -Unique
+        foreach ($appname in $uniqlist)
+        {
+            copyfolder $destHost $appname "$appname\"
+        }
+    }
+    else {
+        # we're in the app subfolder, so only one stacks folder to copy
+        $appname="$pwd".Split("\\")[-1]
+        copyfolder $destHost  $appname ".\"
+    }
+}
+#######################################################################
+# copies specified folder to data folder on truenas
+# 
+Function copytosubfolder
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $folder,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $subfolder,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $srcdir,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destdir
+    )
+    $date=Get-Date -format "yyyy-MM-ddTHH:mm:ss"
+    if ((Test-Path -Path "$srcdir")) {
+        Write-Host "$date# pscp -P 22 -r ""$srcdir\*.*"" root@${destHost}:""${destdir}""" -ForegroundColor Green
+        Write-Host "Copying to ${destHost}:""${destDockerDir}" -NoNewline 
+        Write-Host "${folder}" -ForegroundColor Cyan  -NoNewline 
+        Write-Host "${subfolder}" -ForegroundColor DarkYellow  -NoNewline 
+        Write-Host """:"
+        pscp -P 22 -r "$srcdir\*.*" root@${destHost}:""${destdir}""
+    }
+}
+#######################################################################
+# copies folder(s) to truenas
+# 
+Function copyfolder
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $subfolder,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $srcdir
+    )
+    $srcStacksDir=$srcdir+"stacks"
+    $srcTraefikRulesDir=$srcdir+"traefik-rules"
+    $srcTraefikUsersDir=$srcdir+"traefik-users"
+    $srcDataDir=$srcdir+"data"
+    if (-Not(Test-Path -Path $srcStacksDir)) {
+        Write-Host "Source path doesn't exist: ""$PSScriptRoot\$srcStacksDir\*.*"". No files copied!"  -ForegroundColor Red
+        Write-Host "Usage: in app folder       : ./cp2nas DEST|IP"
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP app1, app2, app3, ..."
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP *"
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP wcstring1, wcstring2, ..."
+        return
+    }
+    $destAppStacksDir=$destStacks+$subfolder+"/"
+    # copy app folder destinations
+    copytosubfolder $destHost "${stacksfolder}" "${subfolder}" "${srcStacksDir}"  "${destAppStacksDir}"
+    # copy traefik folder destinations
+    copytosubfolder $destHost "${stacksfolder}" "traefik/rules/" "${srcTraefikRulesDir}"  "${destTraefikRulesDir}"
+    copytosubfolder $destHost "${stacksfolder}" "traefik/users/" "${srcTraefikUsersDir}"  "${destTraefikUsersDir}"
+    # copy data folder destinations
+    copytosubfolder $destHost "${datafolder}" "${subfolder}/" "${srcDataDir}"  "${destDataDir}${subfolder}"
+
+}
+
+###################################
+# we call main proc from here
+& $Main @Args
\ No newline at end of file
diff --git a/dashy/conf.txt b/dashy/conf.txt
new file mode 100644
index 0000000..48c84f7
--- /dev/null
+++ b/dashy/conf.txt
@@ -0,0 +1,85 @@
+appConfig:
+  theme: lissy
+  layout: auto
+  iconSize: medium
+  language: en
+  startingView: default
+  defaultOpeningMethod: newtab
+  statusCheck: true
+  statusCheckInterval: 0
+  faviconApi: allesedv
+  routingMode: history
+  enableMultiTasking: false
+  widgetsAlwaysUseProxy: false
+  webSearch:
+    disableWebSearch: false
+    searchEngine: google
+    openingMethod: newtab
+    searchBangs: {}
+  enableFontAwesome: true
+  enableMaterialDesignIcons: false
+  hideComponents:
+    hideHeading: false
+    hideNav: false
+    hideSearch: false
+    hideSettings: false
+    hideFooter: false
+  showSplashScreen: false
+  preventWriteToDisk: false
+  preventLocalSave: false
+  disableConfiguration: false
+  disableConfigurationForNonAdmin: false
+  allowConfigEdit: true
+  enableServiceWorker: false
+  disableContextMenu: false
+  disableUpdateChecks: false
+  disableSmartSort: false
+  enableErrorReporting: false
+pageInfo:
+  title: Dashy
+  description: Welcome to your new dashboard!
+  navLinks:
+    - title: GitHub
+      path: https://github.com/Lissy93/dashy
+      target: newtab
+    - title: Documentation
+      path: https://dashy.to/docs
+      target: newtab
+  footerText: Dashy © 2023
+sections:
+  - name: Getting Started
+    icon: fas fa-rocket
+    items: []
+  - name: Time
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items: []
+  - name: Docker Containers
+    icon: /icons/dashboard-icons/png/docker-moby.png
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Portainer
+        description: Docker container management
+        icon: >-
+          https://4731999.fs1.hubspotusercontent-na1.net/hubfs/4731999/crane-icon.svg
+        url: https://localhost:9443
+        target: newtab
+        statusCheck: true
+        statusCheckUrl: https://localhost:9443
+        id: 0_1678_portainer
+      - title: Dashy
+        icon: dashy
+        url: http://localhost:4000/
+        target: newtab
+        statusCheck: true
+        statusCheckUrl: http://localhost:4000
+        id: 1_1678_dashy
diff --git a/dashy/dashboard.xlsx b/dashy/dashboard.xlsx
new file mode 100644
index 0000000..6befaa0
Binary files /dev/null and b/dashy/dashboard.xlsx differ
diff --git a/dashy/dashy_conf.yml b/dashy/dashy_conf.yml
new file mode 100644
index 0000000..a0a5e41
--- /dev/null
+++ b/dashy/dashy_conf.yml
@@ -0,0 +1,617 @@
+appConfig:
+  theme: nord-frost
+  layout: auto
+  iconSize: large
+  language: en
+  statusCheck: true
+  statusCheckInterval: 20
+pageInfo:
+  title: sthome lab
+  description: Welcome to the sthome lab!
+  navLinks:
+    - title: GitHub
+      path: https://github.com/Lissy93/dashy
+    - title: DSERVER
+      path: https://dserver.sthome.lan
+  footerText: ''
+sections:
+  - name: System Management
+    icon: fas fa-server
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_0
+        title: Truenas
+        description: Truenas host
+        icon: dashboard-icons/svg/truenas.svg
+        url: https://truenas.sthome.org:444
+        statusCheck: true
+        target: newtab
+        id: 0_1698_truenas
+      - &ref_1
+        title: Dockge
+        description: Docker stack manager
+        icon: dashboard-icons/svg/dockge-light.svg
+        url: http://dockge.sthome.org:5001
+        statusCheck: true
+        target: newtab
+        id: 1_1698_dockge
+      - &ref_2
+        title: Proxmox
+        description: Proxmox host
+        icon: dashboard-icons/svg/proxmox.svg
+        url: http://10.0.0.22:8006/
+        statusCheck: true
+        target: newtab
+        id: 2_1698_proxmox
+      - &ref_3
+        title: Traefik
+        description: Reverse proxy and load balancer
+        icon: dashboard-icons/svg/traefik.svg
+        url: https://traefik.sthome.org
+        target: newtab
+        statusCheck: true
+        statusCheckUrl: http://traefik.sthome.org:8083/ping
+        id: 3_1698_traefik
+    filteredItems:
+      - *ref_0
+      - *ref_1
+      - *ref_2
+      - *ref_3
+  - name: Media Servers
+    icon: dashboard-icons/svg/media-playback.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_4
+        title: Plex
+        description: Media server
+        icon: dashboard-icons/svg/plex.svg
+        url: https://plex.sthome.org
+        target: newtab
+        statusCheckUrl: https://plex.sthome.org/identity
+        id: 0_1258_plex
+      - &ref_5
+        title: Jellyfin
+        description: Media server
+        icon: dashboard-icons/svg/jellyfin.svg
+        url: https://jellyfin.sthome.org
+        target: newtab
+        id: 1_1258_jellyfin
+      - &ref_6
+        title: Emby
+        description: Media server
+        icon: dashboard-icons/svg/emby.svg
+        url: https://emby.sthome.org
+        target: newtab
+        id: 2_1258_emby
+    filteredItems:
+      - *ref_4
+      - *ref_5
+      - *ref_6
+  - name: Books
+    icon: dashboard-icons/png/book.png
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_7
+        title: Audiobookshelf
+        description: Audiobook and podcast server
+        icon: dashboard-icons/svg/audiobookshelf.svg
+        url: https://audiobookshelf.sthome.org
+        target: newtab
+        id: 0_510_audiobookshelf
+      - &ref_8
+        title: Calibre
+        description: E-book manager
+        icon: dashboard-icons/svg/calibre.svg
+        url: https://calibre.sthome.org
+        target: newtab
+        id: 1_510_calibre
+      - &ref_9
+        title: Kavita
+        description: Digital library
+        icon: dashboard-icons/svg/kavita.svg
+        url: https://kavita.sthome.org
+        target: newtab
+        id: 2_510_kavita
+    filteredItems:
+      - *ref_7
+      - *ref_8
+      - *ref_9
+  - name: Home
+    icon: dashboard-icons/svg/home.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_10
+        title: Home Assistant
+        description: Home automation
+        icon: dashboard-icons/svg/home-assistant.svg
+        url: https://home-assistant.sthome.org
+        target: newtab
+        id: 0_393_homeassistant
+      - &ref_11
+        title: Frigate
+        description: Network Video Recorder
+        icon: dashboard-icons/svg/frigate.svg
+        url: https://frigate.sthome.org
+        target: newtab
+        statusCheck: true
+        statusCheckUrl: https://frigate.sthome.org/stats
+        id: 1_393_frigate
+      - &ref_12
+        title: Mealie
+        description: Recipe manager
+        icon: dashboard-icons/svg/mealie.svg
+        url: https://mealie.sthome.org
+        target: newtab
+        id: 2_393_mealie
+    filteredItems:
+      - *ref_10
+      - *ref_11
+      - *ref_12
+  - name: Security
+    icon: dashboard-icons/svg/security.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_13
+        title: Authentik
+        description: Identity provider
+        icon: dashboard-icons/png/authentik.png
+        url: https://authentik.sthome.org
+        target: newtab
+        id: 0_856_authentik
+      - &ref_14
+        title: Vaultwarden
+        description: Password manager
+        icon: dashboard-icons/svg/vaultwarden.svg
+        url: https://vaultwarden.sthome.org
+        target: newtab
+        id: 1_856_vaultwarden
+    filteredItems:
+      - *ref_13
+      - *ref_14
+  - name: Video Processing
+    icon: dashboard-icons/svg/video-camera.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_15
+        title: Handbrake
+        description: Video Transcoder
+        icon: dashboard-icons/svg/handbrake.svg
+        url: https://handbrake.sthome.org
+        target: newtab
+        id: 0_1588_handbrake
+      - &ref_16
+        title: MKVToolNix
+        description: MKV file editor and merger
+        icon: dashboard-icons/png/mkvtoolnix.png
+        url: https://mkvtoolnix.sthome.org
+        target: newtab
+        id: 1_1588_mkvtoolnix
+    filteredItems:
+      - *ref_15
+      - *ref_16
+  - name: Photos
+    icon: dashboard-icons/svg/photos.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_17
+        title: Digikam
+        description: Image organizer and tag editor
+        icon: dashboard-icons/svg/digikam_oxygen.svg
+        url: https://digikam.sthome.org
+        target: newtab
+        id: 0_637_digikam
+      - &ref_18
+        title: Photoview
+        description: Photo gallery
+        icon: dashboard-icons/svg/photoview.svg
+        url: https://photoview.sthome.org
+        target: newtab
+        id: 1_637_photoview
+    filteredItems:
+      - *ref_17
+      - *ref_18
+  - name: Finance
+    icon: dashboard-icons/svg/financial-services.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_19
+        title: Firefly III
+        description: Personal finance manager
+        icon: dashboard-icons/png/firefly.png
+        url: https://firefly.sthome.org
+        target: newtab
+        statusCheck: true
+        statusCheckHeaders: https://firefly.sthome.org/health
+        id: 0_692_fireflyiii
+    filteredItems:
+      - *ref_19
+  - name: Development
+    icon: dashboard-icons/png/software-development.png
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_20
+        title: Gitea
+        description: >-
+          Software development service;  Git hosting, code review, team
+          collaboration, package registry and CI/CD
+        icon: dashboard-icons/svg/gitea.svg
+        url: https://gitea.sthome.org
+        target: newtab
+        id: 0_1155_gitea
+    filteredItems:
+      - *ref_20
+  - name: Performance
+    icon: dashboard-icons/png/data-analysis.png
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_21
+        title: Grafana
+        description: Analytics & monitoring
+        icon: dashboard-icons/svg/grafana.svg
+        url: https://grafana.sthome.org
+        target: newtab
+        id: 0_1138_grafana
+      - &ref_22
+        title: Prometheus
+        description: Event monitoring and alerting
+        icon: dashboard-icons/svg/prometheus.svg
+        url: https://prometheus.sthome.org
+        target: newtab
+        statusCheck: true
+        statusCheckUrl: https://prometheus.sthome.org/-/healthy
+        id: 1_1138_prometheus
+    filteredItems:
+      - *ref_21
+      - *ref_22
+  - name: Network
+    icon: dashboard-icons/svg/network.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_23
+        title: Librespeed
+        description: Network speed tester
+        icon: dashboard-icons/svg/librespeed.svg
+        url: https://librespeed.sthome.org
+        target: newtab
+        id: 0_746_librespeed
+      - &ref_24
+        title: Pi-hole
+        description: DNS sinkhole
+        icon: dashboard-icons/svg/pi-hole.svg
+        url: https://pihole.sthome.org/admin
+        target: newtab
+        statusCheckUrl: http://pihole.sthome.org/admin/api.php?status
+        id: 1_746_pihole
+    filteredItems:
+      - *ref_23
+      - *ref_24
+  - name: Web Site
+    icon: dashboard-icons/svg/web-server.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_25
+        title: Static-Web-Server
+        description: Web server
+        icon: dashboard-icons/png/static-web-server.png
+        url: https://www.sthome.org
+        target: newtab
+        id: 0_723_staticwebserver
+    filteredItems:
+      - *ref_25
+  - name: Music
+    icon: dashboard-icons/svg/music.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_26
+        title: Sheetable
+        description: Music sheet organiser
+        icon: dashboard-icons/png/sheetable.png
+        url: https://sheetable.sthome.org
+        target: newtab
+        id: 0_513_sheetable
+      - &ref_27
+        title: Songkong
+        description: Music tagger
+        icon: dashboard-icons/png/songkong.png
+        url: https://songkong.sthome.org
+        target: newtab
+        id: 1_513_songkong
+    filteredItems:
+      - *ref_26
+      - *ref_27
+  - name: Collaboration
+    icon: dashboard-icons/png/collaboration.png
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_28
+        title: Nextcloud
+        description: Content collaboration platform
+        icon: dashboard-icons/svg/nextcloud.svg
+        url: https://nextcloud.sthome.org
+        target: newtab
+        id: 0_1353_nextcloud
+      - &ref_29
+        title: Onlyoffice
+        description: Secure online office suite
+        icon: dashboard-icons/svg/onlyoffice.svg
+        url: https://onlyoffice.sthome.org
+        target: newtab
+        id: 1_1353_onlyoffice
+    filteredItems:
+      - *ref_28
+      - *ref_29
+  - name: Data Analysis
+    icon: dashboard-icons/png/data-analysis.png
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_30
+        title: Root
+        description: Data analysis framework
+        icon: dashboard-icons/png/root.png
+        url: https://root.sthome.org
+        target: newtab
+        id: 0_1246_root
+    filteredItems:
+      - *ref_30
+  - name: Gaming
+    icon: dashboard-icons/svg/gaming.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_31
+        title: Minecraft Bedrock
+        description: >-
+          Use https://mc-bedrock.sthome.org to setup minecraft server url in
+          game
+        icon: dashboard-icons/svg/minecraft.svg
+        url: https://mc-bedrock.sthome.org
+        target: newtab
+        id: 0_595_minecraftbedrock
+      - &ref_32
+        title: Minecraft Java
+        description: Use https://mc-java.sthome.org to setup minecraft server url in game
+        icon: dashboard-icons/svg/minecraft.svg
+        url: https://mc-java.sthome.org
+        target: newtab
+        id: 1_595_minecraftjava
+    filteredItems:
+      - *ref_31
+      - *ref_32
+  - name: Media Management
+    icon: dashboard-icons/svg/media.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: true
+      hideForGuests: false
+    items:
+      - &ref_33
+        title: Lidarr
+        description: Music collection manager
+        icon: dashboard-icons/svg/lidarr.svg
+        url: https://lidarr.sthome.org
+        target: newtab
+        id: 0_1533_lidarr
+      - &ref_34
+        title: Mediaelch
+        description: Media manager for Kodi
+        icon: dashboard-icons/png/mediaelch.png
+        url: https://mediaelch.sthome.org
+        target: newtab
+        id: 1_1533_mediaelch
+      - &ref_35
+        title: Overseerr
+        description: Request management and media discovery
+        icon: dashboard-icons/svg/overseerr.svg
+        url: https://overseerr.sthome.org
+        target: newtab
+        id: 2_1533_overseerr
+      - &ref_36
+        title: Prowlarr
+        description: Indexer manager/proxy
+        icon: dashboard-icons/svg/prowlarr.svg
+        url: https://prowlarr.sthome.org
+        target: newtab
+        id: 3_1533_prowlarr
+      - &ref_37
+        title: qBittorrent
+        description: P2P bittorrent client
+        icon: dashboard-icons/svg/qbittorrent.svg
+        url: https://qbittorrent.sthome.org
+        target: newtab
+        id: 4_1533_qbittorrent
+      - &ref_38
+        title: Radarr
+        description: Movie collection manager
+        icon: dashboard-icons/svg/radarr.svg
+        url: https://radarr.sthome.org
+        target: newtab
+        id: 5_1533_radarr
+      - &ref_39
+        title: Readarr
+        description: "\_ebook collection manage"
+        icon: dashboard-icons/svg/readarr.svg
+        url: https://readarr.sthome.org
+        target: newtab
+        id: 6_1533_readarr
+      - &ref_40
+        title: Sonarr
+        description: Internet PVR for Usenet and Torrents
+        icon: dashboard-icons/svg/sonarr.svg
+        url: https://sonarr.sthome.org
+        target: newtab
+        id: 7_1533_sonarr
+      - &ref_41
+        title: Tautulli
+        description: Monitoring, analytics and notifications for Plex
+        icon: dashboard-icons/svg/tautulli.svg
+        url: https://tautulli.sthome.org
+        target: newtab
+        id: 8_1533_tautulli
+    filteredItems:
+      - *ref_33
+      - *ref_34
+      - *ref_35
+      - *ref_36
+      - *ref_37
+      - *ref_38
+      - *ref_39
+      - *ref_40
+      - *ref_41
+  - name: VPN
+    icon: dashboard-icons/svg/shield-user.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: true
+      hideForGuests: false
+    items:
+      - &ref_42
+        title: WG-easy
+        description: VPN server
+        icon: dashboard-icons/svg/wireguard.svg
+        url: https://vpn.sthome.org
+        target: newtab
+        id: 0_244_wgeasy
+      - &ref_43
+        title: jDownloader2
+        description: Download manager
+        icon: dashboard-icons/png/jdownloader2.png
+        url: https://jdownloader2.sthome.org
+        target: newtab
+        id: 1_244_jdownloader
+      - &ref_44
+        title: Firefox
+        description: Browser
+        icon: dashboard-icons/svg/firefox.svg
+        url: https://firefox.sthome.org
+        target: newtab
+        id: 2_244_firefox
+    filteredItems:
+      - *ref_42
+      - *ref_43
+      - *ref_44
+  - name: Data Management
+    icon: dashboard-icons/svg/database.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: true
+      hideForGuests: false
+    items:
+      - &ref_45
+        title: Minio
+        description: Object Storage - S3 compatible
+        icon: dashboard-icons/svg/minio.svg
+        url: https://minio1.sthome.org
+        target: newtab
+        id: 0_1431_minio
+      - &ref_46
+        title: Minio
+        description: Object Storage - S3 compatible
+        icon: dashboard-icons/svg/minio.svg
+        url: https://minio2.sthome.org
+        target: newtab
+        id: 1_1431_minio
+      - &ref_47
+        title: pgAdmin
+        description: Administration and development platform for PostgreSQL
+        icon: dashboard-icons/svg/pgadmin.svg
+        url: https://pgadmin.sthome.org
+        target: newtab
+        statusCheckUrl: 'https://pgadmin.sthome.org/misc/ping '
+        id: 2_1431_pgadmin
+      - &ref_48
+        title: Syncthing
+        description: Continuous file synchronization program
+        icon: dashboard-icons/svg/syncthing.svg
+        url: https://syncthing.sthome.org
+        target: newtab
+        id: 3_1431_syncthing
+    filteredItems:
+      - *ref_45
+      - *ref_46
+      - *ref_47
+      - *ref_48
diff --git a/dashy/data/appdata/icons/dashboard-icons/png/book.png b/dashy/data/appdata/icons/dashboard-icons/png/book.png
new file mode 100644
index 0000000..582fcb1
Binary files /dev/null and b/dashy/data/appdata/icons/dashboard-icons/png/book.png differ
diff --git a/dashy/data/appdata/icons/dashboard-icons/png/collaboration.png b/dashy/data/appdata/icons/dashboard-icons/png/collaboration.png
new file mode 100644
index 0000000..aae7cd7
Binary files /dev/null and b/dashy/data/appdata/icons/dashboard-icons/png/collaboration.png differ
diff --git a/dashy/data/appdata/icons/dashboard-icons/png/data-analysis.png b/dashy/data/appdata/icons/dashboard-icons/png/data-analysis.png
new file mode 100644
index 0000000..614cf0a
Binary files /dev/null and b/dashy/data/appdata/icons/dashboard-icons/png/data-analysis.png differ
diff --git a/dashy/data/appdata/icons/dashboard-icons/png/file-transfer.jpg b/dashy/data/appdata/icons/dashboard-icons/png/file-transfer.jpg
new file mode 100644
index 0000000..42a9722
Binary files /dev/null and b/dashy/data/appdata/icons/dashboard-icons/png/file-transfer.jpg differ
diff --git a/dashy/data/appdata/icons/dashboard-icons/png/file-transfer.png b/dashy/data/appdata/icons/dashboard-icons/png/file-transfer.png
new file mode 100644
index 0000000..608c733
Binary files /dev/null and b/dashy/data/appdata/icons/dashboard-icons/png/file-transfer.png differ
diff --git a/dashy/data/appdata/icons/dashboard-icons/png/mediaelch.png b/dashy/data/appdata/icons/dashboard-icons/png/mediaelch.png
new file mode 100644
index 0000000..f807743
Binary files /dev/null and b/dashy/data/appdata/icons/dashboard-icons/png/mediaelch.png differ
diff --git a/dashy/data/appdata/icons/dashboard-icons/png/root.png b/dashy/data/appdata/icons/dashboard-icons/png/root.png
new file mode 100644
index 0000000..3d4a1cb
Binary files /dev/null and b/dashy/data/appdata/icons/dashboard-icons/png/root.png differ
diff --git a/dashy/data/appdata/icons/dashboard-icons/png/sftpgo.png b/dashy/data/appdata/icons/dashboard-icons/png/sftpgo.png
new file mode 100644
index 0000000..19500d1
Binary files /dev/null and b/dashy/data/appdata/icons/dashboard-icons/png/sftpgo.png differ
diff --git a/dashy/data/appdata/icons/dashboard-icons/png/sheetable.png b/dashy/data/appdata/icons/dashboard-icons/png/sheetable.png
new file mode 100644
index 0000000..d17d177
Binary files /dev/null and b/dashy/data/appdata/icons/dashboard-icons/png/sheetable.png differ
diff --git a/dashy/data/appdata/icons/dashboard-icons/png/software-development.png b/dashy/data/appdata/icons/dashboard-icons/png/software-development.png
new file mode 100644
index 0000000..f44be46
Binary files /dev/null and b/dashy/data/appdata/icons/dashboard-icons/png/software-development.png differ
diff --git a/dashy/data/appdata/icons/dashboard-icons/png/songkong.png b/dashy/data/appdata/icons/dashboard-icons/png/songkong.png
new file mode 100644
index 0000000..fecd58d
Binary files /dev/null and b/dashy/data/appdata/icons/dashboard-icons/png/songkong.png differ
diff --git a/dashy/data/appdata/icons/dashboard-icons/png/static-web-server.png b/dashy/data/appdata/icons/dashboard-icons/png/static-web-server.png
new file mode 100644
index 0000000..0daeb08
Binary files /dev/null and b/dashy/data/appdata/icons/dashboard-icons/png/static-web-server.png differ
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/database.svg b/dashy/data/appdata/icons/dashboard-icons/svg/database.svg
new file mode 100644
index 0000000..a37eef6
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/database.svg
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="utf-8"?><svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 105.07 122.88" style="enable-background:new 0 0 105.07 122.88" xml:space="preserve"><style type="text/css">.st0{fill-rule:evenodd;clip-rule:evenodd;}</style><g><path class="st0" d="M52.53,0c28.87,0,52.27,10.96,52.27,24.46c0,13.51-23.41,24.46-52.27,24.46c-28.86,0-52.27-10.96-52.27-24.46 C0.26,10.96,23.67,0,52.53,0L52.53,0z M0.26,81.83v18.78c9.3,33.03,101.18,26.65,104.55-1.69V80.16 C100.22,111.27,7.61,113.51,0.26,81.83L0.26,81.83L0.26,81.83z M0,32.94v18.34c9.3,32.26,101.69,27.9,105.07,0.23V33.18 C100.47,63.57,7.35,63.88,0,32.94L0,32.94z M0,56.64v18.78c9.3,33.03,101.69,28.57,105.07,0.23V56.89C100.47,88,7.35,88.32,0,56.64 L0,56.64z"/></g></svg>
\ No newline at end of file
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/digikam.svg b/dashy/data/appdata/icons/dashboard-icons/svg/digikam.svg
new file mode 100644
index 0000000..d0db7eb
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/digikam.svg
@@ -0,0 +1,186 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg width="48" version="1.1" xmlns="http://www.w3.org/2000/svg" height="48" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape">
+ <defs id="defs5455">
+  <linearGradient inkscape:collect="always" id="linearGradient5002">
+   <stop style="stop-color:#2e5d89" id="stop5004"/>
+   <stop offset="1" style="stop-color:#1b92f4" id="stop5006"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" id="linearGradient4328">
+   <stop style="stop-color:#bec900" id="stop4330"/>
+   <stop offset="0.312499" style="stop-color:#9ec80a" id="stop4332"/>
+   <stop offset="0.562499" style="stop-color:#71b93d" id="stop4334"/>
+   <stop offset="0.75" style="stop-color:#35a48f" id="stop4336"/>
+   <stop offset="1" style="stop-color:#018fca" id="stop4338"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" id="linearGradient4316">
+   <stop style="stop-color:#c1cc00" id="stop4318"/>
+   <stop offset="0.312499" style="stop-color:#dfcd00" id="stop4320"/>
+   <stop offset="0.562499" style="stop-color:#f0cc00" id="stop4322"/>
+   <stop offset="0.75" style="stop-color:#fd8c08" id="stop4324"/>
+   <stop offset="1" style="stop-color:#f25c13" id="stop4326"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" id="linearGradient4300">
+   <stop style="stop-color:#e51561" id="stop4302"/>
+   <stop offset="0.312499" style="stop-color:#e4156c" id="stop4304"/>
+   <stop offset="0.562499" style="stop-color:#e71e2c" id="stop4306"/>
+   <stop offset="0.75" style="stop-color:#e8301e" id="stop4308"/>
+   <stop offset="1" style="stop-color:#e6320e" id="stop4310"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" id="linearGradient4288">
+   <stop style="stop-color:#e81877" id="stop4290"/>
+   <stop offset="0.312499" style="stop-color:#dd1d8c" id="stop4294"/>
+   <stop offset="0.562499" style="stop-color:#6d57b1" id="stop4296"/>
+   <stop offset="0.75" style="stop-color:#2a78c1" id="stop4298"/>
+   <stop offset="1" style="stop-color:#018dcb" id="stop4292"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" spreadMethod="reflect" xlink:href="#linearGradient4211" id="linearGradient4174" x1="428.57144" x2="408.57144" gradientUnits="userSpaceOnUse"/>
+  <linearGradient inkscape:collect="always" id="linearGradient4271">
+   <stop style="stop-color:#2a2c2f" id="stop4273"/>
+   <stop offset="1" style="stop-color:#424649" id="stop4275"/>
+  </linearGradient>
+  <clipPath id="clipPath4528">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4530"/>
+  </clipPath>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient4271" id="linearGradient4532" y1="543.79797" y2="503.798" gradientUnits="userSpaceOnUse" x2="0" gradientTransform="matrix(0.79999996 0 0 0.79999996 -302.85712 -395.03837)"/>
+  <clipPath id="clipPath4534">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4536"/>
+  </clipPath>
+  <clipPath id="clipPath4544">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4546"/>
+  </clipPath>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient4271" id="linearGradient4548" y1="543.79797" y2="503.798" gradientUnits="userSpaceOnUse" x2="0" gradientTransform="matrix(0.79999995 0 0 0.79999995 81.71431 104.75963)"/>
+  <clipPath id="clipPath4550">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4552"/>
+  </clipPath>
+  <clipPath id="clipPath4562">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4564"/>
+  </clipPath>
+  <clipPath id="clipPath4568">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4570"/>
+  </clipPath>
+  <clipPath id="clipPath4578">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4580"/>
+  </clipPath>
+  <clipPath id="clipPath4584">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4586"/>
+  </clipPath>
+  <linearGradient inkscape:collect="always" id="linearGradient4303">
+   <stop style="stop-color:#989a9b" id="stop4305"/>
+   <stop offset="1" style="stop-color:#f6f6f7" id="stop4307"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" id="linearGradient4415" xlink:href="#linearGradient4288" y1="23.999973" y2="8" x1="8" gradientUnits="userSpaceOnUse" x2="24.00001"/>
+  <linearGradient inkscape:collect="always" id="linearGradient4417" xlink:href="#linearGradient4300" y1="24.00003" y2="8" x1="8" x2="24.00001" gradientUnits="userSpaceOnUse" gradientTransform="matrix(1 0 0 -1 384.57143 547.798)"/>
+  <linearGradient inkscape:collect="always" id="linearGradient4419" xlink:href="#linearGradient4328" y1="23.999973" y2="8" x1="8" x2="24.00001" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-1 0 0 1 432.57143 499.798)"/>
+  <linearGradient inkscape:collect="always" id="linearGradient4421" xlink:href="#linearGradient4316" y1="24" y2="8" x1="8" x2="24.00001" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-1 0 0 -1 432.57143 547.798)"/>
+  <linearGradient inkscape:collect="always" id="linearGradient4423" xlink:href="#linearGradient4271" y1="543.79797" y2="503.798" x2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(0.34999981 0 0 0.34999981 265.57152 -707.12715)"/>
+  <clipPath id="clipPath4528-1">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4530-7"/>
+  </clipPath>
+  <clipPath id="clipPath4534-1">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4536-8"/>
+  </clipPath>
+  <clipPath id="clipPath4544-1">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4546-1"/>
+  </clipPath>
+  <clipPath id="clipPath4550-4">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4552-1"/>
+  </clipPath>
+  <clipPath id="clipPath4562-8">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4564-8"/>
+  </clipPath>
+  <clipPath id="clipPath4568-4">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4570-1"/>
+  </clipPath>
+  <clipPath id="clipPath4578-8">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4580-7"/>
+  </clipPath>
+  <clipPath id="clipPath4584-9">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4586-2"/>
+  </clipPath>
+  <linearGradient inkscape:collect="always" id="linearGradient4472" xlink:href="#linearGradient4303" y1="524.79797" y2="522.79797" gradientUnits="userSpaceOnUse" x2="0" gradientTransform="matrix(2 0 0 2 -408.57143 -523.798)"/>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient4191" id="linearGradient4174-0" y1="537.79797" x1="423.57144" y2="510.46463" x2="396.2381" gradientUnits="userSpaceOnUse" gradientTransform="matrix(0.89999986 0 0 0.89999986 -776.28566 -995.21609)"/>
+  <linearGradient inkscape:collect="always" id="linearGradient4143">
+   <stop style="stop-color:#197cf1" id="stop4145"/>
+   <stop offset="1" style="stop-color:#20bcfa" id="stop4147"/>
+  </linearGradient>
+  <clipPath id="clipPath4528-8">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4530-3"/>
+  </clipPath>
+  <clipPath id="clipPath4534-4">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4536-2"/>
+  </clipPath>
+  <clipPath id="clipPath4544-18">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4546-5"/>
+  </clipPath>
+  <clipPath id="clipPath4550-3">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4552-4"/>
+  </clipPath>
+  <clipPath id="clipPath4562-1">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4564-3"/>
+  </clipPath>
+  <clipPath id="clipPath4568-1">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4570-4"/>
+  </clipPath>
+  <clipPath id="clipPath4578-5">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4580-5"/>
+  </clipPath>
+  <clipPath id="clipPath4584-0">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4586-4"/>
+  </clipPath>
+  <clipPath id="clipPath4528-1-9">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4530-7-8"/>
+  </clipPath>
+  <clipPath id="clipPath4534-1-8">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4536-8-3"/>
+  </clipPath>
+  <clipPath id="clipPath4544-1-1">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4546-1-0"/>
+  </clipPath>
+  <clipPath id="clipPath4550-4-2">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4552-1-3"/>
+  </clipPath>
+  <clipPath id="clipPath4562-8-2">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4564-8-0"/>
+  </clipPath>
+  <clipPath id="clipPath4568-4-0">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4570-1-3"/>
+  </clipPath>
+  <clipPath id="clipPath4578-8-9">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4580-7-3"/>
+  </clipPath>
+  <clipPath id="clipPath4584-9-8">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4586-2-1"/>
+  </clipPath>
+  <linearGradient inkscape:collect="always" id="linearGradient4211">
+   <stop style="stop-color:#2f3943" id="stop4213"/>
+   <stop offset="1" style="stop-color:#808c9b" id="stop4215"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" id="linearGradient4191">
+   <stop style="stop-color:#18222a" id="stop4193"/>
+   <stop offset="1" style="stop-color:#566069" id="stop4195"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient5002" id="linearGradient4174-0-2" y1="537.79797" x1="423.57144" y2="510.46463" x2="396.2381" gradientUnits="userSpaceOnUse" gradientTransform="matrix(0.70000184 0 0 0.70000184 -694.57218 -890.45752)"/>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient4143" id="linearGradient4710" y1="536.86987" x1="421.64337" y2="511.81882" gradientUnits="userSpaceOnUse" x2="396.59229" gradientTransform="matrix(-1 0 0 -1 817.14288 1047.596)"/>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient4143" id="linearGradient4713" y1="532.22949" x1="417.00296" y2="508.72522" gradientUnits="userSpaceOnUse" x2="393.49869" gradientTransform="matrix(-1 0 0 -1 817.14288 1047.596)"/>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient4143" id="linearGradient4716" y1="529.62207" x1="414.39551" y2="506.91327" gradientUnits="userSpaceOnUse" x2="391.68671" gradientTransform="matrix(-1 0 0 -1 817.14288 1047.596)"/>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient5002" id="linearGradient4174-0-2-0" y1="537.79797" x1="423.57144" y2="488.79782" x2="374.57129" gradientUnits="userSpaceOnUse" gradientTransform="matrix(0.49999779 0 0 0.49999779 -612.85624 -785.69581)"/>
+ </defs>
+ <metadata id="metadata5458"/>
+ <g inkscape:label="Capa 1" inkscape:groupmode="layer" id="layer1" transform="matrix(1 0 0 1 -384.57143 -499.798)">
+  <rect width="39.999989" x="388.57144" y="503.798" rx="19.999985" height="39.999969" style="stroke-opacity:0.550265;fill:url(#linearGradient4174);stroke-width:2.8" id="rect4166"/>
+  <rect width="35.999985" x="-426.57144" y="-541.79797" rx="17.999983" height="35.999966" style="stroke-opacity:0.550265;fill:url(#linearGradient4174-0);stroke-width:2.8" id="rect4166-9" transform="matrix(-1 0 0 -1 0 0)"/>
+  <rect width="29.999992" x="-538.79797" y="-423.57147" rx="14.999989" height="29.999977" style="stroke-opacity:0.550265;fill:#26333a;stroke-width:2.8" id="rect4166-7" transform="matrix(0 -1 -1 0 0 0)"/>
+  <rect width="28.00007" x="-422.5715" y="-537.79797" rx="14.00003" height="28.00005" style="stroke-opacity:0.550265;fill:url(#linearGradient4174-0-2);stroke-width:2.8" id="rect4166-9-6" transform="matrix(-1 0 0 -1 0 0)"/>
+  <rect width="19.999907" x="-418.57141" y="-533.79791" rx="9.999948" height="19.999895" style="stroke-opacity:0.550265;fill:url(#linearGradient4174-0-2-0);stroke-width:2.8" id="rect4166-9-6-7" transform="matrix(-1 0 0 -1 0 0)"/>
+  <g id="g4719">
+   <path inkscape:connector-curvature="0" style="stroke-opacity:0.550265;fill:url(#linearGradient4710);stroke-width:2.8" id="path4708" d="m 408.57143,509.798 c -7.756,0 -14,6.244 -14,14 0,7.756 6.244,14 14,14 7.756,0 14,-6.244 14,-14 0,-7.756 -6.244,-14 -14,-14 z m 0,1 c 7.20199,0 13,5.79801 13,13 0,7.20199 -5.79801,13 -13,13 -7.20199,0 -13,-5.79801 -13,-13 0,-7.20199 5.79801,-13 13,-13 z"/>
+   <path inkscape:connector-curvature="0" style="stroke-opacity:0.550265;fill:url(#linearGradient4713);stroke-width:2.8" id="path4704" d="m 408.57143,511.798 c -6.64799,0 -12,5.35201 -12,12 0,6.64799 5.35201,12 12,12 6.64799,0 12,-5.35201 12,-12 0,-6.64799 -5.35201,-12 -12,-12 z m 0,3 c 4.98598,0 9,4.01402 9,9 0,4.98598 -4.01402,9 -9,9 -4.98598,0 -9,-4.01402 -9,-9 0,-4.98598 4.01402,-9 9,-9 z"/>
+   <path inkscape:connector-curvature="0" style="stroke-opacity:0.550265;fill:url(#linearGradient4716);stroke-width:2.8" id="path4700" d="m 408.57143,515.798 c -1.15437,0 -2.24697,0.24726 -3.23633,0.68359 l 1.86328,4.66016 1.25196,-0.33203 2.04492,-4.77149 c -0.61695,-0.15152 -1.25884,-0.24023 -1.92383,-0.24023 z m 2.88281,0.54102 -1.97656,4.61132 1.125,0.64844 4.81836,-1.92773 c -0.90936,-1.51071 -2.29935,-2.69038 -3.9668,-3.33203 z m -7.00976,0.60937 c -1.5107,0.90936 -2.69038,2.29934 -3.33203,3.9668 l 4.61132,1.97656 0.64844,-1.125 -1.92773,-4.81836 z m 11.44336,3.61328 -4.66016,1.86328 0.33203,1.25196 4.77149,2.04492 c 0.15152,-0.61696 0.24023,-1.25884 0.24023,-1.92383 0,-1.15436 -0.24725,-2.24697 -0.68359,-3.23633 z m -15.07618,1.3125 c -0.15152,0.61696 -0.24023,1.25884 -0.24023,1.92383 0,1.15436 0.24725,2.24697 0.68359,3.23633 l 4.66016,-1.86328 -0.33203,-1.25196 -4.77149,-2.04492 z m 10.60743,2.83008 -0.64844,1.125 1.92773,4.81836 c 1.5107,-0.90936 2.69038,-2.29934 3.33203,-3.9668 l -4.61132,-1.97656 z m -4.87891,1.29297 -4.81836,1.92773 c 0.90936,1.51071 2.29935,2.69038 3.9668,3.33203 l 1.97656,-4.61132 -1.125,-0.64844 z m 3.4043,0.45703 -1.25196,0.33203 -2.04492,4.77149 c 0.61695,0.15152 1.25883,0.24023 1.92383,0.24023 1.15436,0 2.24697,-0.24726 3.23633,-0.68359 l -1.86328,-4.66016 z"/>
+  </g>
+  <circle cx="643.00952" cy="166.83434" r="2" id="path5009" style="fill:#2c3e50;color:#000000;stroke-linecap:round;stroke-linejoin:round;stroke-width:3" transform="matrix(0.79335334 0.60876143 -0.60876143 0.79335334 0 0)"/>
+  <path inkscape:connector-curvature="0" style="fill:#84cbfe;stroke-linecap:round;stroke-linejoin:round;stroke-width:2" id="path4550" d="m 401.57143,513.798 a 2.9999605,2.9999605 0 0 0 -3,3 2.9999605,2.9999605 0 0 0 3,3 2.9999605,2.9999605 0 0 0 3,-3 2.9999605,2.9999605 0 0 0 -3,-3 z"/>
+  <path inkscape:connector-curvature="0" style="fill:#84cbfe;stroke-linecap:round;stroke-linejoin:round;stroke-width:2" id="path4537" d="m 405.57143,519.298 a 1.4999942,1.4999868 0 0 0 -1.5,1.5 1.4999942,1.4999868 0 0 0 1.5,1.5 1.4999942,1.4999868 0 0 0 1.5,-1.5 1.4999942,1.4999868 0 0 0 -1.5,-1.5 z"/>
+ </g>
+</svg>
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/digikam_oxygen.svg b/dashy/data/appdata/icons/dashboard-icons/svg/digikam_oxygen.svg
new file mode 100644
index 0000000..bbf63d5
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/digikam_oxygen.svg
@@ -0,0 +1,102 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg height="128" width="128" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <defs>
+    <filter id="a">
+      <feGaussianBlur stdDeviation="1.4771469"/>
+    </filter>
+    <filter id="b">
+      <feGaussianBlur stdDeviation="1.474452"/>
+    </filter>
+    <linearGradient id="c">
+      <stop offset="0"/>
+      <stop offset="1" stop-opacity="0"/>
+    </linearGradient>
+    <filter id="d">
+      <feGaussianBlur stdDeviation="21.031171"/>
+    </filter>
+    <filter id="e">
+      <feGaussianBlur stdDeviation="1.4823768"/>
+    </filter>
+    <filter id="f">
+      <feGaussianBlur stdDeviation="1.4839468"/>
+    </filter>
+    <filter id="g">
+      <feGaussianBlur stdDeviation="10.554463"/>
+    </filter>
+    <radialGradient id="h" cx="442.44681" cy="490.71738" gradientTransform="matrix(.4081281 1.2032645 -.9470078 .3212102 726.58504 -199.28658)" gradientUnits="userSpaceOnUse" r="146.97212">
+      <stop offset="0"/>
+      <stop offset=".5" stop-color="#666"/>
+      <stop offset="1" stop-color="#7f7f7f" stop-opacity="0"/>
+    </radialGradient>
+    <linearGradient id="i" gradientUnits="userSpaceOnUse" x1="447.42792" x2="450.98187" xlink:href="#c" y1="619.26385" y2="328.42789"/>
+    <radialGradient id="j" cx="441.43668" cy="485.6666" gradientTransform="matrix(.4293318 -2.2873523 1.1399055 .213958 -301.70012 1391.4755)" gradientUnits="userSpaceOnUse" r="152.63437">
+      <stop offset="0" stop-color="#afb5ba" stop-opacity=".960784"/>
+      <stop offset="1" stop-opacity=".960784"/>
+    </radialGradient>
+    <linearGradient id="k" gradientUnits="userSpaceOnUse" x1="-385.33765" x2="-385.33765" y1="374.22821" y2="469.18298">
+      <stop offset="0" stop-color="#fff" stop-opacity="0"/>
+      <stop offset="1" stop-color="#c8c8c8"/>
+    </linearGradient>
+    <linearGradient id="l" gradientUnits="userSpaceOnUse" x1="-463.62922929894" x2="-463.22751830196" y1="707.23470550751" y2="636.1315084016">
+      <stop offset="0" stop-color="#1a1a1a"/>
+      <stop offset="1" stop-color="#5c5c5c"/>
+    </linearGradient>
+    <linearGradient id="m" gradientUnits="userSpaceOnUse" x1="-458.30343839782" x2="-455.25985227043" y1="707.30808431942" y2="631.75103622846">
+      <stop offset="0" stop-color="#1a1a1a"/>
+      <stop offset="1" stop-color="#ccc" stop-opacity="0"/>
+    </linearGradient>
+    <radialGradient id="n" cx="-462.15759" cy="669.52954" gradientUnits="userSpaceOnUse" r="37.778519">
+      <stop offset="0" stop-color="#fff"/>
+      <stop offset="1" stop-opacity="0"/>
+    </radialGradient>
+    <radialGradient id="o" cx="521.16754" cy="545.92981" gradientTransform="matrix(.6368706 -.7709707 1.7406734 1.4379065 -761.03424 162.7387)" gradientUnits="userSpaceOnUse" r="146.47212">
+      <stop offset="0" stop-color="#fff"/>
+      <stop offset=".5" stop-color="#7fccff" stop-opacity=".415254"/>
+      <stop offset="1" stop-color="#009aff" stop-opacity="0"/>
+    </radialGradient>
+  </defs>
+  <g transform="translate(1871.0903 656.4282)"/>
+  <g transform="translate(2184.0263 77.704638)">
+    <g>
+      <path d="m4056.7725 1480.6669c0 579.9083-470.6503 1050.5586-1050.5586 1050.5586-579.9084 0-1050.5586-470.6503-1050.5586-1050.5586 0-579.90837 470.6502-1050.55862 1050.5586-1050.55862 579.9083 0 1050.5586 470.65025 1050.5586 1050.55862z" filter="url(#d)" stroke="#000" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" transform="matrix(.05729662 0 0 .05729662 -2292.6127 -98.308685)"/>
+      <path d="m-2184.0261-77.704659h128v127.999993h-128z" fill="#333" opacity="0"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill-rule="evenodd" stroke="#000" transform="matrix(.3699421 0 0 .3699421 -2283.5172 -193.18822)"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="url(#h)" fill-rule="evenodd" stroke="#000" transform="matrix(.3699421 0 0 .3699421 -2283.5172 -193.18822)"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="none" stroke="#1a1a1a" stroke-width="4.801973" transform="matrix(.3701369 0 0 .3701369 -2283.6032 -193.28284)"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="none" stroke="#404040" stroke-width="12.324504" transform="matrix(.3902185 0 0 .3902185 -2292.4679 -203.03571)"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="none" filter="url(#b)" stroke="#000" stroke-width="1.946154" transform="matrix(.3751596 0 0 .3751596 -2285.8204 -195.7222)"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="url(#i)" fill-rule="evenodd" transform="matrix(.3012907 0 0 .3012907 -2253.2119 -159.84652)"/>
+      <g fill="none">
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" opacity=".523207" stroke="#000" stroke-width="2.455716" transform="matrix(.03921839 -.2987273 .2987273 .03921839 -2282.6055 99.302466)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" stroke="#000" stroke-width="3.931944" transform="matrix(.3688687 0 0 .3688687 -2283.0433 -192.66687)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" opacity=".523207" stroke="#000" stroke-width="2.455716" transform="matrix(.04713063 -.3589952 .3589952 .04713063 -2315.3683 122.06417)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" stroke="url(#j)" stroke-width="12.324504" transform="matrix(.3902185 0 0 .3902185 -2292.4679 -203.03571)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" filter="url(#a)" opacity=".523207" stroke="#000" stroke-width="2.455716" transform="matrix(.03963983 -.3019377 .3019377 .03963983 -2284.3507 100.5149)"/>
+        <path d="m4056.7725 1480.6669c0 579.9083-470.6503 1050.5586-1050.5586 1050.5586-579.9084 0-1050.5586-470.6503-1050.5586-1050.5586 0-579.90837 470.6502-1050.55862 1050.5586-1050.55862 579.9083 0 1050.5586 470.65025 1050.5586 1050.55862z" opacity=".592357" stroke="#000" stroke-linecap="round" stroke-linejoin="round" stroke-width="9.774646" transform="matrix(.05708222 0 0 .05708222 -2291.9682 -97.991218)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" filter="url(#f)" stroke="#000" stroke-linecap="round" stroke-linejoin="round" stroke-width="3.815697" transform="matrix(.02978209 -.2268508 .2268508 .02978209 -2243.2615 71.807214)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" stroke="#4d4d4d" stroke-linecap="round" stroke-linejoin="round" stroke-width="5.892814" transform="matrix(.03856882 -.2937795 .2937795 .03856882 -2279.6453 97.084569)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" stroke="#1a1a1a" stroke-linecap="round" stroke-linejoin="round" stroke-width="3.563545" transform="matrix(.03188944 -.2429025 .2429025 .03188944 -2251.9875 77.869536)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" stroke="#1a1a1a" stroke-linecap="round" stroke-linejoin="round" stroke-width="3.021582" transform="matrix(.03760925 -.2864704 .2864704 .03760925 -2275.672 94.324128)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" stroke="#1a1a1a" stroke-linecap="round" stroke-linejoin="round" stroke-width="3.142297" transform="matrix(.03616445 -.2754653 .2754653 .03616445 -2269.6894 90.167755)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" stroke="#1a1a1a" stroke-linecap="round" stroke-linejoin="round" stroke-width="3.273058" transform="matrix(.03471965 -.2644603 .2644603 .03471965 -2263.7068 86.011411)"/>
+      </g>
+      <path d="m-328.63631 403.09064c0 30.02162-25.4022 54.38699-56.70134 54.38699-31.29913 0-56.70133-24.36537-56.70133-54.38699 0-30.02163 25.4022-54.387 56.70133-54.387 31.29914 0 56.70134 24.36537 56.70134 54.387z" fill="url(#k)" transform="matrix(.1746043 0 0 .1746043 -2053.2321 -83.546326)"/>
+      <g transform="matrix(.7029675 0 0 .7029675 -1795.3302 -484.52852)">
+        <path d="m-461.88422 631.48481c-21.27485 0-38.54514 17.27028-38.54512 38.54514 0 21.27487 17.27027 38.53788 38.54512 38.53789 21.27487 0 38.53789-17.26302 38.53789-38.53789 0-21.27486-17.26302-38.54514-38.53789-38.54514zm.66783 27.29374 8.27522 4.26827 2.77295 8.8995-4.27554 8.28249-8.89226 2.76567-8.28247-4.26828-2.76566-8.8995 4.26828-8.28248z" fill-rule="evenodd" stroke="#000" stroke-width="1.250106"/>
+        <path d="m-462.15405 632.2478c-20.85368 0-37.7821 16.92838-37.78206 37.78208 0 12.50466 6.09133 23.59137 15.46147 30.46758l20.18601-17.97317-7.00853-3.41533-27.93455-2.34092-.23481-1.13133 27.54322 2.29112-2.5544-7.42123-18.60641-21.93637.56922-.87518 18.44278 21.52369 3.40109-7.037 2.21997-29.34337 1.05306-.09961-2.09189 28.78837 7.99043-2.75361.07118.03558 21.21539-19.99223c-6.29336-4.56927-13.43001-6.56907-21.94117-6.56907zm22.95472 7.35091-20.98307 19.68 6.43065 3.49235 28.86024.99627c-1.52344-9.53386-7.08817-18.64305-14.30782-24.16862zm-13.9112 24.39031 2.26978 7.85526 19.29661 20.24294c4.72534-6.30708 7.16507-13.57478 7.16507-22.05734 0-1.66863-.11014-3.31206-.3202-4.92376zm1.76486 9.02872-3.05271 6.83121-2.02074 27.52186c9.84218-1.5018 18.29613-6.4516 24.09968-14.01066zm-4.22674 7.20121-7.39276 2.68957-20.59161 18.27201c6.23425 4.53649 13.10842 6.62431 21.40273 6.62432 1.56816 0 3.11401-.0987 4.63205-.28461z" fill="url(#l)" fill-rule="evenodd"/>
+        <path d="m587.9088 485.6666a146.47212 146.47212 0 1 1 -292.94425 0 146.47212 146.47212 0 1 1 292.94425 0z" fill="none" filter="url(#e)" opacity=".821656" stroke="#000" stroke-width="9.675173" transform="matrix(.2567208 0 0 .2567208 -575.48237 545.34865)"/>
+        <g fill-rule="evenodd">
+          <path d="m-462.15405 631.75104c-20.85368 0-37.7821 16.92838-37.78206 37.78208 0 12.50466 6.09133 23.59136 15.46147 30.46758l20.18601-17.97317-7.00853-3.41533-27.93455-2.34092-.23481-1.13133 27.54322 2.29112-2.5544-7.42123-18.60641-21.93638.56922-.87517 18.44278 21.52369 3.40109-7.037 2.21997-29.34337 1.05306-.09962-2.09189 28.78838 7.99043-2.75361.07118.03558 21.21539-19.99224c-6.29336-4.56926-13.43001-6.56906-21.94117-6.56906zm22.95472 7.35091-20.98307 19.68 6.43065 3.49234 28.86024.99628c-1.52344-9.53386-7.08817-18.64306-14.30782-24.16862zm-13.9112 24.3903 2.26978 7.85526 19.29661 20.24294c4.72534-6.30707 7.16507-13.57478 7.16507-22.05733 0-1.66863-.11014-3.31206-.3202-4.92377zm1.76486 9.02872-3.05271 6.83122-2.02074 27.52186c9.84218-1.5018 18.29613-6.4516 24.09968-14.01066zm-4.22674 7.20121-7.39276 2.68957-20.59161 18.27202c6.23425 4.53649 13.10842 6.62431 21.40273 6.62431 1.56816 0 3.11401-.0987 4.63205-.28461z" fill="url(#m)"/>
+          <path d="m-462.15405 631.75104c-20.85368 0-37.7821 16.92838-37.78206 37.78208 0 12.50466 6.09133 23.59136 15.46147 30.46758l20.18601-17.97317-7.00853-3.41533-27.93455-2.34092-.23481-1.13133 27.54322 2.29112-2.5544-7.42123-18.60641-21.93638.56922-.87517 18.44278 21.52369 3.40109-7.037 2.21997-29.34337 1.05306-.09962-2.09189 28.78838 7.99043-2.75361.07118.03558 21.21539-19.99224c-6.29336-4.56926-13.43001-6.56906-21.94117-6.56906zm22.95472 7.35091-20.98307 19.68 6.43065 3.49234 28.86024.99628c-1.52344-9.53386-7.08817-18.64306-14.30782-24.16862zm-13.9112 24.3903 2.26978 7.85526 19.29661 20.24294c4.72534-6.30707 7.16507-13.57478 7.16507-22.05733 0-1.66863-.11014-3.31206-.3202-4.92377zm1.76486 9.02872-3.05271 6.83122-2.02074 27.52186c9.84218-1.5018 18.29613-6.4516 24.09968-14.01066zm-4.22674 7.20121-7.39276 2.68957-20.59161 18.27202c6.23425 4.53649 13.10842 6.62431 21.40273 6.62431 1.56816 0 3.11401-.0987 4.63205-.28461z" fill="url(#n)"/>
+        </g>
+      </g>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="none" stroke="#1a1a1a" stroke-linecap="round" stroke-linejoin="round" stroke-width="3.415175" transform="matrix(.03327485 -.2534553 .2534553 .03327485 -2257.7242 81.855066)"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="url(#o)" fill-rule="evenodd" transform="matrix(-.01682102 -.2879784 -.2879784 .01682102 -1972.6538 104.93929)"/>
+      <path d="m-2161.4863 9.0770959-.4967.2521772-.5917-1.1654952-3.5192 1.7866389 1.261.6582462-.5519.280193-1.2923-.703647-.2736-.5389156 4.0776-2.0701311-.5653-1.1135424.4967-.2521722zm-4.7885-2.5839957-.693.2961931-.2791-.652851.6931-.2961932zm2.9294-1.2520242-.693.2961932-.279-.652851.693-.2961932zm-.7659-1.7998997-.5257.1844188-.4327-1.2333799-3.7242 1.3066186 1.1632.8189005-.5841.2049104-1.1881-.8680243-.2001-.5703094 4.3151-1.5139368-.4134-1.17841018.5256-.18442254zm-2.2966-4.5296637.5894-.163561c.124-.034401.2379-.0597077.3417-.0759214.1055-.0192047.2048-.0291205.2978-.0297475.0954-.0012755.1865.0049249.2734.0185838.0863.0113291.1733.029995.2612.0560054l.1197.43152091c-.1812-.06305884-.3568-.10123765-.5268-.11453518-.1706-.01563115-.3319-.00235738-.4839.03983373l.0857.30873037-.7683.21321867zm-1.6191-4.3023674c.214-.0442192.4184-.0505298.6133-.018944.192.0297092.3679.1011753.5276.2143896.1593.1108459.2981.2668097.4165.4678867.1184.2010819.208.4489908.269.7437402.0609.2947582.0769.5578988.0479.789443-.0295.2291583-.0937.428321-.1925.5974708-.1018.1672684-.2347.3037976-.3987.4095791-.1669.1039-.3561.1777117-.5677.221444-.183.0378308-.3515.0441497-.5054.0189577-.1544-.0275691-.2923-.0771391-.4137-.1487173-.1242-.0734598-.2295-.1632283-.3159-.2693094-.0892-.1079576-.1578-.2239095-.2058-.3478482l-.0142.0029494c-.0043.1471217-.0317.2841616-.0823.4111135-.0511.1245747-.1199.2354585-.2064.3326503-.0894.0953016-.1928.1761812-.3105.2426338-.1181.0640755-.2473.1106033-.3875.1395908-.1759.0363611-.348.0372321-.5163.0026079-.1711-.0365006-.3287-.1092726-.4727-.2183123-.1463-.1085464-.2732-.2545874-.3805-.4381216-.1097-.1830459-.1914-.4041148-.2449-.6632115-.0565-.2733573-.0709-.5169972-.0433-.7309196.0272-.2162896.0867-.4020892.1785-.5573939.089-.1571848.2053-.2840862.3489-.3806978.1436-.0966067.3034-.1630837.4793-.1994498.1378-.0284956.2739-.0355588.4083-.0211897.1338.0119881.2609.045212.3812.099653.1174.0525658.2245.1270885.3213.2235781.0939.0945995.1701.2114551.2286.3505581l.0143-.0029532c-.0062-.1499069.01-.2932983.0486-.4301743.0363-.1363742.0974-.2605371.1833-.3724877.0835-.1114499.1912-.208066.323-.2898448.1318-.0817688.2881-.141327.4687-.1786709m-2.2039 1.2809195c-.1259.0260443-.2378.0665106-.3355.1214063-.0982.0525235-.1765.1232406-.235.2121613-.0608.0894089-.0992.1977173-.115.3249179-.0182.1276975-.0094.2783066.0265.4518272.0349.1687713.0857.3069668.1526.4146005.0645.1081181.1426.1923527.2344.2526926.0889.0584584.1891.0935179.3006.105177.1114.0116605.2302.0044661.3561-.0215745.0999-.0206324.1994-.0548344.2986-.1026023.0992-.047763.1844-.11496.2557-.2015838.0714-.0866175.1218-.1961905.1514-.3287226.0297-.1325272.0248-.2938743-.0145-.4840365-.0418-.2020456-.1025-.358033-.1822-.467966-.0803-.1123015-.1698-.1916965-.2686-.2381913-.0994-.0488669-.2033-.071999-.3118-.0694013-.109.0002292-.2134.0106581-.3133.0312955m2.2811-.6016338c-.1212.0250566-.2342.0657707-.3391.1221412-.1072.0568624-.1952.1345497-.2641.2330519-.0712.0990041-.1188.2228389-.1426.3715144-.0266.1467952-.0188.3223993.0234.5268233.0388.1877887.0993.3425832.1815.4643996.0793.1199225.1716.2123964.2767.2774116.1047.0626431.2192.100937.3435.1148944.122.0144505.2448.0088984.3684-.0166502.1545-.0319369.292-.080186.4125-.1447535.1181-.0640705.2149-.1472859.2904-.249645.0731-.1018683.1207-.2257032.1426-.3715107.0219-.1458112.0129-.3149797-.0269-.507524-.0403-.1949128-.0991-.3537694-.1765-.4765698-.0775-.1227905-.1697-.2152644-.2767-.2774117-.1095-.0616553-.2318-.0958569-.367-.1026025-.1381-.0086307-.2868.0035113-.4461.036431m-2.2999-15.4131919 3.4342.442083-.0837.650001-3.4341-.442083-.0707.54889-.473-.060895.0706-.54889-.4405-.056715c-.1421-.018284-.2716-.048409-.3885-.090388-.1194-.042288-.2191-.10407-.2992-.185357-.0822-.083994-.1407-.190637-.1754-.319921-.0372-.129598-.0432-.291894-.0181-.486897.0099-.077032.0238-.156014.0415-.236936.0181-.083327.0384-.155359.0609-.216096l.4947.063687c-.0125.039998-.0247.087372-.0367.142115-.014.052036-.0238.099725-.0294.143054-.0124.096297-.0094.177447.009.243446.0188.0636.0511.116702.097.15932.0438.039906.1009.071726.1713.095466.0706.021337.1529.038045.2468.050132l.3503.04509.0981-.761947.473.060898zm.5064-1.27745-.5286-.105017.7061-3.553242.5285.105016zm1.8284.363301-.5285-.105016.706-3.553243.5285.105016zm1.4906-7.821265c.2468.072647.4617.176382.6447.311197.183.134824.3274.297519.4332.48807.1036.189874.1639.406245.1809.64911.0178.240542-.0155.504013-.0998.790418-.076.258467-.1728.475426-.2902.650869-.1167.173122-.247.310625-.3909.412507-.1462.101205-.3019.170489-.4673.207847-.1646.035037-.3332.044868-.5058.029494l.1137-.657273c.1007.001803.2021-.007564.3043-.028093.0999-.021211.1964-.061122.2896-.119734.0915-.06162.1753-.144475.2515-.248572.0745-.107096.1365-.244474.1858-.412133.048-.162991.0671-.318048.0572-.465171-.0121-.1478-.0534-.282663-.1238-.404588-.0697-.124247-.168-.232891-.295-.325929-.127-.09303-.2824-.166612-.4664-.22076-.1513-.044541-.2971-.060872-.4372-.048981-.1425.011208-.2725.048854-.39.112932-.1199.063405-.2249.153929-.3152.271573-.0896.115317-.1591.256806-.2085.424456-.0308.104788-.0499.20416-.0573.298125-.0075.09397-.0062.184172.0038.270602.0107.084113.0289.164111.0546.239997.0241.07288.0516.142948.0824.210209l-.181.61473-2.5992-.943377.8235-2.797716.5344.157286-.6549 2.224897 1.5335.553818c-.0532-.137128-.0854-.298424-.0966-.483895-.0136-.186158.0136-.394496.0814-.62502.072-.244495.174-.453572.3061-.627239.1321-.173663.287-.308968.4648-.405921.1755-.09763.3685-.155946.5791-.174952.2105-.018997.4287.004745.6546.071217m.7136-4.361743c.4586.18011.8277.375884 1.1071.587318.2781.208298.4845.426285.6194.653956.1335.224528.2021.454878.2058.691038.0038.236172-.0396.469478-.1301.699927-.0914.232707-.2184.433188-.3809.601438-.1626.16825-.3692.289226-.6197.362923-.2498.071444-.5474.088868-.8929.052282-.3468-.039727-.7507-.150094-1.2116-.331094-.4813-.188977-.8625-.38693-1.1437-.593846-.2826-.210067-.4884-.426479-.6173-.649233-.129-.222757-.1908-.450443-.1855-.683061.003-.233498.0515-.469992.1456-.709483.0896-.228183.2119-.426608.3667-.595266.1536-.171794.3534-.295427.5994-.370908.2461-.075471.5442-.094026.8942-.055674.3478.037475.7622.150701 1.2435.339683m-.2436.620176c-.3795-.149053-.7036-.250226-.9721-.303528-.2708-.054178-.498-.066494-.6818-.036941-.1859.028674-.3347.095419-.4463.20024-.1129.101681-.2013.233856-.2652.396525-.0674.171706-.0953.3355-.0835.491383.0118.155884.0757.308731.1916.458549.1145.146672.2894.292284.5247.436838.233.143674.5382.289591.9155.437757.366.143732.6833.242249.9518.295547.2694.051037.4982.062665.6865.034887.1868-.030929.3394-.097475.4578-.199641.1161-.103048.2065-.237038.2713-.401969.063-.160408.087-.317871.0721-.472384-.0173-.155393-.0842-.306868-.201-.454433-.1182-.150699-.2933-.299018-.5255-.444945-.2312-.148187-.5299-.294149-.8959-.437885m3.9928-2.459593-2.2103-1.163071c-.1697-.089288-.3171-.153152-.4423-.191582-.1251-.038421-.2356-.04994-.3315-.034561-.0969.012107-.1807.051629-.2516.118557-.073.065806-.1406.157779-.2028.275916-.0644.12244-.0979.246061-.1005.370865-.0048.123679.0204.245268.0755.36475.054.116209.1385.229255.2535.339125.114.106598.258.20567.4319.297225l2.0203 1.063041-.3035.576749-2.742-1.442824c-.073-.038424-.1498-.077479-.2304-.117152-.0817-.042947-.1585-.081996-.2305-.117153-.0742-.036284-.1376-.066915-.1903-.091893-.0527-.024979-.0871-.040346-.1032-.046114l.2882-.547753c.0118.00351.042.016618.0904.039335.0484.02272.1043.049396.1677.080022.0624.027358.1264.056912.1919.088669.0635.030636.1167.05725.1596.079859l.0051-.00967c-.0738-.104677-.1357-.208561-.1857-.311661-.05-.103095-.082-.209069-.096-.317942-.0151-.112141-.0105-.227677.0137-.346612.0232-.122203.0709-.252042.1432-.389524.1391-.264206.3013-.444874.4868-.542006.1867-.099265.4107-.118507.6722-.057712l.0051-.00967c-.0738-.104673-.1346-.210703-.1823-.318102-.0477-.107389-.0769-.218738-.0875-.334056-.0128-.116431-.006-.236265.0204-.359494.0243-.124355.0727-.255271.145-.392753.0927-.17613.196-.315135.3099-.41701.1151-.104009.2435-.170834.3853-.200471.1418-.02963.3012-.022516.4784.021321.175.04272.3699.120597.5847.23362l2.3231 1.22241-.3018.573528-2.2103-1.163071c-.1697-.089288-.3172-.153146-.4423-.191577-.1252-.038417-.2357-.04994-.3315-.03456-.0969.012111-.1808.051628-.2517.118551-.073.065806-.1406.15778-.2027.275917-.0645.122444-.0991.245503-.1038.369172-.0069.122551.0161.243001.0691.361356.054.116213.1385.22926.2535.339125.1161.107728.2633.208503.4416.302312l2.0202 1.06304zm3.2164-5.317179-2.0368-1.445578c-.1564-.110984-.294-.193803-.413-.24847-.119-.054658-.227-.080715-.324-.078167-.0977-.000826-.186.027235-.2652.084184-.081.055554-.1602.137765-.2375.246625-.0801.112831-.1297.230926-.1488.354286-.021.121965-.0122.245809.0266.371535.0382.122351.1069.24559.2064.369719.0988.120753.2284.238021.3887.351814l1.8617 1.321247-.3772.531476-2.5268-1.793278c-.0673-.04776-.1382-.096641-.2129-.146645-.0752-.053382-.1462-.10226-.2129-.146649-.0687-.045781-.1275-.084538-.1764-.11628-.0489-.031734-.081-.05153-.0963-.059384l.3583-.504751c.0113.005049.0394.022031.0843.050956.045.028928.0969.062776.1557.101533.0582.035378.1177.073147.1785.113308.0588.038766.108.072196.1476.100291l.0063-.008909c-.0593-.113528-.1069-.2247-.1428-.333511-.0358-.108806-.0535-.218093-.053-.327855-.0001-.11315.0198-.227064.0595-.341744.0391-.11806.1037-.240436.1936-.367122.1728-.243465.3575-.401047.5543-.472756.1981-.073674.4227-.063067.6739.03182l.0063-.008903c-.0593-.113528-.1055-.226679-.1386-.339452-.0331-.112761-.0472-.226993-.0425-.342702.0027-.117104.0254-.23498.0679-.353619.0406-.120038.1058-.243398.1957-.370087.1152-.162309.236-.286403.3624-.372289.1279-.087857.264-.137082.4084-.147681.1445-.010586.3016.017573.4714.084492.1678.065527.3507.168527.5486.309001l2.1407 1.519336-.3751.528501-2.0368-1.445578c-.1563-.110976-.294-.193795-.413-.248466-.1189-.054653-.2269-.08071-.324-.078166-.0976-.000827-.186.027234-.2651.084183-.0811.055554-.1603.137765-.2376.246629-.08.11283-.1306.230222-.1517.352178-.023.120558-.0162.242999.0206.367315.0382.122352.107.245591.2064.369723.1008.122159.2334.24154.3977.358133l1.8616 1.321252zm10.4285-10.725817c-.017-.013454-.0446-.038608-.083-.075471-.0378-.040536-.0807-.085485-.1287-.134845-.0459-.050955-.0926-.102955-.1401-.155997-.0454-.054646-.0849-.103846-.1186-.1476l-.0125.009626c.0664.297375.0448.564568-.0647.801583-.1091.233341-.2907.447873-.5449.643608-.2125.163644-.4306.261882-.6542.294707-.2216.031223-.4435.008017-.666-.069623-.2203-.079241-.4373-.205865-.6509-.379864-.2132-.177685-.4168-.392575-.611-.644667-.1973-.256251-.3536-.510927-.4689-.76402-.1131-.254694-.1759-.500042-.1884-.736037-.0141-.238074.0264-.463434.1215-.676085.0973-.214241.2584-.408004.4834-.581279.1104-.085029.2255-.155391.3452-.211098.1197-.055688.2418-.093274.3662-.112743.1244-.019461.2509-.018971.3795.001478.1286.020458.2588.064562.3906.132302l.0063-.004817c-.0161-.020828-.0404-.050234-.073-.088219-.032-.041662-.0681-.088539-.1082-.140625-.0402-.05208-.0829-.105447-.1283-.160102-.0433-.056244-.085-.110413-.1252-.162502l-.9506-1.234404.8782-.676245 3.0034 3.900088c.1267.164589.243.30906.3487.433412.1041.122281.1855.217227.2442.284855zm-1.357-1.678126c-.1717-.222917-.3345-.391255-.4885-.505004-.1555-.115829-.3006-.189985-.4351-.222463-.1341-.036156-.2577-.037212-.3709-.003166-.1127.030368-.2138.08004-.3034.149027-.1125.08664-.1956.185523-.2494.296657-.0518.109531-.0717.234439-.06.374711.0139.138683.0614.292969.1424.462868.0832.1683.2041.355575.363.561828.5904.766687 1.1158.972745 1.5762.618174.0875-.067383.1606-.153514.2192-.258402.0586-.104884.0878-.22859.0876-.371124-.0002-.14253-.0373-.304835-.1111-.486933-.0734-.185772-.1967-.391167-.37-.616173m.3758-3.785219-.4473-.683032.9272-.607233.4473.683038zm2.7596 4.213691-2.3382-3.570251.9272-.607236 2.3382 3.570255zm4.2633-.599932c-.2464.135939-.4779.230679-.6947.284207-.2131.054558-.4112.073792-.5943.057697-.1795-.015068-.3439-.062528-.4931-.142389-.1456-.07882-.274-.183646-.3852-.314473l.9075-.64947c.1171.130586.2556.207345.4154.230275.1621.021658.3352-.018329.5194-.119971.1151-.063524.211-.137448.2876-.221765.0789-.085592.1301-.185953.1537-.301074.0272-.114088.0242-.244608-.0088-.39156-.0308-.148221-.0976-.315575-.2005-.502055-.0356-.064466-.0718-.130078-.1086-.196845-.0369-.066764-.0694-.128406-.0976-.184937-.0333-.065727-.0664-.128524-.0994-.188389l-.0069.003813c.0205.303995-.0418.566628-.1869.787906-.1429.220012-.3548.407512-.6357.562514-.2371.13086-.4674.197889-.6909.201081-.2225-.000369-.4358-.052315-.6401-.155821-.2056-.105814-.3995-.258587-.5818-.458316-.1813-.20331-.3488-.444248-.5025-.722821-.1588-.28778-.2736-.563814-.3444-.828107-.072-.266591-.0957-.516316-.071-.749179.0269-.234125.1055-.445636.2355-.634522.131-.192457.3209-.357291.5695-.494513.2487-.137206.5001-.206853.7542-.208951.2564-.003351.5053.083045.7467.259185l.0173-.009525c-.0267-.04834-.0561-.104231-.0881-.167668-.0309-.066997-.06-.130549-.0871-.190651-.0285-.062393-.0531-.11789-.0739-.166482-.0185-.049847-.0299-.084104-.0342-.102768l.9186-.506922c.0411.085423.1007.204232.1787.356414.078.152192.1703.324982.277.518365l1.5227 2.75925c.1499.271666.241.52925.2733.77274.0335.245795.0111.477385-.0671.694767-.076.216111-.2061.418536-.3902.607265-.1819.187465-.4133.358693-.6941.513695m-1.0752-3.866696c-.1296-.234825-.2606-.417811-.393-.548963-.1325-.131139-.2616-.223579-.3873-.277316-.1258-.053736-.2478-.073494-.3661-.059275-.116.012959-.2223.046112-.319.099472-.1243.068607-.2215.153765-.2915.255467-.0677.100443-.107.219735-.1179.357874-.0109.138145.0096.295022.0615.47063.0519.175613.1375.371622.2569.588033.2224.4029.4545.67122.6965.804972s.4908.130123.7464-.010909c.0966-.053359.182-.124502.2561-.213429.0751-.092494.1246-.206902.1485-.343223.0226-.138624.0131-.30006-.0285-.484333-.0417-.184261-.1292-.397259-.2626-.639m.9578-3.653556-.3393-.74264 1.0081-.460573.3393.74264zm2.093 4.581421-1.7734-3.88183 1.0081-.460573 1.7735 3.881829zm5.6294-2.242042-2.7366-1.733946-.4704.724535.6805 1.909744-1.096.390588-1.8656-5.235079 1.0961-.390587.846 2.374178 1.5133-3.214934 1.2781-.455465-1.4476 3.011477 3.4952 2.158728zm2.9097-.732064c-.1996.047037-.3851.06237-.5565.046009-.1694-.019521-.3215-.068786-.4563-.147795-.1353-.081566-.2509-.193484-.3465-.335739-.0957-.142255-.167-.313207-.214-.512845-.0579-.24571-.0642-.461699-.019-.647963.0472-.189425.133-.352812.2574-.490174.1237-.139906.2799-.256417.4687-.349526.1882-.095668.3946-.171312.6192-.226941l.8909-.226111-.0497-.211154c-.0356-.151006-.0792-.273102-.1309-.366293-.0497-.096349-.1077-.170481-.1739-.222416-.0663-.051922-.1409-.081633-.2237-.089141-.0808-.010662-.1699-.004542-.2671.018371-.0896.021112-.1681.049063-.2356.083864-.0649.034198-.1175.080365-.1578.138491-.0409.055577-.069.125672-.0842.21029-.0132.081464-.0127.181291.0017.299479l-1.1376.211281c-.0121-.188959.0053-.367312.0523-.535059.0463-.1703.1282-.327365.2456-.471198.1199-.144428.2779-.270798.4739-.379119.198-.111472.439-.200675.7231-.267617.2585-.060903.4964-.083182.7137-.066833.2172.016353.4113.071928.5823.166726.1703.092256.3143.221775.4319.388563.1176.1668.2051.371772.2624.614916l.3564 1.512646c.0229.097267.0472.183384.073.258357.0283.074374.0604.135718.0961.184038.0376.045158.0815.076693.1317.094592.052.014745.1139.013672.1856-.003218.0819-.01929.1594-.045664.2326-.079112l.1375.583559c-.0604.030433-.1147.058077-.1628.082934-.0482.024855-.097.047161-.1464.066893-.0493.019739-.1029.039103-.1605.058094-.0551.018383-.1211.036622-.1978.054714-.2714.063918-.4879.04471-.6498-.057628-.1594-.102938-.2823-.280648-.3688-.533126l-.023.005428c-.0824.292272-.2194.536608-.4108.733008-.189.195795-.4434.331378-.7633.406755m.7841-2.296009-.551.137932c-.114.032258-.2216.068427-.3229.108505-.0994.036918-.1833.087763-.2518.152523-.0665.061603-.1129.140065-.1391.235376-.0261.09532-.022.215921.0123.361811.0465.197083.1259.333696.2384.409851.1145.072994.2472.091697.3982.056121.1382-.032567.2567-.091545.3555-.176949.0987-.085398.1753-.184494.2298-.297287.0564-.11595.0916-.241762.1056-.377428.0139-.135665.0056-.268762-.0252-.399296zm5.1185 1.134267-.2532-2.380777c-.0176-.164731-.0453-.313829-.0833-.447297-.0357-.136358-.0848-.250126-.1474-.341316-.0602-.094075-.1351-.16412-.2246-.210133-.0869-.046291-.1892-.063175-.3069-.050664-.1124.011965-.2112.05288-.2963.12275-.0854.06726-.1563.159418-.2126.276469-.0539.11416-.0912.249017-.1116.404566-.0208.152939-.0216.319618-.0024.500036l.242 2.274877-1.1022.117223-.3504-3.294642c-.0097-.091517-.021-.185508-.0339-.281981-.0103-.096748-.0227-.187983-.0371-.273725-.0121-.088622-.023-.166785-.0329-.234497-.0101-.070317-.0196-.122192-.0284-.155637l1.0511-.111799c.0086.030827.0193.081256.032.151293.0125.067437.0257.14271.0399.225821.0141.083123.0269.16638.0384.24977.0142.083123.0243.153441.0304.210965l.0157-.001667c.1015-.338694.2451-.591967.4309-.75981.1884-.168119.4237-.267197.7061-.297238.3243-.03448.5929.017594.806.156238.2154.135753.3731.350364.4731.643834l.0235-.002507c.0572-.183252.1227-.3383.1965-.465147.0763-.127119.1631-.231541.2602-.313271.0994-.084616.2089-.149143.3284-.193601.1222-.044721.2565-.074867.4029-.090449.2328-.024748.4333-.003766.6017.062935.171.066436.314.167582.429.303437.1175.135586.2091.300378.2747.494367.0682.193725.1145.405636.139.635734l.2866 2.694548-1.0943.116388-.2532-2.380772c-.0176-.164728-.0453-.31383-.0833-.447298-.0357-.136354-.0848-.25013-.1474-.341315-.0602-.094076-.1351-.164121-.2246-.210134-.0869-.046287-.1892-.063176-.3069-.050664-.1098.011684-.2074.051155-.2928.118411-.0831.064372-.153.152466-.2099.264285-.0545.108933-.0924.237252-.1137.384959-.0214.147708-.0253.309434-.0119.485181l.2474 2.325862zm17.1039 1.151157.6346-2.415717c.0487-.185458.0776-.343487.0868-.474082.0093-.130586-.0045-.240842-.0411-.330774-.0336-.09165-.091-.164454-.1722-.218408-.0806-.056299-.1854-.101408-.3146-.135325-.1338-.035151-.2618-.03991-.3839-.014283-.1216.023287-.2344.075222-.3384.155819-.101.07887-.1921.186701-.2732.323502-.0781.135074-.1422.297685-.1921.48784l-.58 2.207954-.6303-.165577.7872-2.996755c.0209-.079817.0416-.163469.0621-.25095.0234-.089208.0442-.172855.0622-.250947.0186-.080435.0341-.149127.0466-.206093.0124-.056952.0196-.09396.0216-.111016l.5987.157253c-.0008.012358-.0068.044668-.018.096928-.0112.052269-.0246.112746-.0401.181442-.0126.066975-.0269.135976-.0431.207021-.0155.068701-.0295.126525-.0418.173474l.0106.002774c.0853-.09553.1725-.179273.2617-.25122.0892-.07194.1852-.127023.2881-.165248.1059-.039947.2194-.06156.3408-.06483.1242-.004996.2615.012242.4118.051703.2887.075852.5013.193189.6378.352.1388.159443.2081.373391.2078.641847l.0106.002778c.0853-.095538.1749-.178664.2688-.249374.0939-.070708.1958-.124249.3057-.160623.1105-.038716.2288-.059096.3548-.061129.1267-.004378.2651.013168.4154.05263.1925.050568.3512.119867.4761.207896.1273.08865.2214.19869.2823.330109.0608.131425.0898.288379.0871.470853-.0022.180131-.0341.387577-.0957.622341l-.667 2.538967-.6268-.164655.6346-2.415714c.0487-.185457.0776-.343486.0868-.474081.0093-.130587-.0044-.240846-.0411-.330774-.0336-.091655-.091-.164459-.1722-.218412-.0806-.056295-.1854-.101408-.3146-.135325-.1338-.035147-.2615-.041084-.383-.017804-.121.020938-.2331.070529-.3365.148781-.101.078865-.1921.186701-.2732.323502-.0787.137419-.1437.303551-.1949.498404l-.58 2.207949zm4.6787 1.53353c-.3693-.141858-.6094-.345908-.7204-.612138-.1109-.266239-.1011-.569288.0294-.909173.0931-.242444.2146-.423308.3644-.542572.153-.120659.3201-.19689.5013-.228689.1835-.030927.3769-.02683.5803.012289.2034.039123.4045.094275.6034.165464l.8311.30364.0771-.200528c.0583-.151814.092-.287063.1012-.405745.0092-.118678-.0065-.223493-.0469-.314441-.0405-.090953-.1049-.170299-.1933-.238054-.0853-.069146-.1947-.129395-.3284-.180748-.1178-.045256-.2278-.077093-.33-.095527-.1012-.020685-.1957-.021867-.2833-.003528-.0868.016071-.1665.054357-.2391.11486-.0718.058239-.1367.142526-.1947.252863l-.6168-.303215c.0784-.136309.1724-.252328.2819-.348053.1105-.097985.2405-.168969.39-.212954.1517-.043111.324-.054946.5167-.035516.1959.018034.4185.07492.6677.170653.4623.177556.7692.417647.9208.720281.1524.300372.1516.651085-.0025 1.052147l-.6083 1.583844c-.0697.181269-.0985.327492-.0866.438672.0128.108906.086.189038.2197.240388.034.013059.0688.023845.1045.032372.0358.008518.0708.015476.1051.020862l-.1462.380669c-.084-.011464-.1662-.027464-.2468-.047987-.0782-.019659-.1604-.046029-.2465-.079099-.1156-.044388-.2096-.097407-.2821-.159064-.0694-.063058-.1184-.135183-.147-.216379-.0278-.083461-.0378-.175733-.0302-.276809.0085-.10335.0328-.217503.073-.342469l-.0204-.007835c-.1109.092584-.2243.17123-.3402.235938-.1136.065572-.2356.112328-.3659.140273-.1295.025671-.268.030963-.4156.015869-.1454-.014228-.3042-.054416-.4764-.120561m.3156-.40531c.1949.074849.3783.105001.5503.090462.1752-.015935.3316-.061142.4694-.135612.1401-.073607.2592-.166981.3573-.280126.098-.113142.1701-.229759.2162-.349851l.1162-.302493-.6748-.243588c-.1504-.055174-.2975-.098678-.4413-.130504-.1406-.033221-.2728-.041094-.3965-.023609-.1237.017481-.2358.065451-.3361.143917-.0981.079334-.1789.201709-.2424.367118-.0766.199397-.0826.37393-.0178.523595.0669.150537.2001.264102.3995.340691m5.1442 2.030252c-.2199.173447-.4444.264976-.6733.274586-.2268.010678-.4732-.049037-.7393-.179135-.447-.218614-.7026-.53009-.767-.934437-.0621-.40328.0561-.910184.3547-1.520716.6036-1.234142 1.3393-1.638999 2.2071-1.214573.2682.131167.4677.289531.5985.475099.1308.185566.1985.411848.203.678857l.0065.003195c.0107-.021801.0261-.056128.0464-.102989.0234-.047969.0463-.097562.0687-.148782.0256-.05233.0496-.101386.072-.147181.0223-.045786.0383-.078495.0479-.09812l.6703-1.370423.5887.287924-2.0171 4.12436c-.0416.085038-.0816.166807-.12.245301-.0362.079564-.0692.152585-.099.219067-.0298.066477-.0554.124241-.0766.173275-.0203.046856-.0341.080629-.0415.101325l-.5625-.275136c.0063-.023939.0168-.056599.0317-.097976.018-.0425.0377-.090979.0589-.145443.0234-.053395.0479-.108973.0735-.166732.0266-.059938.0537-.118258.0815-.174948zm-1.1972-2.077c-.1194.24421-.2065.461002-.2613.650366-.0548.189368-.0761.357276-.064.503716.0133.144265.0594.268152.1385.371672.079.103518.1938.192072.3442.265647.1549.075718.3034.117293.4457.124725.1444.008505.2831-.023655.416-.096466.1361-.073929.2691-.191252.3991-.351966.1299-.160716.2589-.371905.3868-.633562.1227-.25075.2054-.472387.2482-.664906.0439-.194698.0516-.365199.0232-.511501-.0284-.146295-.0903-.271134-.1856-.374511-.0922-.104488-.2145-.194059-.3672-.268707-.1439-.070381-.2804-.10609-.4096-.107131-.1292-.001033-.2559.036988-.38.114064-.1242.07708-.2474.196489-.3698.358225-.1191.160623-.2405.367403-.3642.620335m3.7717 2.109358c-.1067.176607-.1876.350376-.2426.52131-.0517.170103-.0727.331767-.0632.484982.0129.152394.0603.294484.1424.426262.0833.129706.208.24475.3743.345136.2431.146819.4668.21532.6712.205505.2065-.008562.3809-.071957.5232-.190179l.4077.43764c-.0918.072165-.1987.136591-.3208.193265-.1188.055853-.2544.09022-.4068.1031-.1512.010802-.3218-.007177-.5119-.053933-.1868-.047581-.3924-.139134-.6167-.274653-.4987-.301166-.7892-.679359-.8716-1.134586-.0802-.453976.0566-.97392.4104-1.559845.1908-.315819.3915-.558964.6022-.72945.212-.172554.4279-.285986.6479-.340302.2199-.054308.4395-.056375.6587-.006209.2205.048095.4347.134887.6424.260371.2826.170658.4908.358793.6247.564402.1359.206868.2121.42584.2285.656922.0197.230256-.0124.468897-.0964.715926-.0819.248277-.1994.49916-.3524.752642l-.0452.0748zm2.086.672912c.1835-.374118.2493-.687382.1976-.939798-.0505-.254489-.216-.466433-.4965-.635837-.0935-.056466-.2016-.100489-.3243-.13207-.1193-.032398-.2459-.036511-.3796-.012337s-.2708.084557-.4114.181138c-.1393.094513-.2746.241062-.4059.439661zm2.4889 4.708315c-.3085-.247701-.475-.515243-.4995-.802628-.0245-.287386.0772-.573029.3051-.856936.1627-.202519.3335-.337735.5125-.405655.1825-.068287.3648-.089954.5471-.064993.1842.026483.3672.089352.549.188611s.3565.213103.5242.341528l.699.542551.1345-.167503c.1018-.126809.1752-.24533.2201-.355563.045-.110234.062-.214832.0512-.313784-.0108-.098959-.048-.194178-.1115-.285643-.0601-.091841-.146-.182596-.2577-.272257-.0984-.079015-.1935-.142867-.2851-.191555-.0901-.050576-.1797-.080492-.2688-.089746-.0875-.011149-.1751.001016-.2628.036494-.0861.033589-.1736.094086-.2624.181497l-.495-.476807c.1162-.105932.241-.187781.3746-.245551.135-.059649.2805-.087634.4363-.083952.1576.005209.3253.046445.503.123711.181.076895.3756.198923.5839.366076.3861.310014.6052.632236.6573.966671.0536.332547-.0541.66632-.3231 1.001328l-1.0622 1.323004c-.1216.151415-.1936.281879-.2162.391397-.021.107616.0243.206262.136.29592.0283.022793.0583.043695.0897.062706.0314.019005.0627.036311.0937.051904l-.2553.317978c-.0765-.03653-.15-.076837-.2204-.120937-.0685-.042575-.1388-.09274-.2107-.150482-.0965-.077508-.1699-.15667-.2202-.237502-.0469-.081208-.0715-.164839-.074-.250891-.001-.08795.0175-.178896.0556-.272836.0396-.095837.0976-.19714.174-.303906l-.0171-.013676c-.1339.054353-.2659.094675-.3959.120985-.1282.027826-.2586.035175-.3913.022053-.1311-.015015-.2647-.052211-.4007-.111587-.1341-.057856-.273-.144531-.4169-.260024m.4242-.289811c.1627.130686.3282.215326.4965.253909.1716.038208.3344.042856.4884.013939.1558-.027402.2977-.080027.4256-.157894.1279-.077864.2321-.166954.3126-.267264l.2029-.25268-.5684-.437695c-.1264-.098405-.2533-.18468-.3805-.258823-.1238-.07452-.2473-.122311-.3705-.14338-.1232-.021065-.2445-.009527-.364.034612-.1176.045665-.2318.137576-.3428.275744-.1337.166558-.1926.330977-.1765.493249.0179.163792.1101.312554.2767.446283m4.9337 3.493798c-.1272.133564-.2674.227953-.4206.283168-.1498.055133-.3082.071843-.4752.050142-.1654-.023469-.3386-.084513-.5195-.183138-.1775-.098718-.3585-.23597-.5431-.41177-.1652-.15738-.302-.312878-.4104-.46648-.1084-.150176-.1859-.301099-.2325-.452767-.0466-.151674-.0606-.305848-.0421-.462527.022-.156767.0808-.316998.1764-.480701l.497.317598c-.1053.191402-.129.383402-.0711.576005.0596.190845.2018.393424.4268.607728.1019.097107.2018.178814.2995.245125.0995.067977.1959.114574.2893.139782.0949.02345.1859.022965.2729-.001461.0904-.024507.1758-.07894.2561-.163299.0821-.086109.1288-.175657.1403-.268647.0132-.094746.0013-.194896-.0356-.300447-.0369-.105547-.0946-.220895-.1732-.346041-.0751-.125226-.1583-.26313-.2495-.413726-.0858-.1387-.1673-.280081-.2446-.424141s-.1332-.289494-.1677-.43631c-.031-.146896-.0319-.291948-.0028-.435153.0292-.143201.1082-.282467.2371-.417782.2478-.260094.5284-.369903.8419-.329426.3168.040401.6528.229695 1.0078.567902.3145.299695.5114.5928.5904.879315.0808.288193.0295.577864-.1541.869026l-.4772-.354129c.0545-.088882.0841-.178014.0888-.267407.0063-.091145-.0061-.180119-.0374-.266924-.0296-.088556-.0763-.174981-.1402-.25928-.0604-.084376-.131-.165075-.2119-.242091-.2144-.204261-.4035-.322436-.5674-.354521-.1639-.032082-.3086.017776-.4342.149582-.0736.077324-.1163.159049-.1279.245173-.0083.086044.0043.178448.0376.27722.0367.098683.09.206418.1597.323186.0715.115017.151.240998.2384.377944.0571.091325.1144.186081.1717.28427.059.09643.1103.195622.154.297577.0471.101869.0831.204867.1079.30899.0283.104044.0394.208507.0334.313377-.0061.104873-.0319.209367-.0774.31348-.0438.105792-.1143.209649-.2114.311578m8.632 8.840836c-.3361.217816-.6733.366939-1.0116.447385-.3371.082471-.6628.095413-.9771.038822-.3144-.056597-.6103-.182967-.8878-.379118-.2776-.196162-.5252-.462283-.743-.79837-.2297-.354428-.3761-.700698-.439-1.038815-.0609-.339447-.05-.661794.0328-.967053.0847-.30658.2345-.593128.4494-.859646.2149-.266514.4842-.50472.8081-.714619.3361-.217809.6699-.367654 1.0016-.44953.3316-.081873.6509-.093553.9578-.035032.309.057198.6002.185193.8736.383984.2769.199516.5268.471389.7499.815629.2218.342198.3665.679365.4343 1.01149.069.334157.0659.652904-.0094.956244-.074.305373-.2161.592693-.4263.861965-.2102.269269-.4813.511487-.8133.726664m-.3861-.595795c.2587-.167655.4722-.353734.6404-.55824.1696-.202473.2876-.417727.3538-.645779.0676-.226016.08-.461156.0374-.705432-.0426-.244268-.1451-.491674-.3074-.742221-.1664-.256647-.353-.455325-.5599-.596029-.2068-.140705-.4279-.22739-.6631-.260073-.2339-.030634-.4779-.009901-.732.062203-.2527.074147-.5085.195045-.7672.362695-.2586.167654-.4748.354032-.6485.559147-.1703.205823-.2923.423724-.366.653697-.0703.23069-.0872.470153-.0507.718388.0399.248949.141.498691.3033.749236.1743.268869.3679.471679.5809.608425.2143.138775.4391.220131.6745.244058.2387.024638.4851-.003471.7393-.084329.2555-.078819.5106-.200735.7652-.365746m3.6393 4.820865c-.2.099438-.4036.15871-.611.177807-.2041.020186-.4033-.004116-.5974-.072917-.1909-.067712-.3725-.182072-.5448-.343094-.1722-.161027-.3238-.37302-.4545-.635994l-.6713-1.349636-1.7897.890103-.3097-.622655 4.5934-2.284446.9614 1.933173c.1351.27167.2192.525311.2524.76094.0353.234543.0256.449458-.0291.644735-.0525.194195-.1478.367673-.286.520438-.136.151675-.3073.27886-.5137.381546m-.3179-.622673c.2913-.144843.4675-.343657.5289-.596452.0635-.253871.0066-.559024-.1707-.915452l-.6144-1.235533-1.8126.901458.6274 1.261613c.1784.358601.3885.58212.6304.670564.2429.090612.5133.061878.811-.086198m-2.4993 3.155744 4.8092-1.785889 1.3549 3.648672-.5324.19773-1.1129-2.99676-1.5427.572902 1.0368 2.791972-.5257.195192-1.0368-2.791972-1.6758.622337 1.1648 3.136697-.5325.19773zm2.4866 7.919936 3.5754-3.720501c-.1143.033482-.227.067839-.3383.10309-.0954.02878-.197.057851-.3047.08721-.1048.031131-.1985.056972-.2809.077518l-3.3067.824276-.1497-.600576 4.9777-1.240816.1955.784279-3.5966 3.755813c0-.000009.1137-.035843.341-.107501.0977-.029373.2037-.060798.3179-.094271.1166-.034071.2279-.064311.3339-.090725l3.2643-.813713.1515.607643-4.9778 1.240821zm2.4984 7.944417c-.2152.019086-.4172-.005643-.6061-.074174-.1886-.066127-.3571-.180327-.5055-.342608-.146-.162502-.2683-.373408-.3669-.632708-.0959-.257112-.1599-.566995-.1921-.929659-.0564-.635879.0109-1.141386.2018-1.516531.1909-.375144.4924-.629733.9045-.763762l.1937.659032c-.13.045647-.2462.108351-.3488.188117-.1026.079767-.1885.182427-.2578.307976-.0666.127751-.1139.281803-.1418.462166-.0278.180353-.0308.393841-.0089.640455.0182.205508.0518.392597.1009.561259.0515.16844.119.311101.2025.427979.0834.11687.185.204111.3046.261734.1223.059816.2632.08265.4228.0685.1668-.014805.2988-.065499.3959-.152086.0973-.084174.1737-.198168.2292-.341983.0554-.143824.0977-.313272.1267-.50835.029-.195079.0598-.411035.0924-.647859.0187-.145437.0398-.292296.0632-.440576.0261-.146082.0586-.287864.0975-.425347.0417-.135279.0924-.264056.1522-.386326.0598-.122275.1343-.230013.2235-.32321.0917-.093417.1994-.169986.3233-.229707.1262-.059938.274-.097413.4432-.112422.2418-.021451.4528.008567.633.090054.1829.083686.3377.207636.4644.371855.1266.164214.2258.362538.2976.594979.0718.23244.1199.48647.1444.7621.0281.31673.0267.589769-.0041.81913-.0284.229139-.0853.425479-.1707.589013-.0854.163528-.1978.297768-.3371.402731-.1367.107159-.2993.197118-.4878.269891l-.1802-.6712c.1203-.044788.2259-.104111.3168-.177966.0912-.071443.1648-.162042.2208-.271795.0561-.109758.0944-.241088.115-.393988.0207-.150494.0222-.326074.0044-.526744-.021-.236946-.0605-.434483-.1184-.59261-.0552-.155934-.1235-.280243-.2048-.372938-.0811-.090278-.1732-.152781-.2762-.187502-.1003-.032526-.2073-.043749-.321-.033667-.1523.013509-.2747.062134-.3672.145878-.0898.085947-.1616.197101-.2153.333448-.0537.136353-.0947.292287-.123.467813-.0283.175521-.0556.361925-.082.559206-.0223.160376-.0459.319645-.0709.477814-.0223.160375-.0538.314244-.0943.461611-.0381.147151-.0868.285489-.1459.415019-.059.131943-.1352.248355-.2286.349246-.0934.100878-.2067.182816-.34.245817-.1331.065413-.2928.10638-.4789.122895m1.0855 5.9890801c-.4004-.0107157-.7628-.0786895-1.0872-.2039212-.3245-.1228083-.6003-.2965149-.8274-.5211199-.2271-.224613-.3995-.496328-.5173-.81513-.1177-.318815-.1712-.678393-.1605-1.078751.0113-.422195.0867-.790471.2262-1.104819.142-.31429.3335-.573832.5745-.778634.2434-.204733.5292-.356129.8572-.45419.3279-.098062.6848-.141932 1.0706-.131608.4004.010711.7604.076196 1.0802.196446.3197.120249.5895.291366.8094.51336.2223.222049.3899.492416.5027.811096.1153.321171.1674.686789.1564 1.096853-.0109.40763-.0824.767509-.2146 1.079632-.1323.314549-.3153.575531-.5491.782954-.2338.209841-.5136.3662546-.8393.4692373-.3257.1029765-.6863.1491735-1.0818.1385948m.019-.7097221c.3081.008243.5894-.024295.8439-.09761.2545-.070898.4735-.181589.6572-.332064.1837-.148063.3271-.33484.4302-.560318.1032-.225491.1588-.487453.1668-.785895.0081-.305734-.0332-.575151-.1241-.808251-.0909-.233109-.224-.429713-.3994-.589802-.1755-.157672-.3884-.278701-.6386-.363098-.2504-.081974-.5296-.127083-.8378-.13533-.3081-.008244-.5918.023013-.8511.093779-.2569.073249-.4808.183809-.6718.331673-.1885.150353-.338.338179-.4485.563469-.108.227781-.1661.490894-.1741.789345-.0085.320284.0363.597075.1344.830377.0981.235726.2374.43006.4179.583008.1828.155433.4018.271779.6571.349031.2553.079669.5346.123562.8379.131686m-3.0878 3.6217514c.0409-.2785796.1169-.5372874.228-.776116.1111-.2388372.2586-.4416611.4425-.6084715.186-.1640598.4072-.2837033.6636-.3589267.2588-.0748716.5538-.0879896.8853-.0393489l3.2312.4742407-.1009.6880435-3.1737-.4657767c-.2569-.03772-.4804-.0361741-.6704.0046389-.1879.0435623-.3473.1182973-.4782.2242101-.1308.1059166-.2348.2378467-.312.3958041-.0751.160703-.1273.3407191-.1565.5400472-.0289.1969244-.0298.3869225-.0027.5699941.0271.1830629.0886.3490989.1845.498107.0959.1489993.2308.2742935.4048.3758876.176.1043359.3973.1760657.6639.215198l3.1268.4589047-.1004.6844393-3.1665-.4647236c-.3386-.0496974-.6245-.1493099-.8577-.2988375-.2311-.146782-.4143-.3282146-.5494-.5442977-.1351-.2161004-.2232-.4596392-.2644-.7306349-.0416-.2685995-.0408-.549395.0022-.8423817m-1.4146 6.81006442 2.4009-.74033558.4108-1.54465634-2.0584-.5474707.1788-.672049 4.9577 1.3186043-.6205 2.33281744c-.0749.28148096-.1738.5213926-.2969.71973617-.1214.20130309-.2627.35962559-.424.47496759-.1613.1153371-.3401.1883114-.5367.2189318-.1965.0306104-.405.0165974-.6255-.042044-.1572-.0418049-.3057-.106441-.4457-.1939044-.1406-.0851254-.2612-.1937906-.3616-.3259993-.1005-.13221372-.1762-.28672158-.2271-.46351991-.051-.17680702-.0668-.3769333-.0476-.60037014l-2.5101.83937587zm3.5589.84106069c.1501.03992296.2871.04875052.4111.02647273.124-.02229145.2354-.07302153.3343-.15219521.1013-.07856082.1883-.18353002.2609-.31490881.0749-.13076595.1361-.28528845.1836-.46355881l.4239-1.59391441-1.8297-.4866397-.4314 1.62206527c-.0512.19234763-.072.36513136-.0625.51835988.0118.15383639.0481.28655936.1088.39816021.0601.11394251.1421.20730846.2458.28010903.103.07513353.2214.13048388.3552.16604982m-.5926 4.65580149c.1064-.2711259.1557-.529492.1478-.7750923-.0087-.2433491-.0688-.4690162-.1801-.6769963-.1122-.2057277-.2716-.3908684-.4781-.5554246-.2066-.1645661-.4534-.3031735-.7403-.4158333-.287-.1126623-.5653-.1776027-.8349-.1948186-.2683-.014065-.5167.0174865-.7452.0946693-.2293.0794389-.4327.2055888-.6101.3784496-.1783.1751219-.3193.3948555-.4231.6592009-.0728.1852639-.1151.3629043-.1271.5329089-.0106.1731518.0042.3380325.0444.4946334.0393.1588619.0998.3103755.1814.4545483.0838.1450492.1845.2836903.3021.4159135l-.4719.4249013c-.1448-.1559425-.2692-.3273357-.3731-.5141785-.104-.1868514-.1787-.3883052-.2243-.6043687-.0464-.2138111-.0598-.442025-.0402-.6846491.0211-.239478.0839-.4925227.1886-.7591253.1517-.3863511.3457-.7012999.5822-.9448541.2378-.2404069.5049-.415868.8012-.5263857.2977-.1073667.617-.1501904.9579-.1284749.3409.0217192.691.1031068 1.0502.2441565.3728.1463713.6895.3293827.9501.5490442.2597.2219139.456.4723996.5889.7514719.1343.2822048.2012.5900888.2006.9236446.0017.3344359-.0702.6869234-.2157 1.0574636-.1996.5083517-.4658.8940807-.7985 1.1571782-.3328.2630964-.7261.3981164-1.18.4050676l.0375-.6932513c.1307-.0008407.262-.0197055.3938-.0566018.1341-.0360163.2633-.0961076.3876-.1802839.1244-.084185.2409-.1949069.3495-.3321657.1078-.1350152.2007-.3019302.2788-.5007477m-5.5301 1.1779811 4.5401 2.3885327-1.8122 3.4445262-.5026-.26445 1.4883-2.8290914-1.4564-.7662287-1.3867 2.6357581-.4962-.261062 1.3867-2.6357524-1.5821-.8323468-1.5579 2.9611982-.5027-.264446zm-18.0565 19.9216229.6377-.415122 1.9143 1.786268c.052.044329.1137.101226.1849.170681.0693.070773.1372.139515.2038.206231.0786.076261.1582.156244.2387.23994-.0413-.103464-.0809-.206569-.1188-.309314-.034-.087899-.068-.180171-.102-.276813-.0359-.095328-.0663-.179816-.0911-.25347l-.8353-2.471227.6347-.413137 3.0737 2.699801-.5432.353548-2.0183-1.879306c-.0447-.037525-.0966-.086232-.1559-.146126-.0579-.057864-.1152-.114705-.1718-.170534-.0632-.066002-.1288-.133369-.1967-.202116.034.087899.0657.174422.0951.259571.0247.07366.0502.148332.0763.224022s.0469.138866.0625.18953l.8777 2.656503-.5889.383345-2.0525-1.891805c-.0487-.043625-.103-.093708-.1629-.150241-.06-.056542-.1163-.109669-.169-.159394-.0613-.058572-.1232-.118166-.1858-.178769.034.087894.0667.173753.0981.257586.0268.072325.055.146693.0844.223096.0288.079759.0532.150716.0734.21288l.8771 2.62216-.5371.349576zm-4.7624 2.521612.6807-.340218 1.6996 1.991605c.0467.049939.1015.113447.1644.190531.0608.078164.1205.154151.1791.22798.0695.084673.1395.173152.21.265436-.0293-.107473-.0569-.214401-.083-.32078-.0238-.09119-.0472-.186718-.0699-.286581-.025-.09879-.0456-.186175-.0619-.262161l-.55-2.549938.6774-.338588 2.7481 3.030582-.5797.289753-1.7924-2.095827c-.0402-.042346-.0863-.096624-.1384-.162848-.051-.064053-.1015-.127018-.1514-.188897-.0554-.072741-.1129-.147104-.1726-.223095.0239.091185.0456.180739.0651.268674.0163.075986.0331.153061.0505.231221.0173.078155.0309.14329.0406.195394l.5712 2.738823-.6286.314166-1.825-2.11211c-.0434-.048858-.0917-.104767-.1448-.167729-.0532-.062973-.1032-.122137-.1498-.177504-.0543-.065138-.1091-.131362-.1645-.198671.0239.091182.0467.180202.0684.267044.0184.074901.038.151972.0586.231225.0195.082499.0358.155769.0488.219823l.5744 2.704625-.5732.286495zm-5.0161 1.96952.714-.263241 1.4701 2.166545c.0409.054771.0884.123928.1425.207468.0518.084375.1028.166477.1529.246307.0597.091803.1195.187449.1795.286937-.0173-.110046-.033-.21937-.0472-.327966-.0137-.093268-.0263-.190781-.038-.292548-.0139-.100936-.0248-.190057-.0326-.267373l-.2661-2.594977.7106-.261983 2.3979 3.314596-.6081.224201-1.5509-2.280353c-.0352-.046503-.0751-.105532-.1196-.177081-.0437-.069281-.0869-.137416-.1297-.204416-.047-.078388-.096-.158633-.147-.24073.0137.093259.0254.184658.0352.274202.0078.077316.016.15577.0247.23537.0086.079592.0149.14582.0189.198684l.2663 2.785041-.6593.243091-1.5815-2.300125c-.0378-.053337-.0796-.114218-.1256-.182657-.0459-.068438-.089-.132738-.1293-.192905-.0468-.070715-.094-.142568-.1416-.215556.0137.093256.0266.184235.0386.27294.0101.076478.021.155231.0328.236265.0103.084145.0184.158769.0243.223863l.2733 2.751412-.6013.221677zm-1.3361.379331.2186.766823-.6828.194602-.2186-.766819zm-4.1172 1.659204c.0659-.27224.1859-.482844.36-.631806.1718-.148455.4025-.253663.6921-.315619.4866-.104112.88-.017028 1.1803.261257.298.278795.518.75049.6602 1.415086.2875 1.343425-.0411 2.116199-.9858 2.318337-.2919.062466-.5466.061117-.7641-.004042-.2175-.065172-.4105-.20136-.5789-.408574l-.0072.001524c.0051.023736.0142.060269.0272.109613.0112.052209.0238.105363.0379.159454.0122.056956.0236.110363.0342.160208.0107.049846.0183.085447.0229.106814l.3192 1.491777-.6409.13712-.9606-4.489567c-.0198-.092568-.0388-.181579-.0571-.267021-.0207-.084945-.0398-.162763-.0574-.233458-.0176-.070704-.0332-.131905-.0468-.183613-.013-.049339-.023-.084434-.0299-.105284l.6123-.13103c.0099.022715.0217.05493.0356.096637.012.04459.0265.094863.0434.150807.0146.056459.0297.115288.0453.176494.016.063577.0307.126226.0439.187936zm2.2243.894259c-.0569-.265841-.1222-.490146-.1961-.672917-.0739-.182774-.1608-.328003-.2608-.435681-.0994-.105311-.2122-.174257-.3384-.206842-.1261-.032591-.271-.031362-.4348.00368-.1685.036062-.311.095098-.4275.177118-.1189.082521-.2081.193449-.2676.332783-.0615.142215-.0936.316651-.0966.523307-.0029.206652.0261.452389.087.737217.0584.272959.1302.498364.2155.676231.0857.180231.1849.319102.2976.41662.1127.097507.2385.157475.3773.179902.137.02529.2886.020166.4547-.015378.1567-.033521.2861-.08977.3884-.168736.1022-.07897.1784-.187106.2284-.324401.0501-.137309.0733-.307339.0696-.510094-.0056-.199875-.0378-.437479-.0967-.712809m-3.2879 3.489314.0926.619362-.6482.09685-.0925-.619362zm-.7059-4.724428.5822 3.896209-.6482.096854-.5822-3.896212zm-3.2659-1.160099c.225-.019384.4264-.013608.6045.017335.1781.030944.3326.084629.4634.161053.1306.074014.2397.166934.3273.278764.0876.111825.1546.238831.201.38101l-.6485.150898c-.0591-.177619-.1666-.308438-.3225-.392458-.1585-.086231-.3586-.11892-.6005-.098081-.1475.012717-.2799.044844-.3973.096372-.1174.051535-.2144.126892-.2911.226083-.077.096773-.1321.219691-.1656.368746-.0334.14906-.0412.327577-.0233.535553l.0544.631177.0073-.000622c.0398-.103322.092-.204057.1567-.302201.0624-.095524.1426-.182834.2405-.261925.0955-.078885.2091-.14593.3408-.20113.1319-.052782.2849-.086678.459-.101683.2491-.02147.4667.001199.6527.067997.1838.069424.3398.182672.4678.339737.1256.157273.2257.356952.3001.59904.0723.244707.1225.530294.1506.856768.0271.314382.0261.59951-.003.855393-.0315.256083-.0978.476189-.1989.660316-.1033.186751-.2441.334095-.4224.442044-.1805.110564-.4049.177422-.6734.200558-.2781.023966-.5242-.019381-.7384-.130036-.2164-.108045-.3903-.274555-.5218-.499542l-.0072.000628c.0052.060453.0098.12827.0139.20345.0016.075379.004.145824.0072.21133.001.068127.0012.126583.0005.175369-.0007.048779-.0031.077008-.0073.084685l-.6203.053459c.0005-.021975-.0003-.059669-.0024-.113075-.002-.050998-.0049-.112875-.0087-.185629-.0039-.072764-.0084-.153984-.0137-.243665-.0075-.087061-.0153-.17775-.0235-.272056l-.2585-2.999916c-.0473-.548954.0525-.972946.2996-1.27198.2445-.301243.6448-.475832 1.201-.523766m-.6919 3.589794c.0236.273264.0739.504022.1511.692282.0749.190875.166.343819.2734.458817.1073.114991.2264.196092.3572.243295.1283.047406.2578.065485.3883.054232.1669-.014382.3083-.055803.4242-.124263.1135-.068253.2047-.168698.2737-.301325.0668-.130008.111-.294612.1329-.493828.0196-.196593.0177-.430316-.0057-.701163-.0243-.282946-.063-.519587-.116-.70992-.0551-.187715-.1265-.337484-.2141-.44931-.0876-.11183-.1928-.18803-.3157-.228599-.1229-.04057-.2665-.053772-.431-.039601-.1306.011257-.2551.05001-.3737.116261-.1209.066459-.2258.16442-.3145.293878-.0887.129462-.1551.292321-.1991.488582-.044.196255-.0543.429807-.031.700662m-1.7109 2.885647.0149.626061-.6552.015565-.0149-.626055zm-.1135-4.775527.0936 3.938353-.6552.01557-.0936-3.938357zm-4.1313-.043009 1.2711 1.842556.4938-.380418.0473-1.40095.655.022114-.1824 5.400036-.655-.022114.1139-3.3732-1.7929 1.852026-.7678-.025922 1.6546-1.638126-1.6054-2.301924zm-2.2482-.266187c.3929.046413.6759.184949.8491.415603.1732.230655.2384.526763.1957.888346-.0305.257922-.1036.463146-.2194.615674-.1184.154647-.2616.269723-.4294.345229-.1702.075216-.3586.118938-.5654.131181-.2067.012236-.4153.00838-.6256-.011568l-.8803-.089332-.0252.21333c-.0191.1615-.0184.300892.0019.41818.0204.11728.0614.214997.123.293161.0617.078164.1437.13918.2461.183045.0996.045991.2206.077388.3628.094189.1253.014803.2398.018542.3433.011224.1032-.004918.1951-.027068.2755-.066447.0801-.036975.1479-.093737.2034-.170282.0552-.074135.0973-.171817.1263-.293046l.6725.14177c-.0424.151426-.1048.287025-.1874.406817-.0829.122189-.1913.223031-.3254.30252-.1364.079205-.3004.133149-.492.161848-.1943.030819-.424.030565-.6892-.000754-.4917-.058093-.8484-.215095-1.0699-.471007-.2218-.253515-.3075-.593595-.2571-1.020254l.1991-1.68495c.0227-.192842.0147-.341669-.0243-.446478-.0392-.102399-.1299-.161998-.2722-.1788-.0361-.004273-.0726-.006133-.1093-.005581-.0367.000545-.0724.002448-.107.005692l.0479-.40497c.0842-.009597.1679-.01438.251-.014345.0806-.000241.1668.005043.2584.015866.1229.014523.2271.04272.3126.084592.0828.043997.1481.101812.1958.173444.0475.074042.08.160985.0975.260823.0173.102249.0218.218888.0137.349905l.0217.002565c.0847-.117093.1752-.221273.2716-.312546.0939-.091563.2005-.166949.32-.226169.1191-.056802.2521-.09609.3988-.11786.1444-.02205.3082-.022257.4914-.000615m-.2059.470617c-.2073-.024492-.3925-.008483-.5556.048016-.1658.058628-.3063.141024-.4215.247177-.1176.105872-.21.225719-.2771.359551-.0672.133829-.1083.264625-.1234.392381l-.038.321803.714.069681c.1594.016383.3127.022271.4599.017661.1445-.002486.2745-.02745.3901-.074896.1156-.047455.2124-.121573.2903-.222354.0755-.101071.1236-.239588.1444-.415557.025-.212122-.0123-.38273-.1119-.511815-.102-.129374-.2591-.206592-.4712-.231648m-5.1668-1.284297-.5634 2.433285c-.0433.186807-.0676.345613-.073.476425-.0053.1308.0116.240609.0508.329424.0364.090628.0959.161717.1786.213264.0822.053914.1883.095929.3184.126045.1348.03121.2629.032214.3842.003019.1209-.026836.2321-.082061.3336-.165673.0987-.081797.1866-.192253.2636-.33137.0742-.137304.1334-.301729.1778-.493267l.515-2.224002.6349.147022-.699 3.018544c-.0186.080401-.0368.164616-.0547.252663-.0209.089853-.0391.174077-.0548.25266-.0163.080946-.0298.150067-.0406.207374-.0107.057297-.0169.094496-.0183.1116l-.603-.139628c.0004-.012373.0054-.04485.0151-.097417.0096-.052572.0212-.113419.0348-.18254.0106-.067313.0229-.13671.037-.20819.0135-.06913.0257-.127343.0367-.17463l-.0107-.002461c-.0825.097993-.1672.184252-.2543.258787-.087.074522-.1813.132393-.2831.173623-.1046.043032-.2175.067964-.3387.074792-.1241.008637-.2618-.004567-.4131-.039608-.2909-.067355-.5069-.178405-.6479-.333149-.1434-.155296-.219-.367121-.2266-.635476l-.0106-.002466c-.0825.097998-.1696.183712-.2614.257147-.0917.073432-.192.129932-.3009.169519-.1093.041941-.227.065773-.3529.071506-.1264.008088-.2653-.005387-.4166-.040428-.194-.044905-.3546-.10952-.4821-.193849-.1298-.084881-.2271-.192108-.2918-.321692-.0646-.129588-.0983-.28562-.1009-.468097-.0031-.180116.0227-.388406.0775-.624874l.5922-2.557431.6313.146202-.5634 2.43328c-.0433.186812-.0676.345618-.073.476425-.0053.130805.0116.240614.0508.329423.0363.090633.0959.161723.1786.213273.0822.053907.1883.095922.3184.126042.1348.03121.2626.0334.3834.006567.1203-.024472.2309-.07733.332-.158578.0986-.081797.1865-.192258.2636-.331372.0747-.13967.1347-.30764.1802-.503908l.515-2.224002zm-3.9596-1.071682-.2473.758044-.675-.220175.2473-.758049zm-5.6245.006944c.2565-.639859.5883-1.059927.9955-1.260201.4072-.200282.8788-.192951 1.415.021984.2546.102056.4668.231569.6367.388547.1698.156977.2929.342322.3694.556025.0742.2128.1011.452386.0806.718751-.0236.267717-.1.562669-.2292.884851-.5057 1.261681-1.3049 1.673519-2.3977 1.235518-.2838-.113796-.5125-.251208-.6859-.412245-.1757-.161947-.2972-.347959-.3647-.55805-.0697-.210995-.0887-.44742-.0569-.70927.0317-.261858.1108-.550492.2372-.86591m.6388.256028c-.1138.283879-.1852.527221-.2142.730034-.0313.201903-.0262.375214.0151.519928.0392.143814.111.261508.2155.353087.1036.093822.232.171443.3852.232859.1554.06231.3057.095098.4509.09836.1419.004608.2794-.031802.4125-.109226.1321-.075184.2588-.195656.3802-.361436.1191-.16669.2342-.38859.3453-.665709.1138-.283879.1834-.529253.2088-.736122.0245-.204613.016-.37928-.0253-.523995-.0437-.145617-.115-.264441-.2141-.356463-.1014-.092923-.2219-.167383-.3616-.223378-.1554-.062309-.3048-.097352-.4481-.10512-.1443-.005513-.2824.029318-.4146.104491-.1321.07518-.2593.196783-.3815.364816-.1223.168038-.2403.393995-.3541.677874m-.6532-2.458536-1.3192 2.718811c-.036.074247-.0715.150118-.1064.22761-.0381.078613-.0736.154486-.1064.227609-.0327.073124-.0634.141881-.0919.206275-.0286.064385-.054.12222-.0761.173517l-.5569-.270198c.0222-.051292.0481-.110223.0777-.176792.0263-.065455.0549-.132556.0855-.201313.0285-.069813.0581-.136387.0888-.199716.0275-.06221.0519-.115149.073-.158826l-.0131-.006357c-.1071.11526-.2075.210902-.301.286923-.0968.07714-.1923.132016-.2863.164616-.0951.034784-.1938.046274-.296.034466-.1032-.009632-.2171-.044644-.3416-.105041-.048-.023314-.0917-.049932-.1312-.079855-.0405-.027748-.0711-.05072-.092-.068924l.2623-.540489c.034.02999.0761.059886.1264.089686.0493.031979.1066.063866.1721.095656.1354.065688.266.091275.3918.076755.1235-.015584.2424-.063135.3565-.142656.1109-.078398.2171-.18605.3186-.322953.1004-.134722.1936-.290528.2794-.467413l.8964-1.847486zm-2.7472-3.1727c.1956.11265.3576.23256.486.359738.1285.127181.2245.259516.2882.397013.0649.135397.1013.274012.1093.415839.0079.141835-.0097.284328-.053.427494l-.6183-.24683c.053-.179559.0396-.348351-.0403-.506381-.0807-.161334-.2263-.302572-.4366-.423699-.1283-.073889-.2554-.123236-.3811-.148044-.1258-.024804-.2485-.018434-.3682.019097-.1184.03544-.2339.104751-.3466.207939-.1126.103193-.221.245236-.3252.426135l-.3161.548996.0063.003633c.0917-.062014.1921-.114815.3013-.15841.1058-.0427.2215-.068504.347-.077422.1235-.010131.2551-.000203.3946.029761.1384.032078.2833.091719.4348.178928.2167.124765.3822.267721.4967.428872.1111.162042.1744.344101.1896.546167.0132.200852-.0188.421885-.0961.663084-.0806.242091-.2026.505119-.3662.78908-.1574.273448-.3212.506832-.4914.700159-.1722.192105-.3524.334815-.5406.428122-.1915.094198-.3913.134624-.5992.121292-.2113-.01245-.4337-.085897-.6672-.220346-.2419-.139298-.4191-.315562-.5316-.52879-.1158-.21234-.1634-.448383-.1426-.708134l-.0063-.003633c-.0303.052582-.0653.110874-.1049.17487-.0418.062785-.0801.121967-.1149.17755-.0381.056472-.0714.10453-.0998.144179-.0284.039646-.0466.061411-.0544.065305l-.5396-.3107c.0131-.017715.0339-.049107.0627-.094171.0275-.042962.0605-.095389.099-.157283.0384-.061892.0811-.131144.128-.207763.0436-.075723.089-.154601.1363-.236634l1.5026-2.609321c.2749-.477476.5992-.768282.9729-.872414.3728-.10744.8011-.021871 1.2849.256722m-2.6197 2.550052c-.1369.23769-.2275.455813-.2718.654373-.0476.199446-.0602.377032-.0379.532764.0224.155724.0737.29032.154.403792.0782.112255.1741.201087.2877.266501.1452.083572.2848.130406.4191.140484.1321.00887.2644-.021397.3968-.090802.1291-.068514.2595-.178272.3913-.32927.1284-.150111.2605-.342954.3961-.578538.1418-.246102.2453-.462375.3106-.648823.0621-.185554.0891-.349239.0812-.491071-.008-.141827-.0508-.264506-.1284-.368029-.0776-.103527-.188-.196474-.331-.278837-.1136-.065409-.238-.104811-.3731-.118212-.1372-.014605-.2793.005848-.4261.061357s-.2943.151211-.4426.287098-.2902.321629-.4259.557213" fill="#fff"/>
+      <path d="m4056.7725 1480.6669c0 579.9083-470.6503 1050.5586-1050.5586 1050.5586-579.9084 0-1050.5586-470.6503-1050.5586-1050.5586 0-579.90837 470.6502-1050.55862 1050.5586-1050.55862 579.9083 0 1050.5586 470.65025 1050.5586 1050.55862z" style="opacity:.3;fill:none;stroke:#fff;stroke-width:9.774646;stroke-linecap:round;stroke-linejoin:round;filter:url(#g)" transform="matrix(.05674937 0 0 .056649 -2291.1082 -96.892916)"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="url(#o)" fill-rule="evenodd" opacity=".6" transform="matrix(.2879784 -.01682102 -.01682102 -.2879784 -2238.8955 133.27137)"/>
+    </g>
+  </g>
+  <g transform="translate(53.74013 .000004)"/>
+</svg>
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/financial-services.svg b/dashy/data/appdata/icons/dashboard-icons/svg/financial-services.svg
new file mode 100644
index 0000000..0d20d8a
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/financial-services.svg
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg fill="#000000" width="800px" height="800px" viewBox="0 0 1024 1024" xmlns="http://www.w3.org/2000/svg"><path d="M385.707 436.152c0-35.468-75.779-71.68-172.37-71.68-96.6 0-172.38 36.211-172.38 71.68s75.78 71.68 172.38 71.68c96.591 0 172.37-36.212 172.37-71.68zm40.96 0c0 66.334-96.901 112.64-213.33 112.64-116.438 0-213.34-46.305-213.34-112.64s96.903-112.64 213.34-112.64c116.429 0 213.33 46.306 213.33 112.64zm-40.96 371.371c0 35.468-75.779 71.68-172.37 71.68-96.6 0-172.38-36.211-172.38-71.68H-.003c0 66.335 96.903 112.64 213.34 112.64 116.429 0 213.33-46.306 213.33-112.64h-40.96zm0-124.928c0 35.468-75.779 71.68-172.37 71.68-96.6 0-172.38-36.211-172.38-71.68H-.003c0 66.335 96.903 112.64 213.34 112.64 116.429 0 213.33-46.306 213.33-112.64h-40.96zm0-122.88c0 35.468-75.779 71.68-172.37 71.68-96.6 0-172.38-36.211-172.38-71.68H-.003c0 66.335 96.903 112.64 213.34 112.64 116.429 0 213.33-46.306 213.33-112.64h-40.96z"/><path d="M0 436.152v374.784c0 11.311 9.169 20.48 20.48 20.48s20.48-9.169 20.48-20.48V436.152c0-11.311-9.169-20.48-20.48-20.48S0 424.841 0 436.152zm385.707 0V806.84c0 11.311 9.169 20.48 20.48 20.48s20.48-9.169 20.48-20.48V436.152c0-11.311-9.169-20.48-20.48-20.48s-20.48 9.169-20.48 20.48zm566.335 443.051c16.962 0 30.72-13.758 30.72-30.72V184.317c0-16.962-13.758-30.72-30.72-30.72H546.405c-16.962 0-30.72 13.758-30.72 30.72v664.166c0 16.962 13.758 30.72 30.72 30.72h405.637zm0 40.96H546.405c-39.583 0-71.68-32.097-71.68-71.68V184.317c0-39.583 32.097-71.68 71.68-71.68h405.637c39.583 0 71.68 32.097 71.68 71.68v664.166c0 39.583-32.097 71.68-71.68 71.68z"/><path d="M892.446 293.421H606.002v60.652h286.444v-60.652zm10.24 101.612H595.762c-16.963 0-30.72-13.757-30.72-30.72v-81.132c0-16.963 13.757-30.72 30.72-30.72h306.924c16.963 0 30.72 13.757 30.72 30.72v81.132c0 16.963-13.757 30.72-30.72 30.72zM653.265 503.018c0 18.708-15.165 33.864-33.874 33.864-18.698 0-33.864-15.155-33.864-33.864s15.165-33.864 33.864-33.864c18.708 0 33.874 15.155 33.874 33.864zm129.831 0c0 18.708-15.165 33.864-33.864 33.864-18.708 0-33.874-15.155-33.874-33.864s15.165-33.864 33.874-33.864c18.698 0 33.864 15.155 33.864 33.864zm129.83-2.822c0 18.708-15.165 33.864-33.874 33.864-18.698 0-33.864-15.155-33.864-33.864s15.165-33.874 33.864-33.874c18.708 0 33.874 15.165 33.874 33.874zM653.265 624.382c0 18.708-15.165 33.864-33.874 33.864-18.698 0-33.864-15.155-33.864-33.864s15.165-33.874 33.864-33.874c18.708 0 33.874 15.165 33.874 33.874zm129.831 0c0 18.708-15.165 33.864-33.864 33.864-18.708 0-33.874-15.155-33.874-33.864s15.165-33.874 33.874-33.874c18.698 0 33.864 15.165 33.864 33.874zm129.83 0c0 18.708-15.165 33.864-33.874 33.864-18.698 0-33.864-15.155-33.864-33.864s15.165-33.874 33.864-33.874c18.708 0 33.874 15.165 33.874 33.874zM653.265 748.568c0 18.708-15.165 33.864-33.874 33.864-18.698 0-33.864-15.155-33.864-33.864s15.165-33.874 33.864-33.874c18.708 0 33.874 15.165 33.874 33.874zm129.831 0c0 18.708-15.165 33.864-33.864 33.864-18.708 0-33.874-15.155-33.874-33.864s15.165-33.874 33.874-33.874c18.698 0 33.864 15.165 33.864 33.874zm129.83 0c0 18.708-15.165 33.864-33.874 33.864-18.698 0-33.864-15.155-33.864-33.864s15.165-33.874 33.864-33.874c18.708 0 33.874 15.165 33.874 33.874z"/></svg>
\ No newline at end of file
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/gaming.svg b/dashy/data/appdata/icons/dashboard-icons/svg/gaming.svg
new file mode 100644
index 0000000..c792bc3
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/gaming.svg
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg fill="#000000" version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" 
+	 width="800px" height="800px" viewBox="0 0 92 92" enable-background="new 0 0 92 92" xml:space="preserve">
+<path id="XMLID_1173_" d="M60.8,30.9c0.8,0.8,1.3,2,1.3,3.2c0,1.2-0.5,2.3-1.3,3.2c-0.8,0.8-2,1.3-3.2,1.3c-1.2,0-2.4-0.5-3.2-1.3
+	c-0.8-0.8-1.3-2-1.3-3.2s0.5-2.3,1.3-3.2c0.8-0.8,2-1.3,3.2-1.3C58.8,29.6,60,30.1,60.8,30.9z M67.8,37.2c-1.2,0-2.3,0.5-3.2,1.3
+	c-0.8,0.8-1.3,2-1.3,3.2c0,1.2,0.5,2.4,1.3,3.2c0.8,0.8,2,1.3,3.2,1.3c1.2,0,2.4-0.5,3.2-1.3c0.8-0.8,1.3-2,1.3-3.2
+	c0-1.2-0.5-2.3-1.3-3.2C70.2,37.7,69,37.2,67.8,37.2z M33.8,35H31v-2.6c0-1.4-1.1-2.5-2.5-2.5S26,31,26,32.4V35h-2.6
+	c-1.4,0-2.5,1.1-2.5,2.5s1.1,2.5,2.5,2.5H26v2.6c0,1.4,1.1,2.5,2.5,2.5S31,44,31,42.6V40h2.8c1.4,0,2.5-1.1,2.5-2.5S35.2,35,33.8,35
+	z M92,66.1c0,4.3-2.4,7.8-6.2,9.3c-3.8,1.4-9.8,0.8-15.2-5.3c-2.6-3-7-8.4-9.4-11.4c-12.8,3-25,1.1-30.3,0c-2.4,3-6.8,8.4-9.4,11.4
+	c-3.9,4.4-8.1,6-11.6,6c-1.4,0-2.6-0.2-3.7-0.6c-3.8-1.4-6.2-5-6.2-9.3c0-11.8,7.6-30.3,10-35.8c-0.8-2.8-0.5-5.7,1-8.3
+	c1.9-3.3,5.3-5.8,8.3-6c2.6-0.2,6.1,1.3,8.4,2.4c4.5-0.8,18.7-2.9,36.6,0c2.2-1.1,5.8-2.6,8.4-2.4c2.9,0.2,6.4,2.7,8.3,6
+	c1.5,2.6,1.9,5.5,1,8.3C84.4,35.8,92,54.3,92,66.1z M84,66.1c0-11.9-9.9-33.9-10-34.1c-0.5-1.1-0.5-2.4,0.1-3.5
+	c0.4-0.8,0.4-1.5,0.1-2.2c-0.5-1.2-1.7-2.1-2.2-2.3c-0.9,0.1-3.3,1.1-5.2,2.1c-0.8,0.4-1.7,0.6-2.6,0.4c-20.5-3.6-36.2-0.1-36.3,0
+	c-0.9,0.2-1.9,0.1-2.8-0.4c-1.9-1-4.3-2-5.2-2.1c-0.5,0.3-1.7,1.1-2.2,2.3c-0.3,0.8-0.3,1.4,0.1,2.2c0.5,1.1,0.6,2.4,0.1,3.5
+	C17.9,32.2,8,54.2,8,66.1c0,0.9,0.4,1.5,1,1.8c1.4,0.5,3.9-0.3,6.4-3.1c3.5-4,10.7-13,10.8-13.1c1-1.3,2.7-1.8,4.2-1.3
+	c0.2,0,15.8,4.4,31.1,0c0.4-0.1,0.7-0.2,1.1-0.2c1.2,0,2.4,0.5,3.1,1.5c0.1,0.1,7.3,9.1,10.8,13.1c2.5,2.9,5,3.7,6.4,3.1
+	C83.6,67.6,84,67,84,66.1z"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/home.svg b/dashy/data/appdata/icons/dashboard-icons/svg/home.svg
new file mode 100644
index 0000000..09ebbb3
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/home.svg
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Generator: Adobe Illustrator 25.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Capa_1" x="0px" y="0px" viewBox="0 0 512 512" style="enable-background:new 0 0 512 512;" xml:space="preserve" width="512" height="512">
+<g>
+	<path d="M256,319.841c-35.346,0-64,28.654-64,64v128h128v-128C320,348.495,291.346,319.841,256,319.841z"/>
+	<g>
+		<path d="M362.667,383.841v128H448c35.346,0,64-28.654,64-64V253.26c0.005-11.083-4.302-21.733-12.011-29.696l-181.29-195.99    c-31.988-34.61-85.976-36.735-120.586-4.747c-1.644,1.52-3.228,3.103-4.747,4.747L12.395,223.5    C4.453,231.496-0.003,242.31,0,253.58v194.261c0,35.346,28.654,64,64,64h85.333v-128c0.399-58.172,47.366-105.676,104.073-107.044    C312.01,275.383,362.22,323.696,362.667,383.841z"/>
+		<path d="M256,319.841c-35.346,0-64,28.654-64,64v128h128v-128C320,348.495,291.346,319.841,256,319.841z"/>
+	</g>
+</g>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+</svg>
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/home2.svg b/dashy/data/appdata/icons/dashboard-icons/svg/home2.svg
new file mode 100644
index 0000000..45379a7
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/home2.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path fill-rule="evenodd" clip-rule="evenodd" d="M8 0L0 6V8H1V15H4V10H7V15H15V8H16V6L14 4.5V1H11V2.25L8 0ZM9 10H12V13H9V10Z" fill="#000000"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/media-playback.svg b/dashy/data/appdata/icons/dashboard-icons/svg/media-playback.svg
new file mode 100644
index 0000000..0e8473e
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/media-playback.svg
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg">
+    <path d="m 2 2.5 v 11 c 0 1.5 1.269531 1.492188 1.269531 1.492188 h 0.128907 c 0.246093 0.003906 0.488281 -0.050782 0.699218 -0.171876 l 9.796875 -5.597656 c 0.433594 -0.242187 0.65625 -0.734375 0.65625 -1.226562 c 0 -0.492188 -0.222656 -0.984375 -0.65625 -1.222656 l -9.796875 -5.597657 c -0.210937 -0.121093 -0.453125 -0.175781 -0.699218 -0.175781 h -0.128907 s -1.269531 0 -1.269531 1.5 z m 0 0" fill="#2e3436"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/media.svg b/dashy/data/appdata/icons/dashboard-icons/svg/media.svg
new file mode 100644
index 0000000..20dcd1c
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/media.svg
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg fill="#000000" height="800px" width="800px" version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" 
+	 viewBox="0 0 512 512" enable-background="new 0 0 512 512" xml:space="preserve">
+<path d="M244.4,69.8L174.5,0h-58.2l69.8,69.8H244.4z M395.6,69.8L325.8,0h-58.2l69.8,69.8H395.6z M418.9,0l69.8,69.8H512V0H418.9z
+	 M418.9,162.9h-93.1l69.8-69.8h-58.2l-69.8,69.8h-93.1l69.8-69.8h-58.2l-69.8,69.8H23.3l69.8-69.8H0v372.4
+	C0,491.1,20.9,512,46.5,512h418.9c25.7,0,46.5-20.9,46.5-46.5V93.1h-23.3L418.9,162.9z M23.3,0H0v69.8h93.1L23.3,0z"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/music.svg b/dashy/data/appdata/icons/dashboard-icons/svg/music.svg
new file mode 100644
index 0000000..6617c47
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/music.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M15 1H4V9H3C1.34315 9 0 10.3431 0 12C0 13.6569 1.34315 15 3 15C4.65685 15 6 13.6569 6 12V5H13V9H12C10.3431 9 9 10.3431 9 12C9 13.6569 10.3431 15 12 15C13.6569 15 15 13.6569 15 12V1Z" fill="#000000"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/network.svg b/dashy/data/appdata/icons/dashboard-icons/svg/network.svg
new file mode 100644
index 0000000..ba7b330
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/network.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M3 12H21M12 8V12M6.5 12V16M17.5 12V16M10.1 8H13.9C14.4601 8 14.7401 8 14.954 7.89101C15.1422 7.79513 15.2951 7.64215 15.391 7.45399C15.5 7.24008 15.5 6.96005 15.5 6.4V4.6C15.5 4.03995 15.5 3.75992 15.391 3.54601C15.2951 3.35785 15.1422 3.20487 14.954 3.10899C14.7401 3 14.4601 3 13.9 3H10.1C9.53995 3 9.25992 3 9.04601 3.10899C8.85785 3.20487 8.70487 3.35785 8.60899 3.54601C8.5 3.75992 8.5 4.03995 8.5 4.6V6.4C8.5 6.96005 8.5 7.24008 8.60899 7.45399C8.70487 7.64215 8.85785 7.79513 9.04601 7.89101C9.25992 8 9.53995 8 10.1 8ZM15.6 21H19.4C19.9601 21 20.2401 21 20.454 20.891C20.6422 20.7951 20.7951 20.6422 20.891 20.454C21 20.2401 21 19.9601 21 19.4V17.6C21 17.0399 21 16.7599 20.891 16.546C20.7951 16.3578 20.6422 16.2049 20.454 16.109C20.2401 16 19.9601 16 19.4 16H15.6C15.0399 16 14.7599 16 14.546 16.109C14.3578 16.2049 14.2049 16.3578 14.109 16.546C14 16.7599 14 17.0399 14 17.6V19.4C14 19.9601 14 20.2401 14.109 20.454C14.2049 20.6422 14.3578 20.7951 14.546 20.891C14.7599 21 15.0399 21 15.6 21ZM4.6 21H8.4C8.96005 21 9.24008 21 9.45399 20.891C9.64215 20.7951 9.79513 20.6422 9.89101 20.454C10 20.2401 10 19.9601 10 19.4V17.6C10 17.0399 10 16.7599 9.89101 16.546C9.79513 16.3578 9.64215 16.2049 9.45399 16.109C9.24008 16 8.96005 16 8.4 16H4.6C4.03995 16 3.75992 16 3.54601 16.109C3.35785 16.2049 3.20487 16.3578 3.10899 16.546C3 16.7599 3 17.0399 3 17.6V19.4C3 19.9601 3 20.2401 3.10899 20.454C3.20487 20.6422 3.35785 20.7951 3.54601 20.891C3.75992 21 4.03995 21 4.6 21Z" stroke="#000000" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/photos.svg b/dashy/data/appdata/icons/dashboard-icons/svg/photos.svg
new file mode 100644
index 0000000..58a8799
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/photos.svg
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg fill="#000000" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"  width="800px"
+	 height="800px" viewBox="0 0 31.06 32.001" xml:space="preserve">
+<g id="photos">
+	<path d="M29.341,11.405L13.213,7.383c-1.21-0.301-2.447,0.441-2.748,1.652L6.443,25.163c-0.303,1.211,0.44,2.445,1.65,2.748
+		l16.127,4.023c1.21,0.301,2.447-0.443,2.748-1.652l4.023-16.127C31.293,12.944,30.551,11.708,29.341,11.405z M28.609,14.338
+		l-2.926,11.731c-0.1,0.402-0.513,0.65-0.915,0.549l-14.662-3.656c-0.403-0.1-0.651-0.512-0.551-0.916l2.926-11.729
+		c0.1-0.404,0.513-0.65,0.916-0.551l14.661,3.658C28.462,13.522,28.71,13.936,28.609,14.338z"/>
+	<circle cx="15.926" cy="13.832" r="2.052"/>
+	<path d="M22.253,16.813c-0.136-0.418-0.505-0.51-0.82-0.205l-2.943,2.842c-0.315,0.303-0.759,0.244-0.985-0.133l-0.471-0.781
+		c-0.227-0.377-0.719-0.5-1.095-0.273l-4.782,2.852c-0.377,0.225-0.329,0.469,0.096,0.576l3.099,0.771
+		c0.426,0.107,1.122,0.281,1.549,0.389l3.661,0.912c0.426,0.105,1.123,0.279,1.549,0.385l3.098,0.773
+		c0.426,0.107,0.657-0.121,0.521-0.539L22.253,16.813z"/>
+	<path d="M2.971,7.978l14.098-5.439c0.388-0.149,0.828,0.045,0.977,0.432l1.506,3.933l2.686,0.67l-2.348-6.122
+		c-0.449-1.163-1.768-1.748-2.931-1.299L1.45,6.133C0.287,6.583-0.298,7.902,0.151,9.065L5.156,22.06l0.954-3.827L2.537,8.954
+		C2.389,8.565,2.583,8.126,2.971,7.978z"/>
+</g>
+<g id="Layer_1">
+</g>
+</svg>
\ No newline at end of file
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/security.svg b/dashy/data/appdata/icons/dashboard-icons/svg/security.svg
new file mode 100644
index 0000000..c803155
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/security.svg
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg">
+    <path d="m 2 0 c -0.550781 0 -1 0.449219 -1 1 v 8 c 0 2.5 1.816406 4.246094 3.445312 5.332031 c 1.628907 1.085938 3.238282 1.617188 3.238282 1.617188 c 0.207031 0.070312 0.425781 0.070312 0.632812 0 c 0 0 1.609375 -0.53125 3.238282 -1.617188 c 1.628906 -1.085937 3.445312 -2.832031 3.445312 -5.332031 v -8 c 0 -0.550781 -0.449219 -1 -1 -1 z m 1 2 h 10 v 7 c 0 1.5 -1.183594 2.753906 -2.554688 3.667969 c -1.214843 0.808593 -2.179687 1.128906 -2.445312 1.226562 c -0.265625 -0.097656 -1.230469 -0.417969 -2.445312 -1.226562 c -1.371094 -0.914063 -2.554688 -2.167969 -2.554688 -3.667969 z m 1 1 v 6 c 0 1 0.867188 2.007812 2.109375 2.835938 c 0.933594 0.621093 1.472656 0.785156 1.890625 0.949218 v -9.785156 z m 0 0" fill="#2e3436"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/shield-user.svg b/dashy/data/appdata/icons/dashboard-icons/svg/shield-user.svg
new file mode 100644
index 0000000..82fa67d
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/shield-user.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path fill-rule="evenodd" clip-rule="evenodd" d="M3 10.4167C3 7.21907 3 5.62028 3.37752 5.08241C3.75503 4.54454 5.25832 4.02996 8.26491 3.00079L8.83772 2.80472C10.405 2.26824 11.1886 2 12 2C12.8114 2 13.595 2.26824 15.1623 2.80472L15.7351 3.00079C18.7417 4.02996 20.245 4.54454 20.6225 5.08241C21 5.62028 21 7.21907 21 10.4167V11.9914C21 17.6294 16.761 20.3655 14.1014 21.5273C13.38 21.8424 13.0193 22 12 22C10.9807 22 10.62 21.8424 9.89856 21.5273C7.23896 20.3655 3 17.6294 3 11.9914V10.4167ZM14 9C14 10.1046 13.1046 11 12 11C10.8954 11 10 10.1046 10 9C10 7.89543 10.8954 7 12 7C13.1046 7 14 7.89543 14 9ZM12 17C16 17 16 16.1046 16 15C16 13.8954 14.2091 13 12 13C9.79086 13 8 13.8954 8 15C8 16.1046 8 17 12 17Z" fill="#1C274C"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/traffic-cone.svg b/dashy/data/appdata/icons/dashboard-icons/svg/traffic-cone.svg
new file mode 100644
index 0000000..d04ea31
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/traffic-cone.svg
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M22 20h-3.278l-1.014-3.646c-.081.043-.17.076-.265.095-1.758.364-3.576.551-5.443.551-1.868 0-3.767-.197-5.564-.571a.999.999 0 0 1-.153-.045L5.278 20H2a1 1 0 1 0 0 2h20a1 1 0 1 0 0-2ZM6.817 14.466l.027.005C8.507 14.817 10.268 15 12 15c1.733 0 3.415-.173 5.037-.51a.995.995 0 0 1 .148-.019l-1.087-3.912a1.001 1.001 0 0 1-.275.094A20.875 20.875 0 0 1 12 11a21.351 21.351 0 0 1-4.108-.404l-1.075 3.87ZM8.43 8.665A19.33 19.33 0 0 0 12 9c1.181 0 2.34-.105 3.457-.313.039-.007.077-.012.116-.015L14.16 3.59a.801.801 0 0 0-.77-.59h-2.78c-.36 0-.67.24-.77.59L8.43 8.665Z" fill="#000000"/></svg>
\ No newline at end of file
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/video-camera.svg b/dashy/data/appdata/icons/dashboard-icons/svg/video-camera.svg
new file mode 100644
index 0000000..e7b8f45
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/video-camera.svg
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M10 3H0V13H10V3Z" fill="#000000"/>
+<path d="M15 3L12 6V10L15 13H16V3H15Z" fill="#000000"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/data/appdata/icons/dashboard-icons/svg/web-server.svg b/dashy/data/appdata/icons/dashboard-icons/svg/web-server.svg
new file mode 100644
index 0000000..2636aea
--- /dev/null
+++ b/dashy/data/appdata/icons/dashboard-icons/svg/web-server.svg
@@ -0,0 +1 @@
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 98.54 122.88"><title>web-server</title><path d="M89,67.53h0c.21-.44.4-.87.58-1.28l.07-.14c.27-.64.53-1.29.76-1.94s.47-1.32.67-2h0c.21-.67.4-1.35.57-2s.33-1.39.47-2.09.21-1.12.29-1.65.17-1.09.24-1.67h0c.06-.49.11-1,.16-1.5s.06-.81.08-1.21H80.83a39,39,0,0,1-.52,4.7c-.1.62-.22,1.23-.36,1.84H74.27c.17-.68.32-1.37.46-2.06A33.59,33.59,0,0,0,75.28,52H52v6.51H46.49V52H23.25a33.64,33.64,0,0,0,.57,4.45c.13.69.28,1.38.46,2.06h-5.7c-.13-.61-.25-1.23-.36-1.85A40.5,40.5,0,0,1,17.7,52H5.64l.09,1.2c0,.53.1,1,.16,1.53s.14,1.12.23,1.66.18,1.08.29,1.64v0c.14.68.29,1.38.47,2.07s.37,1.39.58,2.06.44,1.36.69,2,.52,1.33.8,2v0l.55,1.24V78.47c-.39-.52-.76-1.06-1.11-1.6s-.87-1.32-1.28-2S6.35,73.51,6,72.8s-.74-1.41-1.09-2.13-.69-1.46-1-2.19S3.25,67,3,66.21s-.55-1.54-.79-2.32-.46-1.56-.65-2.33S1.14,60,1,59.17.67,57.54.55,56.74.33,55.13.25,54.3.1,52.63.06,51.79,0,50.1,0,49.27a49,49,0,0,1,.25-5Q.37,43,.55,41.8c.12-.79.26-1.6.43-2.43s.33-1.56.52-2.34.42-1.55.65-2.32.49-1.52.77-2.27.56-1.48.87-2.21l.07-.17,0-.06c.31-.73.64-1.45,1-2.16S5.59,26.42,6,25.73s.78-1.4,1.19-2.06.82-1.34,1.26-2,.87-1.28,1.34-1.91.94-1.24,1.44-1.84,1-1.21,1.55-1.8S13.84,15,14.4,14.39l0,0c.55-.55,1.11-1.09,1.68-1.61s1.16-1,1.78-1.54,1.23-1,1.85-1.44l0,0c.64-.47,1.28-.91,1.91-1.33s1.33-.87,2-1.28S25,6.34,25.74,6s1.4-.74,2.13-1.09,1.45-.68,2.19-1h0q1.13-.5,2.25-.9c.76-.28,1.53-.55,2.32-.79s1.56-.46,2.34-.66,1.57-.38,2.38-.54h0C40.19.81,41,.67,41.8.55s1.61-.22,2.44-.3S45.91.1,46.74.06,48.43,0,49.27,0a49.14,49.14,0,0,1,5,.25q1.24.12,2.46.3c.79.12,1.6.26,2.43.43s1.56.33,2.34.52,1.55.42,2.32.65,1.52.49,2.27.77,1.48.56,2.22.88a.88.88,0,0,1,.22.1c.7.3,1.4.62,2.11,1s1.42.72,2.1,1.09h0c.7.38,1.39.78,2.06,1.19h0c.69.41,1.36.84,2,1.27s1.27.87,1.9,1.33,1.24.95,1.85,1.45,1.2,1,1.79,1.55,1.18,1.09,1.73,1.64l0,0c.55.54,1.09,1.1,1.61,1.68s1,1.17,1.54,1.78,1,1.21,1.44,1.85.92,1.28,1.36,1.94h0c.45.66.87,1.33,1.27,2s.8,1.36,1.19,2.07.73,1.4,1.08,2.12.69,1.47,1,2.2.63,1.5.91,2.27.54,1.54.79,2.32.46,1.56.66,2.34.38,1.57.54,2.38.31,1.61.43,2.41.22,1.62.3,2.46.14,1.67.19,2.5.06,1.69.06,2.53,0,1.68-.06,2.52-.11,1.66-.19,2.49-.18,1.66-.3,2.46v0c-.12.79-.27,1.59-.43,2.4s-.33,1.57-.52,2.35-.42,1.55-.65,2.32-.5,1.52-.77,2.27-.57,1.48-.88,2.21a.82.82,0,0,1-.11.23c-.3.73-.63,1.45-1,2.16s-.71,1.42-1.08,2.11-.79,1.4-1.19,2.06-.83,1.34-1.26,2-.73,1.07-1.12,1.6V67.53ZM78.17,68.74H21.82A1.27,1.27,0,0,0,20.5,70V85.77a1.33,1.33,0,0,0,1.32,1.32H78.17a1.33,1.33,0,0,0,1.32-1.32V70a1.26,1.26,0,0,0-1.32-1.29Zm-42,44.92v9.22H28.57v-9.22Zm35.3,0v9.22H63.87v-9.22ZM68.56,74.35a3.94,3.94,0,1,1-3.94,3.93,3.93,3.93,0,0,1,3.94-3.93Zm9.61,17H21.82a1.27,1.27,0,0,0-1.32,1.29v15.74a1.33,1.33,0,0,0,1.32,1.32H78.17a1.33,1.33,0,0,0,1.32-1.32V92.63a1.26,1.26,0,0,0-1.32-1.29Zm-52,4.88h3.3v8.56h-3.3V96.22Zm9.15,0h3.31v8.56H35.27V96.22Zm9.15,0h3.31v8.56H44.42V96.22Zm-18.3-22.6h3.3v8.56h-3.3V73.62Zm9.15,0h3.31v8.56H35.27V73.62Zm9.15,0h3.31v8.56H44.42V73.62ZM5.63,46.49H17.82a39.31,39.31,0,0,1,.68-4.62,45,45,0,0,1,1.33-4.93v0a49.35,49.35,0,0,1,1.89-4.81q1-2.19,2.22-4.38H11.2c-.18.31-.35.62-.51.92s-.39.74-.58,1.13h0c-.2.41-.4.81-.58,1.22s-.38.84-.55,1.25l0,.08,0,.07c-.27.65-.52,1.29-.76,1.94s-.46,1.32-.67,2-.4,1.35-.57,2.05-.33,1.38-.47,2.08-.21,1.12-.3,1.65-.16,1.1-.23,1.67-.12,1-.16,1.51-.07.81-.09,1.2Zm9.24-24.32h12.6Q29,20.06,30.65,18c1.17-1.46,2.41-2.91,3.74-4.36s2.54-2.71,3.91-4.07Q40,7.84,41.85,6.16l-.52.09-.88.16q-1,.21-2.1.48c-.7.18-1.39.37-2.07.58s-1.35.44-2,.69-1.34.52-2,.8-1.35.6-2,.91-1.28.64-1.91,1-1.26.69-1.86,1.06-1.19.73-1.76,1.11-1.16.79-1.72,1.2-1.1.84-1.63,1.28-1.06.89-1.58,1.36-1,.95-1.51,1.45l0,0c-.38.37-.75.75-1.1,1.14s-.73.79-1.08,1.19-.56.66-.83,1l-.41.51Zm41.87-16q1.84,1.68,3.54,3.34,2.05,2,3.89,4.05,2,2.17,3.74,4.36t3.16,4.22H83.65l-.4-.5-.82-1c-.35-.4-.71-.79-1.07-1.19s-.73-.76-1.13-1.16-1-1-1.52-1.45-1-.93-1.57-1.36-1.08-.86-1.64-1.28-1.13-.81-1.71-1.2-1.16-.76-1.76-1.13-1.22-.72-1.84-1.05-1.27-.67-1.91-1-1.3-.61-2-.9l-.15-.09c-.64-.27-1.29-.52-1.94-.75s-1.32-.47-2-.68h0c-.67-.21-1.34-.4-2-.57s-1.38-.33-2.08-.47l-.88-.17-.46-.07Zm30.6,21.52H74.59q1.23,2.18,2.22,4.37a47.57,47.57,0,0,1,1.89,4.85A45.11,45.11,0,0,1,80,41.87a39.31,39.31,0,0,1,.68,4.62H92.9c0-.39-.06-.79-.1-1.2s-.09-1-.15-1.52-.15-1.12-.23-1.66-.18-1.08-.29-1.64v0c-.14-.68-.3-1.37-.47-2.07s-.37-1.39-.58-2.07-.44-1.35-.69-2-.52-1.33-.79-2l0,0c-.17-.41-.36-.82-.55-1.24v0c-.18-.38-.37-.79-.58-1.21S88,29,87.85,28.65s-.33-.62-.51-.93ZM52,9.42V22.17H64.21c-.75-1-1.55-1.92-2.37-2.89q-1.47-1.7-3.09-3.4t-3.46-3.46c-1-1-2.12-2-3.25-3Zm0,18.3V46.49H75.16a35.26,35.26,0,0,0-.73-4.35A39.84,39.84,0,0,0,73,37.4a46.88,46.88,0,0,0-2.14-4.89,54.44,54.44,0,0,0-2.73-4.79ZM46.49,46.49V27.72H30.4q-1.53,2.4-2.74,4.79a46.77,46.77,0,0,0-2.13,4.89,39.84,39.84,0,0,0-1.42,4.74,35.31,35.31,0,0,0-.74,4.35Zm0-24.32V9.42c-1.12,1-2.2,2-3.24,3q-1.81,1.74-3.46,3.47t-3.09,3.4c-.83,1-1.62,1.93-2.37,2.89Z"/></svg>
\ No newline at end of file
diff --git a/dashy/data/config/config.yml b/dashy/data/config/config.yml
new file mode 100644
index 0000000..c90d34a
--- /dev/null
+++ b/dashy/data/config/config.yml
@@ -0,0 +1,551 @@
+pages:
+  - name: Widgets
+    path: 'widgets.yml'
+appConfig:
+  theme: one-dark
+  layout: auto
+  iconSize: large
+  language: en
+  statusCheck: true
+  statusCheckInterval: 20
+pageInfo:
+  title: sthome lab
+  description: Welcome to the sthome lab!
+  navLinks:
+    - title: Google
+      path: https://google.co.za
+#    - title: GitHub
+#      path: https://github.com/Lissy93/dashy
+#    - title: DSERVER
+#      path: https://dserver.sthome.lan
+    - title: "Phone GUI"
+      path: https://w60b.sthome.org
+    - title: "Router"
+      path: https://10.0.0.2
+    - title: "FANART"
+      path: https://fanart.tv/
+    - title: "MusicBrainz"
+      path: https://musicbrainz.org/
+#    - title: "TheAudioDB"
+#      path: https://www.theaudiodb.com/
+    - title: "Cloudflare"
+      path: https://dash.cloudflare.com/login
+  footerText: ''
+sections:
+  - name: System Management
+    icon: fas fa-server
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Truenas
+        description: Truenas host
+        icon: dashboard-icons/svg/truenas.svg
+        url: https://truenas.sthome.org:444
+        statusCheck: true
+        statusCheckUrl: https://truenas.sthome.org:444
+        target: newtab
+      - title: Dockge
+        description: Docker stack manager
+        icon: dashboard-icons/svg/dockge-light.svg
+        url: http://dockge.sthome.org:5001
+        statusCheck: true
+        target: newtab
+      - title: Proxmox
+        description: Proxmox host
+        icon: dashboard-icons/svg/proxmox.svg
+        url: https://pve.sthome.org:8006
+        statusCheck: true
+        statusCheckUrl: https://pve.sthome.org:8006
+        target: newtab
+      - title: Traefik
+        description: Reverse proxy and load balancer
+        icon: dashboard-icons/svg/traefik.svg
+        url: https://traefik.sthome.org
+        statusCheck: true
+        statusCheckUrl: http://traefik.sthome.org:8083/ping
+        target: newtab
+  - name: Media Servers
+    icon: dashboard-icons/svg/media-playback.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Plex
+        description: Media server
+        icon: dashboard-icons/svg/plex.svg
+        url: https://plex.sthome.org
+        statusCheck: true
+        statusCheckUrl: https://plex.sthome.org/identity
+        target: newtab
+        tags: [ movies, videos, music ]
+      - title: Jellyfin
+        description: Media server
+        icon: dashboard-icons/svg/jellyfin.svg
+        url: https://jellyfin.sthome.org
+        target: newtab
+      - title: Emby
+        description: Media server
+        icon: dashboard-icons/svg/emby.svg
+        url: https://emby.sthome.org
+        target: newtab
+  - name: Books
+    icon: dashboard-icons/png/book.png
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Audiobookshelf
+        description: Audiobook and podcast server
+        icon: dashboard-icons/svg/audiobookshelf.svg
+        url: https://audiobookshelf.sthome.org
+        target: newtab
+      - title: Calibre
+        description: E-book manager
+        icon: dashboard-icons/svg/calibre.svg
+        url: https://calibre.sthome.org
+        target: newtab
+      - title: Kavita
+        description: Digital library
+        icon: dashboard-icons/svg/kavita.svg
+        url: https://kavita.sthome.org
+        target: newtab    
+  - name: Home
+    icon: dashboard-icons/svg/home.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Home Assistant
+        description: Home automation
+        icon: dashboard-icons/svg/home-assistant.svg
+        url: https://home-assistant.sthome.org
+        target: newtab
+      - title: Frigate
+        description: Network video recorder
+        icon: dashboard-icons/svg/frigate.svg
+        url: https://frigate.sthome.org
+        statusCheck: true
+        statusCheckUrl: https://frigate.sthome.org/stats
+        target: newtab
+      - title: Mealie
+        description: Recipe manager
+        icon: dashboard-icons/svg/mealie.svg
+        url: https://mealie.sthome.org
+        target: newtab
+#
+  - name: Security
+    icon: dashboard-icons/svg/security.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Authentik
+        description: Identity provider
+        icon: dashboard-icons/png/authentik.png
+        url: http://authentik.sthome.org
+        target: newtab
+      - title: Vaultwarden
+        description: Password manager
+        icon: dashboard-icons/svg/vaultwarden.svg
+        url: https://vaultwarden.sthome.org
+        target: newtab
+  - name: Video Processing
+    icon: dashboard-icons/svg/video-camera.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Handbrake
+        description: Video Transcoder
+        icon: dashboard-icons/svg/handbrake.svg
+        url: https://handbrake.sthome.org
+        target: newtab
+      - title: MKVToolNix
+        description: MKV file editor and merger
+        icon: dashboard-icons/png/mkvtoolnix.png
+        url: https://mkvtoolnix.sthome.org
+        target: newtab
+  - name: Photos
+    icon: dashboard-icons/svg/photos.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Digikam
+        description: Image organizer and tag editor 
+        icon: dashboard-icons/svg/digikam_oxygen.svg
+        url: https://digikam.sthome.org
+        target: newtab
+      - title: Photoview
+        description: Photo gallery
+        icon: dashboard-icons/svg/photoview.svg
+        url: https://photoview.sthome.org
+        target: newtab
+
+  - name: Finance
+    icon: dashboard-icons/svg/financial-services.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Firefly III
+        description: Personal finance manager
+        icon: dashboard-icons/png/firefly.png
+        url: https://firefly.sthome.org
+        statusCheck: true
+        statusCheckUrl: https://firefly.sthome.org/health
+        target: newtab
+#
+  - name: Development
+    icon: dashboard-icons/png/software-development.png
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Gitea
+        description: Software development service;  Git hosting, code review, team collaboration, package registry and CI/CD
+        icon: dashboard-icons/svg/gitea.svg
+        url: https://gitea.sthome.org
+        target: newtab
+  - name: Performance
+    icon: dashboard-icons/png/data-analysis.png
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Grafana
+        description: Analytics & monitoring
+        icon: dashboard-icons/svg/grafana.svg
+        url: https://grafana.sthome.org
+        target: newtab
+      - title: Prometheus
+        description: Event monitoring and alerting
+        icon: dashboard-icons/svg/prometheus.svg
+        url: https://prometheus.sthome.org
+        statusCheck: true
+        statusCheckUrl: https://prometheus.sthome.org/-/healthy
+        target: newtab
+  - name: Network
+    icon: dashboard-icons/svg/network.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Librespeed
+        description: Network speed tester
+        icon: dashboard-icons/svg/librespeed.svg
+        url: https://librespeed.sthome.org
+        target: newtab
+      - title: Pi-hole
+        description: DNS sinkhole
+        icon: dashboard-icons/svg/pi-hole.svg
+        url: https://pihole.sthome.org/admin
+        statusCheck: true
+        statusCheckUrl: https://pihole.sthome.org/admin/api.php?status
+        target: newtab
+  - name: Web Site
+    icon: dashboard-icons/svg/web-server.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Static-Web-Server
+        description: Web server
+        icon: dashboard-icons/png/static-web-server.png
+        url: https://www.sthome.org
+        target: newtab
+      - title: Uptime-kuma
+        description: Uptime monitoring
+        icon: dashboard-icons/svg/uptime-kuma.svg
+        url: https://uptime-kuma.sthome.org
+        statusCheck: true
+        statusCheckUrl: https://uptime-kuma.sthome.org
+        target: newtab
+
+  - name: Music
+    icon: dashboard-icons/svg/music.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Sheetable
+        description: Music sheet organiser
+        icon: dashboard-icons/png/sheetable.png
+        url: https://sheetable.sthome.org
+        target: newtab
+      - title: Songkong
+        description: Music tagger
+        icon: dashboard-icons/png/songkong.png
+        url: https://songkong.sthome.org
+        target: newtab
+
+  - name: Collaboration
+    icon: dashboard-icons/png/collaboration.png
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Nextcloud
+        description: Content collaboration platform
+        icon: dashboard-icons/svg/nextcloud.svg
+        url: https://nextcloud.sthome.org
+        target: newtab
+      - title: Onlyoffice
+        description: Secure online office suite
+        icon: dashboard-icons/svg/onlyoffice.svg
+        url: https://onlyoffice.sthome.org
+        target: newtab
+  - name: Data Analysis
+    icon: dashboard-icons/png/data-analysis.png
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Root
+        description: Data analysis framework
+        icon: dashboard-icons/png/root.png
+        url: https://root.sthome.org
+        target: newtab
+# - name: Gaming
+#   icon: dashboard-icons/svg/gaming.svg
+#   displayData:
+#     sortBy: default
+#     rows: 1
+#     cols: 1
+#     collapsed: false
+#     hideForGuests: false
+#   items:
+#     - title: Minecraft Bedrock
+#       description: Use port 19132
+#       icon: dashboard-icons/svg/minecraft.svg
+#       url: https://minecraft.sthome.org
+#       statusCheck: true
+#       statusCheckUrl: udp://minecraft.sthome.org:19132
+#       target: newtab
+#     - title: Minecraft Java
+#       description: Use port 25565
+#       icon: dashboard-icons/svg/minecraft.svg
+#       url: https://minecraft.sthome.org
+#       statusCheck: true
+#       statusCheckUrl: udp://minecraft.sthome.org:25565
+#       target: newtab
+  - name: File Transfer
+    icon: dashboard-icons/png/file-transfer.png
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: SFTPGo
+        description: SFTP, FTP/S, HTTP/S and WebDAV server
+        icon: dashboard-icons/png/sftpgo.png
+        url: https://sftpgo.sthome.org/web/admin/login
+        statusCheck: true
+        statusCheckUrl: https://sftpgo.sthome.org
+        target: newtab
+
+#
+  - name: Media Management
+    icon: dashboard-icons/svg/media.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Lidarr
+        description: Music collection manager
+        icon: dashboard-icons/svg/lidarr.svg
+        url: https://lidarr.sthome.org
+        target: newtab
+      - title: Mediaelch
+        description: Media manager for Kodi
+        icon: dashboard-icons/png/mediaelch.png
+        url: https://mediaelch.sthome.org
+        target: newtab
+      - title: Overseerr
+        description: Request management and media discovery
+        icon: dashboard-icons/svg/overseerr.svg
+        url: https://overseerr.sthome.org
+        target: newtab
+      - title: Prowlarr
+        description: Indexer manager/proxy
+        icon: dashboard-icons/svg/prowlarr.svg
+        url: https://prowlarr.sthome.org
+        target: newtab
+      - title: qBittorrent
+        description: P2P bittorrent client
+        icon: dashboard-icons/svg/qbittorrent.svg
+        url: https://qbittorrent.sthome.org
+        target: newtab
+      - title: Radarr
+        description: Movie collection manager
+        icon: dashboard-icons/svg/radarr.svg
+        url: https://radarr.sthome.org
+        target: newtab
+      - title: Readarr
+        description:  ebook collection manage
+        icon: dashboard-icons/svg/readarr.svg
+        url: https://readarr.sthome.org
+        target: newtab
+      - title: Sonarr
+        description: Internet PVR for Usenet and Torrents
+        icon: dashboard-icons/svg/sonarr.svg
+        url: https://sonarr.sthome.org
+        target: newtab
+      - title: Tautulli
+        description: Monitoring, analytics and notifications for Plex
+        icon: dashboard-icons/svg/tautulli.svg
+        url: https://tautulli.sthome.org
+        target: newtab
+    widgets:
+      - type: public-holidays
+        options:
+          country: ZA
+          region: ZA-GP
+          holidayType: all
+          monthsToShow: 12
+          lang: en
+  - name: VPN
+    icon: dashboard-icons/svg/shield-user.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: WG-easy
+        description: VPN server
+        icon: dashboard-icons/svg/wireguard.svg
+        url: https://vpn.sthome.org
+        target: newtab
+      - title: jDownloader2
+        description: Download manager
+        icon: dashboard-icons/png/jdownloader2.png
+        url: https://jdownloader2.sthome.org
+        target: newtab
+      - title: Firefox
+        description: Browser
+        icon: dashboard-icons/svg/firefox.svg
+        url: https://firefox.sthome.org
+        target: newtab
+    widgets:
+      - type: gluetun-status
+        useProxy: true
+        options:
+          hostname: https://gluetun-arr:8000
+          #visibleFields: public_ip,region,country,city,location,organisation,postal_code,timezone
+          visibleFields: public_ip,city,region,country
+      - type: gluetun-status
+        useProxy: true
+        options:
+          hostname: https://gluetun-bw:8000
+          visibleFields: public_ip,city,region,country
+      - type: public-ip
+        options:
+          provider: ipgeolocation
+          apiKey: 1760272ad3194398a0f9715323a12a90
+  - name: Data Management
+    icon: dashboard-icons/svg/database.svg
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - title: Minio
+        description: Object Storage - S3 compatible
+        icon: dashboard-icons/svg/minio.svg
+        url: https://minio1.sthome.org
+        target: newtab
+      - title: Minio
+        description: Object Storage - S3 compatible
+        icon: dashboard-icons/svg/minio.svg
+        url: https://minio2.sthome.org
+        target: newtab
+      - title: pgAdmin
+        description: Administration and development platform for PostgreSQL
+        icon: dashboard-icons/svg/pgadmin.svg
+        url: https://pgadmin.sthome.org
+        statusCheck: true
+        statusCheckUrl: https://pgadmin.sthome.org/misc/ping 
+        target: newtab
+      - title: Syncthing
+        description: Continuous file synchronization program
+        icon: dashboard-icons/svg/syncthing.svg
+        url: https://syncthing.sthome.org
+        target: newtab  
+    widgets:
+      - type: clock
+        options:
+          timeZone: Africa/Johannesburg
+          format: en-ZA
+          customCityName: Pretoria
+          hideDate: false
+          hideSeconds: false
+      - type: domain-monitor
+        options:
+          domain: sthome.org
+          apiKey: bdbab262b92d2f6857852973343aa62c
+      - type: domain-monitor
+        options:
+          domain: stokvis.co.za
+          apiKey: bdbab262b92d2f6857852973343aa62c 
+#
+  - name: News
+    widgets:
+      - type: news-headlines
+        options:
+          apiKey: MQts_PB-VrTD7a-xjNQ6EBxeoJIcKRLlsyPdmKT8yWrJcMZT
+          category: world
\ No newline at end of file
diff --git a/dashy/data/config/widgets.yml b/dashy/data/config/widgets.yml
new file mode 100644
index 0000000..6dee06d
--- /dev/null
+++ b/dashy/data/config/widgets.yml
@@ -0,0 +1,116 @@
+#appConfig:
+#  theme: one-dark
+#  layout: auto
+#  iconSize: large
+#  language: en
+#  statusCheck: true
+#  statusCheckInterval: 20 
+pageInfo:
+  title: sthome lab
+  footerText: ''
+sections:
+  - name: Picture of the day
+    widgets:
+    - type: apod
+  - name: Info
+    widgets:
+    - type: crypto-watch-list
+      options:
+        currency: ZAR
+        sortBy: marketCap
+        assets:
+        - bitcoin
+        - ethereum
+    - type: crypto-price-chart
+      options:
+        asset: bitcoin
+        currency: ZAR
+        numDays: 7
+    - type: exchange-rates
+      options:
+        apiKey: 275e8fe7e74067617a0eb2be
+        inputCurrency: USD
+        outputCurrencies:
+          - ZAR
+   
+    - type: exchange-rates
+      options:
+        apiKey: 275e8fe7e74067617a0eb2be
+        inputCurrency: GBP
+        outputCurrencies:
+          - ZAR
+          - USD
+
+  - name: Misc
+    widgets:
+    - type: joke
+      options:
+        safeMode: true
+        language: en
+        category: Any
+    - type: xkcd-comic
+      options:
+        comic: latest
+
+    - type: github-profile-stats
+      options:
+        username: stuurmcp
+        hideLanguagesCard: true
+        #repos:
+        #- stuurmcp/cert-manager-webhook-sthome
+
+
+#    - type: cve-vulnerabilities
+#      options:
+#        sortBy: publish-date
+#        vendorId: 26
+#        hasExploit: false
+#        minScore: 5
+#        limit: 30
+#    - type: sports-scores
+#      options:
+#        teamId: 133636
+#    - type: cve-vulnerabilities
+#      options:
+#        sortBy: publish-date
+#        productId: 28125
+#        hasExploit: false
+#        minScore: 5
+#        limit: 30
+#    - type: stock-price-chart
+#      options:
+#        stock: TKG
+#        apiKey: N3WSQJ9OODXXYFT6
+#    - type: github-trending-repos
+#      options:
+#        limit: 8
+#        since: weekly 
+#    - type: pi-hole-stats
+#      options:
+#        hostname: http://pihole.sthome.org/admin/api.php?status
+#        apiKey: 48ab5845603098040b5d2455c2600cf14b643424f508d5aa30bb884ac11f55c3
+#    - type: pi-hole-top-queries
+#      options:
+#        hostname: http://pihole.sthome.org
+#        apiKey: 48ab5845603098040b5d2455c2600cf14b643424f508d5aa30bb884ac11f55c3
+#    - type: proxmox-lists
+#      useProxy: true 
+#      options:
+#        cluster_url: http://10.0.0.22:8006
+#        user_name: root@pam
+#        token_name: dashy
+#        token_uuid: e94ec098-8367-44d9-8818-49f20a56801d
+##        node: proxmox
+##        node_data: qemu
+##        title: Proxmox VMs
+##        title_as_link: false
+##        footer: Proxmox
+##        footer_as_link: true
+##        hide_templates: 1
+
+#  - name: News
+#    widgets:
+#    - type: news-headlines
+#      options:
+#        apiKey: MQts_PB-VrTD7a-xjNQ6EBxeoJIcKRLlsyPdmKT8yWrJcMZT
+#        category: world
diff --git a/dashy/icons-temp/book-black.png b/dashy/icons-temp/book-black.png
new file mode 100644
index 0000000..582fcb1
Binary files /dev/null and b/dashy/icons-temp/book-black.png differ
diff --git a/dashy/icons-temp/book-black.psd b/dashy/icons-temp/book-black.psd
new file mode 100644
index 0000000..b2ea57c
Binary files /dev/null and b/dashy/icons-temp/book-black.psd differ
diff --git a/dashy/icons-temp/book-white.png b/dashy/icons-temp/book-white.png
new file mode 100644
index 0000000..ca19a53
Binary files /dev/null and b/dashy/icons-temp/book-white.png differ
diff --git a/dashy/icons-temp/book-white.psd b/dashy/icons-temp/book-white.psd
new file mode 100644
index 0000000..84fd987
Binary files /dev/null and b/dashy/icons-temp/book-white.psd differ
diff --git a/dashy/icons-temp/book.psd b/dashy/icons-temp/book.psd
new file mode 100644
index 0000000..fb7e596
Binary files /dev/null and b/dashy/icons-temp/book.psd differ
diff --git a/dashy/icons-temp/collaboration.png b/dashy/icons-temp/collaboration.png
new file mode 100644
index 0000000..aae7cd7
Binary files /dev/null and b/dashy/icons-temp/collaboration.png differ
diff --git a/dashy/icons-temp/collaboration.psd b/dashy/icons-temp/collaboration.psd
new file mode 100644
index 0000000..3404da6
Binary files /dev/null and b/dashy/icons-temp/collaboration.psd differ
diff --git a/dashy/icons-temp/data-analysis.png b/dashy/icons-temp/data-analysis.png
new file mode 100644
index 0000000..614cf0a
Binary files /dev/null and b/dashy/icons-temp/data-analysis.png differ
diff --git a/dashy/icons-temp/data-analysis.psd b/dashy/icons-temp/data-analysis.psd
new file mode 100644
index 0000000..dab37eb
Binary files /dev/null and b/dashy/icons-temp/data-analysis.psd differ
diff --git a/dashy/icons-temp/data-update.svg b/dashy/icons-temp/data-update.svg
new file mode 100644
index 0000000..6757737
--- /dev/null
+++ b/dashy/icons-temp/data-update.svg
@@ -0,0 +1 @@
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 120.09 122.88"><title>data-update</title><path d="M16.83,25.39C24.55,28,35.28,29.55,47.2,29.55S69.86,28,77.57,25.39c6.77-2.26,11-5,11-7.68s-4.19-5.41-11-7.67C69.86,7.47,59.13,5.88,47.2,5.88S24.55,7.47,16.83,10c-14.36,4.8-14.75,10.42,0,15.35Zm70.1,31.17a33.09,33.09,0,0,1,23.44,9.71v0a33.12,33.12,0,0,1,0,46.86l0,0a33.12,33.12,0,0,1-46.86,0l0,0a33.12,33.12,0,0,1,0-46.86l0,0a33.06,33.06,0,0,1,23.43-9.71Zm1.88,17.52L86,88.12l-2.8-4.22c-6,2.42-9.42,6.42-9.92,12.56-5-8.66-1.95-16.43,4.33-21l-2.86-4.3,14,2.9Zm-4.49,32.13,2.76-14,2.81,4.22c6-2.42,9.42-6.42,9.92-12.56,5,8.66,2,16.43-4.33,21l2.86,4.3-14-2.9ZM106.7,70a28,28,0,1,0,8.19,19.77A27.84,27.84,0,0,0,106.7,70ZM43.92,91C32.69,90.77,22.55,89.12,15,86.6a37.06,37.06,0,0,1-9-4.26v19.18c.53,2.49,4.59,5,10.89,7.11,7.72,2.58,18.45,4.17,30.37,4.17,1.15,0,2.29,0,3.42,0a43.68,43.68,0,0,0,4.32,5.69q-3.78.22-7.74.22c-12.52,0-23.92-1.71-32.23-4.48-4.38-1.47-14.91-6.27-14.91-12V100.3C.06,74.09,0,43.92,0,17.71,0,12.23,5.72,7.58,15,4.49,23.28,1.71,34.68,0,47.2,0S71.12,1.71,79.43,4.49s13.92,6.92,14.84,11.77a2.93,2.93,0,0,1,.17,1V47.35a42.18,42.18,0,0,0-6.08-.64,2.77,2.77,0,0,0,.17-.93h0V26.62a37,37,0,0,1-9.13,4.32c-8.31,2.77-19.71,4.49-32.23,4.49S23.28,33.71,15,30.94a37.44,37.44,0,0,1-9-4.25V46.34c.53,2.49,4.59,5,10.89,7.11C24.55,56,35.28,57.62,47.2,57.62c4.08,0,8-.19,11.74-.54-.62.53-1.22,1.08-1.8,1.64-.22.18-.42.37-.62.56l0,0,0,0,0,0a43.9,43.9,0,0,0-3.55,4c-1.89.08-3.8.12-5.75.12C34.68,63.49,23.28,61.78,15,59a37.06,37.06,0,0,1-9-4.25V73.93c.53,2.49,4.59,5,10.89,7.11,7.05,2.35,16.61,3.88,27.31,4.13a42.92,42.92,0,0,0-.24,4.55c0,.44,0,.88,0,1.32Z"/></svg>
\ No newline at end of file
diff --git a/dashy/icons-temp/database.svg b/dashy/icons-temp/database.svg
new file mode 100644
index 0000000..a37eef6
--- /dev/null
+++ b/dashy/icons-temp/database.svg
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="utf-8"?><svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 105.07 122.88" style="enable-background:new 0 0 105.07 122.88" xml:space="preserve"><style type="text/css">.st0{fill-rule:evenodd;clip-rule:evenodd;}</style><g><path class="st0" d="M52.53,0c28.87,0,52.27,10.96,52.27,24.46c0,13.51-23.41,24.46-52.27,24.46c-28.86,0-52.27-10.96-52.27-24.46 C0.26,10.96,23.67,0,52.53,0L52.53,0z M0.26,81.83v18.78c9.3,33.03,101.18,26.65,104.55-1.69V80.16 C100.22,111.27,7.61,113.51,0.26,81.83L0.26,81.83L0.26,81.83z M0,32.94v18.34c9.3,32.26,101.69,27.9,105.07,0.23V33.18 C100.47,63.57,7.35,63.88,0,32.94L0,32.94z M0,56.64v18.78c9.3,33.03,101.69,28.57,105.07,0.23V56.89C100.47,88,7.35,88.32,0,56.64 L0,56.64z"/></g></svg>
\ No newline at end of file
diff --git a/dashy/icons-temp/digikam.svg b/dashy/icons-temp/digikam.svg
new file mode 100644
index 0000000..d0db7eb
--- /dev/null
+++ b/dashy/icons-temp/digikam.svg
@@ -0,0 +1,186 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg width="48" version="1.1" xmlns="http://www.w3.org/2000/svg" height="48" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape">
+ <defs id="defs5455">
+  <linearGradient inkscape:collect="always" id="linearGradient5002">
+   <stop style="stop-color:#2e5d89" id="stop5004"/>
+   <stop offset="1" style="stop-color:#1b92f4" id="stop5006"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" id="linearGradient4328">
+   <stop style="stop-color:#bec900" id="stop4330"/>
+   <stop offset="0.312499" style="stop-color:#9ec80a" id="stop4332"/>
+   <stop offset="0.562499" style="stop-color:#71b93d" id="stop4334"/>
+   <stop offset="0.75" style="stop-color:#35a48f" id="stop4336"/>
+   <stop offset="1" style="stop-color:#018fca" id="stop4338"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" id="linearGradient4316">
+   <stop style="stop-color:#c1cc00" id="stop4318"/>
+   <stop offset="0.312499" style="stop-color:#dfcd00" id="stop4320"/>
+   <stop offset="0.562499" style="stop-color:#f0cc00" id="stop4322"/>
+   <stop offset="0.75" style="stop-color:#fd8c08" id="stop4324"/>
+   <stop offset="1" style="stop-color:#f25c13" id="stop4326"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" id="linearGradient4300">
+   <stop style="stop-color:#e51561" id="stop4302"/>
+   <stop offset="0.312499" style="stop-color:#e4156c" id="stop4304"/>
+   <stop offset="0.562499" style="stop-color:#e71e2c" id="stop4306"/>
+   <stop offset="0.75" style="stop-color:#e8301e" id="stop4308"/>
+   <stop offset="1" style="stop-color:#e6320e" id="stop4310"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" id="linearGradient4288">
+   <stop style="stop-color:#e81877" id="stop4290"/>
+   <stop offset="0.312499" style="stop-color:#dd1d8c" id="stop4294"/>
+   <stop offset="0.562499" style="stop-color:#6d57b1" id="stop4296"/>
+   <stop offset="0.75" style="stop-color:#2a78c1" id="stop4298"/>
+   <stop offset="1" style="stop-color:#018dcb" id="stop4292"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" spreadMethod="reflect" xlink:href="#linearGradient4211" id="linearGradient4174" x1="428.57144" x2="408.57144" gradientUnits="userSpaceOnUse"/>
+  <linearGradient inkscape:collect="always" id="linearGradient4271">
+   <stop style="stop-color:#2a2c2f" id="stop4273"/>
+   <stop offset="1" style="stop-color:#424649" id="stop4275"/>
+  </linearGradient>
+  <clipPath id="clipPath4528">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4530"/>
+  </clipPath>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient4271" id="linearGradient4532" y1="543.79797" y2="503.798" gradientUnits="userSpaceOnUse" x2="0" gradientTransform="matrix(0.79999996 0 0 0.79999996 -302.85712 -395.03837)"/>
+  <clipPath id="clipPath4534">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4536"/>
+  </clipPath>
+  <clipPath id="clipPath4544">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4546"/>
+  </clipPath>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient4271" id="linearGradient4548" y1="543.79797" y2="503.798" gradientUnits="userSpaceOnUse" x2="0" gradientTransform="matrix(0.79999995 0 0 0.79999995 81.71431 104.75963)"/>
+  <clipPath id="clipPath4550">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4552"/>
+  </clipPath>
+  <clipPath id="clipPath4562">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4564"/>
+  </clipPath>
+  <clipPath id="clipPath4568">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4570"/>
+  </clipPath>
+  <clipPath id="clipPath4578">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4580"/>
+  </clipPath>
+  <clipPath id="clipPath4584">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4586"/>
+  </clipPath>
+  <linearGradient inkscape:collect="always" id="linearGradient4303">
+   <stop style="stop-color:#989a9b" id="stop4305"/>
+   <stop offset="1" style="stop-color:#f6f6f7" id="stop4307"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" id="linearGradient4415" xlink:href="#linearGradient4288" y1="23.999973" y2="8" x1="8" gradientUnits="userSpaceOnUse" x2="24.00001"/>
+  <linearGradient inkscape:collect="always" id="linearGradient4417" xlink:href="#linearGradient4300" y1="24.00003" y2="8" x1="8" x2="24.00001" gradientUnits="userSpaceOnUse" gradientTransform="matrix(1 0 0 -1 384.57143 547.798)"/>
+  <linearGradient inkscape:collect="always" id="linearGradient4419" xlink:href="#linearGradient4328" y1="23.999973" y2="8" x1="8" x2="24.00001" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-1 0 0 1 432.57143 499.798)"/>
+  <linearGradient inkscape:collect="always" id="linearGradient4421" xlink:href="#linearGradient4316" y1="24" y2="8" x1="8" x2="24.00001" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-1 0 0 -1 432.57143 547.798)"/>
+  <linearGradient inkscape:collect="always" id="linearGradient4423" xlink:href="#linearGradient4271" y1="543.79797" y2="503.798" x2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(0.34999981 0 0 0.34999981 265.57152 -707.12715)"/>
+  <clipPath id="clipPath4528-1">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4530-7"/>
+  </clipPath>
+  <clipPath id="clipPath4534-1">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4536-8"/>
+  </clipPath>
+  <clipPath id="clipPath4544-1">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4546-1"/>
+  </clipPath>
+  <clipPath id="clipPath4550-4">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4552-1"/>
+  </clipPath>
+  <clipPath id="clipPath4562-8">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4564-8"/>
+  </clipPath>
+  <clipPath id="clipPath4568-4">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4570-1"/>
+  </clipPath>
+  <clipPath id="clipPath4578-8">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4580-7"/>
+  </clipPath>
+  <clipPath id="clipPath4584-9">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4586-2"/>
+  </clipPath>
+  <linearGradient inkscape:collect="always" id="linearGradient4472" xlink:href="#linearGradient4303" y1="524.79797" y2="522.79797" gradientUnits="userSpaceOnUse" x2="0" gradientTransform="matrix(2 0 0 2 -408.57143 -523.798)"/>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient4191" id="linearGradient4174-0" y1="537.79797" x1="423.57144" y2="510.46463" x2="396.2381" gradientUnits="userSpaceOnUse" gradientTransform="matrix(0.89999986 0 0 0.89999986 -776.28566 -995.21609)"/>
+  <linearGradient inkscape:collect="always" id="linearGradient4143">
+   <stop style="stop-color:#197cf1" id="stop4145"/>
+   <stop offset="1" style="stop-color:#20bcfa" id="stop4147"/>
+  </linearGradient>
+  <clipPath id="clipPath4528-8">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4530-3"/>
+  </clipPath>
+  <clipPath id="clipPath4534-4">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4536-2"/>
+  </clipPath>
+  <clipPath id="clipPath4544-18">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4546-5"/>
+  </clipPath>
+  <clipPath id="clipPath4550-3">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4552-4"/>
+  </clipPath>
+  <clipPath id="clipPath4562-1">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4564-3"/>
+  </clipPath>
+  <clipPath id="clipPath4568-1">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4570-4"/>
+  </clipPath>
+  <clipPath id="clipPath4578-5">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4580-5"/>
+  </clipPath>
+  <clipPath id="clipPath4584-0">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4586-4"/>
+  </clipPath>
+  <clipPath id="clipPath4528-1-9">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4530-7-8"/>
+  </clipPath>
+  <clipPath id="clipPath4534-1-8">
+   <rect width="31.999989" x="8.00001" y="8" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4532)" id="rect4536-8-3"/>
+  </clipPath>
+  <clipPath id="clipPath4544-1-1">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4546-1-0"/>
+  </clipPath>
+  <clipPath id="clipPath4550-4-2">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4552-1-3"/>
+  </clipPath>
+  <clipPath id="clipPath4562-8-2">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4564-8-0"/>
+  </clipPath>
+  <clipPath id="clipPath4568-4-0">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4570-1-3"/>
+  </clipPath>
+  <clipPath id="clipPath4578-8-9">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4580-7-3"/>
+  </clipPath>
+  <clipPath id="clipPath4584-9-8">
+   <rect width="31.999989" x="392.57144" y="507.798" rx="15.999986" height="31.999971" style="fill:url(#linearGradient4548)" id="rect4586-2-1"/>
+  </clipPath>
+  <linearGradient inkscape:collect="always" id="linearGradient4211">
+   <stop style="stop-color:#2f3943" id="stop4213"/>
+   <stop offset="1" style="stop-color:#808c9b" id="stop4215"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" id="linearGradient4191">
+   <stop style="stop-color:#18222a" id="stop4193"/>
+   <stop offset="1" style="stop-color:#566069" id="stop4195"/>
+  </linearGradient>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient5002" id="linearGradient4174-0-2" y1="537.79797" x1="423.57144" y2="510.46463" x2="396.2381" gradientUnits="userSpaceOnUse" gradientTransform="matrix(0.70000184 0 0 0.70000184 -694.57218 -890.45752)"/>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient4143" id="linearGradient4710" y1="536.86987" x1="421.64337" y2="511.81882" gradientUnits="userSpaceOnUse" x2="396.59229" gradientTransform="matrix(-1 0 0 -1 817.14288 1047.596)"/>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient4143" id="linearGradient4713" y1="532.22949" x1="417.00296" y2="508.72522" gradientUnits="userSpaceOnUse" x2="393.49869" gradientTransform="matrix(-1 0 0 -1 817.14288 1047.596)"/>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient4143" id="linearGradient4716" y1="529.62207" x1="414.39551" y2="506.91327" gradientUnits="userSpaceOnUse" x2="391.68671" gradientTransform="matrix(-1 0 0 -1 817.14288 1047.596)"/>
+  <linearGradient inkscape:collect="always" xlink:href="#linearGradient5002" id="linearGradient4174-0-2-0" y1="537.79797" x1="423.57144" y2="488.79782" x2="374.57129" gradientUnits="userSpaceOnUse" gradientTransform="matrix(0.49999779 0 0 0.49999779 -612.85624 -785.69581)"/>
+ </defs>
+ <metadata id="metadata5458"/>
+ <g inkscape:label="Capa 1" inkscape:groupmode="layer" id="layer1" transform="matrix(1 0 0 1 -384.57143 -499.798)">
+  <rect width="39.999989" x="388.57144" y="503.798" rx="19.999985" height="39.999969" style="stroke-opacity:0.550265;fill:url(#linearGradient4174);stroke-width:2.8" id="rect4166"/>
+  <rect width="35.999985" x="-426.57144" y="-541.79797" rx="17.999983" height="35.999966" style="stroke-opacity:0.550265;fill:url(#linearGradient4174-0);stroke-width:2.8" id="rect4166-9" transform="matrix(-1 0 0 -1 0 0)"/>
+  <rect width="29.999992" x="-538.79797" y="-423.57147" rx="14.999989" height="29.999977" style="stroke-opacity:0.550265;fill:#26333a;stroke-width:2.8" id="rect4166-7" transform="matrix(0 -1 -1 0 0 0)"/>
+  <rect width="28.00007" x="-422.5715" y="-537.79797" rx="14.00003" height="28.00005" style="stroke-opacity:0.550265;fill:url(#linearGradient4174-0-2);stroke-width:2.8" id="rect4166-9-6" transform="matrix(-1 0 0 -1 0 0)"/>
+  <rect width="19.999907" x="-418.57141" y="-533.79791" rx="9.999948" height="19.999895" style="stroke-opacity:0.550265;fill:url(#linearGradient4174-0-2-0);stroke-width:2.8" id="rect4166-9-6-7" transform="matrix(-1 0 0 -1 0 0)"/>
+  <g id="g4719">
+   <path inkscape:connector-curvature="0" style="stroke-opacity:0.550265;fill:url(#linearGradient4710);stroke-width:2.8" id="path4708" d="m 408.57143,509.798 c -7.756,0 -14,6.244 -14,14 0,7.756 6.244,14 14,14 7.756,0 14,-6.244 14,-14 0,-7.756 -6.244,-14 -14,-14 z m 0,1 c 7.20199,0 13,5.79801 13,13 0,7.20199 -5.79801,13 -13,13 -7.20199,0 -13,-5.79801 -13,-13 0,-7.20199 5.79801,-13 13,-13 z"/>
+   <path inkscape:connector-curvature="0" style="stroke-opacity:0.550265;fill:url(#linearGradient4713);stroke-width:2.8" id="path4704" d="m 408.57143,511.798 c -6.64799,0 -12,5.35201 -12,12 0,6.64799 5.35201,12 12,12 6.64799,0 12,-5.35201 12,-12 0,-6.64799 -5.35201,-12 -12,-12 z m 0,3 c 4.98598,0 9,4.01402 9,9 0,4.98598 -4.01402,9 -9,9 -4.98598,0 -9,-4.01402 -9,-9 0,-4.98598 4.01402,-9 9,-9 z"/>
+   <path inkscape:connector-curvature="0" style="stroke-opacity:0.550265;fill:url(#linearGradient4716);stroke-width:2.8" id="path4700" d="m 408.57143,515.798 c -1.15437,0 -2.24697,0.24726 -3.23633,0.68359 l 1.86328,4.66016 1.25196,-0.33203 2.04492,-4.77149 c -0.61695,-0.15152 -1.25884,-0.24023 -1.92383,-0.24023 z m 2.88281,0.54102 -1.97656,4.61132 1.125,0.64844 4.81836,-1.92773 c -0.90936,-1.51071 -2.29935,-2.69038 -3.9668,-3.33203 z m -7.00976,0.60937 c -1.5107,0.90936 -2.69038,2.29934 -3.33203,3.9668 l 4.61132,1.97656 0.64844,-1.125 -1.92773,-4.81836 z m 11.44336,3.61328 -4.66016,1.86328 0.33203,1.25196 4.77149,2.04492 c 0.15152,-0.61696 0.24023,-1.25884 0.24023,-1.92383 0,-1.15436 -0.24725,-2.24697 -0.68359,-3.23633 z m -15.07618,1.3125 c -0.15152,0.61696 -0.24023,1.25884 -0.24023,1.92383 0,1.15436 0.24725,2.24697 0.68359,3.23633 l 4.66016,-1.86328 -0.33203,-1.25196 -4.77149,-2.04492 z m 10.60743,2.83008 -0.64844,1.125 1.92773,4.81836 c 1.5107,-0.90936 2.69038,-2.29934 3.33203,-3.9668 l -4.61132,-1.97656 z m -4.87891,1.29297 -4.81836,1.92773 c 0.90936,1.51071 2.29935,2.69038 3.9668,3.33203 l 1.97656,-4.61132 -1.125,-0.64844 z m 3.4043,0.45703 -1.25196,0.33203 -2.04492,4.77149 c 0.61695,0.15152 1.25883,0.24023 1.92383,0.24023 1.15436,0 2.24697,-0.24726 3.23633,-0.68359 l -1.86328,-4.66016 z"/>
+  </g>
+  <circle cx="643.00952" cy="166.83434" r="2" id="path5009" style="fill:#2c3e50;color:#000000;stroke-linecap:round;stroke-linejoin:round;stroke-width:3" transform="matrix(0.79335334 0.60876143 -0.60876143 0.79335334 0 0)"/>
+  <path inkscape:connector-curvature="0" style="fill:#84cbfe;stroke-linecap:round;stroke-linejoin:round;stroke-width:2" id="path4550" d="m 401.57143,513.798 a 2.9999605,2.9999605 0 0 0 -3,3 2.9999605,2.9999605 0 0 0 3,3 2.9999605,2.9999605 0 0 0 3,-3 2.9999605,2.9999605 0 0 0 -3,-3 z"/>
+  <path inkscape:connector-curvature="0" style="fill:#84cbfe;stroke-linecap:round;stroke-linejoin:round;stroke-width:2" id="path4537" d="m 405.57143,519.298 a 1.4999942,1.4999868 0 0 0 -1.5,1.5 1.4999942,1.4999868 0 0 0 1.5,1.5 1.4999942,1.4999868 0 0 0 1.5,-1.5 1.4999942,1.4999868 0 0 0 -1.5,-1.5 z"/>
+ </g>
+</svg>
diff --git a/dashy/icons-temp/digikam_oxygen.svg b/dashy/icons-temp/digikam_oxygen.svg
new file mode 100644
index 0000000..bbf63d5
--- /dev/null
+++ b/dashy/icons-temp/digikam_oxygen.svg
@@ -0,0 +1,102 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg height="128" width="128" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <defs>
+    <filter id="a">
+      <feGaussianBlur stdDeviation="1.4771469"/>
+    </filter>
+    <filter id="b">
+      <feGaussianBlur stdDeviation="1.474452"/>
+    </filter>
+    <linearGradient id="c">
+      <stop offset="0"/>
+      <stop offset="1" stop-opacity="0"/>
+    </linearGradient>
+    <filter id="d">
+      <feGaussianBlur stdDeviation="21.031171"/>
+    </filter>
+    <filter id="e">
+      <feGaussianBlur stdDeviation="1.4823768"/>
+    </filter>
+    <filter id="f">
+      <feGaussianBlur stdDeviation="1.4839468"/>
+    </filter>
+    <filter id="g">
+      <feGaussianBlur stdDeviation="10.554463"/>
+    </filter>
+    <radialGradient id="h" cx="442.44681" cy="490.71738" gradientTransform="matrix(.4081281 1.2032645 -.9470078 .3212102 726.58504 -199.28658)" gradientUnits="userSpaceOnUse" r="146.97212">
+      <stop offset="0"/>
+      <stop offset=".5" stop-color="#666"/>
+      <stop offset="1" stop-color="#7f7f7f" stop-opacity="0"/>
+    </radialGradient>
+    <linearGradient id="i" gradientUnits="userSpaceOnUse" x1="447.42792" x2="450.98187" xlink:href="#c" y1="619.26385" y2="328.42789"/>
+    <radialGradient id="j" cx="441.43668" cy="485.6666" gradientTransform="matrix(.4293318 -2.2873523 1.1399055 .213958 -301.70012 1391.4755)" gradientUnits="userSpaceOnUse" r="152.63437">
+      <stop offset="0" stop-color="#afb5ba" stop-opacity=".960784"/>
+      <stop offset="1" stop-opacity=".960784"/>
+    </radialGradient>
+    <linearGradient id="k" gradientUnits="userSpaceOnUse" x1="-385.33765" x2="-385.33765" y1="374.22821" y2="469.18298">
+      <stop offset="0" stop-color="#fff" stop-opacity="0"/>
+      <stop offset="1" stop-color="#c8c8c8"/>
+    </linearGradient>
+    <linearGradient id="l" gradientUnits="userSpaceOnUse" x1="-463.62922929894" x2="-463.22751830196" y1="707.23470550751" y2="636.1315084016">
+      <stop offset="0" stop-color="#1a1a1a"/>
+      <stop offset="1" stop-color="#5c5c5c"/>
+    </linearGradient>
+    <linearGradient id="m" gradientUnits="userSpaceOnUse" x1="-458.30343839782" x2="-455.25985227043" y1="707.30808431942" y2="631.75103622846">
+      <stop offset="0" stop-color="#1a1a1a"/>
+      <stop offset="1" stop-color="#ccc" stop-opacity="0"/>
+    </linearGradient>
+    <radialGradient id="n" cx="-462.15759" cy="669.52954" gradientUnits="userSpaceOnUse" r="37.778519">
+      <stop offset="0" stop-color="#fff"/>
+      <stop offset="1" stop-opacity="0"/>
+    </radialGradient>
+    <radialGradient id="o" cx="521.16754" cy="545.92981" gradientTransform="matrix(.6368706 -.7709707 1.7406734 1.4379065 -761.03424 162.7387)" gradientUnits="userSpaceOnUse" r="146.47212">
+      <stop offset="0" stop-color="#fff"/>
+      <stop offset=".5" stop-color="#7fccff" stop-opacity=".415254"/>
+      <stop offset="1" stop-color="#009aff" stop-opacity="0"/>
+    </radialGradient>
+  </defs>
+  <g transform="translate(1871.0903 656.4282)"/>
+  <g transform="translate(2184.0263 77.704638)">
+    <g>
+      <path d="m4056.7725 1480.6669c0 579.9083-470.6503 1050.5586-1050.5586 1050.5586-579.9084 0-1050.5586-470.6503-1050.5586-1050.5586 0-579.90837 470.6502-1050.55862 1050.5586-1050.55862 579.9083 0 1050.5586 470.65025 1050.5586 1050.55862z" filter="url(#d)" stroke="#000" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" transform="matrix(.05729662 0 0 .05729662 -2292.6127 -98.308685)"/>
+      <path d="m-2184.0261-77.704659h128v127.999993h-128z" fill="#333" opacity="0"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill-rule="evenodd" stroke="#000" transform="matrix(.3699421 0 0 .3699421 -2283.5172 -193.18822)"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="url(#h)" fill-rule="evenodd" stroke="#000" transform="matrix(.3699421 0 0 .3699421 -2283.5172 -193.18822)"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="none" stroke="#1a1a1a" stroke-width="4.801973" transform="matrix(.3701369 0 0 .3701369 -2283.6032 -193.28284)"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="none" stroke="#404040" stroke-width="12.324504" transform="matrix(.3902185 0 0 .3902185 -2292.4679 -203.03571)"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="none" filter="url(#b)" stroke="#000" stroke-width="1.946154" transform="matrix(.3751596 0 0 .3751596 -2285.8204 -195.7222)"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="url(#i)" fill-rule="evenodd" transform="matrix(.3012907 0 0 .3012907 -2253.2119 -159.84652)"/>
+      <g fill="none">
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" opacity=".523207" stroke="#000" stroke-width="2.455716" transform="matrix(.03921839 -.2987273 .2987273 .03921839 -2282.6055 99.302466)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" stroke="#000" stroke-width="3.931944" transform="matrix(.3688687 0 0 .3688687 -2283.0433 -192.66687)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" opacity=".523207" stroke="#000" stroke-width="2.455716" transform="matrix(.04713063 -.3589952 .3589952 .04713063 -2315.3683 122.06417)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" stroke="url(#j)" stroke-width="12.324504" transform="matrix(.3902185 0 0 .3902185 -2292.4679 -203.03571)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" filter="url(#a)" opacity=".523207" stroke="#000" stroke-width="2.455716" transform="matrix(.03963983 -.3019377 .3019377 .03963983 -2284.3507 100.5149)"/>
+        <path d="m4056.7725 1480.6669c0 579.9083-470.6503 1050.5586-1050.5586 1050.5586-579.9084 0-1050.5586-470.6503-1050.5586-1050.5586 0-579.90837 470.6502-1050.55862 1050.5586-1050.55862 579.9083 0 1050.5586 470.65025 1050.5586 1050.55862z" opacity=".592357" stroke="#000" stroke-linecap="round" stroke-linejoin="round" stroke-width="9.774646" transform="matrix(.05708222 0 0 .05708222 -2291.9682 -97.991218)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" filter="url(#f)" stroke="#000" stroke-linecap="round" stroke-linejoin="round" stroke-width="3.815697" transform="matrix(.02978209 -.2268508 .2268508 .02978209 -2243.2615 71.807214)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" stroke="#4d4d4d" stroke-linecap="round" stroke-linejoin="round" stroke-width="5.892814" transform="matrix(.03856882 -.2937795 .2937795 .03856882 -2279.6453 97.084569)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" stroke="#1a1a1a" stroke-linecap="round" stroke-linejoin="round" stroke-width="3.563545" transform="matrix(.03188944 -.2429025 .2429025 .03188944 -2251.9875 77.869536)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" stroke="#1a1a1a" stroke-linecap="round" stroke-linejoin="round" stroke-width="3.021582" transform="matrix(.03760925 -.2864704 .2864704 .03760925 -2275.672 94.324128)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" stroke="#1a1a1a" stroke-linecap="round" stroke-linejoin="round" stroke-width="3.142297" transform="matrix(.03616445 -.2754653 .2754653 .03616445 -2269.6894 90.167755)"/>
+        <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" stroke="#1a1a1a" stroke-linecap="round" stroke-linejoin="round" stroke-width="3.273058" transform="matrix(.03471965 -.2644603 .2644603 .03471965 -2263.7068 86.011411)"/>
+      </g>
+      <path d="m-328.63631 403.09064c0 30.02162-25.4022 54.38699-56.70134 54.38699-31.29913 0-56.70133-24.36537-56.70133-54.38699 0-30.02163 25.4022-54.387 56.70133-54.387 31.29914 0 56.70134 24.36537 56.70134 54.387z" fill="url(#k)" transform="matrix(.1746043 0 0 .1746043 -2053.2321 -83.546326)"/>
+      <g transform="matrix(.7029675 0 0 .7029675 -1795.3302 -484.52852)">
+        <path d="m-461.88422 631.48481c-21.27485 0-38.54514 17.27028-38.54512 38.54514 0 21.27487 17.27027 38.53788 38.54512 38.53789 21.27487 0 38.53789-17.26302 38.53789-38.53789 0-21.27486-17.26302-38.54514-38.53789-38.54514zm.66783 27.29374 8.27522 4.26827 2.77295 8.8995-4.27554 8.28249-8.89226 2.76567-8.28247-4.26828-2.76566-8.8995 4.26828-8.28248z" fill-rule="evenodd" stroke="#000" stroke-width="1.250106"/>
+        <path d="m-462.15405 632.2478c-20.85368 0-37.7821 16.92838-37.78206 37.78208 0 12.50466 6.09133 23.59137 15.46147 30.46758l20.18601-17.97317-7.00853-3.41533-27.93455-2.34092-.23481-1.13133 27.54322 2.29112-2.5544-7.42123-18.60641-21.93637.56922-.87518 18.44278 21.52369 3.40109-7.037 2.21997-29.34337 1.05306-.09961-2.09189 28.78837 7.99043-2.75361.07118.03558 21.21539-19.99223c-6.29336-4.56927-13.43001-6.56907-21.94117-6.56907zm22.95472 7.35091-20.98307 19.68 6.43065 3.49235 28.86024.99627c-1.52344-9.53386-7.08817-18.64305-14.30782-24.16862zm-13.9112 24.39031 2.26978 7.85526 19.29661 20.24294c4.72534-6.30708 7.16507-13.57478 7.16507-22.05734 0-1.66863-.11014-3.31206-.3202-4.92376zm1.76486 9.02872-3.05271 6.83121-2.02074 27.52186c9.84218-1.5018 18.29613-6.4516 24.09968-14.01066zm-4.22674 7.20121-7.39276 2.68957-20.59161 18.27201c6.23425 4.53649 13.10842 6.62431 21.40273 6.62432 1.56816 0 3.11401-.0987 4.63205-.28461z" fill="url(#l)" fill-rule="evenodd"/>
+        <path d="m587.9088 485.6666a146.47212 146.47212 0 1 1 -292.94425 0 146.47212 146.47212 0 1 1 292.94425 0z" fill="none" filter="url(#e)" opacity=".821656" stroke="#000" stroke-width="9.675173" transform="matrix(.2567208 0 0 .2567208 -575.48237 545.34865)"/>
+        <g fill-rule="evenodd">
+          <path d="m-462.15405 631.75104c-20.85368 0-37.7821 16.92838-37.78206 37.78208 0 12.50466 6.09133 23.59136 15.46147 30.46758l20.18601-17.97317-7.00853-3.41533-27.93455-2.34092-.23481-1.13133 27.54322 2.29112-2.5544-7.42123-18.60641-21.93638.56922-.87517 18.44278 21.52369 3.40109-7.037 2.21997-29.34337 1.05306-.09962-2.09189 28.78838 7.99043-2.75361.07118.03558 21.21539-19.99224c-6.29336-4.56926-13.43001-6.56906-21.94117-6.56906zm22.95472 7.35091-20.98307 19.68 6.43065 3.49234 28.86024.99628c-1.52344-9.53386-7.08817-18.64306-14.30782-24.16862zm-13.9112 24.3903 2.26978 7.85526 19.29661 20.24294c4.72534-6.30707 7.16507-13.57478 7.16507-22.05733 0-1.66863-.11014-3.31206-.3202-4.92377zm1.76486 9.02872-3.05271 6.83122-2.02074 27.52186c9.84218-1.5018 18.29613-6.4516 24.09968-14.01066zm-4.22674 7.20121-7.39276 2.68957-20.59161 18.27202c6.23425 4.53649 13.10842 6.62431 21.40273 6.62431 1.56816 0 3.11401-.0987 4.63205-.28461z" fill="url(#m)"/>
+          <path d="m-462.15405 631.75104c-20.85368 0-37.7821 16.92838-37.78206 37.78208 0 12.50466 6.09133 23.59136 15.46147 30.46758l20.18601-17.97317-7.00853-3.41533-27.93455-2.34092-.23481-1.13133 27.54322 2.29112-2.5544-7.42123-18.60641-21.93638.56922-.87517 18.44278 21.52369 3.40109-7.037 2.21997-29.34337 1.05306-.09962-2.09189 28.78838 7.99043-2.75361.07118.03558 21.21539-19.99224c-6.29336-4.56926-13.43001-6.56906-21.94117-6.56906zm22.95472 7.35091-20.98307 19.68 6.43065 3.49234 28.86024.99628c-1.52344-9.53386-7.08817-18.64306-14.30782-24.16862zm-13.9112 24.3903 2.26978 7.85526 19.29661 20.24294c4.72534-6.30707 7.16507-13.57478 7.16507-22.05733 0-1.66863-.11014-3.31206-.3202-4.92377zm1.76486 9.02872-3.05271 6.83122-2.02074 27.52186c9.84218-1.5018 18.29613-6.4516 24.09968-14.01066zm-4.22674 7.20121-7.39276 2.68957-20.59161 18.27202c6.23425 4.53649 13.10842 6.62431 21.40273 6.62431 1.56816 0 3.11401-.0987 4.63205-.28461z" fill="url(#n)"/>
+        </g>
+      </g>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="none" stroke="#1a1a1a" stroke-linecap="round" stroke-linejoin="round" stroke-width="3.415175" transform="matrix(.03327485 -.2534553 .2534553 .03327485 -2257.7242 81.855066)"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="url(#o)" fill-rule="evenodd" transform="matrix(-.01682102 -.2879784 -.2879784 .01682102 -1972.6538 104.93929)"/>
+      <path d="m-2161.4863 9.0770959-.4967.2521772-.5917-1.1654952-3.5192 1.7866389 1.261.6582462-.5519.280193-1.2923-.703647-.2736-.5389156 4.0776-2.0701311-.5653-1.1135424.4967-.2521722zm-4.7885-2.5839957-.693.2961931-.2791-.652851.6931-.2961932zm2.9294-1.2520242-.693.2961932-.279-.652851.693-.2961932zm-.7659-1.7998997-.5257.1844188-.4327-1.2333799-3.7242 1.3066186 1.1632.8189005-.5841.2049104-1.1881-.8680243-.2001-.5703094 4.3151-1.5139368-.4134-1.17841018.5256-.18442254zm-2.2966-4.5296637.5894-.163561c.124-.034401.2379-.0597077.3417-.0759214.1055-.0192047.2048-.0291205.2978-.0297475.0954-.0012755.1865.0049249.2734.0185838.0863.0113291.1733.029995.2612.0560054l.1197.43152091c-.1812-.06305884-.3568-.10123765-.5268-.11453518-.1706-.01563115-.3319-.00235738-.4839.03983373l.0857.30873037-.7683.21321867zm-1.6191-4.3023674c.214-.0442192.4184-.0505298.6133-.018944.192.0297092.3679.1011753.5276.2143896.1593.1108459.2981.2668097.4165.4678867.1184.2010819.208.4489908.269.7437402.0609.2947582.0769.5578988.0479.789443-.0295.2291583-.0937.428321-.1925.5974708-.1018.1672684-.2347.3037976-.3987.4095791-.1669.1039-.3561.1777117-.5677.221444-.183.0378308-.3515.0441497-.5054.0189577-.1544-.0275691-.2923-.0771391-.4137-.1487173-.1242-.0734598-.2295-.1632283-.3159-.2693094-.0892-.1079576-.1578-.2239095-.2058-.3478482l-.0142.0029494c-.0043.1471217-.0317.2841616-.0823.4111135-.0511.1245747-.1199.2354585-.2064.3326503-.0894.0953016-.1928.1761812-.3105.2426338-.1181.0640755-.2473.1106033-.3875.1395908-.1759.0363611-.348.0372321-.5163.0026079-.1711-.0365006-.3287-.1092726-.4727-.2183123-.1463-.1085464-.2732-.2545874-.3805-.4381216-.1097-.1830459-.1914-.4041148-.2449-.6632115-.0565-.2733573-.0709-.5169972-.0433-.7309196.0272-.2162896.0867-.4020892.1785-.5573939.089-.1571848.2053-.2840862.3489-.3806978.1436-.0966067.3034-.1630837.4793-.1994498.1378-.0284956.2739-.0355588.4083-.0211897.1338.0119881.2609.045212.3812.099653.1174.0525658.2245.1270885.3213.2235781.0939.0945995.1701.2114551.2286.3505581l.0143-.0029532c-.0062-.1499069.01-.2932983.0486-.4301743.0363-.1363742.0974-.2605371.1833-.3724877.0835-.1114499.1912-.208066.323-.2898448.1318-.0817688.2881-.141327.4687-.1786709m-2.2039 1.2809195c-.1259.0260443-.2378.0665106-.3355.1214063-.0982.0525235-.1765.1232406-.235.2121613-.0608.0894089-.0992.1977173-.115.3249179-.0182.1276975-.0094.2783066.0265.4518272.0349.1687713.0857.3069668.1526.4146005.0645.1081181.1426.1923527.2344.2526926.0889.0584584.1891.0935179.3006.105177.1114.0116605.2302.0044661.3561-.0215745.0999-.0206324.1994-.0548344.2986-.1026023.0992-.047763.1844-.11496.2557-.2015838.0714-.0866175.1218-.1961905.1514-.3287226.0297-.1325272.0248-.2938743-.0145-.4840365-.0418-.2020456-.1025-.358033-.1822-.467966-.0803-.1123015-.1698-.1916965-.2686-.2381913-.0994-.0488669-.2033-.071999-.3118-.0694013-.109.0002292-.2134.0106581-.3133.0312955m2.2811-.6016338c-.1212.0250566-.2342.0657707-.3391.1221412-.1072.0568624-.1952.1345497-.2641.2330519-.0712.0990041-.1188.2228389-.1426.3715144-.0266.1467952-.0188.3223993.0234.5268233.0388.1877887.0993.3425832.1815.4643996.0793.1199225.1716.2123964.2767.2774116.1047.0626431.2192.100937.3435.1148944.122.0144505.2448.0088984.3684-.0166502.1545-.0319369.292-.080186.4125-.1447535.1181-.0640705.2149-.1472859.2904-.249645.0731-.1018683.1207-.2257032.1426-.3715107.0219-.1458112.0129-.3149797-.0269-.507524-.0403-.1949128-.0991-.3537694-.1765-.4765698-.0775-.1227905-.1697-.2152644-.2767-.2774117-.1095-.0616553-.2318-.0958569-.367-.1026025-.1381-.0086307-.2868.0035113-.4461.036431m-2.2999-15.4131919 3.4342.442083-.0837.650001-3.4341-.442083-.0707.54889-.473-.060895.0706-.54889-.4405-.056715c-.1421-.018284-.2716-.048409-.3885-.090388-.1194-.042288-.2191-.10407-.2992-.185357-.0822-.083994-.1407-.190637-.1754-.319921-.0372-.129598-.0432-.291894-.0181-.486897.0099-.077032.0238-.156014.0415-.236936.0181-.083327.0384-.155359.0609-.216096l.4947.063687c-.0125.039998-.0247.087372-.0367.142115-.014.052036-.0238.099725-.0294.143054-.0124.096297-.0094.177447.009.243446.0188.0636.0511.116702.097.15932.0438.039906.1009.071726.1713.095466.0706.021337.1529.038045.2468.050132l.3503.04509.0981-.761947.473.060898zm.5064-1.27745-.5286-.105017.7061-3.553242.5285.105016zm1.8284.363301-.5285-.105016.706-3.553243.5285.105016zm1.4906-7.821265c.2468.072647.4617.176382.6447.311197.183.134824.3274.297519.4332.48807.1036.189874.1639.406245.1809.64911.0178.240542-.0155.504013-.0998.790418-.076.258467-.1728.475426-.2902.650869-.1167.173122-.247.310625-.3909.412507-.1462.101205-.3019.170489-.4673.207847-.1646.035037-.3332.044868-.5058.029494l.1137-.657273c.1007.001803.2021-.007564.3043-.028093.0999-.021211.1964-.061122.2896-.119734.0915-.06162.1753-.144475.2515-.248572.0745-.107096.1365-.244474.1858-.412133.048-.162991.0671-.318048.0572-.465171-.0121-.1478-.0534-.282663-.1238-.404588-.0697-.124247-.168-.232891-.295-.325929-.127-.09303-.2824-.166612-.4664-.22076-.1513-.044541-.2971-.060872-.4372-.048981-.1425.011208-.2725.048854-.39.112932-.1199.063405-.2249.153929-.3152.271573-.0896.115317-.1591.256806-.2085.424456-.0308.104788-.0499.20416-.0573.298125-.0075.09397-.0062.184172.0038.270602.0107.084113.0289.164111.0546.239997.0241.07288.0516.142948.0824.210209l-.181.61473-2.5992-.943377.8235-2.797716.5344.157286-.6549 2.224897 1.5335.553818c-.0532-.137128-.0854-.298424-.0966-.483895-.0136-.186158.0136-.394496.0814-.62502.072-.244495.174-.453572.3061-.627239.1321-.173663.287-.308968.4648-.405921.1755-.09763.3685-.155946.5791-.174952.2105-.018997.4287.004745.6546.071217m.7136-4.361743c.4586.18011.8277.375884 1.1071.587318.2781.208298.4845.426285.6194.653956.1335.224528.2021.454878.2058.691038.0038.236172-.0396.469478-.1301.699927-.0914.232707-.2184.433188-.3809.601438-.1626.16825-.3692.289226-.6197.362923-.2498.071444-.5474.088868-.8929.052282-.3468-.039727-.7507-.150094-1.2116-.331094-.4813-.188977-.8625-.38693-1.1437-.593846-.2826-.210067-.4884-.426479-.6173-.649233-.129-.222757-.1908-.450443-.1855-.683061.003-.233498.0515-.469992.1456-.709483.0896-.228183.2119-.426608.3667-.595266.1536-.171794.3534-.295427.5994-.370908.2461-.075471.5442-.094026.8942-.055674.3478.037475.7622.150701 1.2435.339683m-.2436.620176c-.3795-.149053-.7036-.250226-.9721-.303528-.2708-.054178-.498-.066494-.6818-.036941-.1859.028674-.3347.095419-.4463.20024-.1129.101681-.2013.233856-.2652.396525-.0674.171706-.0953.3355-.0835.491383.0118.155884.0757.308731.1916.458549.1145.146672.2894.292284.5247.436838.233.143674.5382.289591.9155.437757.366.143732.6833.242249.9518.295547.2694.051037.4982.062665.6865.034887.1868-.030929.3394-.097475.4578-.199641.1161-.103048.2065-.237038.2713-.401969.063-.160408.087-.317871.0721-.472384-.0173-.155393-.0842-.306868-.201-.454433-.1182-.150699-.2933-.299018-.5255-.444945-.2312-.148187-.5299-.294149-.8959-.437885m3.9928-2.459593-2.2103-1.163071c-.1697-.089288-.3171-.153152-.4423-.191582-.1251-.038421-.2356-.04994-.3315-.034561-.0969.012107-.1807.051629-.2516.118557-.073.065806-.1406.157779-.2028.275916-.0644.12244-.0979.246061-.1005.370865-.0048.123679.0204.245268.0755.36475.054.116209.1385.229255.2535.339125.114.106598.258.20567.4319.297225l2.0203 1.063041-.3035.576749-2.742-1.442824c-.073-.038424-.1498-.077479-.2304-.117152-.0817-.042947-.1585-.081996-.2305-.117153-.0742-.036284-.1376-.066915-.1903-.091893-.0527-.024979-.0871-.040346-.1032-.046114l.2882-.547753c.0118.00351.042.016618.0904.039335.0484.02272.1043.049396.1677.080022.0624.027358.1264.056912.1919.088669.0635.030636.1167.05725.1596.079859l.0051-.00967c-.0738-.104677-.1357-.208561-.1857-.311661-.05-.103095-.082-.209069-.096-.317942-.0151-.112141-.0105-.227677.0137-.346612.0232-.122203.0709-.252042.1432-.389524.1391-.264206.3013-.444874.4868-.542006.1867-.099265.4107-.118507.6722-.057712l.0051-.00967c-.0738-.104673-.1346-.210703-.1823-.318102-.0477-.107389-.0769-.218738-.0875-.334056-.0128-.116431-.006-.236265.0204-.359494.0243-.124355.0727-.255271.145-.392753.0927-.17613.196-.315135.3099-.41701.1151-.104009.2435-.170834.3853-.200471.1418-.02963.3012-.022516.4784.021321.175.04272.3699.120597.5847.23362l2.3231 1.22241-.3018.573528-2.2103-1.163071c-.1697-.089288-.3172-.153146-.4423-.191577-.1252-.038417-.2357-.04994-.3315-.03456-.0969.012111-.1808.051628-.2517.118551-.073.065806-.1406.15778-.2027.275917-.0645.122444-.0991.245503-.1038.369172-.0069.122551.0161.243001.0691.361356.054.116213.1385.22926.2535.339125.1161.107728.2633.208503.4416.302312l2.0202 1.06304zm3.2164-5.317179-2.0368-1.445578c-.1564-.110984-.294-.193803-.413-.24847-.119-.054658-.227-.080715-.324-.078167-.0977-.000826-.186.027235-.2652.084184-.081.055554-.1602.137765-.2375.246625-.0801.112831-.1297.230926-.1488.354286-.021.121965-.0122.245809.0266.371535.0382.122351.1069.24559.2064.369719.0988.120753.2284.238021.3887.351814l1.8617 1.321247-.3772.531476-2.5268-1.793278c-.0673-.04776-.1382-.096641-.2129-.146645-.0752-.053382-.1462-.10226-.2129-.146649-.0687-.045781-.1275-.084538-.1764-.11628-.0489-.031734-.081-.05153-.0963-.059384l.3583-.504751c.0113.005049.0394.022031.0843.050956.045.028928.0969.062776.1557.101533.0582.035378.1177.073147.1785.113308.0588.038766.108.072196.1476.100291l.0063-.008909c-.0593-.113528-.1069-.2247-.1428-.333511-.0358-.108806-.0535-.218093-.053-.327855-.0001-.11315.0198-.227064.0595-.341744.0391-.11806.1037-.240436.1936-.367122.1728-.243465.3575-.401047.5543-.472756.1981-.073674.4227-.063067.6739.03182l.0063-.008903c-.0593-.113528-.1055-.226679-.1386-.339452-.0331-.112761-.0472-.226993-.0425-.342702.0027-.117104.0254-.23498.0679-.353619.0406-.120038.1058-.243398.1957-.370087.1152-.162309.236-.286403.3624-.372289.1279-.087857.264-.137082.4084-.147681.1445-.010586.3016.017573.4714.084492.1678.065527.3507.168527.5486.309001l2.1407 1.519336-.3751.528501-2.0368-1.445578c-.1563-.110976-.294-.193795-.413-.248466-.1189-.054653-.2269-.08071-.324-.078166-.0976-.000827-.186.027234-.2651.084183-.0811.055554-.1603.137765-.2376.246629-.08.11283-.1306.230222-.1517.352178-.023.120558-.0162.242999.0206.367315.0382.122352.107.245591.2064.369723.1008.122159.2334.24154.3977.358133l1.8616 1.321252zm10.4285-10.725817c-.017-.013454-.0446-.038608-.083-.075471-.0378-.040536-.0807-.085485-.1287-.134845-.0459-.050955-.0926-.102955-.1401-.155997-.0454-.054646-.0849-.103846-.1186-.1476l-.0125.009626c.0664.297375.0448.564568-.0647.801583-.1091.233341-.2907.447873-.5449.643608-.2125.163644-.4306.261882-.6542.294707-.2216.031223-.4435.008017-.666-.069623-.2203-.079241-.4373-.205865-.6509-.379864-.2132-.177685-.4168-.392575-.611-.644667-.1973-.256251-.3536-.510927-.4689-.76402-.1131-.254694-.1759-.500042-.1884-.736037-.0141-.238074.0264-.463434.1215-.676085.0973-.214241.2584-.408004.4834-.581279.1104-.085029.2255-.155391.3452-.211098.1197-.055688.2418-.093274.3662-.112743.1244-.019461.2509-.018971.3795.001478.1286.020458.2588.064562.3906.132302l.0063-.004817c-.0161-.020828-.0404-.050234-.073-.088219-.032-.041662-.0681-.088539-.1082-.140625-.0402-.05208-.0829-.105447-.1283-.160102-.0433-.056244-.085-.110413-.1252-.162502l-.9506-1.234404.8782-.676245 3.0034 3.900088c.1267.164589.243.30906.3487.433412.1041.122281.1855.217227.2442.284855zm-1.357-1.678126c-.1717-.222917-.3345-.391255-.4885-.505004-.1555-.115829-.3006-.189985-.4351-.222463-.1341-.036156-.2577-.037212-.3709-.003166-.1127.030368-.2138.08004-.3034.149027-.1125.08664-.1956.185523-.2494.296657-.0518.109531-.0717.234439-.06.374711.0139.138683.0614.292969.1424.462868.0832.1683.2041.355575.363.561828.5904.766687 1.1158.972745 1.5762.618174.0875-.067383.1606-.153514.2192-.258402.0586-.104884.0878-.22859.0876-.371124-.0002-.14253-.0373-.304835-.1111-.486933-.0734-.185772-.1967-.391167-.37-.616173m.3758-3.785219-.4473-.683032.9272-.607233.4473.683038zm2.7596 4.213691-2.3382-3.570251.9272-.607236 2.3382 3.570255zm4.2633-.599932c-.2464.135939-.4779.230679-.6947.284207-.2131.054558-.4112.073792-.5943.057697-.1795-.015068-.3439-.062528-.4931-.142389-.1456-.07882-.274-.183646-.3852-.314473l.9075-.64947c.1171.130586.2556.207345.4154.230275.1621.021658.3352-.018329.5194-.119971.1151-.063524.211-.137448.2876-.221765.0789-.085592.1301-.185953.1537-.301074.0272-.114088.0242-.244608-.0088-.39156-.0308-.148221-.0976-.315575-.2005-.502055-.0356-.064466-.0718-.130078-.1086-.196845-.0369-.066764-.0694-.128406-.0976-.184937-.0333-.065727-.0664-.128524-.0994-.188389l-.0069.003813c.0205.303995-.0418.566628-.1869.787906-.1429.220012-.3548.407512-.6357.562514-.2371.13086-.4674.197889-.6909.201081-.2225-.000369-.4358-.052315-.6401-.155821-.2056-.105814-.3995-.258587-.5818-.458316-.1813-.20331-.3488-.444248-.5025-.722821-.1588-.28778-.2736-.563814-.3444-.828107-.072-.266591-.0957-.516316-.071-.749179.0269-.234125.1055-.445636.2355-.634522.131-.192457.3209-.357291.5695-.494513.2487-.137206.5001-.206853.7542-.208951.2564-.003351.5053.083045.7467.259185l.0173-.009525c-.0267-.04834-.0561-.104231-.0881-.167668-.0309-.066997-.06-.130549-.0871-.190651-.0285-.062393-.0531-.11789-.0739-.166482-.0185-.049847-.0299-.084104-.0342-.102768l.9186-.506922c.0411.085423.1007.204232.1787.356414.078.152192.1703.324982.277.518365l1.5227 2.75925c.1499.271666.241.52925.2733.77274.0335.245795.0111.477385-.0671.694767-.076.216111-.2061.418536-.3902.607265-.1819.187465-.4133.358693-.6941.513695m-1.0752-3.866696c-.1296-.234825-.2606-.417811-.393-.548963-.1325-.131139-.2616-.223579-.3873-.277316-.1258-.053736-.2478-.073494-.3661-.059275-.116.012959-.2223.046112-.319.099472-.1243.068607-.2215.153765-.2915.255467-.0677.100443-.107.219735-.1179.357874-.0109.138145.0096.295022.0615.47063.0519.175613.1375.371622.2569.588033.2224.4029.4545.67122.6965.804972s.4908.130123.7464-.010909c.0966-.053359.182-.124502.2561-.213429.0751-.092494.1246-.206902.1485-.343223.0226-.138624.0131-.30006-.0285-.484333-.0417-.184261-.1292-.397259-.2626-.639m.9578-3.653556-.3393-.74264 1.0081-.460573.3393.74264zm2.093 4.581421-1.7734-3.88183 1.0081-.460573 1.7735 3.881829zm5.6294-2.242042-2.7366-1.733946-.4704.724535.6805 1.909744-1.096.390588-1.8656-5.235079 1.0961-.390587.846 2.374178 1.5133-3.214934 1.2781-.455465-1.4476 3.011477 3.4952 2.158728zm2.9097-.732064c-.1996.047037-.3851.06237-.5565.046009-.1694-.019521-.3215-.068786-.4563-.147795-.1353-.081566-.2509-.193484-.3465-.335739-.0957-.142255-.167-.313207-.214-.512845-.0579-.24571-.0642-.461699-.019-.647963.0472-.189425.133-.352812.2574-.490174.1237-.139906.2799-.256417.4687-.349526.1882-.095668.3946-.171312.6192-.226941l.8909-.226111-.0497-.211154c-.0356-.151006-.0792-.273102-.1309-.366293-.0497-.096349-.1077-.170481-.1739-.222416-.0663-.051922-.1409-.081633-.2237-.089141-.0808-.010662-.1699-.004542-.2671.018371-.0896.021112-.1681.049063-.2356.083864-.0649.034198-.1175.080365-.1578.138491-.0409.055577-.069.125672-.0842.21029-.0132.081464-.0127.181291.0017.299479l-1.1376.211281c-.0121-.188959.0053-.367312.0523-.535059.0463-.1703.1282-.327365.2456-.471198.1199-.144428.2779-.270798.4739-.379119.198-.111472.439-.200675.7231-.267617.2585-.060903.4964-.083182.7137-.066833.2172.016353.4113.071928.5823.166726.1703.092256.3143.221775.4319.388563.1176.1668.2051.371772.2624.614916l.3564 1.512646c.0229.097267.0472.183384.073.258357.0283.074374.0604.135718.0961.184038.0376.045158.0815.076693.1317.094592.052.014745.1139.013672.1856-.003218.0819-.01929.1594-.045664.2326-.079112l.1375.583559c-.0604.030433-.1147.058077-.1628.082934-.0482.024855-.097.047161-.1464.066893-.0493.019739-.1029.039103-.1605.058094-.0551.018383-.1211.036622-.1978.054714-.2714.063918-.4879.04471-.6498-.057628-.1594-.102938-.2823-.280648-.3688-.533126l-.023.005428c-.0824.292272-.2194.536608-.4108.733008-.189.195795-.4434.331378-.7633.406755m.7841-2.296009-.551.137932c-.114.032258-.2216.068427-.3229.108505-.0994.036918-.1833.087763-.2518.152523-.0665.061603-.1129.140065-.1391.235376-.0261.09532-.022.215921.0123.361811.0465.197083.1259.333696.2384.409851.1145.072994.2472.091697.3982.056121.1382-.032567.2567-.091545.3555-.176949.0987-.085398.1753-.184494.2298-.297287.0564-.11595.0916-.241762.1056-.377428.0139-.135665.0056-.268762-.0252-.399296zm5.1185 1.134267-.2532-2.380777c-.0176-.164731-.0453-.313829-.0833-.447297-.0357-.136358-.0848-.250126-.1474-.341316-.0602-.094075-.1351-.16412-.2246-.210133-.0869-.046291-.1892-.063175-.3069-.050664-.1124.011965-.2112.05288-.2963.12275-.0854.06726-.1563.159418-.2126.276469-.0539.11416-.0912.249017-.1116.404566-.0208.152939-.0216.319618-.0024.500036l.242 2.274877-1.1022.117223-.3504-3.294642c-.0097-.091517-.021-.185508-.0339-.281981-.0103-.096748-.0227-.187983-.0371-.273725-.0121-.088622-.023-.166785-.0329-.234497-.0101-.070317-.0196-.122192-.0284-.155637l1.0511-.111799c.0086.030827.0193.081256.032.151293.0125.067437.0257.14271.0399.225821.0141.083123.0269.16638.0384.24977.0142.083123.0243.153441.0304.210965l.0157-.001667c.1015-.338694.2451-.591967.4309-.75981.1884-.168119.4237-.267197.7061-.297238.3243-.03448.5929.017594.806.156238.2154.135753.3731.350364.4731.643834l.0235-.002507c.0572-.183252.1227-.3383.1965-.465147.0763-.127119.1631-.231541.2602-.313271.0994-.084616.2089-.149143.3284-.193601.1222-.044721.2565-.074867.4029-.090449.2328-.024748.4333-.003766.6017.062935.171.066436.314.167582.429.303437.1175.135586.2091.300378.2747.494367.0682.193725.1145.405636.139.635734l.2866 2.694548-1.0943.116388-.2532-2.380772c-.0176-.164728-.0453-.31383-.0833-.447298-.0357-.136354-.0848-.25013-.1474-.341315-.0602-.094076-.1351-.164121-.2246-.210134-.0869-.046287-.1892-.063176-.3069-.050664-.1098.011684-.2074.051155-.2928.118411-.0831.064372-.153.152466-.2099.264285-.0545.108933-.0924.237252-.1137.384959-.0214.147708-.0253.309434-.0119.485181l.2474 2.325862zm17.1039 1.151157.6346-2.415717c.0487-.185458.0776-.343487.0868-.474082.0093-.130586-.0045-.240842-.0411-.330774-.0336-.09165-.091-.164454-.1722-.218408-.0806-.056299-.1854-.101408-.3146-.135325-.1338-.035151-.2618-.03991-.3839-.014283-.1216.023287-.2344.075222-.3384.155819-.101.07887-.1921.186701-.2732.323502-.0781.135074-.1422.297685-.1921.48784l-.58 2.207954-.6303-.165577.7872-2.996755c.0209-.079817.0416-.163469.0621-.25095.0234-.089208.0442-.172855.0622-.250947.0186-.080435.0341-.149127.0466-.206093.0124-.056952.0196-.09396.0216-.111016l.5987.157253c-.0008.012358-.0068.044668-.018.096928-.0112.052269-.0246.112746-.0401.181442-.0126.066975-.0269.135976-.0431.207021-.0155.068701-.0295.126525-.0418.173474l.0106.002774c.0853-.09553.1725-.179273.2617-.25122.0892-.07194.1852-.127023.2881-.165248.1059-.039947.2194-.06156.3408-.06483.1242-.004996.2615.012242.4118.051703.2887.075852.5013.193189.6378.352.1388.159443.2081.373391.2078.641847l.0106.002778c.0853-.095538.1749-.178664.2688-.249374.0939-.070708.1958-.124249.3057-.160623.1105-.038716.2288-.059096.3548-.061129.1267-.004378.2651.013168.4154.05263.1925.050568.3512.119867.4761.207896.1273.08865.2214.19869.2823.330109.0608.131425.0898.288379.0871.470853-.0022.180131-.0341.387577-.0957.622341l-.667 2.538967-.6268-.164655.6346-2.415714c.0487-.185457.0776-.343486.0868-.474081.0093-.130587-.0044-.240846-.0411-.330774-.0336-.091655-.091-.164459-.1722-.218412-.0806-.056295-.1854-.101408-.3146-.135325-.1338-.035147-.2615-.041084-.383-.017804-.121.020938-.2331.070529-.3365.148781-.101.078865-.1921.186701-.2732.323502-.0787.137419-.1437.303551-.1949.498404l-.58 2.207949zm4.6787 1.53353c-.3693-.141858-.6094-.345908-.7204-.612138-.1109-.266239-.1011-.569288.0294-.909173.0931-.242444.2146-.423308.3644-.542572.153-.120659.3201-.19689.5013-.228689.1835-.030927.3769-.02683.5803.012289.2034.039123.4045.094275.6034.165464l.8311.30364.0771-.200528c.0583-.151814.092-.287063.1012-.405745.0092-.118678-.0065-.223493-.0469-.314441-.0405-.090953-.1049-.170299-.1933-.238054-.0853-.069146-.1947-.129395-.3284-.180748-.1178-.045256-.2278-.077093-.33-.095527-.1012-.020685-.1957-.021867-.2833-.003528-.0868.016071-.1665.054357-.2391.11486-.0718.058239-.1367.142526-.1947.252863l-.6168-.303215c.0784-.136309.1724-.252328.2819-.348053.1105-.097985.2405-.168969.39-.212954.1517-.043111.324-.054946.5167-.035516.1959.018034.4185.07492.6677.170653.4623.177556.7692.417647.9208.720281.1524.300372.1516.651085-.0025 1.052147l-.6083 1.583844c-.0697.181269-.0985.327492-.0866.438672.0128.108906.086.189038.2197.240388.034.013059.0688.023845.1045.032372.0358.008518.0708.015476.1051.020862l-.1462.380669c-.084-.011464-.1662-.027464-.2468-.047987-.0782-.019659-.1604-.046029-.2465-.079099-.1156-.044388-.2096-.097407-.2821-.159064-.0694-.063058-.1184-.135183-.147-.216379-.0278-.083461-.0378-.175733-.0302-.276809.0085-.10335.0328-.217503.073-.342469l-.0204-.007835c-.1109.092584-.2243.17123-.3402.235938-.1136.065572-.2356.112328-.3659.140273-.1295.025671-.268.030963-.4156.015869-.1454-.014228-.3042-.054416-.4764-.120561m.3156-.40531c.1949.074849.3783.105001.5503.090462.1752-.015935.3316-.061142.4694-.135612.1401-.073607.2592-.166981.3573-.280126.098-.113142.1701-.229759.2162-.349851l.1162-.302493-.6748-.243588c-.1504-.055174-.2975-.098678-.4413-.130504-.1406-.033221-.2728-.041094-.3965-.023609-.1237.017481-.2358.065451-.3361.143917-.0981.079334-.1789.201709-.2424.367118-.0766.199397-.0826.37393-.0178.523595.0669.150537.2001.264102.3995.340691m5.1442 2.030252c-.2199.173447-.4444.264976-.6733.274586-.2268.010678-.4732-.049037-.7393-.179135-.447-.218614-.7026-.53009-.767-.934437-.0621-.40328.0561-.910184.3547-1.520716.6036-1.234142 1.3393-1.638999 2.2071-1.214573.2682.131167.4677.289531.5985.475099.1308.185566.1985.411848.203.678857l.0065.003195c.0107-.021801.0261-.056128.0464-.102989.0234-.047969.0463-.097562.0687-.148782.0256-.05233.0496-.101386.072-.147181.0223-.045786.0383-.078495.0479-.09812l.6703-1.370423.5887.287924-2.0171 4.12436c-.0416.085038-.0816.166807-.12.245301-.0362.079564-.0692.152585-.099.219067-.0298.066477-.0554.124241-.0766.173275-.0203.046856-.0341.080629-.0415.101325l-.5625-.275136c.0063-.023939.0168-.056599.0317-.097976.018-.0425.0377-.090979.0589-.145443.0234-.053395.0479-.108973.0735-.166732.0266-.059938.0537-.118258.0815-.174948zm-1.1972-2.077c-.1194.24421-.2065.461002-.2613.650366-.0548.189368-.0761.357276-.064.503716.0133.144265.0594.268152.1385.371672.079.103518.1938.192072.3442.265647.1549.075718.3034.117293.4457.124725.1444.008505.2831-.023655.416-.096466.1361-.073929.2691-.191252.3991-.351966.1299-.160716.2589-.371905.3868-.633562.1227-.25075.2054-.472387.2482-.664906.0439-.194698.0516-.365199.0232-.511501-.0284-.146295-.0903-.271134-.1856-.374511-.0922-.104488-.2145-.194059-.3672-.268707-.1439-.070381-.2804-.10609-.4096-.107131-.1292-.001033-.2559.036988-.38.114064-.1242.07708-.2474.196489-.3698.358225-.1191.160623-.2405.367403-.3642.620335m3.7717 2.109358c-.1067.176607-.1876.350376-.2426.52131-.0517.170103-.0727.331767-.0632.484982.0129.152394.0603.294484.1424.426262.0833.129706.208.24475.3743.345136.2431.146819.4668.21532.6712.205505.2065-.008562.3809-.071957.5232-.190179l.4077.43764c-.0918.072165-.1987.136591-.3208.193265-.1188.055853-.2544.09022-.4068.1031-.1512.010802-.3218-.007177-.5119-.053933-.1868-.047581-.3924-.139134-.6167-.274653-.4987-.301166-.7892-.679359-.8716-1.134586-.0802-.453976.0566-.97392.4104-1.559845.1908-.315819.3915-.558964.6022-.72945.212-.172554.4279-.285986.6479-.340302.2199-.054308.4395-.056375.6587-.006209.2205.048095.4347.134887.6424.260371.2826.170658.4908.358793.6247.564402.1359.206868.2121.42584.2285.656922.0197.230256-.0124.468897-.0964.715926-.0819.248277-.1994.49916-.3524.752642l-.0452.0748zm2.086.672912c.1835-.374118.2493-.687382.1976-.939798-.0505-.254489-.216-.466433-.4965-.635837-.0935-.056466-.2016-.100489-.3243-.13207-.1193-.032398-.2459-.036511-.3796-.012337s-.2708.084557-.4114.181138c-.1393.094513-.2746.241062-.4059.439661zm2.4889 4.708315c-.3085-.247701-.475-.515243-.4995-.802628-.0245-.287386.0772-.573029.3051-.856936.1627-.202519.3335-.337735.5125-.405655.1825-.068287.3648-.089954.5471-.064993.1842.026483.3672.089352.549.188611s.3565.213103.5242.341528l.699.542551.1345-.167503c.1018-.126809.1752-.24533.2201-.355563.045-.110234.062-.214832.0512-.313784-.0108-.098959-.048-.194178-.1115-.285643-.0601-.091841-.146-.182596-.2577-.272257-.0984-.079015-.1935-.142867-.2851-.191555-.0901-.050576-.1797-.080492-.2688-.089746-.0875-.011149-.1751.001016-.2628.036494-.0861.033589-.1736.094086-.2624.181497l-.495-.476807c.1162-.105932.241-.187781.3746-.245551.135-.059649.2805-.087634.4363-.083952.1576.005209.3253.046445.503.123711.181.076895.3756.198923.5839.366076.3861.310014.6052.632236.6573.966671.0536.332547-.0541.66632-.3231 1.001328l-1.0622 1.323004c-.1216.151415-.1936.281879-.2162.391397-.021.107616.0243.206262.136.29592.0283.022793.0583.043695.0897.062706.0314.019005.0627.036311.0937.051904l-.2553.317978c-.0765-.03653-.15-.076837-.2204-.120937-.0685-.042575-.1388-.09274-.2107-.150482-.0965-.077508-.1699-.15667-.2202-.237502-.0469-.081208-.0715-.164839-.074-.250891-.001-.08795.0175-.178896.0556-.272836.0396-.095837.0976-.19714.174-.303906l-.0171-.013676c-.1339.054353-.2659.094675-.3959.120985-.1282.027826-.2586.035175-.3913.022053-.1311-.015015-.2647-.052211-.4007-.111587-.1341-.057856-.273-.144531-.4169-.260024m.4242-.289811c.1627.130686.3282.215326.4965.253909.1716.038208.3344.042856.4884.013939.1558-.027402.2977-.080027.4256-.157894.1279-.077864.2321-.166954.3126-.267264l.2029-.25268-.5684-.437695c-.1264-.098405-.2533-.18468-.3805-.258823-.1238-.07452-.2473-.122311-.3705-.14338-.1232-.021065-.2445-.009527-.364.034612-.1176.045665-.2318.137576-.3428.275744-.1337.166558-.1926.330977-.1765.493249.0179.163792.1101.312554.2767.446283m4.9337 3.493798c-.1272.133564-.2674.227953-.4206.283168-.1498.055133-.3082.071843-.4752.050142-.1654-.023469-.3386-.084513-.5195-.183138-.1775-.098718-.3585-.23597-.5431-.41177-.1652-.15738-.302-.312878-.4104-.46648-.1084-.150176-.1859-.301099-.2325-.452767-.0466-.151674-.0606-.305848-.0421-.462527.022-.156767.0808-.316998.1764-.480701l.497.317598c-.1053.191402-.129.383402-.0711.576005.0596.190845.2018.393424.4268.607728.1019.097107.2018.178814.2995.245125.0995.067977.1959.114574.2893.139782.0949.02345.1859.022965.2729-.001461.0904-.024507.1758-.07894.2561-.163299.0821-.086109.1288-.175657.1403-.268647.0132-.094746.0013-.194896-.0356-.300447-.0369-.105547-.0946-.220895-.1732-.346041-.0751-.125226-.1583-.26313-.2495-.413726-.0858-.1387-.1673-.280081-.2446-.424141s-.1332-.289494-.1677-.43631c-.031-.146896-.0319-.291948-.0028-.435153.0292-.143201.1082-.282467.2371-.417782.2478-.260094.5284-.369903.8419-.329426.3168.040401.6528.229695 1.0078.567902.3145.299695.5114.5928.5904.879315.0808.288193.0295.577864-.1541.869026l-.4772-.354129c.0545-.088882.0841-.178014.0888-.267407.0063-.091145-.0061-.180119-.0374-.266924-.0296-.088556-.0763-.174981-.1402-.25928-.0604-.084376-.131-.165075-.2119-.242091-.2144-.204261-.4035-.322436-.5674-.354521-.1639-.032082-.3086.017776-.4342.149582-.0736.077324-.1163.159049-.1279.245173-.0083.086044.0043.178448.0376.27722.0367.098683.09.206418.1597.323186.0715.115017.151.240998.2384.377944.0571.091325.1144.186081.1717.28427.059.09643.1103.195622.154.297577.0471.101869.0831.204867.1079.30899.0283.104044.0394.208507.0334.313377-.0061.104873-.0319.209367-.0774.31348-.0438.105792-.1143.209649-.2114.311578m8.632 8.840836c-.3361.217816-.6733.366939-1.0116.447385-.3371.082471-.6628.095413-.9771.038822-.3144-.056597-.6103-.182967-.8878-.379118-.2776-.196162-.5252-.462283-.743-.79837-.2297-.354428-.3761-.700698-.439-1.038815-.0609-.339447-.05-.661794.0328-.967053.0847-.30658.2345-.593128.4494-.859646.2149-.266514.4842-.50472.8081-.714619.3361-.217809.6699-.367654 1.0016-.44953.3316-.081873.6509-.093553.9578-.035032.309.057198.6002.185193.8736.383984.2769.199516.5268.471389.7499.815629.2218.342198.3665.679365.4343 1.01149.069.334157.0659.652904-.0094.956244-.074.305373-.2161.592693-.4263.861965-.2102.269269-.4813.511487-.8133.726664m-.3861-.595795c.2587-.167655.4722-.353734.6404-.55824.1696-.202473.2876-.417727.3538-.645779.0676-.226016.08-.461156.0374-.705432-.0426-.244268-.1451-.491674-.3074-.742221-.1664-.256647-.353-.455325-.5599-.596029-.2068-.140705-.4279-.22739-.6631-.260073-.2339-.030634-.4779-.009901-.732.062203-.2527.074147-.5085.195045-.7672.362695-.2586.167654-.4748.354032-.6485.559147-.1703.205823-.2923.423724-.366.653697-.0703.23069-.0872.470153-.0507.718388.0399.248949.141.498691.3033.749236.1743.268869.3679.471679.5809.608425.2143.138775.4391.220131.6745.244058.2387.024638.4851-.003471.7393-.084329.2555-.078819.5106-.200735.7652-.365746m3.6393 4.820865c-.2.099438-.4036.15871-.611.177807-.2041.020186-.4033-.004116-.5974-.072917-.1909-.067712-.3725-.182072-.5448-.343094-.1722-.161027-.3238-.37302-.4545-.635994l-.6713-1.349636-1.7897.890103-.3097-.622655 4.5934-2.284446.9614 1.933173c.1351.27167.2192.525311.2524.76094.0353.234543.0256.449458-.0291.644735-.0525.194195-.1478.367673-.286.520438-.136.151675-.3073.27886-.5137.381546m-.3179-.622673c.2913-.144843.4675-.343657.5289-.596452.0635-.253871.0066-.559024-.1707-.915452l-.6144-1.235533-1.8126.901458.6274 1.261613c.1784.358601.3885.58212.6304.670564.2429.090612.5133.061878.811-.086198m-2.4993 3.155744 4.8092-1.785889 1.3549 3.648672-.5324.19773-1.1129-2.99676-1.5427.572902 1.0368 2.791972-.5257.195192-1.0368-2.791972-1.6758.622337 1.1648 3.136697-.5325.19773zm2.4866 7.919936 3.5754-3.720501c-.1143.033482-.227.067839-.3383.10309-.0954.02878-.197.057851-.3047.08721-.1048.031131-.1985.056972-.2809.077518l-3.3067.824276-.1497-.600576 4.9777-1.240816.1955.784279-3.5966 3.755813c0-.000009.1137-.035843.341-.107501.0977-.029373.2037-.060798.3179-.094271.1166-.034071.2279-.064311.3339-.090725l3.2643-.813713.1515.607643-4.9778 1.240821zm2.4984 7.944417c-.2152.019086-.4172-.005643-.6061-.074174-.1886-.066127-.3571-.180327-.5055-.342608-.146-.162502-.2683-.373408-.3669-.632708-.0959-.257112-.1599-.566995-.1921-.929659-.0564-.635879.0109-1.141386.2018-1.516531.1909-.375144.4924-.629733.9045-.763762l.1937.659032c-.13.045647-.2462.108351-.3488.188117-.1026.079767-.1885.182427-.2578.307976-.0666.127751-.1139.281803-.1418.462166-.0278.180353-.0308.393841-.0089.640455.0182.205508.0518.392597.1009.561259.0515.16844.119.311101.2025.427979.0834.11687.185.204111.3046.261734.1223.059816.2632.08265.4228.0685.1668-.014805.2988-.065499.3959-.152086.0973-.084174.1737-.198168.2292-.341983.0554-.143824.0977-.313272.1267-.50835.029-.195079.0598-.411035.0924-.647859.0187-.145437.0398-.292296.0632-.440576.0261-.146082.0586-.287864.0975-.425347.0417-.135279.0924-.264056.1522-.386326.0598-.122275.1343-.230013.2235-.32321.0917-.093417.1994-.169986.3233-.229707.1262-.059938.274-.097413.4432-.112422.2418-.021451.4528.008567.633.090054.1829.083686.3377.207636.4644.371855.1266.164214.2258.362538.2976.594979.0718.23244.1199.48647.1444.7621.0281.31673.0267.589769-.0041.81913-.0284.229139-.0853.425479-.1707.589013-.0854.163528-.1978.297768-.3371.402731-.1367.107159-.2993.197118-.4878.269891l-.1802-.6712c.1203-.044788.2259-.104111.3168-.177966.0912-.071443.1648-.162042.2208-.271795.0561-.109758.0944-.241088.115-.393988.0207-.150494.0222-.326074.0044-.526744-.021-.236946-.0605-.434483-.1184-.59261-.0552-.155934-.1235-.280243-.2048-.372938-.0811-.090278-.1732-.152781-.2762-.187502-.1003-.032526-.2073-.043749-.321-.033667-.1523.013509-.2747.062134-.3672.145878-.0898.085947-.1616.197101-.2153.333448-.0537.136353-.0947.292287-.123.467813-.0283.175521-.0556.361925-.082.559206-.0223.160376-.0459.319645-.0709.477814-.0223.160375-.0538.314244-.0943.461611-.0381.147151-.0868.285489-.1459.415019-.059.131943-.1352.248355-.2286.349246-.0934.100878-.2067.182816-.34.245817-.1331.065413-.2928.10638-.4789.122895m1.0855 5.9890801c-.4004-.0107157-.7628-.0786895-1.0872-.2039212-.3245-.1228083-.6003-.2965149-.8274-.5211199-.2271-.224613-.3995-.496328-.5173-.81513-.1177-.318815-.1712-.678393-.1605-1.078751.0113-.422195.0867-.790471.2262-1.104819.142-.31429.3335-.573832.5745-.778634.2434-.204733.5292-.356129.8572-.45419.3279-.098062.6848-.141932 1.0706-.131608.4004.010711.7604.076196 1.0802.196446.3197.120249.5895.291366.8094.51336.2223.222049.3899.492416.5027.811096.1153.321171.1674.686789.1564 1.096853-.0109.40763-.0824.767509-.2146 1.079632-.1323.314549-.3153.575531-.5491.782954-.2338.209841-.5136.3662546-.8393.4692373-.3257.1029765-.6863.1491735-1.0818.1385948m.019-.7097221c.3081.008243.5894-.024295.8439-.09761.2545-.070898.4735-.181589.6572-.332064.1837-.148063.3271-.33484.4302-.560318.1032-.225491.1588-.487453.1668-.785895.0081-.305734-.0332-.575151-.1241-.808251-.0909-.233109-.224-.429713-.3994-.589802-.1755-.157672-.3884-.278701-.6386-.363098-.2504-.081974-.5296-.127083-.8378-.13533-.3081-.008244-.5918.023013-.8511.093779-.2569.073249-.4808.183809-.6718.331673-.1885.150353-.338.338179-.4485.563469-.108.227781-.1661.490894-.1741.789345-.0085.320284.0363.597075.1344.830377.0981.235726.2374.43006.4179.583008.1828.155433.4018.271779.6571.349031.2553.079669.5346.123562.8379.131686m-3.0878 3.6217514c.0409-.2785796.1169-.5372874.228-.776116.1111-.2388372.2586-.4416611.4425-.6084715.186-.1640598.4072-.2837033.6636-.3589267.2588-.0748716.5538-.0879896.8853-.0393489l3.2312.4742407-.1009.6880435-3.1737-.4657767c-.2569-.03772-.4804-.0361741-.6704.0046389-.1879.0435623-.3473.1182973-.4782.2242101-.1308.1059166-.2348.2378467-.312.3958041-.0751.160703-.1273.3407191-.1565.5400472-.0289.1969244-.0298.3869225-.0027.5699941.0271.1830629.0886.3490989.1845.498107.0959.1489993.2308.2742935.4048.3758876.176.1043359.3973.1760657.6639.215198l3.1268.4589047-.1004.6844393-3.1665-.4647236c-.3386-.0496974-.6245-.1493099-.8577-.2988375-.2311-.146782-.4143-.3282146-.5494-.5442977-.1351-.2161004-.2232-.4596392-.2644-.7306349-.0416-.2685995-.0408-.549395.0022-.8423817m-1.4146 6.81006442 2.4009-.74033558.4108-1.54465634-2.0584-.5474707.1788-.672049 4.9577 1.3186043-.6205 2.33281744c-.0749.28148096-.1738.5213926-.2969.71973617-.1214.20130309-.2627.35962559-.424.47496759-.1613.1153371-.3401.1883114-.5367.2189318-.1965.0306104-.405.0165974-.6255-.042044-.1572-.0418049-.3057-.106441-.4457-.1939044-.1406-.0851254-.2612-.1937906-.3616-.3259993-.1005-.13221372-.1762-.28672158-.2271-.46351991-.051-.17680702-.0668-.3769333-.0476-.60037014l-2.5101.83937587zm3.5589.84106069c.1501.03992296.2871.04875052.4111.02647273.124-.02229145.2354-.07302153.3343-.15219521.1013-.07856082.1883-.18353002.2609-.31490881.0749-.13076595.1361-.28528845.1836-.46355881l.4239-1.59391441-1.8297-.4866397-.4314 1.62206527c-.0512.19234763-.072.36513136-.0625.51835988.0118.15383639.0481.28655936.1088.39816021.0601.11394251.1421.20730846.2458.28010903.103.07513353.2214.13048388.3552.16604982m-.5926 4.65580149c.1064-.2711259.1557-.529492.1478-.7750923-.0087-.2433491-.0688-.4690162-.1801-.6769963-.1122-.2057277-.2716-.3908684-.4781-.5554246-.2066-.1645661-.4534-.3031735-.7403-.4158333-.287-.1126623-.5653-.1776027-.8349-.1948186-.2683-.014065-.5167.0174865-.7452.0946693-.2293.0794389-.4327.2055888-.6101.3784496-.1783.1751219-.3193.3948555-.4231.6592009-.0728.1852639-.1151.3629043-.1271.5329089-.0106.1731518.0042.3380325.0444.4946334.0393.1588619.0998.3103755.1814.4545483.0838.1450492.1845.2836903.3021.4159135l-.4719.4249013c-.1448-.1559425-.2692-.3273357-.3731-.5141785-.104-.1868514-.1787-.3883052-.2243-.6043687-.0464-.2138111-.0598-.442025-.0402-.6846491.0211-.239478.0839-.4925227.1886-.7591253.1517-.3863511.3457-.7012999.5822-.9448541.2378-.2404069.5049-.415868.8012-.5263857.2977-.1073667.617-.1501904.9579-.1284749.3409.0217192.691.1031068 1.0502.2441565.3728.1463713.6895.3293827.9501.5490442.2597.2219139.456.4723996.5889.7514719.1343.2822048.2012.5900888.2006.9236446.0017.3344359-.0702.6869234-.2157 1.0574636-.1996.5083517-.4658.8940807-.7985 1.1571782-.3328.2630964-.7261.3981164-1.18.4050676l.0375-.6932513c.1307-.0008407.262-.0197055.3938-.0566018.1341-.0360163.2633-.0961076.3876-.1802839.1244-.084185.2409-.1949069.3495-.3321657.1078-.1350152.2007-.3019302.2788-.5007477m-5.5301 1.1779811 4.5401 2.3885327-1.8122 3.4445262-.5026-.26445 1.4883-2.8290914-1.4564-.7662287-1.3867 2.6357581-.4962-.261062 1.3867-2.6357524-1.5821-.8323468-1.5579 2.9611982-.5027-.264446zm-18.0565 19.9216229.6377-.415122 1.9143 1.786268c.052.044329.1137.101226.1849.170681.0693.070773.1372.139515.2038.206231.0786.076261.1582.156244.2387.23994-.0413-.103464-.0809-.206569-.1188-.309314-.034-.087899-.068-.180171-.102-.276813-.0359-.095328-.0663-.179816-.0911-.25347l-.8353-2.471227.6347-.413137 3.0737 2.699801-.5432.353548-2.0183-1.879306c-.0447-.037525-.0966-.086232-.1559-.146126-.0579-.057864-.1152-.114705-.1718-.170534-.0632-.066002-.1288-.133369-.1967-.202116.034.087899.0657.174422.0951.259571.0247.07366.0502.148332.0763.224022s.0469.138866.0625.18953l.8777 2.656503-.5889.383345-2.0525-1.891805c-.0487-.043625-.103-.093708-.1629-.150241-.06-.056542-.1163-.109669-.169-.159394-.0613-.058572-.1232-.118166-.1858-.178769.034.087894.0667.173753.0981.257586.0268.072325.055.146693.0844.223096.0288.079759.0532.150716.0734.21288l.8771 2.62216-.5371.349576zm-4.7624 2.521612.6807-.340218 1.6996 1.991605c.0467.049939.1015.113447.1644.190531.0608.078164.1205.154151.1791.22798.0695.084673.1395.173152.21.265436-.0293-.107473-.0569-.214401-.083-.32078-.0238-.09119-.0472-.186718-.0699-.286581-.025-.09879-.0456-.186175-.0619-.262161l-.55-2.549938.6774-.338588 2.7481 3.030582-.5797.289753-1.7924-2.095827c-.0402-.042346-.0863-.096624-.1384-.162848-.051-.064053-.1015-.127018-.1514-.188897-.0554-.072741-.1129-.147104-.1726-.223095.0239.091185.0456.180739.0651.268674.0163.075986.0331.153061.0505.231221.0173.078155.0309.14329.0406.195394l.5712 2.738823-.6286.314166-1.825-2.11211c-.0434-.048858-.0917-.104767-.1448-.167729-.0532-.062973-.1032-.122137-.1498-.177504-.0543-.065138-.1091-.131362-.1645-.198671.0239.091182.0467.180202.0684.267044.0184.074901.038.151972.0586.231225.0195.082499.0358.155769.0488.219823l.5744 2.704625-.5732.286495zm-5.0161 1.96952.714-.263241 1.4701 2.166545c.0409.054771.0884.123928.1425.207468.0518.084375.1028.166477.1529.246307.0597.091803.1195.187449.1795.286937-.0173-.110046-.033-.21937-.0472-.327966-.0137-.093268-.0263-.190781-.038-.292548-.0139-.100936-.0248-.190057-.0326-.267373l-.2661-2.594977.7106-.261983 2.3979 3.314596-.6081.224201-1.5509-2.280353c-.0352-.046503-.0751-.105532-.1196-.177081-.0437-.069281-.0869-.137416-.1297-.204416-.047-.078388-.096-.158633-.147-.24073.0137.093259.0254.184658.0352.274202.0078.077316.016.15577.0247.23537.0086.079592.0149.14582.0189.198684l.2663 2.785041-.6593.243091-1.5815-2.300125c-.0378-.053337-.0796-.114218-.1256-.182657-.0459-.068438-.089-.132738-.1293-.192905-.0468-.070715-.094-.142568-.1416-.215556.0137.093256.0266.184235.0386.27294.0101.076478.021.155231.0328.236265.0103.084145.0184.158769.0243.223863l.2733 2.751412-.6013.221677zm-1.3361.379331.2186.766823-.6828.194602-.2186-.766819zm-4.1172 1.659204c.0659-.27224.1859-.482844.36-.631806.1718-.148455.4025-.253663.6921-.315619.4866-.104112.88-.017028 1.1803.261257.298.278795.518.75049.6602 1.415086.2875 1.343425-.0411 2.116199-.9858 2.318337-.2919.062466-.5466.061117-.7641-.004042-.2175-.065172-.4105-.20136-.5789-.408574l-.0072.001524c.0051.023736.0142.060269.0272.109613.0112.052209.0238.105363.0379.159454.0122.056956.0236.110363.0342.160208.0107.049846.0183.085447.0229.106814l.3192 1.491777-.6409.13712-.9606-4.489567c-.0198-.092568-.0388-.181579-.0571-.267021-.0207-.084945-.0398-.162763-.0574-.233458-.0176-.070704-.0332-.131905-.0468-.183613-.013-.049339-.023-.084434-.0299-.105284l.6123-.13103c.0099.022715.0217.05493.0356.096637.012.04459.0265.094863.0434.150807.0146.056459.0297.115288.0453.176494.016.063577.0307.126226.0439.187936zm2.2243.894259c-.0569-.265841-.1222-.490146-.1961-.672917-.0739-.182774-.1608-.328003-.2608-.435681-.0994-.105311-.2122-.174257-.3384-.206842-.1261-.032591-.271-.031362-.4348.00368-.1685.036062-.311.095098-.4275.177118-.1189.082521-.2081.193449-.2676.332783-.0615.142215-.0936.316651-.0966.523307-.0029.206652.0261.452389.087.737217.0584.272959.1302.498364.2155.676231.0857.180231.1849.319102.2976.41662.1127.097507.2385.157475.3773.179902.137.02529.2886.020166.4547-.015378.1567-.033521.2861-.08977.3884-.168736.1022-.07897.1784-.187106.2284-.324401.0501-.137309.0733-.307339.0696-.510094-.0056-.199875-.0378-.437479-.0967-.712809m-3.2879 3.489314.0926.619362-.6482.09685-.0925-.619362zm-.7059-4.724428.5822 3.896209-.6482.096854-.5822-3.896212zm-3.2659-1.160099c.225-.019384.4264-.013608.6045.017335.1781.030944.3326.084629.4634.161053.1306.074014.2397.166934.3273.278764.0876.111825.1546.238831.201.38101l-.6485.150898c-.0591-.177619-.1666-.308438-.3225-.392458-.1585-.086231-.3586-.11892-.6005-.098081-.1475.012717-.2799.044844-.3973.096372-.1174.051535-.2144.126892-.2911.226083-.077.096773-.1321.219691-.1656.368746-.0334.14906-.0412.327577-.0233.535553l.0544.631177.0073-.000622c.0398-.103322.092-.204057.1567-.302201.0624-.095524.1426-.182834.2405-.261925.0955-.078885.2091-.14593.3408-.20113.1319-.052782.2849-.086678.459-.101683.2491-.02147.4667.001199.6527.067997.1838.069424.3398.182672.4678.339737.1256.157273.2257.356952.3001.59904.0723.244707.1225.530294.1506.856768.0271.314382.0261.59951-.003.855393-.0315.256083-.0978.476189-.1989.660316-.1033.186751-.2441.334095-.4224.442044-.1805.110564-.4049.177422-.6734.200558-.2781.023966-.5242-.019381-.7384-.130036-.2164-.108045-.3903-.274555-.5218-.499542l-.0072.000628c.0052.060453.0098.12827.0139.20345.0016.075379.004.145824.0072.21133.001.068127.0012.126583.0005.175369-.0007.048779-.0031.077008-.0073.084685l-.6203.053459c.0005-.021975-.0003-.059669-.0024-.113075-.002-.050998-.0049-.112875-.0087-.185629-.0039-.072764-.0084-.153984-.0137-.243665-.0075-.087061-.0153-.17775-.0235-.272056l-.2585-2.999916c-.0473-.548954.0525-.972946.2996-1.27198.2445-.301243.6448-.475832 1.201-.523766m-.6919 3.589794c.0236.273264.0739.504022.1511.692282.0749.190875.166.343819.2734.458817.1073.114991.2264.196092.3572.243295.1283.047406.2578.065485.3883.054232.1669-.014382.3083-.055803.4242-.124263.1135-.068253.2047-.168698.2737-.301325.0668-.130008.111-.294612.1329-.493828.0196-.196593.0177-.430316-.0057-.701163-.0243-.282946-.063-.519587-.116-.70992-.0551-.187715-.1265-.337484-.2141-.44931-.0876-.11183-.1928-.18803-.3157-.228599-.1229-.04057-.2665-.053772-.431-.039601-.1306.011257-.2551.05001-.3737.116261-.1209.066459-.2258.16442-.3145.293878-.0887.129462-.1551.292321-.1991.488582-.044.196255-.0543.429807-.031.700662m-1.7109 2.885647.0149.626061-.6552.015565-.0149-.626055zm-.1135-4.775527.0936 3.938353-.6552.01557-.0936-3.938357zm-4.1313-.043009 1.2711 1.842556.4938-.380418.0473-1.40095.655.022114-.1824 5.400036-.655-.022114.1139-3.3732-1.7929 1.852026-.7678-.025922 1.6546-1.638126-1.6054-2.301924zm-2.2482-.266187c.3929.046413.6759.184949.8491.415603.1732.230655.2384.526763.1957.888346-.0305.257922-.1036.463146-.2194.615674-.1184.154647-.2616.269723-.4294.345229-.1702.075216-.3586.118938-.5654.131181-.2067.012236-.4153.00838-.6256-.011568l-.8803-.089332-.0252.21333c-.0191.1615-.0184.300892.0019.41818.0204.11728.0614.214997.123.293161.0617.078164.1437.13918.2461.183045.0996.045991.2206.077388.3628.094189.1253.014803.2398.018542.3433.011224.1032-.004918.1951-.027068.2755-.066447.0801-.036975.1479-.093737.2034-.170282.0552-.074135.0973-.171817.1263-.293046l.6725.14177c-.0424.151426-.1048.287025-.1874.406817-.0829.122189-.1913.223031-.3254.30252-.1364.079205-.3004.133149-.492.161848-.1943.030819-.424.030565-.6892-.000754-.4917-.058093-.8484-.215095-1.0699-.471007-.2218-.253515-.3075-.593595-.2571-1.020254l.1991-1.68495c.0227-.192842.0147-.341669-.0243-.446478-.0392-.102399-.1299-.161998-.2722-.1788-.0361-.004273-.0726-.006133-.1093-.005581-.0367.000545-.0724.002448-.107.005692l.0479-.40497c.0842-.009597.1679-.01438.251-.014345.0806-.000241.1668.005043.2584.015866.1229.014523.2271.04272.3126.084592.0828.043997.1481.101812.1958.173444.0475.074042.08.160985.0975.260823.0173.102249.0218.218888.0137.349905l.0217.002565c.0847-.117093.1752-.221273.2716-.312546.0939-.091563.2005-.166949.32-.226169.1191-.056802.2521-.09609.3988-.11786.1444-.02205.3082-.022257.4914-.000615m-.2059.470617c-.2073-.024492-.3925-.008483-.5556.048016-.1658.058628-.3063.141024-.4215.247177-.1176.105872-.21.225719-.2771.359551-.0672.133829-.1083.264625-.1234.392381l-.038.321803.714.069681c.1594.016383.3127.022271.4599.017661.1445-.002486.2745-.02745.3901-.074896.1156-.047455.2124-.121573.2903-.222354.0755-.101071.1236-.239588.1444-.415557.025-.212122-.0123-.38273-.1119-.511815-.102-.129374-.2591-.206592-.4712-.231648m-5.1668-1.284297-.5634 2.433285c-.0433.186807-.0676.345613-.073.476425-.0053.1308.0116.240609.0508.329424.0364.090628.0959.161717.1786.213264.0822.053914.1883.095929.3184.126045.1348.03121.2629.032214.3842.003019.1209-.026836.2321-.082061.3336-.165673.0987-.081797.1866-.192253.2636-.33137.0742-.137304.1334-.301729.1778-.493267l.515-2.224002.6349.147022-.699 3.018544c-.0186.080401-.0368.164616-.0547.252663-.0209.089853-.0391.174077-.0548.25266-.0163.080946-.0298.150067-.0406.207374-.0107.057297-.0169.094496-.0183.1116l-.603-.139628c.0004-.012373.0054-.04485.0151-.097417.0096-.052572.0212-.113419.0348-.18254.0106-.067313.0229-.13671.037-.20819.0135-.06913.0257-.127343.0367-.17463l-.0107-.002461c-.0825.097993-.1672.184252-.2543.258787-.087.074522-.1813.132393-.2831.173623-.1046.043032-.2175.067964-.3387.074792-.1241.008637-.2618-.004567-.4131-.039608-.2909-.067355-.5069-.178405-.6479-.333149-.1434-.155296-.219-.367121-.2266-.635476l-.0106-.002466c-.0825.097998-.1696.183712-.2614.257147-.0917.073432-.192.129932-.3009.169519-.1093.041941-.227.065773-.3529.071506-.1264.008088-.2653-.005387-.4166-.040428-.194-.044905-.3546-.10952-.4821-.193849-.1298-.084881-.2271-.192108-.2918-.321692-.0646-.129588-.0983-.28562-.1009-.468097-.0031-.180116.0227-.388406.0775-.624874l.5922-2.557431.6313.146202-.5634 2.43328c-.0433.186812-.0676.345618-.073.476425-.0053.130805.0116.240614.0508.329423.0363.090633.0959.161723.1786.213273.0822.053907.1883.095922.3184.126042.1348.03121.2626.0334.3834.006567.1203-.024472.2309-.07733.332-.158578.0986-.081797.1865-.192258.2636-.331372.0747-.13967.1347-.30764.1802-.503908l.515-2.224002zm-3.9596-1.071682-.2473.758044-.675-.220175.2473-.758049zm-5.6245.006944c.2565-.639859.5883-1.059927.9955-1.260201.4072-.200282.8788-.192951 1.415.021984.2546.102056.4668.231569.6367.388547.1698.156977.2929.342322.3694.556025.0742.2128.1011.452386.0806.718751-.0236.267717-.1.562669-.2292.884851-.5057 1.261681-1.3049 1.673519-2.3977 1.235518-.2838-.113796-.5125-.251208-.6859-.412245-.1757-.161947-.2972-.347959-.3647-.55805-.0697-.210995-.0887-.44742-.0569-.70927.0317-.261858.1108-.550492.2372-.86591m.6388.256028c-.1138.283879-.1852.527221-.2142.730034-.0313.201903-.0262.375214.0151.519928.0392.143814.111.261508.2155.353087.1036.093822.232.171443.3852.232859.1554.06231.3057.095098.4509.09836.1419.004608.2794-.031802.4125-.109226.1321-.075184.2588-.195656.3802-.361436.1191-.16669.2342-.38859.3453-.665709.1138-.283879.1834-.529253.2088-.736122.0245-.204613.016-.37928-.0253-.523995-.0437-.145617-.115-.264441-.2141-.356463-.1014-.092923-.2219-.167383-.3616-.223378-.1554-.062309-.3048-.097352-.4481-.10512-.1443-.005513-.2824.029318-.4146.104491-.1321.07518-.2593.196783-.3815.364816-.1223.168038-.2403.393995-.3541.677874m-.6532-2.458536-1.3192 2.718811c-.036.074247-.0715.150118-.1064.22761-.0381.078613-.0736.154486-.1064.227609-.0327.073124-.0634.141881-.0919.206275-.0286.064385-.054.12222-.0761.173517l-.5569-.270198c.0222-.051292.0481-.110223.0777-.176792.0263-.065455.0549-.132556.0855-.201313.0285-.069813.0581-.136387.0888-.199716.0275-.06221.0519-.115149.073-.158826l-.0131-.006357c-.1071.11526-.2075.210902-.301.286923-.0968.07714-.1923.132016-.2863.164616-.0951.034784-.1938.046274-.296.034466-.1032-.009632-.2171-.044644-.3416-.105041-.048-.023314-.0917-.049932-.1312-.079855-.0405-.027748-.0711-.05072-.092-.068924l.2623-.540489c.034.02999.0761.059886.1264.089686.0493.031979.1066.063866.1721.095656.1354.065688.266.091275.3918.076755.1235-.015584.2424-.063135.3565-.142656.1109-.078398.2171-.18605.3186-.322953.1004-.134722.1936-.290528.2794-.467413l.8964-1.847486zm-2.7472-3.1727c.1956.11265.3576.23256.486.359738.1285.127181.2245.259516.2882.397013.0649.135397.1013.274012.1093.415839.0079.141835-.0097.284328-.053.427494l-.6183-.24683c.053-.179559.0396-.348351-.0403-.506381-.0807-.161334-.2263-.302572-.4366-.423699-.1283-.073889-.2554-.123236-.3811-.148044-.1258-.024804-.2485-.018434-.3682.019097-.1184.03544-.2339.104751-.3466.207939-.1126.103193-.221.245236-.3252.426135l-.3161.548996.0063.003633c.0917-.062014.1921-.114815.3013-.15841.1058-.0427.2215-.068504.347-.077422.1235-.010131.2551-.000203.3946.029761.1384.032078.2833.091719.4348.178928.2167.124765.3822.267721.4967.428872.1111.162042.1744.344101.1896.546167.0132.200852-.0188.421885-.0961.663084-.0806.242091-.2026.505119-.3662.78908-.1574.273448-.3212.506832-.4914.700159-.1722.192105-.3524.334815-.5406.428122-.1915.094198-.3913.134624-.5992.121292-.2113-.01245-.4337-.085897-.6672-.220346-.2419-.139298-.4191-.315562-.5316-.52879-.1158-.21234-.1634-.448383-.1426-.708134l-.0063-.003633c-.0303.052582-.0653.110874-.1049.17487-.0418.062785-.0801.121967-.1149.17755-.0381.056472-.0714.10453-.0998.144179-.0284.039646-.0466.061411-.0544.065305l-.5396-.3107c.0131-.017715.0339-.049107.0627-.094171.0275-.042962.0605-.095389.099-.157283.0384-.061892.0811-.131144.128-.207763.0436-.075723.089-.154601.1363-.236634l1.5026-2.609321c.2749-.477476.5992-.768282.9729-.872414.3728-.10744.8011-.021871 1.2849.256722m-2.6197 2.550052c-.1369.23769-.2275.455813-.2718.654373-.0476.199446-.0602.377032-.0379.532764.0224.155724.0737.29032.154.403792.0782.112255.1741.201087.2877.266501.1452.083572.2848.130406.4191.140484.1321.00887.2644-.021397.3968-.090802.1291-.068514.2595-.178272.3913-.32927.1284-.150111.2605-.342954.3961-.578538.1418-.246102.2453-.462375.3106-.648823.0621-.185554.0891-.349239.0812-.491071-.008-.141827-.0508-.264506-.1284-.368029-.0776-.103527-.188-.196474-.331-.278837-.1136-.065409-.238-.104811-.3731-.118212-.1372-.014605-.2793.005848-.4261.061357s-.2943.151211-.4426.287098-.2902.321629-.4259.557213" fill="#fff"/>
+      <path d="m4056.7725 1480.6669c0 579.9083-470.6503 1050.5586-1050.5586 1050.5586-579.9084 0-1050.5586-470.6503-1050.5586-1050.5586 0-579.90837 470.6502-1050.55862 1050.5586-1050.55862 579.9083 0 1050.5586 470.65025 1050.5586 1050.55862z" style="opacity:.3;fill:none;stroke:#fff;stroke-width:9.774646;stroke-linecap:round;stroke-linejoin:round;filter:url(#g)" transform="matrix(.05674937 0 0 .056649 -2291.1082 -96.892916)"/>
+      <path d="m587.9088 485.6666c0 80.85261-65.61951 146.47212-146.47212 146.47212-80.85262 0-146.47213-65.61951-146.47213-146.47212 0-80.85262 65.61951-146.47213 146.47213-146.47213 80.85261 0 146.47212 65.61951 146.47212 146.47213z" fill="url(#o)" fill-rule="evenodd" opacity=".6" transform="matrix(.2879784 -.01682102 -.01682102 -.2879784 -2238.8955 133.27137)"/>
+    </g>
+  </g>
+  <g transform="translate(53.74013 .000004)"/>
+</svg>
diff --git a/dashy/icons-temp/financial-services.svg b/dashy/icons-temp/financial-services.svg
new file mode 100644
index 0000000..0d20d8a
--- /dev/null
+++ b/dashy/icons-temp/financial-services.svg
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg fill="#000000" width="800px" height="800px" viewBox="0 0 1024 1024" xmlns="http://www.w3.org/2000/svg"><path d="M385.707 436.152c0-35.468-75.779-71.68-172.37-71.68-96.6 0-172.38 36.211-172.38 71.68s75.78 71.68 172.38 71.68c96.591 0 172.37-36.212 172.37-71.68zm40.96 0c0 66.334-96.901 112.64-213.33 112.64-116.438 0-213.34-46.305-213.34-112.64s96.903-112.64 213.34-112.64c116.429 0 213.33 46.306 213.33 112.64zm-40.96 371.371c0 35.468-75.779 71.68-172.37 71.68-96.6 0-172.38-36.211-172.38-71.68H-.003c0 66.335 96.903 112.64 213.34 112.64 116.429 0 213.33-46.306 213.33-112.64h-40.96zm0-124.928c0 35.468-75.779 71.68-172.37 71.68-96.6 0-172.38-36.211-172.38-71.68H-.003c0 66.335 96.903 112.64 213.34 112.64 116.429 0 213.33-46.306 213.33-112.64h-40.96zm0-122.88c0 35.468-75.779 71.68-172.37 71.68-96.6 0-172.38-36.211-172.38-71.68H-.003c0 66.335 96.903 112.64 213.34 112.64 116.429 0 213.33-46.306 213.33-112.64h-40.96z"/><path d="M0 436.152v374.784c0 11.311 9.169 20.48 20.48 20.48s20.48-9.169 20.48-20.48V436.152c0-11.311-9.169-20.48-20.48-20.48S0 424.841 0 436.152zm385.707 0V806.84c0 11.311 9.169 20.48 20.48 20.48s20.48-9.169 20.48-20.48V436.152c0-11.311-9.169-20.48-20.48-20.48s-20.48 9.169-20.48 20.48zm566.335 443.051c16.962 0 30.72-13.758 30.72-30.72V184.317c0-16.962-13.758-30.72-30.72-30.72H546.405c-16.962 0-30.72 13.758-30.72 30.72v664.166c0 16.962 13.758 30.72 30.72 30.72h405.637zm0 40.96H546.405c-39.583 0-71.68-32.097-71.68-71.68V184.317c0-39.583 32.097-71.68 71.68-71.68h405.637c39.583 0 71.68 32.097 71.68 71.68v664.166c0 39.583-32.097 71.68-71.68 71.68z"/><path d="M892.446 293.421H606.002v60.652h286.444v-60.652zm10.24 101.612H595.762c-16.963 0-30.72-13.757-30.72-30.72v-81.132c0-16.963 13.757-30.72 30.72-30.72h306.924c16.963 0 30.72 13.757 30.72 30.72v81.132c0 16.963-13.757 30.72-30.72 30.72zM653.265 503.018c0 18.708-15.165 33.864-33.874 33.864-18.698 0-33.864-15.155-33.864-33.864s15.165-33.864 33.864-33.864c18.708 0 33.874 15.155 33.874 33.864zm129.831 0c0 18.708-15.165 33.864-33.864 33.864-18.708 0-33.874-15.155-33.874-33.864s15.165-33.864 33.874-33.864c18.698 0 33.864 15.155 33.864 33.864zm129.83-2.822c0 18.708-15.165 33.864-33.874 33.864-18.698 0-33.864-15.155-33.864-33.864s15.165-33.874 33.864-33.874c18.708 0 33.874 15.165 33.874 33.874zM653.265 624.382c0 18.708-15.165 33.864-33.874 33.864-18.698 0-33.864-15.155-33.864-33.864s15.165-33.874 33.864-33.874c18.708 0 33.874 15.165 33.874 33.874zm129.831 0c0 18.708-15.165 33.864-33.864 33.864-18.708 0-33.874-15.155-33.874-33.864s15.165-33.874 33.874-33.874c18.698 0 33.864 15.165 33.864 33.874zm129.83 0c0 18.708-15.165 33.864-33.874 33.864-18.698 0-33.864-15.155-33.864-33.864s15.165-33.874 33.864-33.874c18.708 0 33.874 15.165 33.874 33.874zM653.265 748.568c0 18.708-15.165 33.864-33.874 33.864-18.698 0-33.864-15.155-33.864-33.864s15.165-33.874 33.864-33.874c18.708 0 33.874 15.165 33.874 33.874zm129.831 0c0 18.708-15.165 33.864-33.864 33.864-18.708 0-33.874-15.155-33.874-33.864s15.165-33.874 33.874-33.874c18.698 0 33.864 15.165 33.864 33.874zm129.83 0c0 18.708-15.165 33.864-33.874 33.864-18.698 0-33.864-15.155-33.864-33.864s15.165-33.874 33.864-33.874c18.708 0 33.874 15.165 33.874 33.874z"/></svg>
\ No newline at end of file
diff --git a/dashy/icons-temp/gaming.svg b/dashy/icons-temp/gaming.svg
new file mode 100644
index 0000000..c792bc3
--- /dev/null
+++ b/dashy/icons-temp/gaming.svg
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg fill="#000000" version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" 
+	 width="800px" height="800px" viewBox="0 0 92 92" enable-background="new 0 0 92 92" xml:space="preserve">
+<path id="XMLID_1173_" d="M60.8,30.9c0.8,0.8,1.3,2,1.3,3.2c0,1.2-0.5,2.3-1.3,3.2c-0.8,0.8-2,1.3-3.2,1.3c-1.2,0-2.4-0.5-3.2-1.3
+	c-0.8-0.8-1.3-2-1.3-3.2s0.5-2.3,1.3-3.2c0.8-0.8,2-1.3,3.2-1.3C58.8,29.6,60,30.1,60.8,30.9z M67.8,37.2c-1.2,0-2.3,0.5-3.2,1.3
+	c-0.8,0.8-1.3,2-1.3,3.2c0,1.2,0.5,2.4,1.3,3.2c0.8,0.8,2,1.3,3.2,1.3c1.2,0,2.4-0.5,3.2-1.3c0.8-0.8,1.3-2,1.3-3.2
+	c0-1.2-0.5-2.3-1.3-3.2C70.2,37.7,69,37.2,67.8,37.2z M33.8,35H31v-2.6c0-1.4-1.1-2.5-2.5-2.5S26,31,26,32.4V35h-2.6
+	c-1.4,0-2.5,1.1-2.5,2.5s1.1,2.5,2.5,2.5H26v2.6c0,1.4,1.1,2.5,2.5,2.5S31,44,31,42.6V40h2.8c1.4,0,2.5-1.1,2.5-2.5S35.2,35,33.8,35
+	z M92,66.1c0,4.3-2.4,7.8-6.2,9.3c-3.8,1.4-9.8,0.8-15.2-5.3c-2.6-3-7-8.4-9.4-11.4c-12.8,3-25,1.1-30.3,0c-2.4,3-6.8,8.4-9.4,11.4
+	c-3.9,4.4-8.1,6-11.6,6c-1.4,0-2.6-0.2-3.7-0.6c-3.8-1.4-6.2-5-6.2-9.3c0-11.8,7.6-30.3,10-35.8c-0.8-2.8-0.5-5.7,1-8.3
+	c1.9-3.3,5.3-5.8,8.3-6c2.6-0.2,6.1,1.3,8.4,2.4c4.5-0.8,18.7-2.9,36.6,0c2.2-1.1,5.8-2.6,8.4-2.4c2.9,0.2,6.4,2.7,8.3,6
+	c1.5,2.6,1.9,5.5,1,8.3C84.4,35.8,92,54.3,92,66.1z M84,66.1c0-11.9-9.9-33.9-10-34.1c-0.5-1.1-0.5-2.4,0.1-3.5
+	c0.4-0.8,0.4-1.5,0.1-2.2c-0.5-1.2-1.7-2.1-2.2-2.3c-0.9,0.1-3.3,1.1-5.2,2.1c-0.8,0.4-1.7,0.6-2.6,0.4c-20.5-3.6-36.2-0.1-36.3,0
+	c-0.9,0.2-1.9,0.1-2.8-0.4c-1.9-1-4.3-2-5.2-2.1c-0.5,0.3-1.7,1.1-2.2,2.3c-0.3,0.8-0.3,1.4,0.1,2.2c0.5,1.1,0.6,2.4,0.1,3.5
+	C17.9,32.2,8,54.2,8,66.1c0,0.9,0.4,1.5,1,1.8c1.4,0.5,3.9-0.3,6.4-3.1c3.5-4,10.7-13,10.8-13.1c1-1.3,2.7-1.8,4.2-1.3
+	c0.2,0,15.8,4.4,31.1,0c0.4-0.1,0.7-0.2,1.1-0.2c1.2,0,2.4,0.5,3.1,1.5c0.1,0.1,7.3,9.1,10.8,13.1c2.5,2.9,5,3.7,6.4,3.1
+	C83.6,67.6,84,67,84,66.1z"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/icons-temp/generic-logo-black-512.png b/dashy/icons-temp/generic-logo-black-512.png
new file mode 100644
index 0000000..c2ed827
Binary files /dev/null and b/dashy/icons-temp/generic-logo-black-512.png differ
diff --git a/dashy/icons-temp/generic-logo-color-shadowed-512.png b/dashy/icons-temp/generic-logo-color-shadowed-512.png
new file mode 100644
index 0000000..aa87382
Binary files /dev/null and b/dashy/icons-temp/generic-logo-color-shadowed-512.png differ
diff --git a/dashy/icons-temp/generic-logo-cyan-512.png b/dashy/icons-temp/generic-logo-cyan-512.png
new file mode 100644
index 0000000..8da1bbf
Binary files /dev/null and b/dashy/icons-temp/generic-logo-cyan-512.png differ
diff --git a/dashy/icons-temp/home.svg b/dashy/icons-temp/home.svg
new file mode 100644
index 0000000..45379a7
--- /dev/null
+++ b/dashy/icons-temp/home.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path fill-rule="evenodd" clip-rule="evenodd" d="M8 0L0 6V8H1V15H4V10H7V15H15V8H16V6L14 4.5V1H11V2.25L8 0ZM9 10H12V13H9V10Z" fill="#000000"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/icons-temp/media-playback.svg b/dashy/icons-temp/media-playback.svg
new file mode 100644
index 0000000..0e8473e
--- /dev/null
+++ b/dashy/icons-temp/media-playback.svg
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg">
+    <path d="m 2 2.5 v 11 c 0 1.5 1.269531 1.492188 1.269531 1.492188 h 0.128907 c 0.246093 0.003906 0.488281 -0.050782 0.699218 -0.171876 l 9.796875 -5.597656 c 0.433594 -0.242187 0.65625 -0.734375 0.65625 -1.226562 c 0 -0.492188 -0.222656 -0.984375 -0.65625 -1.222656 l -9.796875 -5.597657 c -0.210937 -0.121093 -0.453125 -0.175781 -0.699218 -0.175781 h -0.128907 s -1.269531 0 -1.269531 1.5 z m 0 0" fill="#2e3436"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/icons-temp/media.svg b/dashy/icons-temp/media.svg
new file mode 100644
index 0000000..20dcd1c
--- /dev/null
+++ b/dashy/icons-temp/media.svg
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg fill="#000000" height="800px" width="800px" version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" 
+	 viewBox="0 0 512 512" enable-background="new 0 0 512 512" xml:space="preserve">
+<path d="M244.4,69.8L174.5,0h-58.2l69.8,69.8H244.4z M395.6,69.8L325.8,0h-58.2l69.8,69.8H395.6z M418.9,0l69.8,69.8H512V0H418.9z
+	 M418.9,162.9h-93.1l69.8-69.8h-58.2l-69.8,69.8h-93.1l69.8-69.8h-58.2l-69.8,69.8H23.3l69.8-69.8H0v372.4
+	C0,491.1,20.9,512,46.5,512h418.9c25.7,0,46.5-20.9,46.5-46.5V93.1h-23.3L418.9,162.9z M23.3,0H0v69.8h93.1L23.3,0z"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/icons-temp/mediaelch.png b/dashy/icons-temp/mediaelch.png
new file mode 100644
index 0000000..f807743
Binary files /dev/null and b/dashy/icons-temp/mediaelch.png differ
diff --git a/dashy/icons-temp/music.svg b/dashy/icons-temp/music.svg
new file mode 100644
index 0000000..6617c47
--- /dev/null
+++ b/dashy/icons-temp/music.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M15 1H4V9H3C1.34315 9 0 10.3431 0 12C0 13.6569 1.34315 15 3 15C4.65685 15 6 13.6569 6 12V5H13V9H12C10.3431 9 9 10.3431 9 12C9 13.6569 10.3431 15 12 15C13.6569 15 15 13.6569 15 12V1Z" fill="#000000"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/icons-temp/network.svg b/dashy/icons-temp/network.svg
new file mode 100644
index 0000000..ba7b330
--- /dev/null
+++ b/dashy/icons-temp/network.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M3 12H21M12 8V12M6.5 12V16M17.5 12V16M10.1 8H13.9C14.4601 8 14.7401 8 14.954 7.89101C15.1422 7.79513 15.2951 7.64215 15.391 7.45399C15.5 7.24008 15.5 6.96005 15.5 6.4V4.6C15.5 4.03995 15.5 3.75992 15.391 3.54601C15.2951 3.35785 15.1422 3.20487 14.954 3.10899C14.7401 3 14.4601 3 13.9 3H10.1C9.53995 3 9.25992 3 9.04601 3.10899C8.85785 3.20487 8.70487 3.35785 8.60899 3.54601C8.5 3.75992 8.5 4.03995 8.5 4.6V6.4C8.5 6.96005 8.5 7.24008 8.60899 7.45399C8.70487 7.64215 8.85785 7.79513 9.04601 7.89101C9.25992 8 9.53995 8 10.1 8ZM15.6 21H19.4C19.9601 21 20.2401 21 20.454 20.891C20.6422 20.7951 20.7951 20.6422 20.891 20.454C21 20.2401 21 19.9601 21 19.4V17.6C21 17.0399 21 16.7599 20.891 16.546C20.7951 16.3578 20.6422 16.2049 20.454 16.109C20.2401 16 19.9601 16 19.4 16H15.6C15.0399 16 14.7599 16 14.546 16.109C14.3578 16.2049 14.2049 16.3578 14.109 16.546C14 16.7599 14 17.0399 14 17.6V19.4C14 19.9601 14 20.2401 14.109 20.454C14.2049 20.6422 14.3578 20.7951 14.546 20.891C14.7599 21 15.0399 21 15.6 21ZM4.6 21H8.4C8.96005 21 9.24008 21 9.45399 20.891C9.64215 20.7951 9.79513 20.6422 9.89101 20.454C10 20.2401 10 19.9601 10 19.4V17.6C10 17.0399 10 16.7599 9.89101 16.546C9.79513 16.3578 9.64215 16.2049 9.45399 16.109C9.24008 16 8.96005 16 8.4 16H4.6C4.03995 16 3.75992 16 3.54601 16.109C3.35785 16.2049 3.20487 16.3578 3.10899 16.546C3 16.7599 3 17.0399 3 17.6V19.4C3 19.9601 3 20.2401 3.10899 20.454C3.20487 20.6422 3.35785 20.7951 3.54601 20.891C3.75992 21 4.03995 21 4.6 21Z" stroke="#000000" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/icons-temp/photos.svg b/dashy/icons-temp/photos.svg
new file mode 100644
index 0000000..58a8799
--- /dev/null
+++ b/dashy/icons-temp/photos.svg
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg fill="#000000" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"  width="800px"
+	 height="800px" viewBox="0 0 31.06 32.001" xml:space="preserve">
+<g id="photos">
+	<path d="M29.341,11.405L13.213,7.383c-1.21-0.301-2.447,0.441-2.748,1.652L6.443,25.163c-0.303,1.211,0.44,2.445,1.65,2.748
+		l16.127,4.023c1.21,0.301,2.447-0.443,2.748-1.652l4.023-16.127C31.293,12.944,30.551,11.708,29.341,11.405z M28.609,14.338
+		l-2.926,11.731c-0.1,0.402-0.513,0.65-0.915,0.549l-14.662-3.656c-0.403-0.1-0.651-0.512-0.551-0.916l2.926-11.729
+		c0.1-0.404,0.513-0.65,0.916-0.551l14.661,3.658C28.462,13.522,28.71,13.936,28.609,14.338z"/>
+	<circle cx="15.926" cy="13.832" r="2.052"/>
+	<path d="M22.253,16.813c-0.136-0.418-0.505-0.51-0.82-0.205l-2.943,2.842c-0.315,0.303-0.759,0.244-0.985-0.133l-0.471-0.781
+		c-0.227-0.377-0.719-0.5-1.095-0.273l-4.782,2.852c-0.377,0.225-0.329,0.469,0.096,0.576l3.099,0.771
+		c0.426,0.107,1.122,0.281,1.549,0.389l3.661,0.912c0.426,0.105,1.123,0.279,1.549,0.385l3.098,0.773
+		c0.426,0.107,0.657-0.121,0.521-0.539L22.253,16.813z"/>
+	<path d="M2.971,7.978l14.098-5.439c0.388-0.149,0.828,0.045,0.977,0.432l1.506,3.933l2.686,0.67l-2.348-6.122
+		c-0.449-1.163-1.768-1.748-2.931-1.299L1.45,6.133C0.287,6.583-0.298,7.902,0.151,9.065L5.156,22.06l0.954-3.827L2.537,8.954
+		C2.389,8.565,2.583,8.126,2.971,7.978z"/>
+</g>
+<g id="Layer_1">
+</g>
+</svg>
\ No newline at end of file
diff --git a/dashy/icons-temp/policeman.svg b/dashy/icons-temp/policeman.svg
new file mode 100644
index 0000000..87419ab
--- /dev/null
+++ b/dashy/icons-temp/policeman.svg
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg fill="#000000" version="1.1" id="Capa_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" 
+	 width="800px" height="800px" viewBox="0 0 459.934 459.934"
+	 xml:space="preserve">
+<g>
+	<g>
+		<polygon points="316.348,17.225 281.897,0 178.545,0 144.094,17.225 144.094,51.676 316.348,51.676 		"/>
+		<path d="M230.221,178.233c47.572,0,86.127-38.555,86.127-86.128c0-5.958,0-17.226,0-17.226H144.094
+			c-1.143,5.599,0,11.267,0,17.226C144.094,139.677,182.649,178.233,230.221,178.233z"/>
+		<polygon points="313.568,196.977 146.363,196.977 112.623,230.718 112.623,428.478 328.846,212.254 		"/>
+		<polygon points="347.311,241.507 128.885,459.934 347.311,459.934 		"/>
+	</g>
+</g>
+</svg>
\ No newline at end of file
diff --git a/dashy/icons-temp/root.png b/dashy/icons-temp/root.png
new file mode 100644
index 0000000..3d4a1cb
Binary files /dev/null and b/dashy/icons-temp/root.png differ
diff --git a/dashy/icons-temp/security.svg b/dashy/icons-temp/security.svg
new file mode 100644
index 0000000..c803155
--- /dev/null
+++ b/dashy/icons-temp/security.svg
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg">
+    <path d="m 2 0 c -0.550781 0 -1 0.449219 -1 1 v 8 c 0 2.5 1.816406 4.246094 3.445312 5.332031 c 1.628907 1.085938 3.238282 1.617188 3.238282 1.617188 c 0.207031 0.070312 0.425781 0.070312 0.632812 0 c 0 0 1.609375 -0.53125 3.238282 -1.617188 c 1.628906 -1.085937 3.445312 -2.832031 3.445312 -5.332031 v -8 c 0 -0.550781 -0.449219 -1 -1 -1 z m 1 2 h 10 v 7 c 0 1.5 -1.183594 2.753906 -2.554688 3.667969 c -1.214843 0.808593 -2.179687 1.128906 -2.445312 1.226562 c -0.265625 -0.097656 -1.230469 -0.417969 -2.445312 -1.226562 c -1.371094 -0.914063 -2.554688 -2.167969 -2.554688 -3.667969 z m 1 1 v 6 c 0 1 0.867188 2.007812 2.109375 2.835938 c 0.933594 0.621093 1.472656 0.785156 1.890625 0.949218 v -9.785156 z m 0 0" fill="#2e3436"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/icons-temp/sheetable.jpeg b/dashy/icons-temp/sheetable.jpeg
new file mode 100644
index 0000000..e618949
Binary files /dev/null and b/dashy/icons-temp/sheetable.jpeg differ
diff --git a/dashy/icons-temp/sheetable.png b/dashy/icons-temp/sheetable.png
new file mode 100644
index 0000000..d17d177
Binary files /dev/null and b/dashy/icons-temp/sheetable.png differ
diff --git a/dashy/icons-temp/shield-user.svg b/dashy/icons-temp/shield-user.svg
new file mode 100644
index 0000000..82fa67d
--- /dev/null
+++ b/dashy/icons-temp/shield-user.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path fill-rule="evenodd" clip-rule="evenodd" d="M3 10.4167C3 7.21907 3 5.62028 3.37752 5.08241C3.75503 4.54454 5.25832 4.02996 8.26491 3.00079L8.83772 2.80472C10.405 2.26824 11.1886 2 12 2C12.8114 2 13.595 2.26824 15.1623 2.80472L15.7351 3.00079C18.7417 4.02996 20.245 4.54454 20.6225 5.08241C21 5.62028 21 7.21907 21 10.4167V11.9914C21 17.6294 16.761 20.3655 14.1014 21.5273C13.38 21.8424 13.0193 22 12 22C10.9807 22 10.62 21.8424 9.89856 21.5273C7.23896 20.3655 3 17.6294 3 11.9914V10.4167ZM14 9C14 10.1046 13.1046 11 12 11C10.8954 11 10 10.1046 10 9C10 7.89543 10.8954 7 12 7C13.1046 7 14 7.89543 14 9ZM12 17C16 17 16 16.1046 16 15C16 13.8954 14.2091 13 12 13C9.79086 13 8 13.8954 8 15C8 16.1046 8 17 12 17Z" fill="#1C274C"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/icons-temp/software-development.png b/dashy/icons-temp/software-development.png
new file mode 100644
index 0000000..f44be46
Binary files /dev/null and b/dashy/icons-temp/software-development.png differ
diff --git a/dashy/icons-temp/software-development.psd b/dashy/icons-temp/software-development.psd
new file mode 100644
index 0000000..a39f6e0
Binary files /dev/null and b/dashy/icons-temp/software-development.psd differ
diff --git a/dashy/icons-temp/songkong.jpeg b/dashy/icons-temp/songkong.jpeg
new file mode 100644
index 0000000..d6add58
Binary files /dev/null and b/dashy/icons-temp/songkong.jpeg differ
diff --git a/dashy/icons-temp/songkong.png b/dashy/icons-temp/songkong.png
new file mode 100644
index 0000000..fecd58d
Binary files /dev/null and b/dashy/icons-temp/songkong.png differ
diff --git a/dashy/icons-temp/static-web-server.png b/dashy/icons-temp/static-web-server.png
new file mode 100644
index 0000000..0daeb08
Binary files /dev/null and b/dashy/icons-temp/static-web-server.png differ
diff --git a/dashy/icons-temp/static-web-server.psd b/dashy/icons-temp/static-web-server.psd
new file mode 100644
index 0000000..a42b588
Binary files /dev/null and b/dashy/icons-temp/static-web-server.psd differ
diff --git a/dashy/icons-temp/traffic-cone.svg b/dashy/icons-temp/traffic-cone.svg
new file mode 100644
index 0000000..d04ea31
--- /dev/null
+++ b/dashy/icons-temp/traffic-cone.svg
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M22 20h-3.278l-1.014-3.646c-.081.043-.17.076-.265.095-1.758.364-3.576.551-5.443.551-1.868 0-3.767-.197-5.564-.571a.999.999 0 0 1-.153-.045L5.278 20H2a1 1 0 1 0 0 2h20a1 1 0 1 0 0-2ZM6.817 14.466l.027.005C8.507 14.817 10.268 15 12 15c1.733 0 3.415-.173 5.037-.51a.995.995 0 0 1 .148-.019l-1.087-3.912a1.001 1.001 0 0 1-.275.094A20.875 20.875 0 0 1 12 11a21.351 21.351 0 0 1-4.108-.404l-1.075 3.87ZM8.43 8.665A19.33 19.33 0 0 0 12 9c1.181 0 2.34-.105 3.457-.313.039-.007.077-.012.116-.015L14.16 3.59a.801.801 0 0 0-.77-.59h-2.78c-.36 0-.67.24-.77.59L8.43 8.665Z" fill="#000000"/></svg>
\ No newline at end of file
diff --git a/dashy/icons-temp/video-camera.svg b/dashy/icons-temp/video-camera.svg
new file mode 100644
index 0000000..e7b8f45
--- /dev/null
+++ b/dashy/icons-temp/video-camera.svg
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M10 3H0V13H10V3Z" fill="#000000"/>
+<path d="M15 3L12 6V10L15 13H16V3H15Z" fill="#000000"/>
+</svg>
\ No newline at end of file
diff --git a/dashy/icons-temp/web-server.svg b/dashy/icons-temp/web-server.svg
new file mode 100644
index 0000000..2636aea
--- /dev/null
+++ b/dashy/icons-temp/web-server.svg
@@ -0,0 +1 @@
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 98.54 122.88"><title>web-server</title><path d="M89,67.53h0c.21-.44.4-.87.58-1.28l.07-.14c.27-.64.53-1.29.76-1.94s.47-1.32.67-2h0c.21-.67.4-1.35.57-2s.33-1.39.47-2.09.21-1.12.29-1.65.17-1.09.24-1.67h0c.06-.49.11-1,.16-1.5s.06-.81.08-1.21H80.83a39,39,0,0,1-.52,4.7c-.1.62-.22,1.23-.36,1.84H74.27c.17-.68.32-1.37.46-2.06A33.59,33.59,0,0,0,75.28,52H52v6.51H46.49V52H23.25a33.64,33.64,0,0,0,.57,4.45c.13.69.28,1.38.46,2.06h-5.7c-.13-.61-.25-1.23-.36-1.85A40.5,40.5,0,0,1,17.7,52H5.64l.09,1.2c0,.53.1,1,.16,1.53s.14,1.12.23,1.66.18,1.08.29,1.64v0c.14.68.29,1.38.47,2.07s.37,1.39.58,2.06.44,1.36.69,2,.52,1.33.8,2v0l.55,1.24V78.47c-.39-.52-.76-1.06-1.11-1.6s-.87-1.32-1.28-2S6.35,73.51,6,72.8s-.74-1.41-1.09-2.13-.69-1.46-1-2.19S3.25,67,3,66.21s-.55-1.54-.79-2.32-.46-1.56-.65-2.33S1.14,60,1,59.17.67,57.54.55,56.74.33,55.13.25,54.3.1,52.63.06,51.79,0,50.1,0,49.27a49,49,0,0,1,.25-5Q.37,43,.55,41.8c.12-.79.26-1.6.43-2.43s.33-1.56.52-2.34.42-1.55.65-2.32.49-1.52.77-2.27.56-1.48.87-2.21l.07-.17,0-.06c.31-.73.64-1.45,1-2.16S5.59,26.42,6,25.73s.78-1.4,1.19-2.06.82-1.34,1.26-2,.87-1.28,1.34-1.91.94-1.24,1.44-1.84,1-1.21,1.55-1.8S13.84,15,14.4,14.39l0,0c.55-.55,1.11-1.09,1.68-1.61s1.16-1,1.78-1.54,1.23-1,1.85-1.44l0,0c.64-.47,1.28-.91,1.91-1.33s1.33-.87,2-1.28S25,6.34,25.74,6s1.4-.74,2.13-1.09,1.45-.68,2.19-1h0q1.13-.5,2.25-.9c.76-.28,1.53-.55,2.32-.79s1.56-.46,2.34-.66,1.57-.38,2.38-.54h0C40.19.81,41,.67,41.8.55s1.61-.22,2.44-.3S45.91.1,46.74.06,48.43,0,49.27,0a49.14,49.14,0,0,1,5,.25q1.24.12,2.46.3c.79.12,1.6.26,2.43.43s1.56.33,2.34.52,1.55.42,2.32.65,1.52.49,2.27.77,1.48.56,2.22.88a.88.88,0,0,1,.22.1c.7.3,1.4.62,2.11,1s1.42.72,2.1,1.09h0c.7.38,1.39.78,2.06,1.19h0c.69.41,1.36.84,2,1.27s1.27.87,1.9,1.33,1.24.95,1.85,1.45,1.2,1,1.79,1.55,1.18,1.09,1.73,1.64l0,0c.55.54,1.09,1.1,1.61,1.68s1,1.17,1.54,1.78,1,1.21,1.44,1.85.92,1.28,1.36,1.94h0c.45.66.87,1.33,1.27,2s.8,1.36,1.19,2.07.73,1.4,1.08,2.12.69,1.47,1,2.2.63,1.5.91,2.27.54,1.54.79,2.32.46,1.56.66,2.34.38,1.57.54,2.38.31,1.61.43,2.41.22,1.62.3,2.46.14,1.67.19,2.5.06,1.69.06,2.53,0,1.68-.06,2.52-.11,1.66-.19,2.49-.18,1.66-.3,2.46v0c-.12.79-.27,1.59-.43,2.4s-.33,1.57-.52,2.35-.42,1.55-.65,2.32-.5,1.52-.77,2.27-.57,1.48-.88,2.21a.82.82,0,0,1-.11.23c-.3.73-.63,1.45-1,2.16s-.71,1.42-1.08,2.11-.79,1.4-1.19,2.06-.83,1.34-1.26,2-.73,1.07-1.12,1.6V67.53ZM78.17,68.74H21.82A1.27,1.27,0,0,0,20.5,70V85.77a1.33,1.33,0,0,0,1.32,1.32H78.17a1.33,1.33,0,0,0,1.32-1.32V70a1.26,1.26,0,0,0-1.32-1.29Zm-42,44.92v9.22H28.57v-9.22Zm35.3,0v9.22H63.87v-9.22ZM68.56,74.35a3.94,3.94,0,1,1-3.94,3.93,3.93,3.93,0,0,1,3.94-3.93Zm9.61,17H21.82a1.27,1.27,0,0,0-1.32,1.29v15.74a1.33,1.33,0,0,0,1.32,1.32H78.17a1.33,1.33,0,0,0,1.32-1.32V92.63a1.26,1.26,0,0,0-1.32-1.29Zm-52,4.88h3.3v8.56h-3.3V96.22Zm9.15,0h3.31v8.56H35.27V96.22Zm9.15,0h3.31v8.56H44.42V96.22Zm-18.3-22.6h3.3v8.56h-3.3V73.62Zm9.15,0h3.31v8.56H35.27V73.62Zm9.15,0h3.31v8.56H44.42V73.62ZM5.63,46.49H17.82a39.31,39.31,0,0,1,.68-4.62,45,45,0,0,1,1.33-4.93v0a49.35,49.35,0,0,1,1.89-4.81q1-2.19,2.22-4.38H11.2c-.18.31-.35.62-.51.92s-.39.74-.58,1.13h0c-.2.41-.4.81-.58,1.22s-.38.84-.55,1.25l0,.08,0,.07c-.27.65-.52,1.29-.76,1.94s-.46,1.32-.67,2-.4,1.35-.57,2.05-.33,1.38-.47,2.08-.21,1.12-.3,1.65-.16,1.1-.23,1.67-.12,1-.16,1.51-.07.81-.09,1.2Zm9.24-24.32h12.6Q29,20.06,30.65,18c1.17-1.46,2.41-2.91,3.74-4.36s2.54-2.71,3.91-4.07Q40,7.84,41.85,6.16l-.52.09-.88.16q-1,.21-2.1.48c-.7.18-1.39.37-2.07.58s-1.35.44-2,.69-1.34.52-2,.8-1.35.6-2,.91-1.28.64-1.91,1-1.26.69-1.86,1.06-1.19.73-1.76,1.11-1.16.79-1.72,1.2-1.1.84-1.63,1.28-1.06.89-1.58,1.36-1,.95-1.51,1.45l0,0c-.38.37-.75.75-1.1,1.14s-.73.79-1.08,1.19-.56.66-.83,1l-.41.51Zm41.87-16q1.84,1.68,3.54,3.34,2.05,2,3.89,4.05,2,2.17,3.74,4.36t3.16,4.22H83.65l-.4-.5-.82-1c-.35-.4-.71-.79-1.07-1.19s-.73-.76-1.13-1.16-1-1-1.52-1.45-1-.93-1.57-1.36-1.08-.86-1.64-1.28-1.13-.81-1.71-1.2-1.16-.76-1.76-1.13-1.22-.72-1.84-1.05-1.27-.67-1.91-1-1.3-.61-2-.9l-.15-.09c-.64-.27-1.29-.52-1.94-.75s-1.32-.47-2-.68h0c-.67-.21-1.34-.4-2-.57s-1.38-.33-2.08-.47l-.88-.17-.46-.07Zm30.6,21.52H74.59q1.23,2.18,2.22,4.37a47.57,47.57,0,0,1,1.89,4.85A45.11,45.11,0,0,1,80,41.87a39.31,39.31,0,0,1,.68,4.62H92.9c0-.39-.06-.79-.1-1.2s-.09-1-.15-1.52-.15-1.12-.23-1.66-.18-1.08-.29-1.64v0c-.14-.68-.3-1.37-.47-2.07s-.37-1.39-.58-2.07-.44-1.35-.69-2-.52-1.33-.79-2l0,0c-.17-.41-.36-.82-.55-1.24v0c-.18-.38-.37-.79-.58-1.21S88,29,87.85,28.65s-.33-.62-.51-.93ZM52,9.42V22.17H64.21c-.75-1-1.55-1.92-2.37-2.89q-1.47-1.7-3.09-3.4t-3.46-3.46c-1-1-2.12-2-3.25-3Zm0,18.3V46.49H75.16a35.26,35.26,0,0,0-.73-4.35A39.84,39.84,0,0,0,73,37.4a46.88,46.88,0,0,0-2.14-4.89,54.44,54.44,0,0,0-2.73-4.79ZM46.49,46.49V27.72H30.4q-1.53,2.4-2.74,4.79a46.77,46.77,0,0,0-2.13,4.89,39.84,39.84,0,0,0-1.42,4.74,35.31,35.31,0,0,0-.74,4.35Zm0-24.32V9.42c-1.12,1-2.2,2-3.24,3q-1.81,1.74-3.46,3.47t-3.09,3.4c-.83,1-1.62,1.93-2.37,2.89Z"/></svg>
\ No newline at end of file
diff --git a/dashy/stacks/.dashy.env b/dashy/stacks/.dashy.env
new file mode 100644
index 0000000..804e3e4
--- /dev/null
+++ b/dashy/stacks/.dashy.env
@@ -0,0 +1,7 @@
+
+NODE_ENV=production
+PUID=${PUID}
+PGID=${PGID}
+
+VUE_APP_pihole_ip=${VUE_APP_pihole_ip}
+VUE_APP_pihole_key=${VUE_APP_pihole_key}
\ No newline at end of file
diff --git a/dashy/stacks/.env b/dashy/stacks/.env
new file mode 100644
index 0000000..c3d73c0
--- /dev/null
+++ b/dashy/stacks/.env
@@ -0,0 +1,22 @@
+################################################################
+APPLICATION_NAME=dashy
+
+DOCKERDIR=/mnt/SSD1/docker/
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CERTSDIR=${DATAROOT}/traefik/certs
+
+PUID=3057
+PGID=3058
+DOMAINNAME=sthome.org
+DNS_RESOLVER=sthomeresolver
+
+################################################################
+
+WEBUI_PORT=8080
+
+VUE_APP_pihole_ip=https://pihole.sthome.org
+VUE_APP_pihole_key=48ab5845603098040b5d2455c2600cf14b643424f508d5aa30bb884ac11f55c3
\ No newline at end of file
diff --git a/dashy/stacks/compose.yml b/dashy/stacks/compose.yml
new file mode 100644
index 0000000..16c3df0
--- /dev/null
+++ b/dashy/stacks/compose.yml
@@ -0,0 +1,52 @@
+networks:
+  traefik-net:
+    external: true
+    
+services:
+  dashy:
+    image: lissy93/dashy
+    # To build from source, replace 'image: lissy93/dashy' with 'build: .'
+    # build: .
+    env_file: .dashy.env
+    restart: unless-stopped
+    healthcheck:
+      test: ['CMD', 'node', '/app/services/healthcheck']
+      interval: 1m30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+      - "${DATADIR}/config/config.yml:/app/user-data/conf.yml"
+      - "${DATADIR}/config:/app/user-data"
+      - "${DATADIR}/appdata/icons:/app/user-data/item-icons/"
+    networks:
+      - traefik-net
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # http service
+      # ------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http middlewares
+      # ----------------
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
+      #
+      # http routers
+      # ------------
+      # http://appname.domainname/
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-redirect@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      # https://appname.domainname/
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders@file"
+    # - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
\ No newline at end of file
diff --git a/dashy/~$dashboard.xlsx b/dashy/~$dashboard.xlsx
new file mode 100644
index 0000000..9b25dc2
Binary files /dev/null and b/dashy/~$dashboard.xlsx differ
diff --git a/digikam/digikam_jm.txt b/digikam/digikam_jm.txt
new file mode 100644
index 0000000..c347655
--- /dev/null
+++ b/digikam/digikam_jm.txt
@@ -0,0 +1,94 @@
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: digikam
+Username: digikam
+Disable Password: <select>
+Email: <leave blank>
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+digikam UID: 3044
+digikam GID: 3043
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*digikam"
+# create following dataset if not present
+zfs create SSD1/docker/data/digikam
+zfs create SSD1/docker/data/digikam/config
+zfs create SSD1/docker/data/digikam/mariadb
+chown -R digikam:digikam /mnt/SSD1/docker/data/digikam
+chown -R mariadb:mariadb /mnt/SSD1/docker/data/digikam/mariadb
+
+Create foldera
+--------------
+mkdir -p /mnt/SSD1/docker/stacks/digikam/secrets
+
+If not done already, add mapping for media in jail config
+---------------------------------------------------------
+In this example: the folder where media is stored is /mnt/stpool1/NData1/Media
+On Truenas shell:
+jlmkr edit docker
+Add the following args to "systemd_nspawn_user_args": 
+--bind='/mnt/stpool1/NData1/Media:/mnt/media'
+
+If not done already, set ACL permissions for media to be accessible by media group
+----------------------------------------------------------------------------------
+On Truenas shell:
+# read and note acl entries
+getfacl /mnt/stpool1/NData1
+getfacl /mnt/stpool1/NData1/Media
+# set read and execute permissions for media group on parent folder
+setfacl -m g:media:5 /mnt/stpool1/NData1
+# set full permissions for media group on Media folder recursively
+setfacl -R -m g:media:7 /mnt/stpool1/NData1/Media
+# modify defaults recursively
+setfacl -R -d -m g:media:7 /mnt/stpool1/NData1/Media
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in digikam folder, enter:
+./cp2nas 192.168.2.2
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/digikam/
+# This should copy stacks folder to /mnt/SSD1/docker/stacks/digikam
+
+Create secrets
+--------------
+In Truenas shell:
+cd /mnt/SSD1/docker/stacks/digikam/secrets
+echo -n 'your_postgresql_database_name' > /mnt/SSD1/docker/stacks/digikam/secrets/digikam_mariadb_database_name
+echo -n 'your_postgresql_username' > /mnt/SSD1/docker/stacks/digikam/secrets/digikam_mariadb_username
+openssl rand 36 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' | cut -c -32  | tr -d '\n' > /mnt/SSD1/docker/stacks/digikam/secrets/digikam_mariadb_password
+openssl rand 60 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' | cut -c -56  | tr -d '\n' > /mnt/SSD1/docker/stacks/digikam/secrets/digikam_mariadb_root_password
+chown -R digikam:digikam /mnt/SSD1/docker/stacks/digikam/secrets/
+chmod -R 400 /mnt/SSD1/docker/stacks/digikam/secrets/
+# read existing acl permissions, if any
+getfacl /mnt/SSD1/docker/stacks/digikam/secrets
+# set acl permissions
+setfacl -m u:mariadb:4 /mnt/SSD1/docker/stacks/digikam/secrets
+setfacl -m u:mariadb:4 /mnt/SSD1/docker/stacks/digikam/secrets/digikam_mariadb_root_password
+setfacl -m u:mariadb:4 /mnt/SSD1/docker/stacks/digikam/secrets/digikam_mariadb_password
+setfacl -m u:mariadb:4 /mnt/SSD1/docker/stacks/digikam/secrets/digikam_mariadb_username
+setfacl -m u:mariadb:4 /mnt/SSD1/docker/stacks/digikam/secrets/digikam_mariadb_database_name
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+# to list secrets in secrets dir
+cd /mnt/SSD1/docker/stacks/digikam/secrets
+for i in $(ls -1); do echo $i = `cat $i`; done | sort
+
+To open container shell
+------------------------
+docker exec -it digikam-mariadb-1 bash
+
+To log into database from container shell
+-----------------------------------------
+mariadb -u root -p digikam
+# Enter root password
diff --git a/digikam/stacks/.digikam.env b/digikam/stacks/.digikam.env
new file mode 100644
index 0000000..bf3b8ea
--- /dev/null
+++ b/digikam/stacks/.digikam.env
@@ -0,0 +1,12 @@
+
+PUID=${PUID}
+PGID=${MEDIA_PGID}
+TZ=${TZ}
+
+# POSTGRES_HOST=${POSTGRES_DB_HOST}
+# POSTGRES_DB_PORT=${POSTGRES_DB_PORT}
+# POSTGRES_DB_FILE=${POSTGRES_DB_FILE}
+# POSTGRES_USER_FILE=${POSTGRES_USER_FILE}
+# POSTGRES_PASSWORD_FILE=${POSTGRES_PASSWORD_FILE}
+# DIGIKAM_ADMIN_PASSWORD_FILE=/run/secrets/digikam_admin_password
+# DIGIKAM_ADMIN_USER_FILE=/run/secrets/digikam_admin_username
diff --git a/digikam/stacks/.env b/digikam/stacks/.env
new file mode 100644
index 0000000..816fb6d
--- /dev/null
+++ b/digikam/stacks/.env
@@ -0,0 +1,27 @@
+
+APPLICATION_NAME=digikam
+
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOCKERDIR=/mnt/SSD1/docker/
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+PUID=3044
+PGID=3043
+MEDIA_PGID=3017
+MDB_PUID=3059
+MDB_PGID=3060
+
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+WEBUI_PORT=3000
+
+MARIADB_DB_PORT=3306
+# MARIADB_DB_HOST=digikam_mariadb
+MARIADB_DB_NAME_FILE=/run/secrets/digikam_mariadb_database_name
+MARIADB_USER_FILE=/run/secrets/digikam_mariadb_username
+MARIADB_PASSWORD_FILE=/run/secrets/digikam_mariadb_password
+MARIADB_ROOT_PASSWORD_FILE=/run/secrets/digikam_mariadb_root_password
+
diff --git a/digikam/stacks/.mariadb.env b/digikam/stacks/.mariadb.env
new file mode 100644
index 0000000..f3701a5
--- /dev/null
+++ b/digikam/stacks/.mariadb.env
@@ -0,0 +1,12 @@
+
+PUID=${MDB_PUID}
+PGID=${MDB_PGID}
+TZ=${TZ}
+
+MARIADB_ROOT_PASSWORD_FILE=${MARIADB_ROOT_PASSWORD_FILE}
+MARIADB_DATABASE_FILE=${MARIADB_DB_NAME_FILE}
+MARIADB_USER_FILE=${MARIADB_USER_FILE}
+MARIADB_PASSWORD_FILE=${MARIADB_PASSWORD_FILE}
+
+# REMOTE_SQL=http://URL1/your.sql,https://URL2/your.sql
+
diff --git a/digikam/stacks/compose.yml b/digikam/stacks/compose.yml
new file mode 100644
index 0000000..f8a9f45
--- /dev/null
+++ b/digikam/stacks/compose.yml
@@ -0,0 +1,99 @@
+name: digikam
+
+secrets:
+  digikam_mariadb_database_name:
+    file: ${SECRETSDIR}/digikam_mariadb_database_name
+  digikam_mariadb_username:
+    file: ${SECRETSDIR}/digikam_mariadb_username
+  digikam_mariadb_password:
+    file: ${SECRETSDIR}/digikam_mariadb_password
+  digikam_mariadb_root_password:
+    file: ${SECRETSDIR}/digikam_mariadb_root_password
+    
+networks:
+  traefik-net:
+    external: true
+  digikam-net:
+    external: true
+
+services:
+  digikam:
+    image: lscr.io/linuxserver/digikam:latest
+    hostname: ${APPLICATION_NAME}
+    env_file: .digikam.env
+    restart: unless-stopped
+    depends_on:
+      - mariadb
+    # https://github.com/linuxserver/docker-baseimage-kasmvnc
+#    deploy:
+#      resources:
+#        reservations:
+#          devices:
+#            - driver: nvidia
+#              count: 1
+#              #device_ids:
+#              #  - "GPU-b9bf37c1-f8c9-201c-3456-0aa35381be42"
+#              capabilities: [compute,video,graphics,utility]
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - "${DATADIR}/config:/config"
+      - "${MEDIADIR}/Pictures:/config/Pictures"
+    networks:
+      - traefik-net
+      - digikam-net
+
+# https://github.com/linuxserver/docker-baseimage-kasmvnc#lossless
+# nginx config
+# add_header 'Cross-Origin-Embedder-Policy' 'require-corp';
+# add_header 'Cross-Origin-Opener-Policy' 'same-origin';
+# add_header 'Cross-Origin-Resource-Policy' 'same-site';
+#
+# trying out following to see if they are working traefik equivalents with inspiration from https://community.traefik.io/t/setting-cross-origin-headers/22239/2
+# https://doc.traefik.io/traefik/middlewares/http/headers/
+#    labels:
+#      - "traefik.http.middlewares.middleware-cross-origin.headers.customResponseHeaders.Cross-Origin-Embedder-Policy=require-corp"
+#      - "traefik.http.middlewares.middleware-cross-origin.headers.customResponseHeaders.Cross-Origin-Opener-Policy=same-origin"
+#      - "traefik.http.middlewares.middleware-cross-origin.headers.customResponseHeaders.Cross-Origin-Resource-Policy=same-site"
+
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"
+      - "traefik.http.middlewares.${APPLICATION_NAME}-cross-origin.headers.customResponseHeaders.Cross-Origin-Embedder-Policy=require-corp"
+      - "traefik.http.middlewares.${APPLICATION_NAME}-cross-origin.headers.customResponseHeaders.Cross-Origin-Opener-Policy=same-origin"
+      - "traefik.http.middlewares.${APPLICATION_NAME}-cross-origin.headers.customResponseHeaders.Cross-Origin-Resource-Policy=same-site"
+      #
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-cross-origin"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+   
+  mariadb:
+    image: mariadb:latest
+    restart: unless-stopped
+    env_file: .mariadb.env
+    hostname: mariadb
+    volumes:
+      - "${DATADIR}/mariadb:/config"
+    secrets:
+      - digikam_mariadb_database_name
+      - digikam_mariadb_username
+      - digikam_mariadb_password
+      - digikam_mariadb_root_password
+    networks:
+      - digikam-net
+     
diff --git a/diun/stacks/.diun.env b/diun/stacks/.diun.env
new file mode 100644
index 0000000..dd520e1
--- /dev/null
+++ b/diun/stacks/.diun.env
@@ -0,0 +1,34 @@
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+DIUN_WATCH_WORKERS=20
+DIUN_WATCH_SCHEDULE="0 */6 * * *"
+DIUN_WATCH_JITTER=30s
+DIUN_PROVIDERS_DOCKER=true
+
+
+DIUN_NOTIF_MQTT_SCHEME=mqtt
+DIUN_NOTIF_MQTT_HOST=mqtt.sthome.org
+DIUN_NOTIF_MQTT_PORT=1883
+DIUN_NOTIF_MQTT_USERNAME=mqtt_user
+# DIUN_NOTIF_MQTT_USERNAMEFILE
+DIUN_NOTIF_MQTT_PASSWORD=Saterdag!32#
+# DIUN_NOTIF_MQTT_PASSWORDFILE
+DIUN_NOTIF_MQTT_CLIENT=diun
+DIUN_NOTIF_MQTT_TOPIC=docker/diun
+DIUN_NOTIF_MQTT_QOS=0
+
+
+# DIUN_NOTIF_MAIL_HOST=
+# DIUN_NOTIF_MAIL_PORT=
+# DIUN_NOTIF_MAIL_SSL=
+# DIUN_NOTIF_MAIL_INSECURESKIPVERIFY=
+# DIUN_NOTIF_MAIL_LOCALNAME=
+# DIUN_NOTIF_MAIL_USERNAME=
+# DIUN_NOTIF_MAIL_USERNAMEFILE=
+# DIUN_NOTIF_MAIL_PASSWORD=
+# DIUN_NOTIF_MAIL_PASSWORDFILE=
+# DIUN_NOTIF_MAIL_FROM=
+# DIUN_NOTIF_MAIL_TO=  # comma separated
+# DIUN_NOTIF_MAIL_TEMPLATETITLE={{ .Entry.Image }} {{ if (eq .Entry.Status "new") }}is available{{ else }}has been updated{{ end }}
+# DIUN_NOTIF_MAIL_TEMPLATEBODY=
diff --git a/diun/stacks/.env b/diun/stacks/.env
new file mode 100644
index 0000000..79bc7d1
--- /dev/null
+++ b/diun/stacks/.env
@@ -0,0 +1,18 @@
+################################################################
+APPLICATION_NAME=diun
+
+DOCKERDIR=/mnt/SSD1/docker
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CERTSDIR=${DATAROOT}/traefik/certs
+
+PUID=3062
+PGID=3063
+DOMAINNAME=sthome.org
+DNS_RESOLVER=sthomeresolver
+
+################################################################
+
diff --git a/diun/stacks/.socket-proxy.env b/diun/stacks/.socket-proxy.env
new file mode 100644
index 0000000..97691c1
--- /dev/null
+++ b/diun/stacks/.socket-proxy.env
@@ -0,0 +1,36 @@
+#
+# environment variables for socket-proxy
+#
+
+LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
+
+## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
+### 0 to revoke access.
+### 1 to grant access.
+## Granted by Default
+EVENTS=1
+PING=1
+VERSION=1
+## Revoked by Default
+### Security critical
+AUTH=0
+SECRETS=0
+POST=1          # Watchtower
+### Not always needed
+BUILD=0
+COMMIT=0
+CONFIGS=0
+CONTAINERS=1    # Traefik, portainer, etc.
+DISTRIBUTION=0
+EXEC=0
+IMAGES=1        # Portainer
+INFO=1          # Portainer
+NETWORKS=1      # Portainer
+NODES=0
+PLUGINS=0
+SERVICES=1      # Portainer
+SESSION=0
+SWARM=0
+SYSTEM=0
+TASKS=1         # Portainer
+VOLUMES=1       # Portainer
\ No newline at end of file
diff --git a/diun/stacks/compose.yml b/diun/stacks/compose.yml
new file mode 100644
index 0000000..ba5e30c
--- /dev/null
+++ b/diun/stacks/compose.yml
@@ -0,0 +1,50 @@
+name: diun
+
+networks:
+#  socket_proxy:
+#    driver: bridge
+#    driver_opts:
+#      com.docker.network.bridge.name: "br-diun_sx"
+  traefik-net:
+    external: true
+    
+services:
+  diun:
+    image: crazymax/diun:latest
+    command: serve
+    env_file: .diun.env
+#    depends_on:
+#      - socket-proxy  # Comment out if not using socket-proxy
+#    environment:
+#      - DOCKER_HOST=tcp://diun_socket-proxy:2375
+    networks:
+      - traefik-net
+#      - socket_proxy
+    volumes:
+      - "${DATADIR}/appdata:/data"
+      - "/var/run/docker.sock:/var/run/docker.sock"
+    labels:
+      - "diun.enable=true"
+    restart: always
+
+###############################################################
+#  socket-proxy:
+#    image: tecnativa/docker-socket-proxy:0.2.0 #0.1.2
+#    hostname: diun_socket-proxy
+#    restart: unless-stopped
+#    env_file: .socket-proxy.env
+#    security_opt:
+#      - no-new-privileges=true
+#    networks:
+#      - socket_proxy
+#    privileged: true  # true for VM.  false for unprivileged LXC container.
+#    #depends_on:
+#    #  - traefik
+##    ports:
+##      - "127.0.0.1:2375:2375"
+#    volumes:
+#      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+#      # the following bind is to persist the non-zero setting of backend docker-events.timeout server
+##      - type: bind
+##        source: "${DATADIR}/haproxy/haproxy.cfg.template"
+##        target: /usr/local/etc/haproxy/haproxy.cfg.template
\ No newline at end of file
diff --git a/emby/emby_jm.txt b/emby/emby_jm.txt
new file mode 100644
index 0000000..f28f959
--- /dev/null
+++ b/emby/emby_jm.txt
@@ -0,0 +1,83 @@
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: emby
+Username: emby
+Disable Password: <select>
+Email: <leave blank>
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+emby UID: 3017
+emby GID: 3016
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*emby"
+# create following dataset if not present
+zfs create SSD1/docker/data/emby/config
+chown -R emby:emby /mnt/SSD1/docker/data/emby
+
+Create stacks folder
+---------------------
+mkdir -p /mnt/SSD1/docker/stacks/emby
+
+If not done already, add mapping for media in jail config
+---------------------------------------------------------
+In this example: the folder where media is stored is /mnt/stpool1/NData1/Media
+On Truenas shell:
+jlmkr edit docker
+Add the following args to "systemd_nspawn_user_args": 
+--bind='/mnt/stpool1/NData1/Media:/mnt/media'
+
+If not done already, set ACL permissions for media to be accessible by media group
+----------------------------------------------------------------------------------
+On Truenas shell:
+# read and note acl entries
+getfacl /mnt/stpool1/NData1
+getfacl /mnt/stpool1/NData1/Media
+# set read and execute permissions for media group on parent folder
+setfacl -m g:media:5 /mnt/stpool1/NData1
+# set full permissions for media group on Media folder recursively
+setfacl -R -m g:media:7 /mnt/stpool1/NData1/Media
+# modify defaults recursively
+setfacl -R -d -m g:media:7 /mnt/stpool1/NData1/Media
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in emby folder, enter:
+./cp2nas 192.168.2.2
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/emby/
+# This should copy stacks folder to /mnt/SSD1/docker/stacks/emby
+
+Migrating data from old emby media server (source) to newly installed one (target)
+----------------------------------------------------------------------------------
+# Stop old/source emby media server
+heavyscript app --stop emby
+# Stop new/target emby media server
+# On Dockge, select emby and click stop
+# Copy the source Library to target folder (this might take a while):
+cp -pr /mnt/stpool1/apps/emby/* /mnt/SSD1/docker/data/emby/config/
+chown -R emby:emby /mnt/SSD1/docker/data/emby/config
+
+Managing library files
+----------------------
+Try and keep the mount folders for the media the same as that of the old media server
+However, if you choose to have a different mount:
+For example,
+If the old media server mapped to /Media and the new one now maps to /data, then you will have to modify the media folders in emby settings to reflect the new mount.
+Open emby, click on the spanner/wrench and select Manage->Libraries
+Go through all the libraries items, adding new media folders and removing those that were replaced
+This may take some time (depends on library size)
+
+
+
+
diff --git a/emby/stacks/.emby.env b/emby/stacks/.emby.env
new file mode 100644
index 0000000..da5109e
--- /dev/null
+++ b/emby/stacks/.emby.env
@@ -0,0 +1,14 @@
+#
+# environment variables for emby
+# 
+PUID=${PUID}
+PGID=${MEDIA_GID}
+TZ=Africa/Johannesburg
+PORT=${WEBUI_PORT}
+
+NVIDIA_VISIBLE_DEVICES=all
+
+
+
+
+
diff --git a/emby/stacks/.env b/emby/stacks/.env
new file mode 100644
index 0000000..11a02a2
--- /dev/null
+++ b/emby/stacks/.env
@@ -0,0 +1,23 @@
+#
+# values to be used for substitution by docker compose in compose.yml AND .*.env files
+#
+APPLICATION_NAME=emby
+
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOCKERDIR=/mnt/SSD1/docker/
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+CT_MEDIA=/Media
+
+MEDIA_GID=3017
+PUID=3017
+PGID=3016
+DOMAINNAME=sthome.org
+WEBUI_PORT=8096
+
+GPU_DEVICE_ID=GPU-b9bf37c1-f8c9-201c-3456-0aa35381be42
+
+
diff --git a/emby/stacks/compose.yml b/emby/stacks/compose.yml
new file mode 100644
index 0000000..36377f0
--- /dev/null
+++ b/emby/stacks/compose.yml
@@ -0,0 +1,66 @@
+name: emby
+
+networks:
+  traefik-net:
+    external: true
+
+services:
+  emby:
+    image: lscr.io/linuxserver/emby:latest
+    hostname: "${APPLICATION_NAME}"
+    env_file: .emby.env
+    group_add:
+      - "${MEDIA_GID}" # not really needed if we have it as the primary gid
+    restart: unless-stopped
+    # this deploy section requires the installation of the nvidia-container-toolkit; comment out if the toolkit is not installed
+    deploy:
+      resources:
+        reservations:
+          devices:
+            - driver: nvidia
+              #count: 1
+              device_ids:
+                - "${GPU_DEVICE_ID}"
+              capabilities: [gpu]
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - ${DATADIR}/config:/config
+      - ${MEDIADIR}:${CT_MEDIA}
+    networks:
+      - traefik-net
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-redirect@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders@file"
+      # tls 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # apply tls options
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+
+
+
diff --git a/external/ext-proxmox.yml b/external/ext-proxmox.yml
new file mode 100644
index 0000000..188e5ec
--- /dev/null
+++ b/external/ext-proxmox.yml
@@ -0,0 +1,57 @@
+# NOT WORKING
+# pve.sthome.org returns HTTP 500 - Internal Server Error
+# Use http://proxmox-local.sthome.org:8006 to access pve
+#
+#
+# external service
+# https://doc.traefik.io/traefik/providers/file/
+
+#http:
+#  #
+#  # http routers
+#  # ------------
+#  routers:
+#    proxmox-rtr:
+#      entryPoints: ["web"]
+#      rule: "Host(`proxmox.sthome.org`)&& PathPrefix(`/`) || Host(`pve.sthome.org`)"
+#      middlewares:
+##        - proxmox-auth
+#        - http-mw-rateLimit-secureHeaders-redirect@file # proxmox-https-redirect
+#      service: "ext-proxmox-svc"
+#
+#    proxmox-secure-rtr:
+#      entryPoints: ["websecure"]
+#      rule: "Host(`proxmox.sthome.org`)&& PathPrefix(`/`) || Host(`pve.sthome.org`)"
+#      tls:
+#        certresolver: "solver-dns"
+#        domains:
+#          - main: "sthome.org"
+#            sans:
+#              - "*.sthome.org"
+##      middlewares:
+##        - proxmox-auth
+#        - http-mw-rateLimit-secureHeaders@file #
+ #      service: "ext-proxmox-svc"
+#  #
+#  # http middlewares
+#  # ----------------
+#  middlewares:
+##    proxmox-auth:
+##      basicauth:
+##        usersfile: "/mnt/users/cctv.txt"
+#    proxmox-https-redirect:
+#      redirectscheme:
+#        scheme: https
+#        permanent: true
+#  #
+#  # http service
+#  # ------------
+#  # https://doc.traefik.io/traefik/routing/services/
+#  services:
+#    ext-proxmox-svc:
+#      loadBalancer:
+#        servers:
+##          - url: "https://proxmox-local.sthome.org:8006" # requires local dns, i.e. 10.0.0.1, to be first nameserver in truenas and in docker /etc/resolv.conf
+#          - url: "https://10.0.0.22:8006" # safest to use ip address, with reservation in dhcp server
+##          - url: "http://10.0.0.30:80"  # test with WSTAT
+#        passHostHeader: true
\ No newline at end of file
diff --git a/external/ext-truenas.yml b/external/ext-truenas.yml
new file mode 100644
index 0000000..012ac49
--- /dev/null
+++ b/external/ext-truenas.yml
@@ -0,0 +1,50 @@
+# external service
+# https://doc.traefik.io/traefik/providers/file/
+# not working
+#http:
+#  #
+#  # http routers
+#  # ------------
+#  routers:
+#    truenas-rtr:
+#      entryPoints:
+#        - "web"
+#      rule: "Host(`truenas.sthome.org`)&& PathPrefix(`/`)"
+#      tls:
+#        certresolver: "solver-dns"
+#      middlewares:
+#        - http-mw-rateLimit-secureHeaders-redirect@file # truenas-https-redirect
+#      service: "ext-truenas-svc"
+#
+#    truenas-secure-rtr:
+#      entryPoints:
+#        - "websecure"
+#      rule: "Host(`truenas.sthome.org`)&& PathPrefix(`/`)"
+#      tls:
+#        certresolver: "solver-dns"
+#        domains:
+#          - main: "sthome.org"
+#            sans:
+#              - "*.sthome.org"
+#              - "truenas.sthome.org"
+#      middlewares:
+#        - http-mw-rateLimit-secureHeaders@file
+#      service: "ext-truenas-svc"
+#  #
+#  # http middlewares
+#  # ----------------
+#  middlewares:
+#    truenas-https-redirect:
+#      redirectscheme:
+#        scheme: https
+#        permanent: true
+#  #
+#  # http service
+#  # ------------
+#  # https://doc.traefik.io/traefik/routing/services/
+#  services:
+#    ext-truenas-svc:
+#      loadBalancer:
+#        servers:
+#          - url: "http://10.0.0.20:443" 
+#        passHostHeader: true
\ No newline at end of file
diff --git a/external/traefik-rules/ext-cctv.yml b/external/traefik-rules/ext-cctv.yml
new file mode 100644
index 0000000..ce8014e
--- /dev/null
+++ b/external/traefik-rules/ext-cctv.yml
@@ -0,0 +1,38 @@
+# external service
+# https://doc.traefik.io/traefik/providers/file/
+
+http:
+#
+# http routers
+# ------------
+  routers:
+    cctv-rtr:
+      entryPoints:
+        - "web"
+      rule: "Host(`cctv.sthome.org`)&& PathPrefix(`/`)"
+      middlewares:
+
+        - http-mw-rateLimit-secureHeaders-redirect@file
+      service: "ext-cctv-svc"
+
+    cctv-secure-rtr:
+      entryPoints:
+        - "websecure"
+      rule: "Host(`cctv.sthome.org`)&& PathPrefix(`/`)"
+      tls:
+        certresolver: "solver-dns"
+        options: tls-options@file
+      middlewares:
+
+        - http-mw-rateLimit-secureHeaders@file
+      service: "ext-cctv-svc"
+  #
+# http service
+# ------------
+# https://doc.traefik.io/traefik/routing/services/
+  services:
+    ext-cctv-svc:
+      loadBalancer:
+        servers:
+          - url: "http://10.0.0.10:80" # safest to use ip address, with reservation in dhcp server
+        passHostHeader: true
\ No newline at end of file
diff --git a/external/traefik-rules/ext-frigate.yml b/external/traefik-rules/ext-frigate.yml
new file mode 100644
index 0000000..e5e9adf
--- /dev/null
+++ b/external/traefik-rules/ext-frigate.yml
@@ -0,0 +1,59 @@
+# external service
+# https://doc.traefik.io/traefik/providers/file/
+
+http:
+#
+# http routers
+# ------------
+  routers:
+    frigate-rtr:
+      entryPoints:
+        - "web"
+      rule: "Host(`frigate.sthome.org`)&& PathPrefix(`/`)"
+      middlewares:
+        - frigate-auth
+        - http-mw-rateLimit-secureHeaders-redirect@file
+      service: "ext-frigate-svc"
+
+    frigate-secure-rtr:
+      entryPoints:
+        - "websecure"
+      rule: "Host(`frigate.sthome.org`)&& PathPrefix(`/`)"
+      tls:
+        certresolver: "solver-dns"
+        options: tls-options@file
+      middlewares:
+        - frigate-auth
+        - http-mw-rateLimit-secureHeaders@file
+      service: "ext-frigate-svc"
+      
+    frigate-secure-status-rtr:
+      entryPoints:
+        - "websecure"
+      rule: "Host(`frigate.sthome.org`)&& PathPrefix(`/stats`)"
+      tls:
+        certresolver: "solver-dns"
+        options: tls-options@file
+      service: "ext-frigate-svc"  
+#
+# http middlewares
+# ----------------
+  middlewares:
+    frigate-auth:
+      basicauth:
+        usersfile: "/mnt/users/frigate.txt"
+#    frigate-https-redirect:
+#      redirectscheme:
+#        scheme: https
+#        permanent: true
+
+#
+# http service
+# ------------
+# https://doc.traefik.io/traefik/routing/services/
+  services:
+    ext-frigate-svc:
+      loadBalancer:
+        servers:
+          - url: "http://10.0.0.51:5000" # safest to use ip address, with reservation in dhcp server
+        passHostHeader: true
\ No newline at end of file
diff --git a/external/traefik-users/cctv.txt b/external/traefik-users/cctv.txt
new file mode 100644
index 0000000..2084684
--- /dev/null
+++ b/external/traefik-users/cctv.txt
@@ -0,0 +1,5 @@
+admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
+chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
+Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
+home:$2y$05$VjkUjMGVdxMn3N/rMK8nBuh1jAUfezo8i4167enEg7i9Xl45cVQGi
+Home:$2y$05$JP8tB1nkPA8tbhEnhGV6teke.X87eFX4V9hi9qa2ArLISJ4Ksf2ca
\ No newline at end of file
diff --git a/external/traefik-users/frigate.txt b/external/traefik-users/frigate.txt
new file mode 100644
index 0000000..2084684
--- /dev/null
+++ b/external/traefik-users/frigate.txt
@@ -0,0 +1,5 @@
+admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
+chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
+Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
+home:$2y$05$VjkUjMGVdxMn3N/rMK8nBuh1jAUfezo8i4167enEg7i9Xl45cVQGi
+Home:$2y$05$JP8tB1nkPA8tbhEnhGV6teke.X87eFX4V9hi9qa2ArLISJ4Ksf2ca
\ No newline at end of file
diff --git a/fireflyiii/fireflyiii_jm.txt b/fireflyiii/fireflyiii_jm.txt
new file mode 100644
index 0000000..3a049a4
--- /dev/null
+++ b/fireflyiii/fireflyiii_jm.txt
@@ -0,0 +1,152 @@
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: fireflyiii
+Username: firefly3
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <unselect>
+Primary Group: media
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+firefly3 UID: 3035
+firefly3 GID: 3034
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*fireflyiii"
+# create following dataset if not present
+zfs create SSD1/docker/data/fireflyiii
+zfs create SSD1/docker/data/fireflyiii/config
+zfs create SSD1/docker/data/fireflyiii/appdata
+zfs create SSD1/docker/data/fireflyiii/pgdata
+zfs create SSD1/docker/data/fireflyiii/pgbackups
+# chown -R firefly3:firefly3 /mnt/SSD1/docker/data/fireflyiii
+chown -R 33:33 /mnt/SSD1/docker/data/fireflyiii   # seems like fireflyiii lately fails if not using www-data uid and gid
+chown -R postgres:postgres /mnt/SSD1/docker/data/fireflyiii/pgdata
+chown -R postgres:postgres /mnt/SSD1/docker/data/fireflyiii/pgbackups
+
+Copy folder to docker stacks
+----------------------------
+In Windows cmd shell in fireflyiii folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/fireflyiii/
+
+Create data folders
+-------------------
+mkdir /mnt/data/fireflyiii/config
+mkdir /mnt/data/fireflyiii/transcodes
+cd /mnt/data/fireflyiii
+
+Create secrets folder
+---------------------
+mkdir -p /opt/stacks/fireflyiii/secrets
+
+Create secrets
+--------------
+In Truenas shell:
+cd /mnt/SSD1/docker/stacks/fireflyiii/secrets
+echo -n 'your_mail_host' > /mnt/SSD1/docker/stacks/fireflyiii/secrets/fireflyiii_mail_host
+echo -n 'your_sender_addr' > /mnt/SSD1/docker/stacks/fireflyiii/secrets/fireflyiii_mail_from
+echo -n 'your_mail_username' > /mnt/SSD1/docker/stacks/fireflyiii/secrets/fireflyiii_mail_username
+echo -n 'your_mail_password' > /mnt/SSD1/docker/stacks/fireflyiii/secrets/fireflyiii_mail_password
+echo -n 'your_site_owner' > /mnt/SSD1/docker/stacks/fireflyiii/secrets/fireflyiii_site_owner
+# WARNING: Do not regenerate/change db password after starting firefly, as firefly will fail on authentication to database
+echo -n 'your_db_database' > /mnt/SSD1/docker/stacks/fireflyiii/secrets/fireflyiii_postgresql_database
+echo -n 'your_db_username' > /mnt/SSD1/docker/stacks/fireflyiii/secrets/fireflyiii_postgresql_username
+openssl rand 36 | base64 -w 0 > /mnt/SSD1/docker/stacks/fireflyiii/secrets/fireflyiii_postgresql_password
+# The next two secrets must be trimmed to exactly 32 characters:
+openssl rand 32 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' | cut -c -32  | tr -d '\n' > /mnt/SSD1/docker/stacks/fireflyiii/secrets/fireflyiii_app_key 
+openssl rand 32 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' | cut -c -32  | tr -d '\n' > /mnt/SSD1/docker/stacks/fireflyiii/secrets/fireflyiii_static_cron_token
+# restrict access
+cd /mnt/SSD1/docker/stacks/fireflyiii
+# chown -R firefly3:firefly3 /mnt/SSD1/docker/stacks/fireflyiii/secrets/
+chown -R 33:33 /mnt/SSD1/docker/stacks/fireflyiii/secrets/ # seems like fireflyiii lately fails if not using www-data uid and gid
+chmod -R 400 secrets/
+# read existing acl permissions, if any
+getfacl /mnt/SSD1/docker/stacks/fireflyiii/secrets
+# set acl permissions
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/fireflyiii/secrets
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/fireflyiii/secrets/fireflyiii_postgresql_password
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/fireflyiii/secrets/fireflyiii_postgresql_username
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/fireflyiii/secrets/fireflyiii_postgresql_database
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+
+Backup fireflyiii database
+-------------------------- 
+In truenas shell:
+mkdir /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+chown pgadmin:pgadmin /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+Using browser, log in to pgAdmin on truenas
+Connect to servers; refer to "connecting to servers.txt", which also explains how to obtain db passwords
+To perform plain text backup:
+Navigate to Servers => fireflyiii -> Databases -> fireflyiii
+Right click on fireflyiii database and select Backup...
+Enter the following on the different tabs of dialog box that opened:
+General:
+Replace ##### with today's date in YYYY-MM-DD format
+Filename: /#####/fireflyiii-backup.sql (this maps to: /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/#####/fireflyiii-backup.sql on truenas)
+Format: Plain
+Encoding: UTF8
+Role name: firefly
+Data Options:
+Sections:
+Pre-data: <select>
+Data: <select>
+Post-data: <select>
+Objects:
+Check public to select all objects
+Click Backup
+After successfull backup, close pgAdmin on truenas
+
+Migrating database
+------------------
+# Refresh Dockge window/tab and start fireflyiii in Dockge
+# After successfull startup of fireflyiii and postgress, stop fireflyiii from docker cmd line
+docker stop firefly
+# In truenas shell
+# copy back up file(s) to fireflyiii backups folder
+cp -vr /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I) /mnt/SSD1/docker/data/fireflyiii/pgbackups #replace $(date -I) with date when backup was made if not today
+jlmkr shell docker
+cd /mnt/data/fireflyiii
+# remove all files/folders from pgdata; if any are already in this folder, move it to another folder before executing next command
+rm -r /mnt/data/fireflyiii/pgdata/*
+# Start fireflyiii with Dockge, then:
+docker stop firefly
+docker exec firefly_postgresql psql -U firefly -d postgres -c "DROP DATABASE \"firefly\";"
+docker exec firefly_postgresql psql -U firefly -d postgres -c "CREATE DATABASE \"firefly\";"
+docker exec firefly_postgresql psql -U firefly -d firefly -f /mnt/backups/$(date -I)/fireflyiii-backup.sql
+docker start firefly
+
+Post startup if no migration was performed
+-------------------------------------------
+# https://docs.firefly-iii.org/references/faq/install/
+# The documentation mentions the following to initialise / seed the database on a clean install:
+# In docker shell:
+docker exec firefly php artisan migrate:refresh --seed --force
+docker exec firefly php artisan firefly-iii:upgrade-database
+
+Stop truenas fireflyiii
+-----------------------
+# In truenas shell
+heavyscript app --stop fireflyiii
+# NB: Do NOT stop fireflyiii with truenas gui
+
+Troubleshooting
+---------------
+# If you get persistent db authentication errors:
+Ensure that the service name (name of the stanza), host name and container name of the postgresql container in the compose.yml file and the DB_HOST value in the .env file are all the same
+
+If you need to log into db
+--------------------------
+docker exec -it firefly_postgresql bash
+psql -U firefly -d firefly
+
+
+
diff --git a/fireflyiii/stacks/.env b/fireflyiii/stacks/.env
new file mode 100644
index 0000000..46c5d34
--- /dev/null
+++ b/fireflyiii/stacks/.env
@@ -0,0 +1,41 @@
+PROJECT_NAME=fireflyiii       # distinguish between fireflyiii and firefly
+APPLICATION_NAME=firefly
+
+IMPORTER_NAME=firefly-importer
+
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOCKERDIR=/mnt/SSD1/docker
+
+STACKSDIR=${DOCKERDIR}/stacks/${PROJECT_NAME}
+DATADIR=${DOCKERDIR}/data/${PROJECT_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+DOMAINNAME=sthome.org
+WEBUI_PORT=8080
+IMPORTER_WEBUI_PORT=8080
+
+PUID=3035
+PGID=3034
+TZ=Africa/Johannesburg
+
+FFIII_MAIL_PORT=25
+FFIII_FQDN=${APPLICATION_NAME}.${DOMAINNAME}
+FFIII_IMPORTER_FQDN=${IMPORTER_NAME}.${DOMAINNAME}
+
+# secrets
+FFIII_ACCESS_TOKEN_FILE=/run/secrets/fireflyiii_access_token
+FFIII_APP_KEY_FILE=/run/secrets/fireflyiii_app_key
+FFIII_MAP_DEFAULT_LAT_FILE=/run/secrets/fireflyiii_default_lat
+FFIII_MAP_DEFAULT_LONG_FILE=/run/secrets/fireflyiii_default_long
+FFIII_MAIL_DESTINATION_FILE=/run/secrets/fireflyiii_mail_destination
+FFIII_MAIL_FROM_FILE=/run/secrets/fireflyiii_mail_from
+FFIII_MAIL_HOST_FILE=/run/secrets/fireflyiii_mail_host
+FFIII_MAIL_PASSWORD_FILE=/run/secrets/fireflyiii_mail_password
+FFIII_MAIL_USERNAME_FILE=/run/secrets/fireflyiii_mail_username
+FFIII_DB_NAME_FILE=/run/secrets/fireflyiii_postgresql_database
+FFIII_DB_PASSWORD_FILE=/run/secrets/fireflyiii_postgresql_password
+FFIII_DB_USER_FILE=/run/secrets/fireflyiii_postgresql_username
+FFIII_SITE_OWNER_FILE=/run/secrets/fireflyiii_site_owner
+FFIII_STATIC_CRON_TOKEN_FILE=/run/secrets/fireflyiii_static_cron_token
+
+
diff --git a/fireflyiii/stacks/.firefly.env b/fireflyiii/stacks/.firefly.env
new file mode 100644
index 0000000..5ec34dc
--- /dev/null
+++ b/fireflyiii/stacks/.firefly.env
@@ -0,0 +1,325 @@
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+
+# You can leave this on "local". If you change it to production most console commands will ask for extra confirmation.
+# Never set it to "testing".
+APP_ENV=local
+
+# Set to true if you want to see debug information in error screens.
+APP_DEBUG=false
+
+# This should be your email address.
+# If you use Docker or similar, you can set this variable from a file by using SITE_OWNER_FILE
+# The variable is used in some errors shown to users who aren't admin.
+SITE_OWNER_FILE=${FFIII_SITE_OWNER_FILE}
+
+# The encryption key for your sessions. Keep this very secure.
+# Change it to a string of exactly 32 chars or use something like `php artisan key:generate` to generate it.
+# If you use Docker or similar, you can set this variable from a file by using APP_KEY_FILE
+#
+# Avoid the "#" character in your APP_KEY, it may break things.
+#
+APP_KEY_FILE=${FFIII_APP_KEY_FILE}
+
+# Firefly III will launch using this language (for new users and unauthenticated visitors)
+# For a list of available languages: https://github.com/firefly-iii/firefly-iii/tree/main/resources/lang
+#
+# If text is still in English, remember that not everything may have been translated.
+DEFAULT_LANGUAGE=en_US
+
+# The locale defines how numbers are formatted.
+# by default this value is the same as whatever the language is.
+DEFAULT_LOCALE=equal
+
+# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy.
+# Set it to ** and reverse proxies work just fine.
+TRUSTED_PROXIES=**
+
+# The log channel defines where your log entries go to.
+# Several other options exist. You can use 'single' for one big fat error log (not recommended).
+# Also available are 'syslog', 'errorlog' and 'stdout' which will log to the system itself.
+# A rotating log option is 'daily', creates 5 files that (surprise) rotate.
+# A cool option is 'papertrail' for cloud logging
+# Default setting 'stack' will log to 'daily' and to 'stdout' at the same time.
+LOG_CHANNEL=stack
+
+# Log level. You can set this from least severe to most severe:
+# debug, info, notice, warning, error, critical, alert, emergency
+# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably
+# nothing will get logged, ever.
+APP_LOG_LEVEL=notice
+
+# Audit log level.
+# The audit log is used to log notable Firefly III events on a separate channel.
+# These log entries may contain sensitive financial information.
+# The audit log is disabled by default.
+#
+# To enable it, set AUDIT_LOG_LEVEL to "info"
+# To disable it, set AUDIT_LOG_LEVEL to "emergency"
+AUDIT_LOG_LEVEL=emergency
+
+#
+# If you want, you can redirect the audit logs to another channel.
+# Set 'audit_stdout', 'audit_syslog', 'audit_errorlog' to log to the system itself.
+# Use audit_daily to log to a rotating file.
+# Use audit_papertrail to log to papertrail.
+#
+# If you do this, the audit logs may be mixed with normal logs because the settings for these channels
+# are often the same as the settings for the normal logs.
+AUDIT_LOG_CHANNEL=
+
+#
+# Used when logging to papertrail:
+# Also used when audit logs log to papertrail:
+#
+PAPERTRAIL_HOST=
+PAPERTRAIL_PORT=
+
+# Database credentials. Make sure the database exists. I recommend a dedicated user for Firefly III
+# For other database types, please see the FAQ: https://docs.firefly-iii.org/references/faq/install/#i-want-to-use-sqlite
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+# Use "pgsql" for PostgreSQL
+# Use "mysql" for MySQL and MariaDB.
+# Use "sqlite" for SQLite.
+DB_CONNECTION=pgsql
+DB_HOST=firefly_postgresql
+DB_PORT=5432
+DB_DATABASE_FILE=${FFIII_DB_NAME_FILE}
+DB_USERNAME_FILE=${FFIII_DB_USER_FILE}
+DB_PASSWORD_FILE=${FFIII_DB_PASSWORD_FILE}
+# leave empty or omit when not using a socket connection
+DB_SOCKET=
+
+# MySQL supports SSL. You can configure it here.
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+MYSQL_USE_SSL=false
+MYSQL_SSL_VERIFY_SERVER_CERT=true
+# You need to set at least of these options
+MYSQL_SSL_CAPATH=/etc/ssl/certs/
+MYSQL_SSL_CA=
+MYSQL_SSL_CERT=
+MYSQL_SSL_KEY=
+MYSQL_SSL_CIPHER=
+
+# PostgreSQL supports SSL. You can configure it here.
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+PGSQL_SSL_MODE=prefer
+PGSQL_SSL_ROOT_CERT=null
+PGSQL_SSL_CERT=null
+PGSQL_SSL_KEY=null
+PGSQL_SSL_CRL_FILE=null
+
+# For postgresql 15 and up, setting this to public will no longer work as expected, because the
+# 'public' schema is without grants. This can be worked around by having a super user grant those
+# necessary privileges, but in security conscious setups that's not viable.
+# You will need to set this to the schema you want to use.
+PGSQL_SCHEMA=public
+
+# If you're looking for performance improvements, you could install memcached or redis
+CACHE_DRIVER=file
+SESSION_DRIVER=file
+
+# If you set either of the options above to 'redis', you might want to update these settings too
+# If you use Docker or similar, you can set REDIS_HOST_FILE, REDIS_PASSWORD_FILE or
+# REDIS_PORT_FILE to set the value from a file instead of from an environment variable
+
+# can be tcp or unix. http is not supported
+REDIS_SCHEME=tcp
+
+# use only when using 'unix' for REDIS_SCHEME. Leave empty otherwise.
+REDIS_PATH=
+
+# use only when using 'tcp' or 'http' for REDIS_SCHEME. Leave empty otherwise.
+REDIS_HOST=127.0.0.1
+REDIS_PORT=6379
+
+# Use only with Redis 6+ with proper ACL set. Leave empty otherwise.
+REDIS_USERNAME=
+REDIS_PASSWORD=
+
+# always use quotes and make sure redis db "0" and "1" exists. Otherwise change accordingly.
+REDIS_DB="0"
+REDIS_CACHE_DB="1"
+
+# Cookie settings. Should not be necessary to change these.
+# If you use Docker or similar, you can set COOKIE_DOMAIN_FILE to set
+# the value from a file instead of from an environment variable
+# Setting samesite to "strict" may give you trouble logging in.
+COOKIE_PATH="/"
+COOKIE_DOMAIN=
+COOKIE_SECURE=false
+COOKIE_SAMESITE=lax
+
+# If you want Firefly III to email you, update these settings
+# For instructions, see: https://docs.firefly-iii.org/how-to/firefly-iii/advanced/notifications/#email
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+MAIL_MAILER=log
+MAIL_HOST_FILE=${FFIII_MAIL_HOST_FILE}
+MAIL_PORT=${FFIII_MAIL_PORT}
+MAIL_FROM_FILE=${FFIII_MAIL_FROM_FILE}
+MAIL_USERNAME_FILE=${FFIII_MAIL_USERNAME_FILE}
+MAIL_PASSWORD_FILE=${FFIII_MAIL_PASSWORD_FILE}
+MAIL_ENCRYPTION=null
+#MAIL_SENDMAIL_COMMAND=
+
+# Other mail drivers:
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+MAILGUN_DOMAIN=
+MAILGUN_SECRET=
+
+# If you are on EU region in mailgun, use api.eu.mailgun.net, otherwise use api.mailgun.net
+# If you use Docker or similar, you can set this variable from a file by appending it with _FILE
+#MAILGUN_ENDPOINT=api.mailgun.net
+
+# If you use Docker or similar, you can set these variables from a file by appending them with _FILE
+MANDRILL_SECRET=
+SPARKPOST_SECRET=
+
+# Firefly III can send you the following messages.
+SEND_ERROR_MESSAGE=true
+
+# These messages contain (sensitive) transaction information:
+SEND_REPORT_JOURNALS=true
+
+# Set this value to true if you want to set the location of certain things, like transactions.
+# Since this involves an external service, it's optional and disabled by default.
+ENABLE_EXTERNAL_MAP=false
+
+#
+# Enable or disable exchange rate conversion. This function isn't used yet by Firefly III
+#
+ENABLE_EXCHANGE_RATES=false
+
+# Set this value to true if you want Firefly III to download currency exchange rates
+# from the internet. These rates are hosted by the creator of Firefly III inside
+# an Azure Storage Container.
+# Not all currencies may be available. Rates may be wrong.
+ENABLE_EXTERNAL_RATES=false
+
+# The map will default to this location:
+MAP_DEFAULT_LAT_FILE=${FFIII_MAP_DEFAULT_LAT_FILE}
+MAP_DEFAULT_LONG_FILE=${FFIII_MAP_DEFAULT_LONG_FILE}
+MAP_DEFAULT_ZOOM=6
+
+#
+# Some objects have room for an URL, like transactions and webhooks.
+# By default, the following protocols are allowed:
+# http, https, ftp, ftps, mailto
+#
+# To change this, set your preferred comma separated set below.
+# Be sure to include http, https and other default ones if you need to.
+#
+VALID_URL_PROTOCOLS=
+
+#
+# Firefly III authentication settings
+#
+
+#
+# Firefly III supports a few authentication methods:
+# - 'web' (default, uses built in DB)
+# - 'remote_user_guard' for Authelia etc
+# Read more about these settings in the documentation.
+# https://docs.firefly-iii.org/how-to/firefly-iii/advanced/authentication/
+#
+# LDAP is no longer supported :(
+#
+AUTHENTICATION_GUARD=web
+
+#
+# Remote user guard settings
+#
+AUTHENTICATION_GUARD_HEADER=REMOTE_USER
+AUTHENTICATION_GUARD_EMAIL=
+
+#
+# Firefly III generates a basic keypair for your OAuth tokens.
+# If you want, you can overrule the key with your own (secure) value.
+# It's also possible to set PASSPORT_PUBLIC_KEY_FILE or PASSPORT_PRIVATE_KEY_FILE
+# if you're using Docker secrets or similar solutions for secret management
+#
+PASSPORT_PRIVATE_KEY=
+PASSPORT_PUBLIC_KEY=
+
+#
+# Extra authentication settings
+#
+CUSTOM_LOGOUT_URL=
+
+# You can disable the X-Frame-Options header if it interferes with tools like
+# Organizr. This is at your own risk. Applications running in frames run the risk
+# of leaking information to their parent frame.
+DISABLE_FRAME_HEADER=false
+
+# You can disable the Content Security Policy header when you're using an ancient browser
+# or any version of Microsoft Edge / Internet Explorer (which amounts to the same thing really)
+# This leaves you with the risk of not being able to stop XSS bugs should they ever surface.
+# This is at your own risk.
+DISABLE_CSP_HEADER=false
+
+# If you wish to track your own behavior over Firefly III, set valid analytics tracker information here.
+# Nobody uses this except for me on the demo site. But hey, feel free to use this if you want to.
+# Do not prepend the TRACKER_URL with http:// or https://
+# The only tracker supported is Matomo.
+# You can set the following variables from a file by appending them with _FILE:
+#TRACKER_SITE_ID=
+#TRACKER_URL=
+
+#
+# Firefly III supports webhooks. These are security sensitive and must be enabled manually first.
+#
+ALLOW_WEBHOOKS=false
+
+#
+# The static cron job token can be useful when you use Docker and wish to manage cron jobs.
+# 1. Set this token to any 32-character value (this is important!).
+# 2. Use this token in the cron URL instead of a user's command line token that you can find in /profile
+#
+# For more info: https://docs.firefly-iii.org/how-to/firefly-iii/advanced/cron/
+#
+# You can set this variable from a file by appending it with _FILE
+#
+STATIC_CRON_TOKEN_FILE=${FFIII_STATIC_CRON_TOKEN_FILE}
+
+# You can fine tune the start-up of a Docker container by editing these environment variables.
+# Use this at your own risk. Disabling certain checks and features may result in lots of inconsistent data.
+# However if you know what you're doing you can significantly speed up container start times.
+# Set each value to true to enable, or false to disable.
+
+# Set this to true to build all locales supported by Firefly III.
+# This may take quite some time (several minutes) and is generally not recommended.
+# If you wish to change or alter the list of locales, start your Docker container with
+# `docker run -v locale.gen:/etc/locale.gen -e DKR_BUILD_LOCALE=true`
+# and make sure your preferred locales are in your own locale.gen.
+DKR_BUILD_LOCALE=false
+
+# Check if the SQLite database exists. Can be skipped if you're not using SQLite.
+# Won't significantly speed up things.
+#DKR_CHECK_SQLITE=true
+
+# Leave the following configuration vars as is.
+# Unless you like to tinker and know what you're doing.
+APP_NAME=FireflyIII
+BROADCAST_DRIVER=log
+QUEUE_DRIVER=sync
+CACHE_PREFIX=firefly
+PUSHER_KEY=
+IPINFO_TOKEN=
+PUSHER_SECRET=
+PUSHER_ID=
+DEMO_USERNAME=
+DEMO_PASSWORD=
+
+#
+# The v2 layout is very experimental. If it breaks you get to keep both parts.
+# Be wary of data loss.
+#
+FIREFLY_III_LAYOUT=v1
+
+#
+# Please make sure this URL matches the external URL of your Firefly III installation.
+# It is used to validate specific requests and to generate URLs in emails.
+#
+APP_URL=https://${FFIII_FQDN}
\ No newline at end of file
diff --git a/fireflyiii/stacks/.importer.env b/fireflyiii/stacks/.importer.env
new file mode 100644
index 0000000..7bf4f8c
--- /dev/null
+++ b/fireflyiii/stacks/.importer.env
@@ -0,0 +1,292 @@
+PUID=3035
+PGID=3034
+TZ=Africa/Johannesburg
+
+# Firefly Data Importer (FIDI) configuration file
+
+# Where is Firefly III?
+#
+# 1) Make sure you ADD http:// or https://
+# 2) Make sure you REMOVE any trailing slash from the end of the URL.
+# 3) In case of Docker, refer to the internal IP of your Firefly III installation.
+#
+# Setting this value is not mandatory. But it is very useful.
+#
+# This variable can be set from a file if you append it with _FILE
+#
+FIREFLY_III_URL=https://${FFIII_FQDN}   # connects via traefik websecure entrypoint
+
+#
+# Imagine Firefly III can be reached at "http://172.16.0.2:8082" (internal Docker network or something).
+# But you have a fancy URL: "https://personal-finances.bill.microsoft.com/"
+#
+# In those cases, you can overrule the URL so when the data importer links back to Firefly III, it uses the correct URL.
+#
+# 1) Make sure you ADD http:// or https://
+# 2) Make sure you REMOVE any trailing slash from the end of the URL.
+#
+# IF YOU SET THIS VALUE, YOU MUST ALSO SET THE FIREFLY_III_URL
+#
+# This variable can be set from a file if you append it with _FILE
+#
+VANITY_URL=https://${FFIII_FQDN} # connects via traefik websecure entrypoint
+
+#
+# Set your Firefly III Personal Access Token (OAuth)
+# You can create a Personal Access Token on the /profile page:
+# go to the OAuth tab, then Personal Access Token and "Create token".
+#
+# - Do not use the "command line token". That's the WRONG one.
+# - Do not use "APP_KEY" value from your Firefly III installation. That's the WRONG one.
+#
+# Setting this value is not mandatory. Instructions will follow if you omit this field.
+#
+# This variable can be set from a file if you append it with _FILE
+#
+FIREFLY_III_ACCESS_TOKEN_FILE=${FFIII_ACCESS_TOKEN_FILE}
+
+#
+# You can also use a public client ID. This is available in Firefly III 5.4.0-alpha.3 and higher.
+# This is a number (1, 2, 3). If you use the client ID, you can leave the access token empty and vice versa.
+#
+# This value is not mandatory to set. Instructions will follow if you omit this field.
+#
+# This variable can be set from a file if you append it with _FILE
+#
+FIREFLY_III_CLIENT_ID=
+
+#
+# GoCardless information.
+# The key and ID can be set from a file if you append it with _FILE
+#
+NORDIGEN_ID=
+NORDIGEN_KEY=
+
+#
+# If you want to use the GoCardless sandbox, set this to true.
+#
+NORDIGEN_SANDBOX=false
+
+#
+# GoCardless has a rate limit in place. The data importer can wait it out, or exit.
+# Valid values are "wait" or "exit"
+#
+RESPOND_TO_GOCARDLESS_LIMIT=wait
+
+#
+# The data importer collects account details, which are currently unused.
+# This is disabled, since it costs a lot of API calls.
+# You can enable it if you want to.
+#
+GOCARDLESS_GET_ACCOUNT_DETAILS=false
+
+#
+# The data importer also collects balances, which can be used for (manual)
+# balance verification ("did the import go well?").
+# This is disabled by default, since it costs a lot of API calls.
+# You can enable it if you want to.
+#
+GOCARDLESS_GET_BALANCE_DETAILS=false
+
+#
+# Spectre information
+#
+# The ID and secret can be set from a file if you append it with _FILE
+SPECTRE_APP_ID=
+SPECTRE_SECRET=
+
+#
+# Use cache. No need to do this.
+#
+USE_CACHE=false
+
+#
+# If set to true, the data import will not complain about running into duplicates.
+# This will give you cleaner import mails if you run regular imports.
+#
+# This means that the data importer will not import duplicates, but it will not complain about them either.
+#
+# This setting has no influence on the settings in your configuration(.json).
+#
+# Of course, if something goes wrong *because* the transaction is a duplicate you will
+# NEVER know unless you start digging in your log files. So be careful with this.
+#
+IGNORE_DUPLICATE_ERRORS=false
+
+#
+# If you set this to true, the importer will not complain about transactions that can't be found after they've
+# been imported. This happens when rule on the Firefly III side deletes the transaction immediately after creating it.
+# This can be useful when you have a rule that immediately deletes GoCardless' "pending" transactions. Setting this
+# to true reduces some noise.
+#
+IGNORE_NOT_FOUND_TRANSACTIONS=false
+
+#
+# Auto import settings. Due to security constraints, you MUST enable each feature individually.
+# You must also set a secret. The secret is used for the web routes.
+#
+# The auto-import secret must be a string of at least 16 characters.
+# Visit this page for inspiration: https://www.random.org/passwords/?num=1&len=16&format=html&rnd=new
+#
+# Submit it using ?secret=X
+#
+# This variable can be set from a file if you append it with _FILE
+#
+AUTO_IMPORT_SECRET=
+
+#
+# Is the /autoimport even endpoint enabled?
+# By default it's disabled, and the secret alone will not enable it.
+#
+CAN_POST_AUTOIMPORT=false
+
+#
+# Is the /autoupload endpoint enabled?
+# By default it's disabled, and the secret alone will not enable it.
+#
+CAN_POST_FILES=false
+
+#
+# Import directory white list. You need to set this before the auto importer will accept a directory to import from.
+#
+# This variable can be set from a file if you append it with _FILE
+#
+IMPORT_DIR_ALLOWLIST=
+
+#
+# If you import from a directory, you can save a fallback configuration file in the directory.
+# This file must be called "_fallback.json" and will be used when your CSV or CAMT.053 file is not accompanied
+# by a configuration file.
+#
+# This fallback configuration will only be used if this variable is set to true.
+# https://docs.firefly-iii.org/how-to/data-importer/advanced/post/#importing-a-local-directory
+#
+FALLBACK_IN_DIR=false
+
+#
+# When you're running Firefly III under a (self-signed) certificate,
+# the data importer may have trouble verifying the TLS connection.
+#
+# You have a few options to make sure the data importer can connect
+# to Firefly III:
+# - 'true': will verify all certificates. The most secure option and the default.
+# - 'file.pem': refer to a file (you must provide it) to your custom root or intermediate certificates.
+# - 'false': will verify NO certificates. Not very secure.
+VERIFY_TLS_SECURITY=true
+
+#
+# If you want, you can set a directory here where the data importer will look for import configurations.
+# This is a separate setting from the /import directory that the auto-import uses.
+# Setting this variable isn't necessary. The default value is "storage/configurations".
+#
+# This variable can be set from a file if you append it with _FILE
+#
+JSON_CONFIGURATION_DIR=
+
+#
+# Time out when connecting with Firefly III.
+# π*10 seconds is usually fine.
+#
+CONNECTION_TIMEOUT=31.41
+
+# The following variables can be useful when debugging the application
+APP_ENV=local
+APP_DEBUG=false
+LOG_CHANNEL=stack
+
+#
+# If you turn this on, expect massive logs with lots of privacy sensitive data
+#
+LOG_RETURN_JSON=false
+
+# Log level. You can set this from least severe to most severe:
+# debug, info, notice, warning, error, critical, alert, emergency
+# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably
+# nothing will get logged, ever.
+LOG_LEVEL=info
+
+# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy.
+# Set it to ** and reverse proxies work just fine.
+TRUSTED_PROXIES=**
+
+#
+# Email settings.
+# The data importer can send you a message with all errors, warnings and messages
+# after a successful import. This is disabled by default
+#
+ENABLE_MAIL_REPORT=false
+
+#
+# Force Firefly III URL to be secure?
+#
+#
+EXPECT_SECURE_URL=false
+
+# If enabled, define which mailer you want to use.
+# Options include: smtp, mailgun, postmark, sendmail, log, array
+# Amazon SES is not supported.
+# log = drop mails in the logs instead of sending them
+# array = debug mailer that does nothing.
+MAIL_MAILER=
+
+# where to send the report?
+MAIL_DESTINATION=${FFIII_MAIL_DESTINATION_FILE}
+
+# other mail settings
+# These variables can be set from a file if you append it with _FILE
+MAIL_FROM_ADDRESS_FILE=${FFIII_MAIL_FROM_FILE}
+MAIL_HOST_FILE=${FFIII_MAIL_HOST_FILE}
+MAIL_PORT=${FFIII_MAIL_PORT}
+MAIL_USERNAME_FILE=${FFIII_MAIL_USERNAME_FILE}
+MAIL_PASSWORD_FILE=${FFIII_MAIL_PASSWORD_FILE}
+MAIL_ENCRYPTION=null
+
+# Extra settings depending on your mail configuration above.
+# These variables can be set from a file if you append it with _FILE
+MAILGUN_DOMAIN=
+MAILGUN_SECRET=
+MAILGUN_ENDPOINT=
+POSTMARK_TOKEN=
+
+#
+# You probably won't need to change these settings.
+#
+BROADCAST_DRIVER=log
+CACHE_DRIVER=file
+QUEUE_CONNECTION=sync
+SESSION_DRIVER=file
+SESSION_LIFETIME=120
+IS_EXTERNAL=false
+
+REDIS_HOST=127.0.0.1
+REDIS_PASSWORD=null
+REDIS_PORT=6379
+
+# always use quotes
+REDIS_DB="0"
+REDIS_CACHE_DB="1"
+
+#
+# Use ASSET_URL when your data importer webpages are served from a URL with a subfolder path
+# This pre-appends the subfolder path in front of URLs for browser-side assets such as CSS Files.
+# Example: If your webserver (i.e. NGINX) is configured to serve the data importer webpages from
+#    http://localhost/ff3di, set ASSET_URL = /ff3di
+#    and it will pre-append that value to any requests for browser-side assets
+# 1) Make sure you REMOVE any trailing slash from the end of the URL.
+#
+ASSET_URL=
+
+# The only tracker supported is Matomo.
+# This is used on the public instance over at https://data-importer.firefly-iii.org
+TRACKER_SITE_ID=
+TRACKER_URL=
+
+APP_NAME=DataImporter
+
+#
+# The APP_URL environment variable is NOT used anywhere.
+# Don't bother setting it to fix your reverse proxy problems. It won't help.
+# Don't open issues telling me it doesn't help because it's not supposed to.
+# Laravel uses this to generate links on the command line, which is a feature the data importer does not use.
+#
+APP_URL=http://localhost
\ No newline at end of file
diff --git a/fireflyiii/stacks/.postgresql.env b/fireflyiii/stacks/.postgresql.env
new file mode 100644
index 0000000..7f6469b
--- /dev/null
+++ b/fireflyiii/stacks/.postgresql.env
@@ -0,0 +1,8 @@
+
+PUID=70
+PGID=70
+TZ=Africa/Johannesburg
+
+POSTGRES_DB_FILE=${FFIII_DB_NAME_FILE}
+POSTGRES_USER_FILE=${FFIII_DB_USER_FILE}
+POSTGRES_PASSWORD_FILE=${FFIII_DB_PASSWORD_FILE}
diff --git a/fireflyiii/stacks/compose.yml b/fireflyiii/stacks/compose.yml
new file mode 100644
index 0000000..8febddf
--- /dev/null
+++ b/fireflyiii/stacks/compose.yml
@@ -0,0 +1,183 @@
+# https://docs.firefly-iii.org/how-to/firefly-iii/installation/docker/
+#
+# The Firefly III Data Importer will ask you for the Firefly III URL and a "Client ID".
+# You can generate the Client ID at http://localhost/profile (after registering)
+# The Firefly III URL is: http://app:8080
+#
+# Other URL's will give 500 | Server Error
+#
+name: fireflyiii
+
+networks:
+  traefik-net:
+    external: true
+  fireflyiii-net:
+    external: true
+    
+secrets:
+  fireflyiii_access_token:
+    file: ${SECRETSDIR}/fireflyiii_access_token
+  fireflyiii_app_key:
+    file: ${SECRETSDIR}/fireflyiii_app_key
+  fireflyiii_default_lat:
+    file: ${SECRETSDIR}/fireflyiii_default_lat
+  fireflyiii_default_long:
+    file: ${SECRETSDIR}/fireflyiii_default_long
+  fireflyiii_mail_destination:
+    file: ${SECRETSDIR}/fireflyiii_mail_destination
+  fireflyiii_mail_from:
+    file: ${SECRETSDIR}/fireflyiii_mail_from
+  fireflyiii_mail_host:
+    file: ${SECRETSDIR}/fireflyiii_mail_host
+  fireflyiii_mail_password:
+    file: ${SECRETSDIR}/fireflyiii_mail_password
+  fireflyiii_mail_username:
+    file: ${SECRETSDIR}/fireflyiii_mail_username
+  fireflyiii_postgresql_database:
+    file: ${SECRETSDIR}/fireflyiii_postgresql_database
+  fireflyiii_postgresql_password:
+    file: ${SECRETSDIR}/fireflyiii_postgresql_password
+  fireflyiii_postgresql_username:
+    file: ${SECRETSDIR}/fireflyiii_postgresql_username
+  fireflyiii_site_owner:
+    file: ${SECRETSDIR}/fireflyiii_site_owner
+  fireflyiii_static_cron_token:
+    file: ${SECRETSDIR}/fireflyiii_static_cron_token
+
+services:
+  firefly:
+    image: fireflyiii/core:latest
+    #image: fireflyiii/core:version-6.1.16
+    hostname: "${APPLICATION_NAME}"
+#    user: ${PUID}:${PGID}
+    volumes:
+      - ${DATADIR}/appdata:/var/www/html/storage/upload
+      - ${DATADIR}/config:/config
+    restart: unless-stopped
+    env_file: .firefly.env
+    networks:
+      fireflyiii-net: 
+        aliases: ["fireflyiii", "${FFIII_FQDN}"]
+      traefik-net: {}
+    depends_on:
+      postgresql:
+        condition: service_healthy
+    secrets:
+      - fireflyiii_app_key
+      - fireflyiii_default_lat
+      - fireflyiii_default_long
+      - fireflyiii_mail_from
+      - fireflyiii_mail_host
+      - fireflyiii_mail_password
+      - fireflyiii_mail_username
+      - fireflyiii_postgresql_database
+      - fireflyiii_postgresql_password
+      - fireflyiii_postgresql_username
+      - fireflyiii_site_owner
+      - fireflyiii_static_cron_token
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${FFIII_FQDN}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${FFIII_FQDN}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # apply tls options
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+
+  importer:
+    image: fireflyiii/data-importer:latest
+    hostname: "${IMPORTER_NAME}"
+    restart: unless-stopped
+    env_file: .importer.env
+#    user: ${PUID}:${PGID}
+    networks:
+      traefik-net: {}
+#        ipv4_address: ${FFIII_IMPORTER_IPV4_ADDRESS}
+#        aliases: ["${FFIII_IMPORTER_FQDN}"]
+    depends_on:
+      - firefly
+    secrets:
+      - fireflyiii_access_token
+      - fireflyiii_mail_from
+      - fireflyiii_mail_host
+      - fireflyiii_mail_password
+      - fireflyiii_mail_username
+      - fireflyiii_mail_destination
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      - "traefik.http.services.${IMPORTER_NAME}-svc.loadbalancer.server.port=${IMPORTER_WEBUI_PORT}"
+      - "traefik.http.routers.${IMPORTER_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${IMPORTER_NAME}-rtr.rule=Host(`${FFIII_IMPORTER_FQDN}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${IMPORTER_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${IMPORTER_NAME}-rtr.service=${IMPORTER_NAME}-svc"
+      - "traefik.http.routers.${IMPORTER_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${IMPORTER_NAME}-secure-rtr.rule=Host(`${FFIII_IMPORTER_FQDN}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${IMPORTER_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${IMPORTER_NAME}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${IMPORTER_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      - "traefik.http.routers.${IMPORTER_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${IMPORTER_NAME}-secure-rtr.service=${IMPORTER_NAME}-svc"
+
+  postgresql:
+    image: postgres:16-alpine
+    hostname: "firefly_postgresql"
+    shm_size: 128mb # https://hub.docker.com/_/postgres
+    restart: unless-stopped
+    env_file: .postgresql.env
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    networks:
+      fireflyiii-net:
+        aliases: ["fireflyiii_postgresql"]
+    secrets:
+      - fireflyiii_postgresql_database
+      - fireflyiii_postgresql_password
+      - fireflyiii_postgresql_username
+    volumes:
+      - "${DATADIR}/pgdata:/var/lib/postgresql/data"
+      - "${DATADIR}/pgbackups:/mnt/backups"
+
+  cron:
+    #
+    # To make this work, set STATIC_CRON_TOKEN in your .env file or as an environment variable
+    # The STATIC_CRON_TOKEN must be *exactly* 32 characters long
+    # Generate the token with
+    #      openssl rand 32 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' | cut -c -32
+    #
+    image: alpine
+    restart: always
+    secrets:
+      - fireflyiii_static_cron_token
+    command: sh -c "echo \"0 3 * * * wget -qO- http://fireflyiii:8080/api/v1/cron/$${STATIC_CRON_TOKEN}\" | crontab - && crond -f -L /dev/stdout"
+    networks:
+      - fireflyiii-net
diff --git a/folders.txt b/folders.txt
new file mode 100644
index 0000000..982736b
--- /dev/null
+++ b/folders.txt
@@ -0,0 +1,34 @@
+APPLICATION_NAME=
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOWNLOADSDIR=/mnt/stpool1/Downloads
+
+STAGINGDIR=/mnt/stpool1/NData1/staging
+SHAREDDATADIR=/mnt/stpool1/Shared_Data
+BULKSTOREDIR=/mnt/stpool1/NData2/bulkstore
+SYNCHEDDIR=/mnt/stpool1/synched
+OBJECTSTOREDIR=/mnt/stpool1/objectstore
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CERTSDIR=${DATAROOT}/traefik/certs
+
+
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+
+
+
+        --bind='/mnt/SSD1/docker/data:/mnt/data'
+        --bind='/mnt/SSD1/docker/stacks:/opt/stacks'
+        --bind='/mnt/stpool1/NData1/Media:/mnt/media'
+        --bind='/mnt/stpool1/NData1/staging:/mnt/staging'
+        --bind='/mnt/stpool1/NData2/bulkstore:/mnt/bulkstore'
+        --bind='/mnt/stpool1/Downloads:/mnt/downloads'
+        --bind='/mnt/stpool1/Shared_Data:/mnt/shared'
+        --bind='/mnt/stpool1/synched:/mnt/synched'
+        --bind='/mnt/stpool1/objectstore:/mnt/objectstore'
+#        --bind='/mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net:/mnt/migrate'
\ No newline at end of file
diff --git a/gitea/app.ini.rar b/gitea/app.ini.rar
new file mode 100644
index 0000000..596b4a8
Binary files /dev/null and b/gitea/app.ini.rar differ
diff --git a/gitea/cp2nas.ps1 b/gitea/cp2nas.ps1
new file mode 100644
index 0000000..6778989
--- /dev/null
+++ b/gitea/cp2nas.ps1
@@ -0,0 +1,57 @@
+############### MAIN ###############
+$Main =
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        [Parameter(Mandatory=$false)]
+        [string[]] $apps
+    )
+    If($PSBoundParameters.ContainsKey("apps")) {
+        foreach ($appname in $apps)
+        {
+            copyfolder $destHost "$appname\stacks" $appname
+        }
+    }
+    else {
+        $appname="$pwd".Split("\\")[-1]
+        copyfolder $destHost "stacks" $appname
+    }
+}
+
+###################################
+Function copyfolder
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $srcdir,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $appname
+    )
+    if (-Not(Test-Path -Path $srcdir)) {
+        Write-Host "Source path doesn't exist: ""$PSScriptRoot\$srcdir\*.*"". No files copied!"  -ForegroundColor Red
+        Write-Host "Usage: in app folder       : ./cp2nas DEST|IP"
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP app1, app2, app3, ..."
+        return
+    }
+    $destStacks="/mnt/SSD1/docker/stacks/"
+    $destDir=$destStacks+$appname+"/"
+    Write-Host "pscp -P 22 -r ""$srcdir\*.*"" root@${destHost}:""${destDir}""" -ForegroundColor Green
+    Write-Host "Copying to ${destHost}:""${destStacks}" -NoNewline 
+    Write-Host "${appname}/" -ForegroundColor DarkYellow  -NoNewline 
+    Write-Host """:"
+    pscp -P 22 -r "$srcdir\*.*" root@${destHost}:""${destDir}""
+}
+
+###################################
+& $Main @Args
\ No newline at end of file
diff --git a/gitea/gitea_jm.txt b/gitea/gitea_jm.txt
new file mode 100644
index 0000000..a6f7b7d
--- /dev/null
+++ b/gitea/gitea_jm.txt
@@ -0,0 +1,264 @@
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: git
+Username: git
+Disable Password: <selected>
+Email: <leave blank>
+UID: 1000
+Create New Primary Group: <unselected>
+Create Home Directory: <unchecked>
+Samba Authentication: <unchecked>
+Save
+Credentials -> Local Groups -> Add
+Name: git
+GID: 1000
+
+PUID: 1000
+PGID: 1000
+Update .env file accordingly (PUID, PGID)
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*gitea"
+# create following datasets if not present
+zfs create SSD1/docker/data/gitea
+zfs create SSD1/docker/data/gitea/appdata
+zfs create SSD1/docker/data/gitea/backups
+zfs create SSD1/docker/data/gitea/pgdata
+zfs create SSD1/docker/data/gitea/pgbackups
+chown -R git:git /mnt/SSD1/docker/data/gitea
+chown -R postgres:postgres /mnt/SSD1/docker/data/gitea/pgdata
+chown -R postgres:postgres /mnt/SSD1/docker/data/gitea/pgbackups
+
+Create folder
+-------------
+# In Truenas shell:
+mkdir -p /mnt/SSD1/docker/stacks/gitea/secrets
+
+Create secrets
+--------------
+In Truenas shell:
+cd /mnt/SSD1/docker/stacks/gitea/secrets/
+# database secrets
+echo -n 'gitea' > /mnt/SSD1/docker/stacks/gitea/secrets/gitea_postgresql_database
+echo -n 'gitea' > /mnt/SSD1/docker/stacks/gitea/secrets/gitea_postgresql_username
+openssl rand 36 | base64 -w 0 > /mnt/SSD1/docker/stacks/gitea/secrets/gitea_postgresql_password
+# smtp email secrets
+echo -n 'your_smtp_destination' > /mnt/SSD1/docker/stacks/gitea/secrets/smtp_destination
+echo -n 'your_smtp_from' > /mnt/SSD1/docker/stacks/gitea/secrets/smtp_from
+echo -n 'your_smtp_host' > /mnt/SSD1/docker/stacks/gitea/secrets/smtp_host
+echo -n 'your_smtp_username' > /mnt/SSD1/docker/stacks/gitea/secrets/smtp_username
+echo -n 'your_smtp_password' > /mnt/SSD1/docker/stacks/gitea/secrets/smtp_password
+# restrict access
+chown -R git:git /mnt/SSD1/docker/stacks/gitea/secrets/
+chmod -R 400 /mnt/SSD1/docker/stacks/gitea/secrets/
+# read existing acl permissions, if any
+getfacl /mnt/SSD1/docker/stacks/gitea/secrets
+# set acl permissions
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/gitea/secrets
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/gitea/secrets/gitea_postgresql_password
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/gitea/secrets/gitea_postgresql_username
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/gitea/secrets/gitea_postgresql_database
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+# to list secrets in secrets dir
+cd /mnt/SSD1/docker/stacks/gitea/secrets
+for i in $(ls -1); do echo $i = `cat $i`; done | sort
+
+Copy folder to docker stacks
+----------------------------
+In Windows cmd shell in gitea parent (apps) folder, enter:
+./cp2nas 10.0.0.20 gitea
+# or
+pscp -P 22 -r gitea/stacks/*.* root@10.0.0.20:/mnt/SSD1/docker/stacks/gitea/
+
+Backup gitea database
+---------------------  
+In truenas shell:
+mkdir /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+chown pgadmin:pgadmin /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+
+Using browser log in to pgAdmin
+Connect to servers; refer to "connecting to servers.txt", which also explains how to obtain db passwords
+To perform plain text backup:
+Navigate to Servers => gitea -> Databases -> gitea
+Right click on gitea database and select Backup...
+Enter the following on the different tabs of dialog box that opened:
+General:
+Replace ##### with today's date in YYYY-MM-DD format
+Filename: /#####/gitea-backup.sql (this maps to: /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/#####/gitea-backup.sql on truenas)
+Format: Plain
+Encoding: UTF8
+Role name: gitea
+Data Options:
+Sections:
+Pre-data: <select>
+Data: <select>
+Post-data: <select>
+Objects:
+Check public to select all objects
+Click Backup
+
+Copy archive to pgbackup folder:
+cp -vr /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I) /mnt/SSD1/docker/data/gitea/pgbackups/
+
+Migrating database
+------------------
+docker stop gitea
+# copy back up file(s) to gitea backups folder
+cp -vr /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I) /mnt/SSD1/docker/data/gitea/backups #replace $(date -I) with date when backup was made if not today
+jlmkr shell docker
+docker exec -it gitea_postgresql sh
+psql -U gitea -d gitea < /mnt/backups/$(date -I)/gitea-backup.sql #replace $(date -I) with date when backup was made if not today
+exit
+
+Backup data folder
+------------------
+Is is advisable to also backup the data folder. We'll do it before the gitea data dump
+Stop gitea app:
+heavyscript app --stop gitea
+Use tar to backup:
+cd /mnt/stpool1/appdata/gitea/
+tar -zcf $shared/Chris/gitea/backup-$(date -I).tar.gz ./
+heavyscript app --start gitea
+
+Dumping gitea data
+------------------
+List gitea pods to check if they are running. If not, wait for the container to start:
+k3s kubectl get pods -n ix-gitea
+If all are ok, the listed containers should resemble the following:
+NAME                               READY   STATUS    RESTARTS   AGE
+gitea-cnpg-main-1                  1/1     Running   0          3h44m
+gitea-memcached-6555987b5c-cl5l6   1/1     Running   0          3h44m
+gitea-5d578f4988-8ht9r             1/1     Running   0          3h44m
+
+Perform gitea dump using namespace, pod name and container name:
+k3s kubectl exec -n ix-gitea gitea-5d578f4988-8ht9r -c gitea -it -- gitea dump -c /data/gitea/conf/app.ini -f /tmp/gitea-dump-$(date -I) --type zip 
+Copy backup archive from container to backup folder:
+k3s kubectl cp -c gitea ix-gitea/gitea-5d578f4988-8ht9r:/tmp/gitea-dump-$(date -I).zip /mnt/SSD1/docker/data/gitea/backups/gitea-dump-$(date -I).zip 
+k3s kubectl exec -n ix-gitea gitea-5d578f4988-8ht9r -c gitea -it -- rm -v /tmp/gitea-dump-$(date -I).zip
+
+Restore to new gitea(Docker rootless)
+-------------------------------------
+Refer to: https://docs.gitea.com/administration/backup-and-restore
+jlmkr shell docker
+cd /mnt/data/gitea/backups
+# copy container app.ini, if required later
+docker cp gitea:/etc/gitea/app.ini ./app-new.ini  # container api.ini should be the file in /mnt/data/gitea/config
+
+chown 1000:1000 gitea-dump-2024-09-04.zip
+# with newly installed gitea running, unzip backup in container
+docker exec --user git -it gitea unzip /mnt/backups/gitea-dump-$(date -I).zip -d /mnt/backups/temp/
+# since we have nano in docker shell, we will edit app.ini here 
+nano /mnt/data/gitea/backups/temp/app.ini
+# change the work path to match the folder in the gitea container that ${DATADIR}/appdata is mapped to, i.e. /var/lib/gitea	
+# change all paths to relative paths (inside work path)
+# change tmp path to relative path (inside work path)
+# the result should resemble following:
+WORK_PATH = /var/lib/gitea
+[repository]
+ROOT = git/gitea-repositories
+[server]
+APP_DATA_PATH = /var/lib/gitea
+CERT_FILE = gitea/https/gitea-sthome_org_cert.pem
+KEY_FILE = gitea/https/gitea-sthome_org_key.pem
+ACME_CA_ROOT = gitea/https/ca-cert-sthome_ca2.pem
+[log]
+ROOT_PATH = log
+# change database password and host, after editing, the database stanza host line should resemble the following:
+[database]
+HOST = gitea_postgresql:5432
+PASSWD = ioZ7lrzzMNcqLEr54sd5XMCe52E5OD7fD9BgS/MCh1DHNwH7
+# change server domains,urls, etc.; after editing, the relevant server stanza lines should resemble the following:
+[server]
+DOMAIN = gitea.sthome.org
+ROOT_URL = https://gitea.sthome.org/
+SSH_DOMAIN = gitea.sthome.org
+CERT_FILE = /data/gitea/https/gitea-sthome_org_cert.pem
+KEY_FILE = /data/gitea/https/gitea-sthome_org_key.pem
+ACME_URL = https://acme-v02.api.letsencrypt.org/directory
+# add mailer stanza:
+[mailer]
+ENABLED        = true
+FROM           = stuurman30@telkomsa.net
+PROTOCOL       = smtp
+SMTP_ADDR      = smtp.telkomsa.net
+SMTP_PORT      = 25
+USER           = stuurman30@telkomsa.net
+PASSWD         = UltraM3!2024#
+# save and exit
+
+# ensure correct permissions for app.ini
+chown 1000:1000 /mnt/data/gitea/backups/temp/app.ini
+chmod 600 /mnt/data/gitea/backups/temp/app.ini
+# open bash session in container
+docker exec --user git -it gitea bash
+cd /mnt/backups/temp
+# restore the app.ini
+cp -vp app.ini /etc/gitea/app.ini
+# restore the gitea data
+cp -vpr data/* /var/lib/gitea
+# restore the repositories itself
+cp -vpr repos/* /var/lib/gitea/git/repositories
+# adjust file permissions
+chown -R git:git /etc/gitea/app.ini /var/lib/gitea
+# Regenerate Git Hooks
+/usr/local/bin/gitea -c '/etc/gitea/app.ini' admin regenerate hooks
+
+Starting up new gitea
+---------------------
+If gitea and postgresql containers are healthy in Dockge, browse to gitea.sthome.org
+An Initial Configuration page will open
+To get postgress and smtp passwords:
+cat /opt/stacks/gitea/secrets/gitea_postgresql_password && echo && cat /opt/stacks/gitea/secrets/smtp_password && echo
+Enter the db password under Database Settings 
+Enter smtp password under Optional Settings -> Email Settings
+Complete Administrator Account Settings
+Click Install Gitea at the bottom
+If it complains about You are trying to install into an existing Gitea database
+Check the three checkboxes and click Install Gitea
+
+If your avatars are missing, you can go to Settings and click on Delete Current Avatar to reset avatar to generated one
+
+
+[repository.local]
+LOCAL_COPY_PATH = /tmp/gitea/local-repo
+
+[repository.upload]
+TEMP_PATH = /tmp/gitea/uploads
+
+Troubleshooting
+---------------
+# To check gitea log (if logging to file), enter:
+tail -n50 /mnt/data/gitea/appdata/data/log/gitea.log -f
+# note the time of the last entry
+# If gitea is logging persistent "Error: pq: password authentication failed for user "gitea"":
+# In docker shell, enter:
+docker exec gitea-gitea-1 gitea doctor check
+# this should display if user with wrong type exist
+# If it shows an error, do the following to double check gitea instance of postgresql:
+# In docker shell, exec into gitea postgresql container:
+docker exec -it gitea-postgresql-1 bash
+# In postgresql container shell, enter:
+psql -U gitea -d gitea
+# See if you get gitea prompt; if you do, then gitea user and gitea db is ok
+# In gitea db shell list schemas (it should show "public"), enter:
+\dn
+# and to list roles, enter:
+\du
+# exit twice to get back to docker shell
+# if anything appears wrong, rectify. However, if schemas and roles are ok, you need to check further...
+# BTW, a subsequent doctor check now might show that the error is gone, but don't be fooled; it will return if gitea is restarted
+# One other problem might be that there could be a clash with postgresql hostnames on the docker network. 
+# Check whether the GITEA__database__HOST setting in the compose.yml points to a unique postgresql instance. 
+# Fix it if it looks suspect. Restart gitea with updated compose.yml and check log again for errors (from the above noted time onwards)
+tail -n50 /mnt/data/gitea/appdata/data/log/gitea.log -f
+
+
+
+
+
+
+
diff --git a/gitea/stacks/.env b/gitea/stacks/.env
new file mode 100644
index 0000000..b8cfb47
--- /dev/null
+++ b/gitea/stacks/.env
@@ -0,0 +1,28 @@
+################################################################
+APPLICATION_NAME=gitea
+
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOCKERDIR=/mnt/SSD1/docker/
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+PUID=1000
+PGID=1000
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+WEBUI_PORT=3000
+################################################################
+
+DB_TYPE=postgres
+POSTGRES_DB_PORT=5432
+POSTGRES_DB_FILE=/run/secrets/gitea_postgresql_database
+POSTGRES_USER_FILE=/run/secrets/gitea_postgresql_username
+POSTGRES_PASSWORD_FILE=/run/secrets/gitea_postgresql_password
+
+
+
+
+
+
diff --git a/gitea/stacks/.gitea.env b/gitea/stacks/.gitea.env
new file mode 100644
index 0000000..39541c4
--- /dev/null
+++ b/gitea/stacks/.gitea.env
@@ -0,0 +1,36 @@
+################################################################
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+
+GIT_DISCOVERY_ACROSS_FILESYSTEM=1
+
+# Database (database)
+GITEA__database__DB_TYPE=${DB_TYPE}
+GITEA__database__NAME__FILE=${POSTGRES_DB_FILE}
+GITEA__database__USER__FILE=${POSTGRES_USER_FILE}
+GITEA__database__PASSWD__FILE=${POSTGRES_PASSWORD_FILE}
+
+# Mailer (mailer)
+GITEA__mailer__ENABLED=true
+GITEA__mailer__PROTOCOL=smtp
+GITEA__mailer__SMTP_PORT=25
+GITEA__mailer__SMTP_ADDR__FILE=/run/secrets/smtp_host
+GITEA__mailer__FROM__FILE=/run/secrets/smtp_from
+GITEA__mailer__USER__FILE=/run/secrets/smtp_username
+GITEA__mailer__PASSWD__FILE=/run/secrets/smtp_password
+
+# OAuth2 Client (oauth2_client)
+# see authentik_setup_jm.txt
+GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true
+GITEA__oauth2_client__ACCOUNT_LINKING=login
+GITEA__oauth2_client__OPENID_CONNECT_SCOPES="email profile gitea"
+GITEA__oauth2_client__USERNAME=nickname
+GITEA__oauth2_client__UPDATE_AVATAR=true
+
+
+################################################################
+# If required:
+#GITEA__mailer__PASSWD    # enter the password when accessing gitea for the first time at Initial Configuration page
+#GITEA__database__PASSWD__FILE   # enter the password when accessing gitea for the first time at Initial Configuration page, must be same as the content of /opt/stacks/gitea/secrets/gitea_postgresql_password
\ No newline at end of file
diff --git a/gitea/stacks/.postgresql.env b/gitea/stacks/.postgresql.env
new file mode 100644
index 0000000..0d95871
--- /dev/null
+++ b/gitea/stacks/.postgresql.env
@@ -0,0 +1,11 @@
+
+PUID=70
+PGID=70
+TZ=${TZ}
+
+POSTGRES_DB_PORT=${POSTGRES_DB_PORT}
+POSTGRES_DB_FILE=${POSTGRES_DB_FILE}
+POSTGRES_USER_FILE=${POSTGRES_USER_FILE}
+POSTGRES_PASSWORD_FILE=${POSTGRES_PASSWORD_FILE}
+
+
diff --git a/gitea/stacks/compose.yml b/gitea/stacks/compose.yml
new file mode 100644
index 0000000..0e0a881
--- /dev/null
+++ b/gitea/stacks/compose.yml
@@ -0,0 +1,90 @@
+name: gitea
+
+secrets:
+  gitea_postgresql_database:
+    file: "${SECRETSDIR}/gitea_postgresql_database"
+  gitea_postgresql_username:
+    file: "${SECRETSDIR}/gitea_postgresql_username"
+  gitea_postgresql_password:
+    file: "${SECRETSDIR}/gitea_postgresql_password"
+  smtp_from:
+    file: "${SECRETSDIR}/smtp_from"
+  smtp_username:
+    file: "${SECRETSDIR}/smtp_username"
+  smtp_password:
+    file: "${SECRETSDIR}/smtp_password"
+  smtp_host:
+    file: "${SECRETSDIR}/smtp_host"
+    
+networks:
+  traefik-net:
+    external: true
+  postgres-net:
+    external: true
+
+services:
+  gitea:
+    image: gitea/gitea:1.22.3-rootless
+    hostname: "${APPLICATION_NAME}"
+    networks:
+      - postgres-net
+      - traefik-net
+    env_file: .gitea.env
+    environment:
+      GITEA__database__HOST: "gitea_postgresql:${POSTGRES_DB_PORT}"
+    secrets:
+      - gitea_postgresql_database
+      - gitea_postgresql_username
+      - gitea_postgresql_password
+      - smtp_from
+      - smtp_username
+      - smtp_password
+      - smtp_host
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+      - "${DATADIR}/config:/etc/gitea"
+      - "${DATADIR}/appdata:/var/lib/gitea"
+      - "${DATADIR}/backups:/mnt/backups"
+    restart: unless-stopped
+    depends_on:
+      postgresql:
+        condition: service_healthy
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+
+
+  postgresql:
+    image: postgres:16-alpine
+    env_file: .postgresql.env
+    shm_size: 128mb # https://hub.docker.com/_/postgres
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    networks:
+      postgres-net:
+          aliases: ["gitea_postgresql"]
+    secrets:
+      - ${APPLICATION_NAME}_postgresql_database
+      - ${APPLICATION_NAME}_postgresql_username
+      - ${APPLICATION_NAME}_postgresql_password
+    volumes:
+      - "${DATADIR}/pgdata:/var/lib/postgresql/data"
+      - "${DATADIR}/pgbackups:/mnt/backups"
\ No newline at end of file
diff --git a/gluetun-arr/gluetun-arr_jm.txt b/gluetun-arr/gluetun-arr_jm.txt
new file mode 100644
index 0000000..88a2488
--- /dev/null
+++ b/gluetun-arr/gluetun-arr_jm.txt
@@ -0,0 +1,103 @@
+https://github.com/qdm12/gluetun-wiki
+https://www.youtube.com/watch?v=0F6I03LQcI4
+
+# all services in this project will make use of the gluetun VPN
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: gluetun
+Username: gluetun
+Disable Password: <selected>
+Email:
+UID: 3029
+Create New Primary Group: <selected>
+Create Home Directory: <unchecked>
+Samba Authentication: <unchecked>
+Save
+Check Credentials -> Local Groups for GID
+Name: gluetun
+GID: 3028
+
+gluetun UID: 3029
+gluetun GID: 3028
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*gluetun-arr"
+# create following datasets if not present
+zfs create SSD1/docker/data/gluetun-arr
+zfs create SSD1/docker/data/gluetun-arr/appdata
+chown -R gluetun:gluetun /mnt/SSD1/docker/data/gluetun-arr
+
+Create folder
+-------------
+mkdir /mnt/SSD1/docker/stacks/gluetun-arr
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in gluetun-arr folder, enter:
+./cp2nas 10.0.0.20
+# OR
+pscp -P 22 -r stacks/*.* root@10.0.0.20:/mnt/SSD1/docker/stacks/gluetun-arr/
+# The above should copy compose.yaml, .env and secrets folder to /mnt/SSD1/docker/stacks/gluetun-arr
+
+Creating secrets
+----------------
+In Truenas shell:
+cd /mnt/SSD1/docker/stacks/gluetun-arr/secrets
+echo -n 'nordvpn private key' > wireguard_private_key
+cd /mnt/SSD1/docker/stacks/gluetun-arr
+chown -R gluetun:gluetun secrets/
+chmod -R 400 secrets/
+
+Creating user password hash strings for user authorisation using traefik basic-auth
+-----------------------------------------------------------------------------------
+# If not installed, install htpasswd:
+jlmkr shell docker
+apt update & apt install apache2-utils
+# The user credentials can be applied as a label entry in the compose.yml file or as a line entry in a text file
+# When used as a label entry, all '$' needs to be escaped with a second '$'; sed can be used for this purpose:
+# To create user list textfile line item
+echo $(htpasswd -nB admin)  > /opt/stacks/traefik/users/<appname>.txt
+# To create string to be used in compose file label 
+echo $(htpasswd -nB admin) | sed -e s/\\$/\\$\\$/g
+# See traefik_jm.txt for more detailed instructions
+
+gluetun folder mappings
+----------------------
+# To avoid problems setting up new app, it is recommended that the mount path for downloads inside the container be kept exactly the same as what the old app use to have
+# As we did not migrate data from old app to new, on initial import, all tvshows will default to being monitored. Make changes accordingly.
+
+Check gluetun ip
+----------------
+# Exec into any of the apps' container using gluetun
+docker exec -it <app-container-name> sh
+# Check remote ip
+curl ifconfig.me # or curl http://whatismyip.akamai.com
+
+Update .env and compose.yml for app
+-----------------------------------
+# The gluetun .env file requires the following entries for each app using the gluetun VPN, e.g. for radarr:
+RADARR_APP=radarr
+RADARR_PORT=7878
+
+# The gluetun compose.yml file requires the following label entries for each app using the gluetun VPN, e.g. for radarr:
+      #- "traefik.http.middlewares.${RADARR_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}" # uncomment to use common credentials
+      #- "traefik.http.middlewares.${RADARR_APP}-auth.basicauth.usersfile=/mnt/users/${RADARR_APP}.txt"          # uncomment to use credentials stored in /opt/stacks/traefik/users/<appname>.txt
+      - "traefik.http.services.${RADARR_APP}-gt-svc.loadbalancer.server.port=${RADARR_PORT}"
+      - "traefik.http.routers.${RADARR_APP}.entrypoints=web"
+      - "traefik.http.routers.${RADARR_APP}.rule=Host(`${RADARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${RADARR_APP}-secure.entrypoints=websecure"
+      - "traefik.http.routers.${RADARR_APP}-secure.rule=Host(`${RADARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${RADARR_APP}-secure.tls=true"
+      - "traefik.http.routers.${RADARR_APP}-secure.tls.certresolver=sthomeresolver"
+      #- "traefik.http.routers.${RADARR_APP}-secure.middlewares=${RADARR_APP}-auth"          # uncomment to use basic-auth; requires one or both of above basicauth middlewares to be uncommented
+      - "traefik.http.routers.${RADARR_APP}-secure.service=${RADARR_APP}-gt-svc"
+
+Troubleshooting
+---------------
+If dockge / docker compose up complains about "parsing /opt/stacks/.../compose.yml: yaml: line ##: did not find expected '-' indicator", where ## is the "labels:" line number in compose.yml:
+ - look for missing trailing '"' amongst the labels
diff --git a/gluetun-arr/stacks/.env b/gluetun-arr/stacks/.env
new file mode 100644
index 0000000..6c7aae1
--- /dev/null
+++ b/gluetun-arr/stacks/.env
@@ -0,0 +1,62 @@
+##############################################################################################
+# Values to be used for substitution by docker compose in compose.yml AND .*.env files
+##############################################################################################
+
+APPLICATION_NAME=gluetun-arr
+
+DOCKERDIR=/mnt/SSD1/docker
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOWNLOADSDIR=/mnt/stpool1/Downloads
+RECYCLINGDIR=/mnt/stpool1/Recycling
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+
+CT_DOWNLOADS=/Downloads
+CT_MEDIA=/Media
+CT_RECYCLINGBIN=/Recycling
+
+
+DOMAINNAME=sthome.org
+PG_PUID=70
+PG_PGID=70
+
+# SHARED CREDENTIALS
+# ------------------
+ADMIN_CREDENTIALS=admin:$$2y$$05$$0tm.eTBAEy0O6BOzsIPqnuBv6MD64w9Uf.XZZXkBTmLr5D5azrHEu
+USER_CREDENTIALS=Chris:$$2y$$05$$QXxyPnW2IrfemjVkAkdHCO2a/OmXnVRijESfbrTyxAy21xD2l8BAC
+
+# APPLICATIONS USING SHARED GLUETUN
+# ---------------------------------
+QBIT_APP=qbittorrent
+QBIT_PORT=10095
+
+# prowlarr uses qbittorrent, so install qbittorrent before prowlarr
+PROWLARR_APP=prowlarr
+PROWLARR_PORT=9696
+
+# radarr uses prowlarr, so install prowlarr before radarr
+RADARR_APP=radarr
+RADARR_PORT=7878
+
+# lidarr uses prowlarr, so install prowlarr before lidarr
+LIDARR_APP=lidarr
+LIDARR_PORT=8686
+
+# readarr uses prowlarr, so install prowlarr before readarr
+READARR_APP=readarr
+READARR_PORT=8787
+
+# sonarr uses prowlarr, so install prowlarr before sonarr
+SONARR_APP=sonarr
+SONARR_PORT=8989
+
+FLARESOLVERR_APP=flaresolverr
+FLARESOLVERR_PORT=8191
+
+
+
+
diff --git a/gluetun-arr/stacks/.flaresolverr.env b/gluetun-arr/stacks/.flaresolverr.env
new file mode 100644
index 0000000..88681c2
--- /dev/null
+++ b/gluetun-arr/stacks/.flaresolverr.env
@@ -0,0 +1,17 @@
+##############################################################################################
+# Environment variables for flaresolverr
+##############################################################################################
+
+PUID=3063
+PGID=3064
+TZ=Africa/Johannesburg
+
+# LOG_LEVEL=${LOG_LEVEL:-info}
+# LOG_HTML=${LOG_HTML:-false}
+# CAPTCHA_SOLVER=${CAPTCHA_SOLVER:-none}
+
+LOG_LEVEL=info
+LOG_HTML=false
+CAPTCHA_SOLVER=none
+
+
diff --git a/gluetun-arr/stacks/.gluetun.env b/gluetun-arr/stacks/.gluetun.env
new file mode 100644
index 0000000..3db2c67
--- /dev/null
+++ b/gluetun-arr/stacks/.gluetun.env
@@ -0,0 +1,37 @@
+##############################################################################################
+# Environment variables for gluetun
+##############################################################################################
+PUID=3029
+PGID=3028
+TZ=Africa/Johannesburg
+
+# VPN
+
+VPN_SERVICE_PROVIDER=nordvpn
+VPN_TYPE=wireguard
+WIREGUARD_PRIVATE_KEY=file:///run/secrets/wireguard_private_key
+#SERVER_COUNTRIES=  # Comma separated list of countries
+#SERVER_REGIONS=  # Comma separated list of regions
+#SERVER_CITIES=  # Comma separated list of server cities
+#SERVER_HOSTNAMES=  # Comma separated list of server hostnames
+#SERVER_CATEGORIES=  # Comma separated list of server categories
+#WIREGUARD_PRESHARED_KEY=
+#WIREGUARD_ADDRESSES=
+WIREGUARD_MTU=1400
+WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL=30s
+HTTP_CONTROL_SERVER_LOG=off
+DOT=on
+DOT_PROVIDERS=quad9
+DOT_CACHING=off
+DNS_UPDATE_PERIOD=24h
+BLOCK_MALICIOUS=false
+BLOCK_SURVEILLANCE=false
+BLOCK_ADS=false
+SHADOWSOCKS=off
+#FIREWALL_VPN_INPUT_PORTS=
+#FIREWALL_OUTBOUND_SUBNETS=10.0.0.0/20
+HEALTH_TARGET_ADDRESS=9.9.9.9:443 #quad9.net:443 
+HEALTH_VPN_DURATION_INITIAL=120s
+UPDATER_PERIOD=24h
+
+
diff --git a/gluetun-arr/stacks/.lidarr.env b/gluetun-arr/stacks/.lidarr.env
new file mode 100644
index 0000000..e454c88
--- /dev/null
+++ b/gluetun-arr/stacks/.lidarr.env
@@ -0,0 +1,9 @@
+##############################################################################################
+# Environment variables for lidarr
+##############################################################################################
+
+PUID=3026
+PGID=3017  #3025
+TZ=Africa/Johannesburg
+
+
diff --git a/gluetun-arr/stacks/.overseerr.env b/gluetun-arr/stacks/.overseerr.env
new file mode 100644
index 0000000..65c32ad
--- /dev/null
+++ b/gluetun-arr/stacks/.overseerr.env
@@ -0,0 +1,9 @@
+##############################################################################################
+# Environment variables for overseerr
+##############################################################################################
+
+PUID=3031
+PGID=3030 
+TZ=Africa/Johannesburg
+
+
diff --git a/gluetun-arr/stacks/.prowlarr.env b/gluetun-arr/stacks/.prowlarr.env
new file mode 100644
index 0000000..83cbe14
--- /dev/null
+++ b/gluetun-arr/stacks/.prowlarr.env
@@ -0,0 +1,9 @@
+##############################################################################################
+# Environment variables for prowlarr
+##############################################################################################
+
+PUID=3024
+PGID=3017  #3023
+TZ=Africa/Johannesburg
+
+
diff --git a/gluetun-arr/stacks/.qbittorrent.env b/gluetun-arr/stacks/.qbittorrent.env
new file mode 100644
index 0000000..bb7d683
--- /dev/null
+++ b/gluetun-arr/stacks/.qbittorrent.env
@@ -0,0 +1,16 @@
+##############################################################################################
+# Environment variables for qbittorrent
+##############################################################################################
+
+PUID=3028
+PGID=3017  #3027
+TZ=Africa/Johannesburg
+UMASK=0002
+WEBUI_PORT=10095  # ensure this is the same as the port for qbittorrent specified in .env file
+TORRENTING_PORT=6881
+
+
+
+
+
+
diff --git a/gluetun-arr/stacks/.radarr.env b/gluetun-arr/stacks/.radarr.env
new file mode 100644
index 0000000..078d9e1
--- /dev/null
+++ b/gluetun-arr/stacks/.radarr.env
@@ -0,0 +1,9 @@
+##############################################################################################
+# Environment variables for radarr
+##############################################################################################
+
+PUID=3025
+PGID=3017  #3024
+TZ=Africa/Johannesburg
+
+
diff --git a/gluetun-arr/stacks/.readarr.env b/gluetun-arr/stacks/.readarr.env
new file mode 100644
index 0000000..941fe43
--- /dev/null
+++ b/gluetun-arr/stacks/.readarr.env
@@ -0,0 +1,9 @@
+##############################################################################################
+# Environment variables for readarr
+##############################################################################################
+
+PUID=3023
+PGID=3017  #3022
+TZ=Africa/Johannesburg
+
+
diff --git a/gluetun-arr/stacks/.sonarr.env b/gluetun-arr/stacks/.sonarr.env
new file mode 100644
index 0000000..5a8f926
--- /dev/null
+++ b/gluetun-arr/stacks/.sonarr.env
@@ -0,0 +1,8 @@
+##############################################################################################
+# Environment variables for sonarr
+##############################################################################################
+
+PUID=3023
+PGID=3017  #3022
+TZ=Africa/Johannesburg
+
diff --git a/gluetun-arr/stacks/.tautulli.env b/gluetun-arr/stacks/.tautulli.env
new file mode 100644
index 0000000..8e62e1d
--- /dev/null
+++ b/gluetun-arr/stacks/.tautulli.env
@@ -0,0 +1,10 @@
+##############################################################################################
+# Environment variables for tautulli
+##############################################################################################
+
+PUID=3055
+PGID=3054
+TZ=Africa/Johannesburg
+
+
+
diff --git a/gluetun-arr/stacks/compose.yml b/gluetun-arr/stacks/compose.yml
new file mode 100644
index 0000000..2f05eb9
--- /dev/null
+++ b/gluetun-arr/stacks/compose.yml
@@ -0,0 +1,271 @@
+# gluetun for arr apps
+# to use gluetun from apps in other projects, use network_mode: "container:gluetun-arr"
+# access apps in this project with 127.0.0.1:PORT, e.g. to access qbittorrent use localhost:10095
+# NB: Start gluetun-arr first, before starting depending apps in other projects
+#     Stop & inactivate depending apps in other projects first, before stopping this gluetun-arr
+
+# we will use 10.255.239.0/24 block of the traefik subnet for containers that have to connect to arr apps
+# See .static-ips.yml for static ip addresses
+
+name: gluetun-arr
+
+networks:
+  traefik-net:
+    external: true
+
+secrets:
+  wireguard_private_key:
+    file: ${SECRETSDIR}/wireguard_private_key
+
+services:
+#  qbittorrent:
+#    image: lscr.io/linuxserver/qbittorrent:latest
+#    env_file: .${QBIT_APP}.env
+#    network_mode: "service:gluetun"
+#    volumes:
+#      - "${DATAROOT}/${QBIT_APP}/config:/config"
+#      - "${DOWNLOADSDIR}:${CT_DOWNLOADS}"
+#      - "${RECYCLINGDIR}/${QBIT_APP}:${CT_RECYCLINGBIN}:rw"
+#    restart: unless-stopped
+#    depends_on:
+#      gluetun:
+#        condition: service_healthy
+#
+#  flaresolverr:
+#    # DockerHub mirror flaresolverr/flaresolverr:latest
+#    image: ghcr.io/flaresolverr/flaresolverr:latest
+##    container_name: flaresolverr
+#    env_file: .${FLARESOLVERR_APP}.env
+#    network_mode: "service:gluetun"
+#    restart: unless-stopped
+
+  prowlarr:
+    image: lscr.io/linuxserver/prowlarr:latest
+    env_file: .${PROWLARR_APP}.env
+    network_mode: "service:gluetun"
+    volumes:
+      - "${DATAROOT}/${PROWLARR_APP}/config:/config"
+      - "${DOWNLOADSDIR}:${CT_DOWNLOADS}"
+      - "${MEDIADIR}:${CT_MEDIA}"
+      - "${RECYCLINGDIR}/${PROWLARR_APP}:${CT_RECYCLINGBIN}:rw"
+    restart: unless-stopped
+#    depends_on:
+#      qbittorrent:
+#        condition: service_started
+
+  radarr:
+    image: lscr.io/linuxserver/radarr:latest
+    env_file: .${RADARR_APP}.env
+    network_mode: "service:gluetun"
+    volumes:
+      - "${DATAROOT}/${RADARR_APP}/config:/config"
+      - "${DOWNLOADSDIR}:${CT_DOWNLOADS}"
+      - "${MEDIADIR}:${CT_MEDIA}"
+      - "${RECYCLINGDIR}/${RADARR_APP}:${CT_RECYCLINGBIN}:rw"
+    restart: unless-stopped
+    depends_on:
+      prowlarr:
+        condition: service_started
+
+  lidarr:
+    image: lscr.io/linuxserver/lidarr:latest
+    env_file: .${LIDARR_APP}.env
+    network_mode: "service:gluetun"
+    volumes:
+      - "${DATAROOT}/${LIDARR_APP}/config:/config"
+      - "${DOWNLOADSDIR}:${CT_DOWNLOADS}"
+      - "${MEDIADIR}:${CT_MEDIA}"
+      - "${RECYCLINGDIR}/${LIDARR_APP}:${CT_RECYCLINGBIN}:rw"
+    restart: unless-stopped
+    depends_on:
+      prowlarr:
+        condition: service_started
+
+  sonarr:
+    image: lscr.io/linuxserver/sonarr:latest
+    env_file: .${SONARR_APP}.env
+    network_mode: "service:gluetun"
+    volumes:
+      - "${DATAROOT}/${SONARR_APP}/config:/config"
+      - "${DOWNLOADSDIR}:${CT_DOWNLOADS}"
+      - "${MEDIADIR}:${CT_MEDIA}"
+      - "${RECYCLINGDIR}/${SONARR_APP}:${CT_RECYCLINGBIN}:rw"
+    restart: unless-stopped
+    depends_on:
+      prowlarr:
+        condition: service_started
+
+  readarr:
+    image: lscr.io/linuxserver/readarr:develop
+    env_file: .${READARR_APP}.env
+    network_mode: "service:gluetun"
+    volumes:
+      - "${DATAROOT}/${READARR_APP}/config:/config"
+      - "${DOWNLOADSDIR}:${CT_DOWNLOADS}"
+      - "${MEDIADIR}:${CT_MEDIA}"
+      - "${RECYCLINGDIR}/${READARR_APP}:${CT_RECYCLINGBIN}:rw"
+    restart: unless-stopped
+    depends_on:
+      prowlarr:
+        condition: service_started
+
+  gluetun:
+    image: qmcgaw/gluetun:latest
+    hostname: gluetun-arr # overseerr "Settings->Services->radarr/sonarr->Edit->Hostname or IP Address" should be set to this value
+    env_file: .gluetun.env
+    cap_add:
+      - NET_ADMIN
+    devices:
+      - /dev/net/tun
+    volumes:
+      - "${DATADIR}/appdata:/gluetun"
+    secrets:
+      - wireguard_private_key
+    networks:
+      traefik-net:
+        ipv4_address: 10.255.239.1  # to access services in this project from other containers; hostnames and aliases will not work
+    restart: always
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      ##################################################################################
+      ################################# QBIT_APP ##################################
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${QBIT_APP}-gt-svc.loadbalancer.server.port=${QBIT_PORT}"
+      #
+      # http routers
+      # ------------
+#      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+#      - "traefik.http.routers.${QBIT_APP}-rtr.entrypoints=web"
+#      # set match criteria for router
+#      - "traefik.http.routers.${QBIT_APP}-rtr.rule=Host(`${QBIT_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+#      # attach middlewares to router
+#      - "traefik.http.routers.${QBIT_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+#       # assign svc target to router
+#      - "traefik.http.routers.${QBIT_APP}-rtr.service=${QBIT_APP}-gt-svc"
+#      #
+#      # limit router to websecure ":443" entrypoint
+#      - "traefik.http.routers.${QBIT_APP}-secure-rtr.entrypoints=websecure"
+#      # set match criteria for router
+#      - "traefik.http.routers.${QBIT_APP}-secure-rtr.rule=Host(`${QBIT_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+#      # set router to be dedicated to secure requests only for the host specified in match criteria 
+#      - "traefik.http.routers.${QBIT_APP}-secure-rtr.tls=true"
+#      # apply tls options
+#      - "traefik.http.routers.${QBIT_APP}-secure-rtr.tls.options=tls-options@file"
+#      # generate certificates using following certresolver
+#      - "traefik.http.routers.${QBIT_APP}-secure-rtr.tls.certresolver=solver-dns"
+#      # attach middlewares to routers
+#      #- "traefik.http.routers.${QBIT_APP}-secure-rtr.middlewares=${QBIT_APP}-auth"
+#      - "traefik.http.routers.${QBIT_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+#      # assign svc target to router
+#      - "traefik.http.routers.${QBIT_APP}-secure-rtr.service=${QBIT_APP}-gt-svc"
+      
+      ##################################################################################
+      ################################# PROWLARR_APP ##################################
+      #- "traefik.http.middlewares.${PROWLARR_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
+      #- "traefik.http.middlewares.${PROWLARR_APP}-auth.basicauth.usersfile=/mnt/users/${PROWLARR_APP}.txt"
+      - "traefik.http.services.${PROWLARR_APP}-gt-svc.loadbalancer.server.port=${PROWLARR_PORT}"
+      - "traefik.http.routers.${PROWLARR_APP}-rtr.entrypoints=web"
+      - "traefik.http.routers.${PROWLARR_APP}-rtr.rule=Host(`${PROWLARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${PROWLARR_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${PROWLARR_APP}-rtr.service=${PROWLARR_APP}-gt-svc"
+      - "traefik.http.routers.${PROWLARR_APP}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${PROWLARR_APP}-secure-rtr.rule=Host(`${PROWLARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${PROWLARR_APP}-secure-rtr.tls=true"
+      - "traefik.http.routers.${PROWLARR_APP}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${PROWLARR_APP}-secure-rtr.tls.certresolver=solver-dns"
+      #- "traefik.http.routers.${PROWLARR_APP}-secure-rtr.middlewares=${PROWLARR_APP}-auth"
+      - "traefik.http.routers.${PROWLARR_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${PROWLARR_APP}-secure-rtr.service=${PROWLARR_APP}-gt-svc"
+      
+      ##################################################################################
+      ################################# RADARR_APP ##################################
+      #- "traefik.http.middlewares.${RADARR_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
+      #- "traefik.http.middlewares.${RADARR_APP}-auth.basicauth.usersfile=/mnt/users/${RADARR_APP}.txt"
+      - "traefik.http.services.${RADARR_APP}-gt-svc.loadbalancer.server.port=${RADARR_PORT}"
+      - "traefik.http.routers.${RADARR_APP}-rtr.entrypoints=web"
+      - "traefik.http.routers.${RADARR_APP}-rtr.rule=Host(`${RADARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${RADARR_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${RADARR_APP}-rtr.service=${RADARR_APP}-gt-svc"
+      - "traefik.http.routers.${RADARR_APP}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${RADARR_APP}-secure-rtr.rule=Host(`${RADARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${RADARR_APP}-secure-rtr.tls=true"
+      - "traefik.http.routers.${RADARR_APP}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${RADARR_APP}-secure-rtr.tls.certresolver=solver-dns"
+      #- "traefik.http.routers.${RADARR_APP}-secure-rtr.middlewares=${RADARR_APP}-auth"
+      - "traefik.http.routers.${RADARR_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${RADARR_APP}-secure-rtr.service=${RADARR_APP}-gt-svc"
+      
+      ##################################################################################
+      ################################# LIDARR_APP ##################################
+      #- "traefik.http.middlewares.${LIDARR_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
+      #- "traefik.http.middlewares.${LIDARR_APP}-auth.basicauth.usersfile=/mnt/users/${LIDARR_APP}.txt"
+      - "traefik.http.services.${LIDARR_APP}-gt-svc.loadbalancer.server.port=${LIDARR_PORT}"
+      - "traefik.http.routers.${LIDARR_APP}-rtr.entrypoints=web"
+      - "traefik.http.routers.${LIDARR_APP}-rtr.rule=Host(`${LIDARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${LIDARR_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${LIDARR_APP}-rtr.service=${LIDARR_APP}-gt-svc"
+      - "traefik.http.routers.${LIDARR_APP}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${LIDARR_APP}-secure-rtr.rule=Host(`${LIDARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${LIDARR_APP}-secure-rtr.tls=true"
+      - "traefik.http.routers.${LIDARR_APP}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${LIDARR_APP}-secure-rtr.tls.certresolver=solver-dns"
+      #- "traefik.http.routers.${LIDARR_APP}-secure-rtr.middlewares=${LIDARR_APP}-auth"
+      - "traefik.http.routers.${LIDARR_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${LIDARR_APP}-secure-rtr.service=${LIDARR_APP}-gt-svc"
+      
+      ##################################################################################
+      ################################# SONARR_APP ##################################
+      #- "traefik.http.middlewares.${SONARR_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
+      #- "traefik.http.middlewares.${SONARR_APP}-auth.basicauth.usersfile=/mnt/users/${SONARR_APP}.txt"
+      - "traefik.http.services.${SONARR_APP}-gt-svc.loadbalancer.server.port=${SONARR_PORT}"
+      - "traefik.http.routers.${SONARR_APP}-rtr.entrypoints=web"
+      - "traefik.http.routers.${SONARR_APP}-rtr.rule=Host(`${SONARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${SONARR_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${SONARR_APP}-rtr.service=${SONARR_APP}-gt-svc"
+      - "traefik.http.routers.${SONARR_APP}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${SONARR_APP}-secure-rtr.rule=Host(`${SONARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${SONARR_APP}-secure-rtr.tls=true"
+      - "traefik.http.routers.${SONARR_APP}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${SONARR_APP}-secure-rtr.tls.certresolver=solver-dns"
+      #- "traefik.http.routers.${SONARR_APP}-secure-rtr.middlewares=${SONARR_APP}-auth"
+      - "traefik.http.routers.${SONARR_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${SONARR_APP}-secure-rtr.service=${SONARR_APP}-gt-svc"
+      
+      ##################################################################################
+      ################################# READARR_APP ##################################
+      #- "traefik.http.middlewares.${READARR_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
+      #- "traefik.http.middlewares.${READARR_APP}-auth.basicauth.usersfile=/mnt/users/${READARR_APP}.txt"
+      - "traefik.http.services.${READARR_APP}-gt-svc.loadbalancer.server.port=${READARR_PORT}"
+      - "traefik.http.routers.${READARR_APP}-rtr.entrypoints=web"
+      - "traefik.http.routers.${READARR_APP}-rtr.rule=Host(`${READARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${READARR_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${READARR_APP}-rtr.service=${READARR_APP}-gt-svc"
+      - "traefik.http.routers.${READARR_APP}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${READARR_APP}-secure-rtr.rule=Host(`${READARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${READARR_APP}-secure-rtr.tls=true"
+      - "traefik.http.routers.${READARR_APP}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${READARR_APP}-secure-rtr.tls.certresolver=solver-dns"
+      #- "traefik.http.routers.${READARR_APP}-secure-rtr.middlewares=${READARR_APP}-auth"
+      - "traefik.http.routers.${READARR_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${READARR_APP}-secure-rtr.service=${READARR_APP}-gt-svc"
+      
+      ##################################################################################
+      ################################# FLARESOLVERR_APP ##################################
+#      - "traefik.http.services.${FLARESOLVERR_APP}-gt-svc.loadbalancer.server.port=${FLARESOLVERR_PORT}"
+#      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.entrypoints=web"
+#      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.rule=Host(`${FLARESOLVERR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+#      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+#      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.service=${FLARESOLVERR_APP}-gt-svc"
+#      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.entrypoints=websecure"
+#      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.rule=Host(`${FLARESOLVERR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+#      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.tls=true"
+#      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.tls.options=tls-options@file"
+#      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.tls.certresolver=solver-dns"
+#      #- "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.middlewares=${FLARESOLVERR_APP}-auth"
+#      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+#      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.service=${FLARESOLVERR_APP}-gt-svc"
+#      
+      ##################################################################################
\ No newline at end of file
diff --git a/gluetun-arr/traefik-users/lidarr.txt b/gluetun-arr/traefik-users/lidarr.txt
new file mode 100644
index 0000000..0b6a9a2
--- /dev/null
+++ b/gluetun-arr/traefik-users/lidarr.txt
@@ -0,0 +1,3 @@
+admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
+chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
+Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
\ No newline at end of file
diff --git a/gluetun-arr/traefik-users/prowlarr.txt b/gluetun-arr/traefik-users/prowlarr.txt
new file mode 100644
index 0000000..0b6a9a2
--- /dev/null
+++ b/gluetun-arr/traefik-users/prowlarr.txt
@@ -0,0 +1,3 @@
+admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
+chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
+Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
\ No newline at end of file
diff --git a/gluetun-arr/traefik-users/qbittorrent.txt b/gluetun-arr/traefik-users/qbittorrent.txt
new file mode 100644
index 0000000..0b6a9a2
--- /dev/null
+++ b/gluetun-arr/traefik-users/qbittorrent.txt
@@ -0,0 +1,3 @@
+admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
+chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
+Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
\ No newline at end of file
diff --git a/gluetun-arr/traefik-users/radarr.txt b/gluetun-arr/traefik-users/radarr.txt
new file mode 100644
index 0000000..0b6a9a2
--- /dev/null
+++ b/gluetun-arr/traefik-users/radarr.txt
@@ -0,0 +1,3 @@
+admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
+chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
+Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
\ No newline at end of file
diff --git a/gluetun-arr/traefik-users/readarr.txt b/gluetun-arr/traefik-users/readarr.txt
new file mode 100644
index 0000000..0b6a9a2
--- /dev/null
+++ b/gluetun-arr/traefik-users/readarr.txt
@@ -0,0 +1,3 @@
+admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
+chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
+Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
\ No newline at end of file
diff --git a/gluetun-arr/traefik-users/sonarr.txt b/gluetun-arr/traefik-users/sonarr.txt
new file mode 100644
index 0000000..0b6a9a2
--- /dev/null
+++ b/gluetun-arr/traefik-users/sonarr.txt
@@ -0,0 +1,3 @@
+admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
+chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
+Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
\ No newline at end of file
diff --git a/gluetun-bw/firefox_jm.txt b/gluetun-bw/firefox_jm.txt
new file mode 100644
index 0000000..420722e
--- /dev/null
+++ b/gluetun-bw/firefox_jm.txt
@@ -0,0 +1,36 @@
+# INSTALLED AS PART OF GLUETUN-BW PROJECT
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: firefox
+Username: firefox
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+firefox UID: 3036
+firefox GID: 3035
+
+Create datasets
+---------------
+# While firefox container will be created as part of gluetun-bw project, we will persist the data in a separate folder
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*firefox"
+# create following datasets if not present
+zfs create SSD1/docker/data/firefox
+zfs create SSD1/docker/data/firefox/appdata
+chown -R firefox:firefox /mnt/SSD1/docker/data/firefox
+
+Ensure group access to Downloads folder
+---------------------------------------
+# In Truenas shell:
+chmod -R g+rwx /mnt/stpool1/Downloads/firefox
+# the group of the firefox folder should be "apps". We will run the firefox container with "apps" group.
+
+
diff --git a/gluetun-bw/gluetun-bw_jm.txt b/gluetun-bw/gluetun-bw_jm.txt
new file mode 100644
index 0000000..ff75cba
--- /dev/null
+++ b/gluetun-bw/gluetun-bw_jm.txt
@@ -0,0 +1,100 @@
+https://github.com/qdm12/gluetun-wiki
+https://www.youtube.com/watch?v=0F6I03LQcI4
+
+# all services in this project will make use of the gluetun VPN
+# project name: gluetun-bw
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: gluetun
+Username: gluetun
+Disable Password: <selected>
+Email:
+UID: 3029
+Create New Primary Group: <selected>
+Create Home Directory: <unchecked>
+Samba Authentication: <unchecked>
+Save
+Check Credentials -> Local Groups for GID
+Name: gluetun
+GID: 3028
+
+gluetun UID: 3029
+gluetun GID: 3028
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*gluetun-bw"
+# create following datasets if not present
+zfs create SSD1/docker/data/gluetun-bw
+zfs create SSD1/docker/data/gluetun-bw/appdata
+chown -R gluetun:gluetun /mnt/SSD1/docker/data/gluetun-bw
+
+Create folder
+-------------
+# In Truenas shell:
+mkdir -p /mnt/SSD1/docker/stacks/gluetun-bw/secrets
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in gluetun-bw folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/gluetun-bw/
+# This should copy gluetun-bw stacks folder to /mnt/SSD1/docker/stacks/gluetun-bw
+
+Creating secrets
+----------------
+In Truenas shell:
+cd /mnt/SSD1/docker/stacks/gluetun-bw/secrets
+echo -n 'nordvpn private key' > wireguard_private_key
+cd /mnt/SSD1/docker/stacks/gluetun-bw
+chown -R gluetun:gluetun secrets/
+chmod -R 400 secrets/
+
+Creating user password hash strings for user authorisation using traefik basic-auth
+-----------------------------------------------------------------------------------
+# If not installed, install htpasswd:
+jlmkr shell docker
+apt update & apt install apache2-utils
+# The user credentials can be applied as a label entry in the compose.yml file or as a line entry in a text file
+# When used as a label entry, all '$' needs to be escaped with a second '$'; sed can be used for this purpose:
+# To create user list textfile line item
+echo $(htpasswd -nB admin)  > /opt/stacks/traefik/users/<appname>.txt
+# To create string to be used in compose file label 
+echo $(htpasswd -nB admin) | sed -e s/\\$/\\$\\$/g
+# See traefik_jm.txt for more detailed instructions
+
+Check gluetun ip
+----------------
+# Exec into any of the apps' container using gluetun
+docker exec -it <app-container-name> sh
+# Check remote ip
+curl ifconfig.me # or curl http://whatismyip.akamai.com
+
+Update .env and compose.yml for app
+-----------------------------------
+# The gluetun .env file requires the following entries for each app using the gluetun VPN, e.g. for firefox:
+FIREFOX_APP=firefox
+FIREFOX_PORT=3000
+
+# The gluetun compose.yml file requires the following label entries for each app using the gluetun VPN, e.g. for firefox:
+      #- "traefik.http.middlewares.${FIREFOX_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}" # uncomment to use common credentials
+      #- "traefik.http.middlewares.${FIREFOX_APP}-auth.basicauth.usersfile=/mnt/users/${FIREFOX_APP}.txt"          # uncomment to use credentials stored in /opt/stacks/traefik/users/<appname>.txt
+      - "traefik.http.services.${FIREFOX_APP}-gt-svc.loadbalancer.server.port=${FIREFOX_PORT}"
+      - "traefik.http.routers.${FIREFOX_APP}.entrypoints=web"
+      - "traefik.http.routers.${FIREFOX_APP}.rule=Host(`${FIREFOX_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${FIREFOX_APP}-secure.entrypoints=websecure"
+      - "traefik.http.routers.${FIREFOX_APP}-secure.rule=Host(`${FIREFOX_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${FIREFOX_APP}-secure.tls=true"
+      - "traefik.http.routers.${FIREFOX_APP}-secure.tls.certresolver=sthomeresolver"
+      #- "traefik.http.routers.${FIREFOX_APP}-secure.middlewares=${FIREFOX_APP}-auth"          # uncomment to use basic-auth; requires one or both of above basicauth middlewares to be uncommented
+      - "traefik.http.routers.${FIREFOX_APP}-secure.service=${FIREFOX_APP}-gt-svc"
+
+Troubleshooting
+---------------
+If dockge / docker compose up complains about "parsing /opt/stacks/.../compose.yml: yaml: line ##: did not find expected '-' indicator", where ## is the "labels:" line number in compose.yml:
+ - look for missing trailing '"' amongst the labels
diff --git a/gluetun-bw/jdownloader2_jm.txt b/gluetun-bw/jdownloader2_jm.txt
new file mode 100644
index 0000000..461aa2c
--- /dev/null
+++ b/gluetun-bw/jdownloader2_jm.txt
@@ -0,0 +1,34 @@
+# INSTALLED AS PART OF GLUETUN-BW PROJECT
+
+Credentials -> Local Users -> Add
+Full Name: jdownloader2
+Username: jdownldr2
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+jdownldr2 UID: 3039
+jdownldr2 GID: 3038
+
+Create datasets
+---------------
+# While jdownloader2 container will be created as part of gluetun-bw project, we will persist the data in a separate folder
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*jdownloader2"
+# create following datasets if not present
+zfs create SSD1/docker/data/jdownloader2
+zfs create SSD1/docker/data/jdownloader2/appdata
+chown -R jdownldr2:jdownldr2 /mnt/SSD1/docker/data/jdownloader2
+
+Ensure group access to Downloads folder
+---------------------------------------
+# In Truenas shell:
+chmod -R g+rwx /mnt/stpool1/Downloads/jdownloader2
+# the group of the jdownloader2 folder should be "apps". We will run the jdownloader2 container with "apps" group.
+
+
diff --git a/gluetun-bw/stacks/.env b/gluetun-bw/stacks/.env
new file mode 100644
index 0000000..4eec123
--- /dev/null
+++ b/gluetun-bw/stacks/.env
@@ -0,0 +1,42 @@
+##############################################################################################
+# Values to be used for substitution by docker compose in compose.yml AND .*.env files
+##############################################################################################
+
+APPLICATION_NAME=gluetun-bw
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOWNLOADSDIR=/mnt/stpool1/Downloads
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+CT_DOWNLOADS=/Downloads
+
+DOMAINNAME=sthome.org
+APPS_GID=568
+MEDIA_GID=3017
+PG_PUID=70
+PG_PGID=70
+
+# SHARED CREDENTIALS
+# ------------------
+ADMIN_CREDENTIALS=admin:$$2y$$05$$0tm.eTBAEy0O6BOzsIPqnuBv6MD64w9Uf.XZZXkBTmLr5D5azrHEu
+USER_CREDENTIALS=Chris:$$2y$$05$$QXxyPnW2IrfemjVkAkdHCO2a/OmXnVRijESfbrTyxAy21xD2l8BAC
+
+# APPLICATIONS USING SHARED GLUETUN
+# ---------------------------------
+
+FIREFOX_APP=firefox
+FIREFOX_PORT=3000
+FIREFOX_SECURE_PORT=3001
+
+JDOWNLOADER2_APP=jdownloader2
+JDOWNLOADER2_PORT=5800
+
+
+
+
+
diff --git a/gluetun-bw/stacks/.firefox.env b/gluetun-bw/stacks/.firefox.env
new file mode 100644
index 0000000..322f120
--- /dev/null
+++ b/gluetun-bw/stacks/.firefox.env
@@ -0,0 +1,12 @@
+##############################################################################################
+# Environment variables for firefox
+##############################################################################################
+
+PUID=3036
+PGID=${APPS_GID} #3035
+UMASK=0007  # allow user and group full access, other no access
+
+TZ=Africa/Johannesburg
+FIREFOX_CLI=https://www.google.com/ #optional
+
+
diff --git a/gluetun-bw/stacks/.gluetun.env b/gluetun-bw/stacks/.gluetun.env
new file mode 100644
index 0000000..b54862e
--- /dev/null
+++ b/gluetun-bw/stacks/.gluetun.env
@@ -0,0 +1,37 @@
+##############################################################################################
+# Environment variables for gluetun
+##############################################################################################
+PUID=3029
+PGID=3028
+TZ=Africa/Johannesburg
+
+# VPN
+
+VPN_SERVICE_PROVIDER=nordvpn
+VPN_TYPE=wireguard
+WIREGUARD_PRIVATE_KEY=file:///run/secrets/wireguard_private_key
+#SERVER_COUNTRIES=  # Comma separated list of countries
+#SERVER_REGIONS=  # Comma separated list of regions
+#SERVER_CITIES=  # Comma separated list of server cities
+#SERVER_HOSTNAMES=  # Comma separated list of server hostnames
+#SERVER_CATEGORIES=  # Comma separated list of server categories
+#WIREGUARD_PRESHARED_KEY=
+#WIREGUARD_ADDRESSES=
+WIREGUARD_MTU=1400
+WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL=30s
+HTTP_CONTROL_SERVER_LOG=off
+DOT=on
+DOT_PROVIDERS=quad9
+DOT_CACHING=off
+DNS_UPDATE_PERIOD=24h
+BLOCK_MALICIOUS=false
+BLOCK_SURVEILLANCE=false
+BLOCK_ADS=false
+SHADOWSOCKS=off
+#FIREWALL_VPN_INPUT_PORTS=
+#FIREWALL_OUTBOUND_SUBNETS=10.0.0.0/24
+HEALTH_TARGET_ADDRESS=9.9.9.9:443 #quad9.net:443 
+HEALTH_VPN_DURATION_INITIAL=120s
+UPDATER_PERIOD=24h
+
+
diff --git a/gluetun-bw/stacks/.jdownloader2.env b/gluetun-bw/stacks/.jdownloader2.env
new file mode 100644
index 0000000..88f3eb8
--- /dev/null
+++ b/gluetun-bw/stacks/.jdownloader2.env
@@ -0,0 +1,11 @@
+##############################################################################################
+# Environment variables for jdownloader2
+##############################################################################################
+
+PUID=3039
+PGID=${APPS_GID} #3038
+UMASK=0007  # allow user and group full access, other no access
+TZ=Africa/Johannesburg
+
+
+
diff --git a/gluetun-bw/stacks/compose.yml b/gluetun-bw/stacks/compose.yml
new file mode 100644
index 0000000..15e90a6
--- /dev/null
+++ b/gluetun-bw/stacks/compose.yml
@@ -0,0 +1,123 @@
+# gluetun for browser apps
+# to use gluetun from apps in other projects, use network_mode: "container:gluetun-bw"
+# NB: Start gluetun-bw first, before starting depending apps in other projects
+#     Stop & inactivate depending apps in other projects first, before stopping this gluetun-bw
+
+# we will use 10.255.239.0/24 block of the traefik subnet for containers that have to connect to bw apps
+
+# See .static-ips.yml for static ip addresses if needed
+
+name: gluetun-bw
+
+networks:
+  traefik-net:
+    external: true
+
+secrets:
+  wireguard_private_key:
+    file: ${SECRETSDIR}/wireguard_private_key
+
+services:
+  firefox:
+    image: lscr.io/linuxserver/firefox:latest
+    env_file: .${FIREFOX_APP}.env
+    network_mode: "service:gluetun"
+    security_opt:
+      - seccomp:unconfined #optional
+    shm_size: "1gb"
+    volumes:
+      - "${DATAROOT}/${FIREFOX_APP}/config:/config"
+#      - "${DATAROOT}/${FIREFOX_APP}/themes:/mnt/themes"
+      - "${DOWNLOADSDIR}/firefox:${CT_DOWNLOADS}"
+    restart: unless-stopped
+    depends_on:
+      gluetun:
+        condition: service_healthy
+
+  jdownloader2:
+    image: jlesage/jdownloader-2
+    env_file: .${JDOWNLOADER2_APP}.env
+    network_mode: "service:gluetun"
+    volumes:
+      - "${DATAROOT}/${JDOWNLOADER2_APP}/config:/config"
+      - "${DOWNLOADSDIR}/${JDOWNLOADER2_APP}:/output"
+    restart: unless-stopped
+    depends_on:
+      gluetun:
+        condition: service_healthy
+
+  gluetun:
+    image: qmcgaw/gluetun:latest
+    hostname: gluetun-bw
+    env_file: .gluetun.env
+    cap_add:
+      - NET_ADMIN
+    devices:
+      - /dev/net/tun
+    volumes:
+      - "${DATADIR}/appdata:/gluetun"
+    secrets:
+      - wireguard_private_key
+    networks:
+      traefik-net:
+        ipv4_address: 10.255.239.2  # to access services in this project from other containers; hostnames and aliases will not work
+    restart: always
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      ##################################################################################
+      ################################# FIREFOX_APP ##################################
+      # http middlewares
+      # ---------------------------
+      #- "traefik.http.middlewares.${FIREFOX_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
+      #- "traefik.http.middlewares.${FIREFOX_APP}-auth.basicauth.usersfile=/mnt/users/${FIREFOX_APP}.txt"
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${FIREFOX_APP}-gt-svc.loadbalancer.server.port=${FIREFOX_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+      - "traefik.http.routers.${FIREFOX_APP}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${FIREFOX_APP}-rtr.rule=Host(`${FIREFOX_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${FIREFOX_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      # assign svc target to router
+      - "traefik.http.routers.${FIREFOX_APP}-rtr.service=${FIREFOX_APP}-gt-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${FIREFOX_APP}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${FIREFOX_APP}-secure-rtr.rule=Host(`${FIREFOX_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${FIREFOX_APP}-secure-rtr.tls=true"
+      # apply tls options
+      - "traefik.http.routers.${FIREFOX_APP}-secure-rtr.tls.options=tls-options@file"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${FIREFOX_APP}-secure-rtr.tls.certresolver=solver-dns"
+      # attach middlewares to routers
+      #- "traefik.http.routers.${FIREFOX_APP}-secure-rtr.middlewares=${FIREFOX_APP}-auth"
+      - "traefik.http.routers.${FIREFOX_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      # assign svc target to router
+      - "traefik.http.routers.${FIREFOX_APP}-secure-rtr.service=${FIREFOX_APP}-gt-svc"
+      
+      ##################################################################################
+      ################################# JDOWNLOADER2_APP ##################################
+      #- "traefik.http.middlewares.${JDOWNLOADER2_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
+      #- "traefik.http.middlewares.${JDOWNLOADER2_APP}-auth.basicauth.usersfile=/mnt/users/${JDOWNLOADER2_APP}.txt"
+      - "traefik.http.services.${JDOWNLOADER2_APP}-gt-svc.loadbalancer.server.port=${JDOWNLOADER2_PORT}"
+      - "traefik.http.routers.${JDOWNLOADER2_APP}-rtr.entrypoints=web"
+      - "traefik.http.routers.${JDOWNLOADER2_APP}-rtr.rule=Host(`${JDOWNLOADER2_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${JDOWNLOADER2_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${JDOWNLOADER2_APP}-rtr.service=${JDOWNLOADER2_APP}-gt-svc"
+      - "traefik.http.routers.${JDOWNLOADER2_APP}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${JDOWNLOADER2_APP}-secure-rtr.rule=Host(`${JDOWNLOADER2_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${JDOWNLOADER2_APP}-secure-rtr.tls=true"
+      - "traefik.http.routers.${JDOWNLOADER2_APP}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${JDOWNLOADER2_APP}-secure-rtr.tls.certresolver=solver-dns"
+      #- "traefik.http.routers.${JDOWNLOADER2_APP}-secure-rtr.middlewares=${JDOWNLOADER2_APP}-auth"
+      - "traefik.http.routers.${JDOWNLOADER2_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${JDOWNLOADER2_APP}-secure-rtr.service=${JDOWNLOADER2_APP}-gt-svc"
+      
diff --git a/gluetun-qb/gluetun-qb_jm.txt b/gluetun-qb/gluetun-qb_jm.txt
new file mode 100644
index 0000000..237d497
--- /dev/null
+++ b/gluetun-qb/gluetun-qb_jm.txt
@@ -0,0 +1,106 @@
+https://github.com/qdm12/gluetun-wiki
+https://www.youtube.com/watch?v=0F6I03LQcI4
+
+# all services in this project will make use of the gluetun VPN
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: gluetun
+Username: gluetun
+Disable Password: <selected>
+Email:
+UID: 3029
+Create New Primary Group: <selected>
+Create Home Directory: <unchecked>
+Samba Authentication: <unchecked>
+Save
+Check Credentials -> Local Groups for GID
+Name: gluetun
+GID: 3028
+
+gluetun UID: 3029
+gluetun GID: 3028
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*gluetun-qb"
+# create following datasets if not present
+zfs create SSD1/docker/data/gluetun-qb
+zfs create SSD1/docker/data/gluetun-qb/appdata
+zfs create SSD1/docker/data/qbittorrent
+zfs create SSD1/docker/data/qbittorrent/config
+zfs create SSD1/docker/data/qbittorrent/themes
+chown -R gluetun:gluetun /mnt/SSD1/docker/data/gluetun-qb
+
+Create folder
+-------------
+mkdir /mnt/SSD1/docker/stacks/gluetun-qb
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in gluetun-qb folder, enter:
+./cp2nas 10.0.0.20
+# OR
+pscp -P 22 -r stacks/*.* root@10.0.0.20:/mnt/SSD1/docker/stacks/gluetun-qb/
+# The above should copy compose.yaml, .env and secrets folder to /mnt/SSD1/docker/stacks/gluetun-qb
+
+Creating secrets
+----------------
+In Truenas shell:
+cd /mnt/SSD1/docker/stacks/gluetun-qb/secrets
+echo -n 'nordvpn private key' > wireguard_private_key
+cd /mnt/SSD1/docker/stacks/gluetun-qb
+chown -R gluetun:gluetun secrets/
+chmod -R 400 secrets/
+
+Creating user password hash strings for user authorisation using traefik basic-auth
+-----------------------------------------------------------------------------------
+# If not installed, install htpasswd:
+jlmkr shell docker
+apt update & apt install apache2-utils
+# The user credentials can be applied as a label entry in the compose.yml file or as a line entry in a text file
+# When used as a label entry, all '$' needs to be escaped with a second '$'; sed can be used for this purpose:
+# To create user list textfile line item
+echo $(htpasswd -nB admin)  > /opt/stacks/traefik/users/<appname>.txt
+# To create string to be used in compose file label 
+echo $(htpasswd -nB admin) | sed -e s/\\$/\\$\\$/g
+# See traefik_jm.txt for more detailed instructions
+
+gluetun folder mappings
+----------------------
+# To avoid problems setting up new app, it is recommended that the mount path for downloads inside the container be kept exactly the same as what the old app use to have
+# As we did not migrate data from old app to new, on initial import, all tvshows will default to being monitored. Make changes accordingly.
+
+Check gluetun ip
+----------------
+# Exec into any of the apps' container using gluetun
+docker exec -it <app-container-name> sh
+# Check remote ip
+curl ifconfig.me # or curl http://whatismyip.akamai.com
+
+Update .env and compose.yml for app
+-----------------------------------
+# The gluetun .env file requires the following entries for each app using the gluetun VPN, e.g. for radarr:
+RADARR_APP=radarr
+RADARR_PORT=7878
+
+# The gluetun compose.yml file requires the following label entries for each app using the gluetun VPN, e.g. for radarr:
+      #- "traefik.http.middlewares.${RADARR_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}" # uncomment to use common credentials
+      #- "traefik.http.middlewares.${RADARR_APP}-auth.basicauth.usersfile=/mnt/users/${RADARR_APP}.txt"          # uncomment to use credentials stored in /opt/stacks/traefik/users/<appname>.txt
+      - "traefik.http.services.${RADARR_APP}-gt-svc.loadbalancer.server.port=${RADARR_PORT}"
+      - "traefik.http.routers.${RADARR_APP}.entrypoints=web"
+      - "traefik.http.routers.${RADARR_APP}.rule=Host(`${RADARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${RADARR_APP}-secure.entrypoints=websecure"
+      - "traefik.http.routers.${RADARR_APP}-secure.rule=Host(`${RADARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${RADARR_APP}-secure.tls=true"
+      - "traefik.http.routers.${RADARR_APP}-secure.tls.certresolver=sthomeresolver"
+      #- "traefik.http.routers.${RADARR_APP}-secure.middlewares=${RADARR_APP}-auth"          # uncomment to use basic-auth; requires one or both of above basicauth middlewares to be uncommented
+      - "traefik.http.routers.${RADARR_APP}-secure.service=${RADARR_APP}-gt-svc"
+
+Troubleshooting
+---------------
+If dockge / docker compose up complains about "parsing /opt/stacks/.../compose.yml: yaml: line ##: did not find expected '-' indicator", where ## is the "labels:" line number in compose.yml:
+ - look for missing trailing '"' amongst the labels
diff --git a/gluetun-qb/stacks/.env b/gluetun-qb/stacks/.env
new file mode 100644
index 0000000..7d83058
--- /dev/null
+++ b/gluetun-qb/stacks/.env
@@ -0,0 +1,40 @@
+##############################################################################################
+# Values to be used for substitution by docker compose in compose.yml AND .*.env files
+##############################################################################################
+
+APPLICATION_NAME=gluetun-qb
+
+DOCKERDIR=/mnt/SSD1/docker
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOWNLOADSDIR=/mnt/stpool1/Downloads
+RECYCLINGDIR=/mnt/stpool1/Recycling
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+
+CT_DOWNLOADS=/Downloads
+CT_MEDIA=/Media
+CT_RECYCLINGBIN=/Recycling
+
+
+DOMAINNAME=sthome.org
+PG_PUID=70
+PG_PGID=70
+
+# SHARED CREDENTIALS
+# ------------------
+ADMIN_CREDENTIALS=admin:$$2y$$05$$0tm.eTBAEy0O6BOzsIPqnuBv6MD64w9Uf.XZZXkBTmLr5D5azrHEu
+USER_CREDENTIALS=Chris:$$2y$$05$$QXxyPnW2IrfemjVkAkdHCO2a/OmXnVRijESfbrTyxAy21xD2l8BAC
+
+# APPLICATIONS USING SHARED GLUETUN
+# ---------------------------------
+QBIT_APP=qbittorrent2
+QBIT_URL=qbittorrent.${DOMAINNAME}
+QBIT_PORT=10095
+
+FLARESOLVERR_APP=flaresolverr2
+FLARESOLVERR_URL=flaresolverr.${DOMAINNAME}
+FLARESOLVERR_PORT=8191
\ No newline at end of file
diff --git a/gluetun-qb/stacks/.flaresolverr2.env b/gluetun-qb/stacks/.flaresolverr2.env
new file mode 100644
index 0000000..88681c2
--- /dev/null
+++ b/gluetun-qb/stacks/.flaresolverr2.env
@@ -0,0 +1,17 @@
+##############################################################################################
+# Environment variables for flaresolverr
+##############################################################################################
+
+PUID=3063
+PGID=3064
+TZ=Africa/Johannesburg
+
+# LOG_LEVEL=${LOG_LEVEL:-info}
+# LOG_HTML=${LOG_HTML:-false}
+# CAPTCHA_SOLVER=${CAPTCHA_SOLVER:-none}
+
+LOG_LEVEL=info
+LOG_HTML=false
+CAPTCHA_SOLVER=none
+
+
diff --git a/gluetun-qb/stacks/.gluetun.env b/gluetun-qb/stacks/.gluetun.env
new file mode 100644
index 0000000..3db2c67
--- /dev/null
+++ b/gluetun-qb/stacks/.gluetun.env
@@ -0,0 +1,37 @@
+##############################################################################################
+# Environment variables for gluetun
+##############################################################################################
+PUID=3029
+PGID=3028
+TZ=Africa/Johannesburg
+
+# VPN
+
+VPN_SERVICE_PROVIDER=nordvpn
+VPN_TYPE=wireguard
+WIREGUARD_PRIVATE_KEY=file:///run/secrets/wireguard_private_key
+#SERVER_COUNTRIES=  # Comma separated list of countries
+#SERVER_REGIONS=  # Comma separated list of regions
+#SERVER_CITIES=  # Comma separated list of server cities
+#SERVER_HOSTNAMES=  # Comma separated list of server hostnames
+#SERVER_CATEGORIES=  # Comma separated list of server categories
+#WIREGUARD_PRESHARED_KEY=
+#WIREGUARD_ADDRESSES=
+WIREGUARD_MTU=1400
+WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL=30s
+HTTP_CONTROL_SERVER_LOG=off
+DOT=on
+DOT_PROVIDERS=quad9
+DOT_CACHING=off
+DNS_UPDATE_PERIOD=24h
+BLOCK_MALICIOUS=false
+BLOCK_SURVEILLANCE=false
+BLOCK_ADS=false
+SHADOWSOCKS=off
+#FIREWALL_VPN_INPUT_PORTS=
+#FIREWALL_OUTBOUND_SUBNETS=10.0.0.0/20
+HEALTH_TARGET_ADDRESS=9.9.9.9:443 #quad9.net:443 
+HEALTH_VPN_DURATION_INITIAL=120s
+UPDATER_PERIOD=24h
+
+
diff --git a/gluetun-qb/stacks/.qbittorrent2.env b/gluetun-qb/stacks/.qbittorrent2.env
new file mode 100644
index 0000000..bb7d683
--- /dev/null
+++ b/gluetun-qb/stacks/.qbittorrent2.env
@@ -0,0 +1,16 @@
+##############################################################################################
+# Environment variables for qbittorrent
+##############################################################################################
+
+PUID=3028
+PGID=3017  #3027
+TZ=Africa/Johannesburg
+UMASK=0002
+WEBUI_PORT=10095  # ensure this is the same as the port for qbittorrent specified in .env file
+TORRENTING_PORT=6881
+
+
+
+
+
+
diff --git a/gluetun-qb/stacks/compose.yml b/gluetun-qb/stacks/compose.yml
new file mode 100644
index 0000000..e4f2f4f
--- /dev/null
+++ b/gluetun-qb/stacks/compose.yml
@@ -0,0 +1,111 @@
+# gluetun for arr apps
+# to use gluetun from apps in other projects, use network_mode: "container:gluetun-arr"
+# access apps in this project with 127.0.0.1:PORT, e.g. to access qbittorrent use localhost:10095
+# NB: Start gluetun-arr first, before starting depending apps in other projects
+#     Stop & inactivate depending apps in other projects first, before stopping this gluetun-arr
+
+# we will use 10.255.239.0/24 block of the traefik subnet for containers that have to connect to arr apps
+# See .static-ips.yml for static ip addresses
+
+name: gluetun-qb
+
+networks:
+  traefik-net:
+    external: true
+
+secrets:
+  wireguard_private_key:
+    file: ${SECRETSDIR}/wireguard_private_key
+
+services:
+  qbittorrent:
+    image: lscr.io/linuxserver/qbittorrent:latest
+    env_file: .${QBIT_APP}.env
+    network_mode: "service:gluetun"
+    volumes:
+      - "${DATAROOT}/${QBIT_APP}/config:/config"
+      - "${DOWNLOADSDIR}:${CT_DOWNLOADS}"
+      - "${RECYCLINGDIR}/${QBIT_APP}:${CT_RECYCLINGBIN}:rw"
+    restart: unless-stopped
+    depends_on:
+      gluetun:
+        condition: service_healthy
+
+  flaresolverr:
+    # DockerHub mirror flaresolverr/flaresolverr:latest
+    image: ghcr.io/flaresolverr/flaresolverr:latest
+#    container_name: flaresolverr
+    env_file: .${FLARESOLVERR_APP}.env
+    network_mode: "service:gluetun"
+    restart: unless-stopped
+
+  gluetun:
+    image: qmcgaw/gluetun:latest
+    #hostname: gluetun-qb
+    env_file: .gluetun.env
+    cap_add:
+      - NET_ADMIN
+    devices:
+      - /dev/net/tun
+    volumes:
+      - "${DATADIR}/appdata:/gluetun"
+    secrets:
+      - wireguard_private_key
+    networks:
+      traefik-net:
+        ipv4_address: 10.255.239.3  # to access services in this project from other containers; hostnames and aliases will not work
+    restart: always
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      ##################################################################################
+      ################################# QBIT_APP ##################################
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${QBIT_APP}-gt-svc.loadbalancer.server.port=${QBIT_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+      - "traefik.http.routers.${QBIT_APP}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${QBIT_APP}-rtr.rule=Host(`${QBIT_URL}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${QBIT_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+       # assign svc target to router
+      - "traefik.http.routers.${QBIT_APP}-rtr.service=${QBIT_APP}-gt-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${QBIT_APP}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${QBIT_APP}-secure-rtr.rule=Host(`${QBIT_URL}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${QBIT_APP}-secure-rtr.tls=true"
+      # apply tls options
+      - "traefik.http.routers.${QBIT_APP}-secure-rtr.tls.options=tls-options@file"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${QBIT_APP}-secure-rtr.tls.certresolver=solver-dns"
+      # attach middlewares to routers
+      #- "traefik.http.routers.${QBIT_APP}-secure-rtr.middlewares=${QBIT_APP}-auth"
+      - "traefik.http.routers.${QBIT_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      # assign svc target to router
+      - "traefik.http.routers.${QBIT_APP}-secure-rtr.service=${QBIT_APP}-gt-svc"
+      
+      ##################################################################################
+      ################################# FLARESOLVERR_APP ##################################
+      - "traefik.http.services.${FLARESOLVERR_APP}-gt-svc.loadbalancer.server.port=${FLARESOLVERR_PORT}"
+      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.entrypoints=web"
+      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.rule=Host(`${FLARESOLVERR_URL}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${FLARESOLVERR_APP}-rtr.service=${FLARESOLVERR_APP}-gt-svc"
+      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.rule=Host(`${FLARESOLVERR_URL}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.tls=true"
+      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.tls.certresolver=solver-dns"
+      #- "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.middlewares=${FLARESOLVERR_APP}-auth"
+      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${FLARESOLVERR_APP}-secure-rtr.service=${FLARESOLVERR_APP}-gt-svc"
+      
+      ##################################################################################
\ No newline at end of file
diff --git a/grafana/cp2nas.ps1 b/grafana/cp2nas.ps1
new file mode 100644
index 0000000..6778989
--- /dev/null
+++ b/grafana/cp2nas.ps1
@@ -0,0 +1,57 @@
+############### MAIN ###############
+$Main =
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        [Parameter(Mandatory=$false)]
+        [string[]] $apps
+    )
+    If($PSBoundParameters.ContainsKey("apps")) {
+        foreach ($appname in $apps)
+        {
+            copyfolder $destHost "$appname\stacks" $appname
+        }
+    }
+    else {
+        $appname="$pwd".Split("\\")[-1]
+        copyfolder $destHost "stacks" $appname
+    }
+}
+
+###################################
+Function copyfolder
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $srcdir,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $appname
+    )
+    if (-Not(Test-Path -Path $srcdir)) {
+        Write-Host "Source path doesn't exist: ""$PSScriptRoot\$srcdir\*.*"". No files copied!"  -ForegroundColor Red
+        Write-Host "Usage: in app folder       : ./cp2nas DEST|IP"
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP app1, app2, app3, ..."
+        return
+    }
+    $destStacks="/mnt/SSD1/docker/stacks/"
+    $destDir=$destStacks+$appname+"/"
+    Write-Host "pscp -P 22 -r ""$srcdir\*.*"" root@${destHost}:""${destDir}""" -ForegroundColor Green
+    Write-Host "Copying to ${destHost}:""${destStacks}" -NoNewline 
+    Write-Host "${appname}/" -ForegroundColor DarkYellow  -NoNewline 
+    Write-Host """:"
+    pscp -P 22 -r "$srcdir\*.*" root@${destHost}:""${destDir}""
+}
+
+###################################
+& $Main @Args
\ No newline at end of file
diff --git a/grafana/dashboards/21787_rev1.json b/grafana/dashboards/21787_rev1.json
new file mode 100644
index 0000000..561ae3b
--- /dev/null
+++ b/grafana/dashboards/21787_rev1.json
@@ -0,0 +1,860 @@
+{
+  "__inputs": [
+    {
+      "name": "DS_PROMETHEUS",
+      "label": "Prometheus",
+      "description": "",
+      "type": "datasource",
+      "pluginId": "prometheus",
+      "pluginName": "Prometheus"
+    }
+  ],
+  "__elements": {},
+  "__requires": [
+    {
+      "type": "grafana",
+      "id": "grafana",
+      "name": "Grafana",
+      "version": "11.1.3"
+    },
+    {
+      "type": "datasource",
+      "id": "prometheus",
+      "name": "Prometheus",
+      "version": "1.0.0"
+    },
+    {
+      "type": "panel",
+      "id": "stat",
+      "name": "Stat",
+      "version": ""
+    },
+    {
+      "type": "panel",
+      "id": "table",
+      "name": "Table",
+      "version": ""
+    },
+    {
+      "type": "panel",
+      "id": "timeseries",
+      "name": "Time series",
+      "version": ""
+    }
+  ],
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "description": "Dashboard for wg-easy exporter\r\nhttps://github.com/wg-easy/wg-easy",
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": null,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "description": "",
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 5,
+        "w": 8,
+        "x": 0,
+        "y": 0
+      },
+      "id": 9,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "none",
+        "justifyMode": "center",
+        "orientation": "auto",
+        "percentChangeColorMode": "standard",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "showPercentChange": false,
+        "textMode": "auto",
+        "wideLayout": true
+      },
+      "pluginVersion": "11.1.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "wireguard_configured_peers{job=\"$job\", instance=\"$node\"}",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "instant": false,
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Configured Peers",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "description": "",
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 5,
+        "w": 8,
+        "x": 8,
+        "y": 0
+      },
+      "id": 10,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "none",
+        "justifyMode": "center",
+        "orientation": "auto",
+        "percentChangeColorMode": "standard",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "showPercentChange": false,
+        "textMode": "auto",
+        "wideLayout": true
+      },
+      "pluginVersion": "11.1.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "wireguard_enabled_peers{job=\"$job\", instance=\"$node\"}",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "instant": false,
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Enabled Peers",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "description": "",
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 5,
+        "w": 8,
+        "x": 16,
+        "y": 0
+      },
+      "id": 11,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "none",
+        "justifyMode": "center",
+        "orientation": "auto",
+        "percentChangeColorMode": "standard",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "showPercentChange": false,
+        "textMode": "auto",
+        "wideLayout": true
+      },
+      "pluginVersion": "11.1.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "wireguard_connected_peers{job=\"$job\", instance=\"$node\"}",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "instant": false,
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Connected Peers",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "description": "",
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "continuous-GrYlRd"
+          },
+          "custom": {
+            "align": "auto",
+            "cellOptions": {
+              "type": "auto"
+            },
+            "inspect": false
+          },
+          "decimals": 0,
+          "fieldMinMax": false,
+          "mappings": [],
+          "min": 1,
+          "noValue": "0",
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "s"
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Last *"
+            },
+            "properties": [
+              {
+                "id": "displayName",
+                "value": "Online"
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Field"
+            },
+            "properties": [
+              {
+                "id": "displayName",
+                "value": "Client"
+              }
+            ]
+          }
+        ]
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 5
+      },
+      "id": 7,
+      "options": {
+        "cellHeight": "sm",
+        "footer": {
+          "countRows": false,
+          "fields": "",
+          "reducer": [
+            "sum"
+          ],
+          "show": false
+        },
+        "showHeader": true
+      },
+      "pluginVersion": "11.1.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "exemplar": false,
+          "expr": "wireguard_latest_handshake_seconds{job=\"$job\", instance=\"$node\"}",
+          "format": "time_series",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "instant": false,
+          "interval": "",
+          "intervalFactor": 1,
+          "legendFormat": "{{name}}",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Online Clients",
+      "transformations": [
+        {
+          "id": "reduce",
+          "options": {
+            "reducers": [
+              "lastNotNull"
+            ]
+          }
+        },
+        {
+          "id": "filterByValue",
+          "options": {
+            "filters": [
+              {
+                "config": {
+                  "id": "equal",
+                  "options": {
+                    "value": ""
+                  }
+                },
+                "fieldName": "Last *"
+              }
+            ],
+            "match": "any",
+            "type": "exclude"
+          }
+        }
+      ],
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "custom": {
+            "align": "auto",
+            "cellOptions": {
+              "type": "auto"
+            },
+            "inspect": false
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "bytes"
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Value #RX"
+            },
+            "properties": [
+              {
+                "id": "displayName",
+                "value": "Upload"
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Value #TX"
+            },
+            "properties": [
+              {
+                "id": "displayName",
+                "value": "Download"
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Time"
+            },
+            "properties": [
+              {
+                "id": "custom.hidden",
+                "value": true
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "name"
+            },
+            "properties": [
+              {
+                "id": "displayName",
+                "value": "Client"
+              }
+            ]
+          }
+        ]
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 5
+      },
+      "id": 12,
+      "options": {
+        "cellHeight": "sm",
+        "footer": {
+          "countRows": false,
+          "fields": "",
+          "reducer": [
+            "sum"
+          ],
+          "show": false
+        },
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Tx"
+          }
+        ]
+      },
+      "pluginVersion": "11.1.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "exemplar": false,
+          "expr": "sum by(name) (wireguard_received_bytes{job=\"$job\", instance=\"$node\"})",
+          "format": "table",
+          "fullMetaSearch": false,
+          "includeNullMetadata": false,
+          "instant": true,
+          "legendFormat": "{{name}}",
+          "range": false,
+          "refId": "RX",
+          "useBackend": false
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "exemplar": false,
+          "expr": "sum by(name) (wireguard_sent_bytes{job=\"$job\", instance=\"$node\"})",
+          "format": "table",
+          "fullMetaSearch": false,
+          "hide": false,
+          "includeNullMetadata": true,
+          "instant": true,
+          "interval": "",
+          "legendFormat": "{{name}}",
+          "range": false,
+          "refId": "TX",
+          "useBackend": false
+        }
+      ],
+      "title": "Panel Title",
+      "transformations": [
+        {
+          "id": "merge",
+          "options": {}
+        }
+      ],
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "Bps"
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "sent 10.70.0.2"
+            },
+            "properties": [
+              {
+                "id": "color",
+                "value": {
+                  "fixedColor": "green",
+                  "mode": "fixed"
+                }
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byValue",
+              "options": {
+                "op": "gte",
+                "reducer": "allIsZero",
+                "value": 0
+              }
+            },
+            "properties": [
+              {
+                "id": "custom.hideFrom",
+                "value": {
+                  "legend": true,
+                  "tooltip": true,
+                  "viz": false
+                }
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byValue",
+              "options": {
+                "op": "gte",
+                "reducer": "allIsNull",
+                "value": 0
+              }
+            },
+            "properties": [
+              {
+                "id": "custom.hideFrom",
+                "value": {
+                  "legend": true,
+                  "tooltip": true,
+                  "viz": false
+                }
+              }
+            ]
+          }
+        ]
+      },
+      "gridPos": {
+        "h": 13,
+        "w": 24,
+        "x": 0,
+        "y": 15
+      },
+      "id": 4,
+      "options": {
+        "legend": {
+          "calcs": [
+            "mean",
+            "max",
+            "min"
+          ],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "none"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "irate(wireguard_received_bytes{job=\"$job\", instance=\"$node\"}[5m])",
+          "format": "time_series",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "instant": false,
+          "intervalFactor": 1,
+          "legendFormat": "received {{name}}",
+          "refId": "A",
+          "useBackend": false
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "irate(wireguard_sent_bytes{job=\"$job\", instance=\"$node\"}[5m])",
+          "format": "time_series",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "intervalFactor": 1,
+          "legendFormat": "sent {{name}}",
+          "range": true,
+          "refId": "B",
+          "useBackend": false
+        }
+      ],
+      "title": "Throughput",
+      "type": "timeseries"
+    }
+  ],
+  "refresh": "10s",
+  "schemaVersion": 39,
+  "tags": [
+    "prometheus",
+    "network",
+    "Wireguard",
+    "wg-easy"
+  ],
+  "templating": {
+    "list": [
+      {
+        "current": {},
+        "datasource": {
+          "type": "prometheus",
+          "uid": "${DS_PROMETHEUS}"
+        },
+        "definition": "label_values(wireguard_configured_peers,job)",
+        "hide": 0,
+        "includeAll": false,
+        "label": "Job",
+        "multi": false,
+        "name": "job",
+        "options": [],
+        "query": {
+          "qryType": 1,
+          "query": "label_values(wireguard_configured_peers,job)",
+          "refId": "PrometheusVariableQueryEditor-VariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "sort": 1,
+        "type": "query"
+      },
+      {
+        "current": {},
+        "datasource": {
+          "type": "prometheus",
+          "uid": "${DS_PROMETHEUS}"
+        },
+        "definition": "label_values(wireguard_configured_peers{job=\"$job\"},instance)",
+        "hide": 0,
+        "includeAll": false,
+        "label": "Node",
+        "multi": false,
+        "name": "node",
+        "options": [],
+        "query": {
+          "qryType": 1,
+          "query": "label_values(wireguard_configured_peers{job=\"$job\"},instance)",
+          "refId": "PrometheusVariableQueryEditor-VariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "sort": 0,
+        "type": "query"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-15m",
+    "to": "now"
+  },
+  "timepicker": {
+    "refresh_intervals": [
+      "10s",
+      "30s",
+      "1m",
+      "5m",
+      "15m",
+      "30m",
+      "1h",
+      "2h",
+      "1d"
+    ],
+    "time_options": [
+      "5m",
+      "15m",
+      "1h",
+      "6h",
+      "12h",
+      "24h",
+      "2d",
+      "7d",
+      "30d"
+    ]
+  },
+  "timezone": "Europe/Moscow",
+  "title": "WireGuard wg-easy",
+  "uid": "c0T_8RkZz",
+  "version": 15,
+  "weekStart": "monday",
+  "gnetId": 21787
+}
\ No newline at end of file
diff --git a/grafana/grafana_jm.txt b/grafana/grafana_jm.txt
new file mode 100644
index 0000000..2e2ef85
--- /dev/null
+++ b/grafana/grafana_jm.txt
@@ -0,0 +1,80 @@
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: grafana
+Username: grafana
+Disable Password: <selected>
+Email: <leave empty>
+Create New Primary Group: <selected>
+Create Home Directory: <unchecked>
+Samba Authentication: <unchecked>
+Save
+
+grafana UID: 3022
+grafana GID: 3021
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*grafana"
+# create following datasets if not present
+zfs create SSD1/docker/data/grafana
+zfs create SSD1/docker/data/grafana/appdata
+chown -R git:git /mnt/SSD1/docker/data/grafana
+
+Create folder
+-------------
+# In Truenas shell:
+mkdir /mnt/SSD1/docker/stacks/grafana
+
+Copy folder to docker stacks
+----------------------------
+In Windows cmd shell in grafana parent (apps) folder, enter:
+./cp2nas 10.0.0.20 grafana
+# or
+pscp -P 22 -r grafana/stacks/*.* root@10.0.0.20:/mnt/SSD1/docker/stacks/grafana/
+
+Creating secrets
+----------------
+# This can be skipped, but if skipped it requires commenting out ADMIN_PASSWORD and GF_USERS_ALLOW_SIGN_UP in .env file as well as sign on as user:admin/pw:admin at first access of grafana
+In Truenas shell:
+cd /mnt/SSD1/docker/stacks/grafana/secrets/
+echo -n 'your_admin_password' > /mnt/SSD1/docker/stacks/grafana/secrets/grafana_admin_password
+# restrict access
+chown -R grafana:grafana /mnt/SSD1/docker/stacks/grafana/secrets/
+chmod -R 400 /mnt/SSD1/docker/stacks/grafana/secrets/
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+# to list secrets in secrets dir
+cd /mnt/SSD1/docker/stacks/grafana/secrets
+for i in $(ls -1); do echo $i = `cat $i`; done | sort
+#
+# NB! this is not a means to change the admin password after grafana was accessed. 
+# To force admin password change by means of the above, you will have to clear the contents /mnt/data/grafana/appdata folder whilst grafana is down/stopped.
+# WARNING: Deleting contents of /mnt/data/grafana/appdata folder will also remove the grafana database
+
+Start Grafana
+-------------
+Refresh Dockge
+Start Grafana
+Log in to grafana at https://grafana.sthome.org
+Enter username: admin / password: (if creating secrets was skipped, pw=admin)
+Change login password if requested
+Go to Connections->Data sources
+Add new data source
+Click on Prometheus
+Enter prometheus server URL: http://prometheus:9090
+Under Authentication, select appropriate type, e.g. Basic authentication
+Enter authentication detail
+Click on Save & test
+Open another tab and browse to https://grafana.com/grafana/dashboards/
+Search for desired dashboard
+Select dashboard
+Scroll down to grab ID and copy to clipboard
+On grafana, click on Dashboards in left pane
+Click down arrow next to New, then Import
+Paste ID into field left of "Load" then click on Load
+Click on down arrow in InfluxDB textbox and select Prometheus
+Click on Import
+
+
diff --git a/grafana/stacks/.env b/grafana/stacks/.env
new file mode 100644
index 0000000..3423055
--- /dev/null
+++ b/grafana/stacks/.env
@@ -0,0 +1,26 @@
+
+APPLICATION_NAME=grafana
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOWNLOADSDIR=/mnt/stpool1/Downloads
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+PUID=3022
+PGID=3021
+DOMAINNAME=sthome.org
+WEBUI_PORT=3000
+
+
+
+
+
+
+
+
+
+
diff --git a/grafana/stacks/.grafana.env b/grafana/stacks/.grafana.env
new file mode 100644
index 0000000..e1a3a5e
--- /dev/null
+++ b/grafana/stacks/.grafana.env
@@ -0,0 +1,12 @@
+
+PUID=${PUID}
+PGID=${PGID}
+
+################################################################
+
+GF_SECURITY_ADMIN_USER=admin
+GF_SECURITY_ADMIN_PASSWORD=file:///run/secrets/grafana_admin_password
+GF_USERS_ALLOW_SIGN_UP=false
+
+
+
diff --git a/grafana/stacks/compose.yml b/grafana/stacks/compose.yml
new file mode 100644
index 0000000..1f9fbce
--- /dev/null
+++ b/grafana/stacks/compose.yml
@@ -0,0 +1,41 @@
+
+name: grafana
+
+networks:
+  traefik-net:
+    external: true
+    
+secrets:
+  grafana_admin_password:
+    file: ${SECRETSDIR}/grafana_admin_password
+    
+services:
+  grafana:
+    image: grafana/grafana:latest
+    networks:
+      - traefik-net
+    restart: unless-stopped
+    env_file: .grafana.env
+    user: "${PUID}:${PGID}"
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+      - "${DATADIR}/appdata:/var/lib/grafana"
+    secrets:
+      - grafana_admin_password
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      # HTTP Routers
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/handbrake/hanbrake auto conv.xlsx b/handbrake/hanbrake auto conv.xlsx
new file mode 100644
index 0000000..8dead74
Binary files /dev/null and b/handbrake/hanbrake auto conv.xlsx differ
diff --git a/handbrake/handbrake_jm.txt b/handbrake/handbrake_jm.txt
new file mode 100644
index 0000000..a38ec9d
--- /dev/null
+++ b/handbrake/handbrake_jm.txt
@@ -0,0 +1,62 @@
+# https://github.com/jlesage/docker-handbrake?tab=readme-ov-file
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: handbrake
+Username: handbrake
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+handbrk UID: 3037
+handbrk GID: 3036
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*handbrake"
+# create following datasets if not present
+zfs create SSD1/docker/data/handbrake
+zfs create SSD1/docker/data/handbrake/config
+zfs create SSD1/docker/data/handbrake/appdata
+chown -R handbrk:handbrk /mnt/SSD1/docker/data/handbrake
+
+Create folders
+--------------
+# In Truenas shell:
+mkdir /mnt/SSD1/docker/stacks/handbrake
+# it is advisable to create handbrake data folders in the media pool
+# create source folder for manual conversions, preset imports, etc.
+mkdir /mnt/stpool1/Downloads/handbrake/source
+# create output and trash folders
+mkdir /mnt/stpool1/NData1/staging/handbrake/output
+mkdir /mnt/stpool1/NData1/staging/handbrake/trash
+# create watch folders
+mkdir /mnt/stpool1/NData1/staging/handbrake/watch
+mkdir /mnt/stpool1/NData1/staging/handbrake/watch-4K
+mkdir /mnt/stpool1/Downloads/handbrake/watch
+mkdir /mnt/stpool1/Downloads/handbrake/watch-4K
+chown -R handbrk:handbrk /mnt/SSD1/docker/data/handbrake
+chown -R handbrk:handbrk /mnt/stpool1/NData1/staging/handbrake
+chown -R handbrk:handbrk /mnt/stpool1/Downloads/handbrake
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in handbrake folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/handbrake/
+# This should copy handbrake stacks folder to /mnt/SSD1/docker/stacks/handbrake
+
+Copy presets to source folder
+-----------------------------
+# In Windows cmd shell in handbrake folder, enter:
+pscp -P 22 -r presets/*.* root@192.168.2.2:/mnt/stpool1/Downloads/handbrake/source/
+# In Truenas shell:
+chown -R handbrk:handbrk /mnt/stpool1/Downloads/handbrake/source
diff --git a/handbrake/presets/custom.json b/handbrake/presets/custom.json
new file mode 100644
index 0000000..c2459ba
--- /dev/null
+++ b/handbrake/presets/custom.json
@@ -0,0 +1,793 @@
+{
+  "PresetList": [
+    {
+      "ChildrenArray": [
+        {
+          "AlignAVStart": true,
+          "AudioCopyMask": [
+            "copy:aac",
+            "copy:ac3",
+            "copy:dtshd",
+            "copy:dts",
+            "copy:mp3",
+            "copy:truehd",
+            "copy:flac",
+            "copy:eac3"
+          ],
+          "AudioEncoderFallback": "ac3",
+          "AudioLanguageList": [],
+          "AudioList": [
+            {
+              "AudioBitrate": 160,
+              "AudioCompressionLevel": 0,
+              "AudioEncoder": "av_aac",
+              "AudioMixdown": "stereo",
+              "AudioNormalizeMixLevel": false,
+              "AudioSamplerate": "auto",
+              "AudioTrackQualityEnable": false,
+              "AudioTrackQuality": -1,
+              "AudioTrackGainSlider": 0,
+              "AudioTrackDRCSlider": 0
+            },
+            {
+              "AudioBitrate": 640,
+              "AudioCompressionLevel": 0,
+              "AudioEncoder": "copy:ac3",
+              "AudioMixdown": "5point1",
+              "AudioNormalizeMixLevel": false,
+              "AudioSamplerate": "auto",
+              "AudioTrackQualityEnable": false,
+              "AudioTrackQuality": -1,
+              "AudioTrackGainSlider": 0,
+              "AudioTrackDRCSlider": 0
+            }
+          ],
+          "AudioSecondaryEncoderMode": true,
+          "AudioTrackSelectionBehavior": "first",
+          "ChapterMarkers": true,
+          "ChildrenArray": [],
+          "Default": false,
+          "FileFormat": "av_mp4",
+          "Folder": false,
+          "FolderOpen": false,
+          "Optimize": false,
+          "Mp4iPodCompatible": false,
+          "PictureCropMode": 0,
+          "PictureBottomCrop": 0,
+          "PictureLeftCrop": 0,
+          "PictureRightCrop": 0,
+          "PictureTopCrop": 0,
+          "PictureDARWidth": 0,
+          "PictureDeblockPreset": "off",
+          "PictureDeblockTune": "medium",
+          "PictureDeblockCustom": "strength=strong:thresh=20:blocksize=8",
+          "PictureDeinterlaceFilter": "off",
+          "PictureCombDetectPreset": "off",
+          "PictureCombDetectCustom": "",
+          "PictureDenoiseCustom": "",
+          "PictureDenoiseFilter": "off",
+          "PictureSharpenCustom": "",
+          "PictureSharpenFilter": "off",
+          "PictureSharpenPreset": "medium",
+          "PictureSharpenTune": "none",
+          "PictureDetelecine": "off",
+          "PictureDetelecineCustom": "",
+          "PictureColorspacePreset": "off",
+          "PictureColorspaceCustom": "",
+          "PictureChromaSmoothPreset": "off",
+          "PictureChromaSmoothTune": "none",
+          "PictureChromaSmoothCustom": "",
+          "PictureItuPAR": false,
+          "PictureKeepRatio": true,
+          "PicturePAR": "auto",
+          "PicturePARWidth": 0,
+          "PicturePARHeight": 0,
+          "PictureUseMaximumSize": true,
+          "PictureAllowUpscaling": false,
+          "PictureForceHeight": 0,
+          "PictureForceWidth": 0,
+          "PicturePadMode": "none",
+          "PicturePadTop": 0,
+          "PicturePadBottom": 0,
+          "PicturePadLeft": 0,
+          "PicturePadRight": 0,
+          "PicturePadColor": "black",
+          "PresetDescription": "",
+          "PresetName": "Church - Portrait",
+          "Type": 1,
+          "SubtitleAddCC": false,
+          "SubtitleAddForeignAudioSearch": true,
+          "SubtitleAddForeignAudioSubtitle": false,
+          "SubtitleBurnBehavior": "foreign",
+          "SubtitleBurnBDSub": false,
+          "SubtitleBurnDVDSub": false,
+          "SubtitleLanguageList": [],
+          "SubtitleTrackSelectionBehavior": "none",
+          "VideoAvgBitrate": 0,
+          "VideoColorMatrixCode": 0,
+          "VideoEncoder": "x264",
+          "VideoFramerate": "30",
+          "VideoFramerateMode": "pfr",
+          "VideoGrayScale": false,
+          "VideoScaler": "swscale",
+          "VideoPreset": "veryslow",
+          "VideoTune": "",
+          "VideoProfile": "high",
+          "VideoLevel": "4.1",
+          "VideoOptionExtra": "ref=5:bframes=5",
+          "VideoQualityType": 2,
+          "VideoQualitySlider": 17,
+          "VideoMultiPass": true,
+          "VideoTurboMultiPass": false,
+          "x264UseAdvancedOptions": false,
+          "PresetDisabled": false,
+          "MetadataPassthrough": true
+        },
+        {
+          "AlignAVStart": true,
+          "AudioCopyMask": [
+            "copy:aac",
+            "copy:ac3",
+            "copy:dtshd",
+            "copy:dts",
+            "copy:mp3",
+            "copy:truehd",
+            "copy:flac",
+            "copy:eac3"
+          ],
+          "AudioEncoderFallback": "ac3",
+          "AudioLanguageList": [],
+          "AudioList": [
+            {
+              "AudioBitrate": 160,
+              "AudioCompressionLevel": 0,
+              "AudioEncoder": "av_aac",
+              "AudioMixdown": "stereo",
+              "AudioNormalizeMixLevel": false,
+              "AudioSamplerate": "auto",
+              "AudioTrackQualityEnable": false,
+              "AudioTrackQuality": -1,
+              "AudioTrackGainSlider": 0,
+              "AudioTrackDRCSlider": 0
+            },
+            {
+              "AudioBitrate": 640,
+              "AudioCompressionLevel": 0,
+              "AudioEncoder": "copy:ac3",
+              "AudioMixdown": "5point1",
+              "AudioNormalizeMixLevel": false,
+              "AudioSamplerate": "auto",
+              "AudioTrackQualityEnable": false,
+              "AudioTrackQuality": -1,
+              "AudioTrackGainSlider": 0,
+              "AudioTrackDRCSlider": 0
+            }
+          ],
+          "AudioSecondaryEncoderMode": true,
+          "AudioTrackSelectionBehavior": "first",
+          "ChapterMarkers": true,
+          "ChildrenArray": [],
+          "Default": false,
+          "FileFormat": "av_mp4",
+          "Folder": false,
+          "FolderOpen": false,
+          "Optimize": false,
+          "Mp4iPodCompatible": false,
+          "PictureCropMode": 0,
+          "PictureBottomCrop": 0,
+          "PictureLeftCrop": 0,
+          "PictureRightCrop": 0,
+          "PictureTopCrop": 0,
+          "PictureDARWidth": 1080,
+          "PictureDeblockPreset": "off",
+          "PictureDeblockTune": "medium",
+          "PictureDeblockCustom": "strength=strong:thresh=20:blocksize=8",
+          "PictureDeinterlaceFilter": "off",
+          "PictureCombDetectPreset": "off",
+          "PictureCombDetectCustom": "",
+          "PictureDenoiseCustom": "",
+          "PictureDenoiseFilter": "off",
+          "PictureSharpenCustom": "",
+          "PictureSharpenFilter": "off",
+          "PictureSharpenPreset": "medium",
+          "PictureSharpenTune": "none",
+          "PictureDetelecine": "off",
+          "PictureDetelecineCustom": "",
+          "PictureColorspacePreset": "off",
+          "PictureColorspaceCustom": "",
+          "PictureChromaSmoothPreset": "off",
+          "PictureChromaSmoothTune": "none",
+          "PictureChromaSmoothCustom": "",
+          "PictureItuPAR": false,
+          "PictureKeepRatio": true,
+          "PicturePAR": "custom",
+          "PicturePARWidth": 1,
+          "PicturePARHeight": 1,
+          "PictureWidth": 1080,
+          "PictureHeight": 1920,
+          "PictureUseMaximumSize": true,
+          "PictureAllowUpscaling": false,
+          "PictureForceHeight": 0,
+          "PictureForceWidth": 0,
+          "PicturePadMode": "none",
+          "PicturePadTop": 0,
+          "PicturePadBottom": 0,
+          "PicturePadLeft": 0,
+          "PicturePadRight": 0,
+          "PicturePadColor": "black",
+          "PresetDescription": "",
+          "PresetName": "Church Portrait 1080 x 1920",
+          "Type": 1,
+          "SubtitleAddCC": false,
+          "SubtitleAddForeignAudioSearch": true,
+          "SubtitleAddForeignAudioSubtitle": false,
+          "SubtitleBurnBehavior": "foreign",
+          "SubtitleBurnBDSub": false,
+          "SubtitleBurnDVDSub": false,
+          "SubtitleLanguageList": [],
+          "SubtitleTrackSelectionBehavior": "none",
+          "VideoAvgBitrate": 0,
+          "VideoColorMatrixCode": 0,
+          "VideoEncoder": "x264",
+          "VideoFramerate": "30",
+          "VideoFramerateMode": "pfr",
+          "VideoGrayScale": false,
+          "VideoScaler": "swscale",
+          "VideoPreset": "veryslow",
+          "VideoTune": "",
+          "VideoProfile": "high",
+          "VideoLevel": "4.1",
+          "VideoOptionExtra": "ref=5:bframes=5",
+          "VideoQualityType": 2,
+          "VideoQualitySlider": 17,
+          "VideoMultiPass": true,
+          "VideoTurboMultiPass": false,
+          "x264UseAdvancedOptions": false,
+          "PresetDisabled": false,
+          "MetadataPassthrough": true
+        },
+        {
+          "AlignAVStart": true,
+          "AudioCopyMask": [
+            "copy:aac",
+            "copy:ac3",
+            "copy:eac3",
+            "copy:truehd",
+            "copy:dts",
+            "copy:dtshd",
+            "copy:mp3",
+            "copy:flac"
+          ],
+          "AudioEncoderFallback": "ac3",
+          "AudioLanguageList": [
+            "eng"
+          ],
+          "AudioList": [
+            {
+              "AudioBitrate": 640,
+              "AudioCompressionLevel": 0,
+              "AudioEncoder": "copy:ac3",
+              "AudioMixdown": "5point1",
+              "AudioNormalizeMixLevel": false,
+              "AudioSamplerate": "auto",
+              "AudioTrackQualityEnable": false,
+              "AudioTrackQuality": -1,
+              "AudioTrackGainSlider": 0,
+              "AudioTrackDRCSlider": 0
+            },
+            {
+              "AudioBitrate": 640,
+              "AudioCompressionLevel": 0,
+              "AudioEncoder": "copy:eac3",
+              "AudioMixdown": "5point1",
+              "AudioNormalizeMixLevel": false,
+              "AudioSamplerate": "auto",
+              "AudioTrackQualityEnable": false,
+              "AudioTrackQuality": -1,
+              "AudioTrackGainSlider": 0,
+              "AudioTrackDRCSlider": 0
+            },
+            {
+              "AudioBitrate": 640,
+              "AudioCompressionLevel": 0,
+              "AudioEncoder": "copy:dts",
+              "AudioMixdown": "5point1",
+              "AudioNormalizeMixLevel": false,
+              "AudioSamplerate": "48",
+              "AudioTrackQualityEnable": false,
+              "AudioTrackQuality": 0,
+              "AudioTrackGainSlider": 0,
+              "AudioTrackDRCSlider": 0
+            },
+            {
+              "AudioBitrate": 640,
+              "AudioCompressionLevel": 0,
+              "AudioEncoder": "copy:dtshd",
+              "AudioMixdown": "5point1",
+              "AudioNormalizeMixLevel": false,
+              "AudioSamplerate": "48",
+              "AudioTrackQualityEnable": false,
+              "AudioTrackQuality": 0,
+              "AudioTrackGainSlider": 0,
+              "AudioTrackDRCSlider": 0
+            },
+            {
+              "AudioBitrate": 640,
+              "AudioCompressionLevel": 0,
+              "AudioEncoder": "copy:truehd",
+              "AudioMixdown": "5point1",
+              "AudioNormalizeMixLevel": false,
+              "AudioSamplerate": "48",
+              "AudioTrackQualityEnable": false,
+              "AudioTrackQuality": 0,
+              "AudioTrackGainSlider": 0,
+              "AudioTrackDRCSlider": 0
+            },
+            {
+              "AudioBitrate": 640,
+              "AudioCompressionLevel": 0,
+              "AudioEncoder": "copy:eac3",
+              "AudioMixdown": "5point1",
+              "AudioNormalizeMixLevel": false,
+              "AudioSamplerate": "48",
+              "AudioTrackQualityEnable": false,
+              "AudioTrackQuality": 0,
+              "AudioTrackGainSlider": 0,
+              "AudioTrackDRCSlider": 0
+            }
+          ],
+          "AudioSecondaryEncoderMode": true,
+          "AudioTrackSelectionBehavior": "all",
+          "ChapterMarkers": true,
+          "ChildrenArray": [],
+          "Default": false,
+          "FileFormat": "av_mp4",
+          "Folder": false,
+          "FolderOpen": false,
+          "Optimize": false,
+          "Mp4iPodCompatible": false,
+          "PictureCropMode": 0,
+          "PictureBottomCrop": 140,
+          "PictureLeftCrop": 0,
+          "PictureRightCrop": 0,
+          "PictureTopCrop": 140,
+          "PictureDARWidth": 0,
+          "PictureDeblockPreset": "off",
+          "PictureDeblockTune": "medium",
+          "PictureDeblockCustom": "strength=strong:thresh=20:blocksize=8",
+          "PictureDeinterlaceFilter": "decomb",
+          "PictureCombDetectPreset": "default",
+          "PictureCombDetectCustom": "",
+          "PictureDeinterlacePreset": "default",
+          "PictureDeinterlaceCustom": "",
+          "PictureDenoiseCustom": "",
+          "PictureDenoiseFilter": "off",
+          "PictureSharpenCustom": "",
+          "PictureSharpenFilter": "off",
+          "PictureSharpenPreset": "medium",
+          "PictureSharpenTune": "none",
+          "PictureDetelecine": "off",
+          "PictureDetelecineCustom": "",
+          "PictureColorspacePreset": "off",
+          "PictureColorspaceCustom": "",
+          "PictureChromaSmoothPreset": "off",
+          "PictureChromaSmoothTune": "none",
+          "PictureChromaSmoothCustom": "",
+          "PictureItuPAR": false,
+          "PictureKeepRatio": true,
+          "PicturePAR": "auto",
+          "PicturePARWidth": 0,
+          "PicturePARHeight": 0,
+          "PictureWidth": 1920,
+          "PictureHeight": 1080,
+          "PictureUseMaximumSize": true,
+          "PictureAllowUpscaling": false,
+          "PictureForceHeight": 0,
+          "PictureForceWidth": 0,
+          "PicturePadMode": "none",
+          "PicturePadTop": 0,
+          "PicturePadBottom": 0,
+          "PicturePadLeft": 0,
+          "PicturePadRight": 0,
+          "PicturePadColor": "black",
+          "PresetDescription": "",
+          "PresetName": "Super HQ 23.976",
+          "Type": 1,
+          "SubtitleAddCC": false,
+          "SubtitleAddForeignAudioSearch": true,
+          "SubtitleAddForeignAudioSubtitle": false,
+          "SubtitleBurnBehavior": "none",
+          "SubtitleBurnBDSub": false,
+          "SubtitleBurnDVDSub": false,
+          "SubtitleLanguageList": [
+            "eng"
+          ],
+          "SubtitleTrackSelectionBehavior": "all",
+          "VideoAvgBitrate": 0,
+          "VideoColorMatrixCode": 0,
+          "VideoEncoder": "x264",
+          "VideoFramerate": "23.976",
+          "VideoFramerateMode": "pfr",
+          "VideoGrayScale": false,
+          "VideoScaler": "swscale",
+          "VideoPreset": "veryslow",
+          "VideoTune": "",
+          "VideoProfile": "high",
+          "VideoLevel": "4.1",
+          "VideoOptionExtra": "ref=5:bframes=5",
+          "VideoQualityType": 2,
+          "VideoQualitySlider": 18,
+          "VideoMultiPass": true,
+          "VideoTurboMultiPass": false,
+          "x264UseAdvancedOptions": false,
+          "PresetDisabled": false,
+          "MetadataPassthrough": true
+        },
+        {
+          "AlignAVStart": false,
+          "AudioCopyMask": [
+            "copy:aac",
+            "copy:ac3",
+            "copy:eac3",
+            "copy:truehd",
+            "copy:dts",
+            "copy:dtshd",
+            "copy:mp3",
+            "copy:flac"
+          ],
+          "AudioEncoderFallback": "ac3",
+          "AudioLanguageList": [
+            "eng",
+            "afr",
+            "und"
+          ],
+          "AudioList": [
+            {
+              "AudioBitrate": 640,
+              "AudioCompressionLevel": 0,
+              "AudioEncoder": "copy",
+              "AudioMixdown": "5point1",
+              "AudioNormalizeMixLevel": false,
+              "AudioSamplerate": "48",
+              "AudioTrackQualityEnable": false,
+              "AudioTrackQuality": 0,
+              "AudioTrackGainSlider": 0,
+              "AudioTrackDRCSlider": 0
+            }
+          ],
+          "AudioSecondaryEncoderMode": true,
+          "AudioTrackSelectionBehavior": "all",
+          "ChapterMarkers": true,
+          "ChildrenArray": [],
+          "Default": false,
+          "FileFormat": "av_mkv",
+          "Folder": false,
+          "FolderOpen": false,
+          "Optimize": false,
+          "Mp4iPodCompatible": false,
+          "PictureCropMode": 0,
+          "PictureBottomCrop": 68,
+          "PictureLeftCrop": 0,
+          "PictureRightCrop": 0,
+          "PictureTopCrop": 68,
+          "PictureDARWidth": 0,
+          "PictureDeblockPreset": "off",
+          "PictureDeblockTune": "medium",
+          "PictureDeblockCustom": "strength=strong:thresh=20:blocksize=8",
+          "PictureDeinterlaceFilter": "decomb",
+          "PictureCombDetectPreset": "default",
+          "PictureCombDetectCustom": "",
+          "PictureDeinterlacePreset": "default",
+          "PictureDeinterlaceCustom": "",
+          "PictureDenoiseCustom": "",
+          "PictureDenoiseFilter": "off",
+          "PictureSharpenCustom": "",
+          "PictureSharpenFilter": "off",
+          "PictureSharpenPreset": "medium",
+          "PictureSharpenTune": "none",
+          "PictureDetelecine": "off",
+          "PictureDetelecineCustom": "",
+          "PictureColorspacePreset": "off",
+          "PictureColorspaceCustom": "",
+          "PictureChromaSmoothPreset": "off",
+          "PictureChromaSmoothTune": "none",
+          "PictureChromaSmoothCustom": "",
+          "PictureItuPAR": false,
+          "PictureKeepRatio": true,
+          "PicturePAR": "auto",
+          "PicturePARWidth": 0,
+          "PicturePARHeight": 0,
+          "PictureWidth": 3840,
+          "PictureHeight": 2160,
+          "PictureUseMaximumSize": true,
+          "PictureAllowUpscaling": false,
+          "PictureForceHeight": 0,
+          "PictureForceWidth": 0,
+          "PicturePadMode": "none",
+          "PicturePadTop": 0,
+          "PicturePadBottom": 0,
+          "PicturePadLeft": 0,
+          "PicturePadRight": 0,
+          "PicturePadColor": "black",
+          "PresetDescription": "",
+          "PresetName": "4K HDR",
+          "Type": 1,
+          "SubtitleAddCC": true,
+          "SubtitleAddForeignAudioSearch": true,
+          "SubtitleAddForeignAudioSubtitle": false,
+          "SubtitleBurnBehavior": "none",
+          "SubtitleBurnBDSub": false,
+          "SubtitleBurnDVDSub": false,
+          "SubtitleLanguageList": [
+            "afr",
+            "eng",
+            "und"
+          ],
+          "SubtitleTrackSelectionBehavior": "all",
+          "VideoAvgBitrate": 0,
+          "VideoColorMatrixCode": 0,
+          "VideoEncoder": "x265_10bit",
+          "VideoFramerateMode": "cfr",
+          "VideoGrayScale": false,
+          "VideoScaler": "swscale",
+          "VideoPreset": "slow",
+          "VideoTune": "",
+          "VideoProfile": "main10",
+          "VideoLevel": "5.1",
+          "VideoOptionExtra": "strong-intra-smoothing=0:rect=0:aq-mode=1:rd=4:psy-rd=0.75:psy-rdoq=4.0:rdoq-level=1:rskip=2",
+          "VideoQualityType": 2,
+          "VideoQualitySlider": 18,
+          "VideoMultiPass": true,
+          "VideoTurboMultiPass": false,
+          "x264UseAdvancedOptions": false,
+          "PresetDisabled": false,
+          "MetadataPassthrough": true
+        },
+        {
+          "AlignAVStart": false,
+          "AudioCopyMask": [
+            "copy:aac",
+            "copy:ac3",
+            "copy:eac3",
+            "copy:truehd",
+            "copy:dts",
+            "copy:dtshd",
+            "copy:mp3",
+            "copy:flac"
+          ],
+          "AudioEncoderFallback": "ac3",
+          "AudioLanguageList": [
+            "eng",
+            "afr"
+          ],
+          "AudioList": [
+            {
+              "AudioBitrate": 640,
+              "AudioCompressionLevel": 0,
+              "AudioEncoder": "copy",
+              "AudioMixdown": "5point1",
+              "AudioNormalizeMixLevel": false,
+              "AudioSamplerate": "auto",
+              "AudioTrackQualityEnable": false,
+              "AudioTrackQuality": -1,
+              "AudioTrackGainSlider": 0,
+              "AudioTrackDRCSlider": 0
+            }
+          ],
+          "AudioSecondaryEncoderMode": true,
+          "AudioTrackSelectionBehavior": "all",
+          "ChapterMarkers": true,
+          "ChildrenArray": [],
+          "Default": false,
+          "FileFormat": "av_mkv",
+          "Folder": false,
+          "FolderOpen": false,
+          "Optimize": false,
+          "Mp4iPodCompatible": false,
+          "PictureCropMode": 0,
+          "PictureBottomCrop": 0,
+          "PictureLeftCrop": 12,
+          "PictureRightCrop": 4,
+          "PictureTopCrop": 10,
+          "PictureDARWidth": 0,
+          "PictureDeblockPreset": "off",
+          "PictureDeblockTune": "medium",
+          "PictureDeblockCustom": "strength=strong:thresh=20:blocksize=8",
+          "PictureDeinterlaceFilter": "decomb",
+          "PictureCombDetectPreset": "default",
+          "PictureCombDetectCustom": "",
+          "PictureDeinterlacePreset": "default",
+          "PictureDeinterlaceCustom": "",
+          "PictureDenoiseCustom": "",
+          "PictureDenoiseFilter": "off",
+          "PictureSharpenCustom": "",
+          "PictureSharpenFilter": "off",
+          "PictureSharpenPreset": "medium",
+          "PictureSharpenTune": "none",
+          "PictureDetelecine": "off",
+          "PictureDetelecineCustom": "",
+          "PictureColorspacePreset": "off",
+          "PictureColorspaceCustom": "",
+          "PictureChromaSmoothPreset": "off",
+          "PictureChromaSmoothTune": "none",
+          "PictureChromaSmoothCustom": "",
+          "PictureItuPAR": false,
+          "PictureKeepRatio": true,
+          "PicturePAR": "auto",
+          "PicturePARWidth": 0,
+          "PicturePARHeight": 0,
+          "PictureWidth": 1920,
+          "PictureHeight": 1080,
+          "PictureUseMaximumSize": true,
+          "PictureAllowUpscaling": true,
+          "PictureForceHeight": 0,
+          "PictureForceWidth": 0,
+          "PicturePadMode": "none",
+          "PicturePadTop": 0,
+          "PicturePadBottom": 0,
+          "PicturePadLeft": 0,
+          "PicturePadRight": 0,
+          "PicturePadColor": "black",
+          "PresetDescription": "",
+          "PresetName": "DVD H265",
+          "Type": 1,
+          "SubtitleAddCC": false,
+          "SubtitleAddForeignAudioSearch": true,
+          "SubtitleAddForeignAudioSubtitle": false,
+          "SubtitleBurnBehavior": "none",
+          "SubtitleBurnBDSub": false,
+          "SubtitleBurnDVDSub": false,
+          "SubtitleLanguageList": [
+            "afr",
+            "eng"
+          ],
+          "SubtitleTrackSelectionBehavior": "all",
+          "VideoAvgBitrate": 0,
+          "VideoColorMatrixCode": 0,
+          "VideoEncoder": "x265_10bit",
+          "VideoFramerateMode": "cfr",
+          "VideoGrayScale": false,
+          "VideoScaler": "swscale",
+          "VideoPreset": "slow",
+          "VideoTune": "",
+          "VideoProfile": "main10",
+          "VideoLevel": "5.1",
+          "VideoOptionExtra": "strong-intra-smoothing=0:rect=0:aq-mode=1:rd=4:psy-rd=0.75:psy-rdoq=4.0:rdoq-level=1:rskip=2",
+          "VideoQualityType": 2,
+          "VideoQualitySlider": 18,
+          "VideoMultiPass": true,
+          "VideoTurboMultiPass": false,
+          "x264UseAdvancedOptions": false,
+          "PresetDisabled": false,
+          "MetadataPassthrough": true
+        },
+        {
+          "AlignAVStart": false,
+          "AudioCopyMask": [
+            "copy:aac",
+            "copy:ac3",
+            "copy:eac3",
+            "copy:truehd",
+            "copy:dts",
+            "copy:dtshd",
+            "copy:mp3",
+            "copy:flac"
+          ],
+          "AudioEncoderFallback": "ac3",
+          "AudioLanguageList": [
+            "eng",
+            "afr",
+            "und"
+          ],
+          "AudioList": [
+            {
+              "AudioBitrate": 640,
+              "AudioCompressionLevel": 0,
+              "AudioEncoder": "copy",
+              "AudioMixdown": "5point1",
+              "AudioNormalizeMixLevel": false,
+              "AudioSamplerate": "auto",
+              "AudioTrackQualityEnable": false,
+              "AudioTrackQuality": -1,
+              "AudioTrackGainSlider": 0,
+              "AudioTrackDRCSlider": 0
+            }
+          ],
+          "AudioSecondaryEncoderMode": true,
+          "AudioTrackSelectionBehavior": "all",
+          "ChapterMarkers": true,
+          "ChildrenArray": [],
+          "Default": false,
+          "FileFormat": "av_mkv",
+          "Folder": false,
+          "FolderOpen": false,
+          "Optimize": false,
+          "Mp4iPodCompatible": false,
+          "PictureCropMode": 0,
+          "PictureBottomCrop": 0,
+          "PictureLeftCrop": 0,
+          "PictureRightCrop": 0,
+          "PictureTopCrop": 0,
+          "PictureDARWidth": 0,
+          "PictureDeblockPreset": "off",
+          "PictureDeblockTune": "medium",
+          "PictureDeblockCustom": "strength=strong:thresh=20:blocksize=8",
+          "PictureDeinterlaceFilter": "decomb",
+          "PictureCombDetectPreset": "default",
+          "PictureCombDetectCustom": "",
+          "PictureDeinterlacePreset": "default",
+          "PictureDeinterlaceCustom": "",
+          "PictureDenoiseCustom": "",
+          "PictureDenoiseFilter": "off",
+          "PictureSharpenCustom": "",
+          "PictureSharpenFilter": "off",
+          "PictureSharpenPreset": "medium",
+          "PictureSharpenTune": "none",
+          "PictureDetelecine": "off",
+          "PictureDetelecineCustom": "",
+          "PictureColorspacePreset": "off",
+          "PictureColorspaceCustom": "",
+          "PictureChromaSmoothPreset": "off",
+          "PictureChromaSmoothTune": "none",
+          "PictureChromaSmoothCustom": "",
+          "PictureItuPAR": false,
+          "PictureKeepRatio": true,
+          "PicturePAR": "auto",
+          "PicturePARWidth": 0,
+          "PicturePARHeight": 0,
+          "PictureWidth": 1920,
+          "PictureHeight": 1080,
+          "PictureUseMaximumSize": true,
+          "PictureAllowUpscaling": false,
+          "PictureForceHeight": 0,
+          "PictureForceWidth": 0,
+          "PicturePadMode": "none",
+          "PicturePadTop": 0,
+          "PicturePadBottom": 0,
+          "PicturePadLeft": 0,
+          "PicturePadRight": 0,
+          "PicturePadColor": "black",
+          "PresetDescription": "",
+          "PresetName": "DVD h265",
+          "Type": 1,
+          "SubtitleAddCC": false,
+          "SubtitleAddForeignAudioSearch": true,
+          "SubtitleAddForeignAudioSubtitle": false,
+          "SubtitleBurnBehavior": "none",
+          "SubtitleBurnBDSub": false,
+          "SubtitleBurnDVDSub": false,
+          "SubtitleLanguageList": [
+            "afr",
+            "eng"
+          ],
+          "SubtitleTrackSelectionBehavior": "all",
+          "VideoAvgBitrate": 0,
+          "VideoColorMatrixCode": 0,
+          "VideoEncoder": "x265_10bit",
+          "VideoFramerateMode": "cfr",
+          "VideoGrayScale": false,
+          "VideoScaler": "swscale",
+          "VideoPreset": "slow",
+          "VideoTune": "",
+          "VideoProfile": "main10",
+          "VideoLevel": "5.1",
+          "VideoOptionExtra": "strong-intra-smoothing=0:rect=0:aq-mode=1:rd=4:psy-rd=0.75:psy-rdoq=4.0:rdoq-level=1:rskip=2",
+          "VideoQualityType": 2,
+          "VideoQualitySlider": 17,
+          "VideoMultiPass": true,
+          "VideoTurboMultiPass": false,
+          "x264UseAdvancedOptions": false,
+          "PresetDisabled": false,
+          "MetadataPassthrough": true
+        }
+      ],
+      "Folder": true,
+      "PresetName": "Custom Presets",
+      "PresetDescription": "",
+      "Type": 0
+    }
+  ],
+  "VersionMajor": 56,
+  "VersionMicro": 0,
+  "VersionMinor": 0
+}
\ No newline at end of file
diff --git a/handbrake/stacks/.env b/handbrake/stacks/.env
new file mode 100644
index 0000000..5a497e9
--- /dev/null
+++ b/handbrake/stacks/.env
@@ -0,0 +1,18 @@
+
+APPLICATION_NAME=handbrake
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOWNLOADSDIR=/mnt/stpool1/Downloads
+STAGINGDIR=/mnt/stpool1/NData1/staging
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+DOMAINNAME=sthome.org
+SERVICE_PORT=5800
+PUID=3037
+PGID=3036
+MEDIA_GID=3017
\ No newline at end of file
diff --git a/handbrake/stacks/.handbrake.env b/handbrake/stacks/.handbrake.env
new file mode 100644
index 0000000..77ab5b5
--- /dev/null
+++ b/handbrake/stacks/.handbrake.env
@@ -0,0 +1,104 @@
+# https://github.com/jlesage/docker-handbrake?tab=readme-ov-file
+
+USER_ID=${PUID}
+GROUP_ID=${PGID}
+SUP_GROUP_IDS=${MEDIA_GID}
+UMASK=0022
+TZ=Africa/Johannesburg
+DARK_MODE=1
+HANDBRAKE_GUI=1
+# SECURE_CONNECTION=1
+# WEB_AUTHENTICATION=1
+# WEB_AUTHENTICATION_USERNAME=
+# WEB_AUTHENTICATION_PASSWORD=
+# SECURE_CONNECTION_VNC_METHOD=
+# SECURE_CONNECTION_CERTS_CHECK_INTERVAL=
+# VNC_PASSWORD=
+
+# Automated conversion settings
+# -----------------------------
+AUTOMATED_CONVERSION=1
+
+# 1080/HD (watch1)
+AUTOMATED_CONVERSION_PRESET_1="Custom Presets/DVD h265"
+AUTOMATED_CONVERSION_FORMAT_1=mkv
+AUTOMATED_CONVERSION_KEEP_SOURCE_1=0
+# AUTOMATED_CONVERSION_VIDEO_FILE_EXTENSIONS_1=
+AUTOMATED_CONVERSION_NON_VIDEO_FILE_ACTION_1=ignore
+AUTOMATED_CONVERSION_NON_VIDEO_FILE_EXTENSIONS_1="jpg jpeg bmp png gif txt nfo"
+AUTOMATED_CONVERSION_OUTPUT_DIR_1=/output
+AUTOMATED_CONVERSION_OUTPUT_SUBDIR_1=dvd
+AUTOMATED_CONVERSION_OVERWRITE_OUTPUT_1=0
+AUTOMATED_CONVERSION_SOURCE_STABLE_TIME_1=5
+AUTOMATED_CONVERSION_SOURCE_MIN_DURATION_1=10
+AUTOMATED_CONVERSION_SOURCE_MAIN_TITLE_DETECTION_1=1
+AUTOMATED_CONVERSION_CHECK_INTERVAL_1=5
+AUTOMATED_CONVERSION_MAX_WATCH_FOLDERS_1=5
+AUTOMATED_CONVERSION_NO_GUI_PROGRESS_1=0
+AUTOMATED_CONVERSION_HANDBRAKE_CUSTOM_ARGS_1=
+AUTOMATED_CONVERSION_INSTALL_PKGS_1=
+AUTOMATED_CONVERSION_USE_TRASH_1=1
+
+# 1080/HD (watch2)
+AUTOMATED_CONVERSION_PRESET_2="Custom Presets/DVD h265"
+AUTOMATED_CONVERSION_FORMAT_2=mkv
+AUTOMATED_CONVERSION_KEEP_SOURCE_2=0
+# AUTOMATED_CONVERSION_VIDEO_FILE_EXTENSIONS_2=
+AUTOMATED_CONVERSION_NON_VIDEO_FILE_ACTION_2=ignore
+AUTOMATED_CONVERSION_NON_VIDEO_FILE_EXTENSIONS_2="jpg jpeg bmp png gif txt nfo"
+AUTOMATED_CONVERSION_OUTPUT_DIR_2=/output
+AUTOMATED_CONVERSION_OUTPUT_SUBDIR_2=dvd
+AUTOMATED_CONVERSION_OVERWRITE_OUTPUT_2=0
+AUTOMATED_CONVERSION_SOURCE_STABLE_TIME_2=5
+AUTOMATED_CONVERSION_SOURCE_MIN_DURATION_2=10
+AUTOMATED_CONVERSION_SOURCE_MAIN_TITLE_DETECTION_2=0
+AUTOMATED_CONVERSION_CHECK_INTERVAL_2=5
+AUTOMATED_CONVERSION_MAX_WATCH_FOLDERS_2=5
+AUTOMATED_CONVERSION_NO_GUI_PROGRESS_2=0
+AUTOMATED_CONVERSION_HANDBRAKE_CUSTOM_ARGS_2=
+AUTOMATED_CONVERSION_INSTALL_PKGS_2=
+AUTOMATED_CONVERSION_USE_TRASH_2=1
+
+# 2160/4k (watch3)
+AUTOMATED_CONVERSION_PRESET_3="Custom Presets/4K HDR"
+AUTOMATED_CONVERSION_FORMAT_3=mkv
+AUTOMATED_CONVERSION_KEEP_SOURCE_3=0
+AUTOMATED_CONVERSION_VIDEO_FILE_EXTENSIONS_3=
+AUTOMATED_CONVERSION_NON_VIDEO_FILE_ACTION_3=ignore
+AUTOMATED_CONVERSION_NON_VIDEO_FILE_EXTENSIONS_3="jpg jpeg bmp png gif txt nfo"
+AUTOMATED_CONVERSION_OUTPUT_DIR_3=/output
+AUTOMATED_CONVERSION_OUTPUT_SUBDIR_3=4k
+AUTOMATED_CONVERSION_OVERWRITE_OUTPUT_3=0
+AUTOMATED_CONVERSION_SOURCE_STABLE_TIME_3=5
+AUTOMATED_CONVERSION_SOURCE_MIN_DURATION_3=10
+AUTOMATED_CONVERSION_SOURCE_MAIN_TITLE_DETECTION_3=0
+AUTOMATED_CONVERSION_CHECK_INTERVAL_3=5
+AUTOMATED_CONVERSION_MAX_WATCH_FOLDERS_3=5
+AUTOMATED_CONVERSION_NO_GUI_PROGRESS_3=0
+AUTOMATED_CONVERSION_HANDBRAKE_CUSTOM_ARGS_3=
+AUTOMATED_CONVERSION_INSTALL_PKGS_3=
+AUTOMATED_CONVERSION_USE_TRASH_3=1
+
+# 2160/4k (watch4)
+AUTOMATED_CONVERSION_PRESET_4="Custom Presets/4K HDR"
+AUTOMATED_CONVERSION_FORMAT_4=mkv
+AUTOMATED_CONVERSION_KEEP_SOURCE_4=0
+AUTOMATED_CONVERSION_VIDEO_FILE_EXTENSIONS_4=
+AUTOMATED_CONVERSION_NON_VIDEO_FILE_ACTION_4=ignore
+AUTOMATED_CONVERSION_NON_VIDEO_FILE_EXTENSIONS_4="jpg jpeg bmp png gif txt nfo"
+AUTOMATED_CONVERSION_OUTPUT_DIR_4=/output
+AUTOMATED_CONVERSION_OUTPUT_SUBDIR_4=4k
+AUTOMATED_CONVERSION_OVERWRITE_OUTPUT_4=0
+AUTOMATED_CONVERSION_SOURCE_STABLE_TIME_4=5
+AUTOMATED_CONVERSION_SOURCE_MIN_DURATION_4=10
+AUTOMATED_CONVERSION_SOURCE_MAIN_TITLE_DETECTION_4=0
+AUTOMATED_CONVERSION_CHECK_INTERVAL_4=5
+AUTOMATED_CONVERSION_MAX_WATCH_FOLDERS_4=5
+AUTOMATED_CONVERSION_NO_GUI_PROGRESS_4=0
+AUTOMATED_CONVERSION_HANDBRAKE_CUSTOM_ARGS_4=
+AUTOMATED_CONVERSION_INSTALL_PKGS_4=
+AUTOMATED_CONVERSION_USE_TRASH_4=1
+
+
+
+
diff --git a/handbrake/stacks/compose.yml b/handbrake/stacks/compose.yml
new file mode 100644
index 0000000..49ff175
--- /dev/null
+++ b/handbrake/stacks/compose.yml
@@ -0,0 +1,64 @@
+
+name: handbrake
+
+networks:
+  traefik-net:
+    external: true
+    
+services:
+  handbrake:
+    image: jlesage/handbrake
+    restart: unless-stopped
+    env_file: .handbrake.env
+    hostname: handbrake
+    networks:
+      - traefik-net
+    volumes:
+      - ${DATADIR}/config:/config
+      - ${DOWNLOADSDIR}:/storage:ro
+      - ${DOWNLOADSDIR}/handbrake/watch:/watch1:rw
+      - ${DOWNLOADSDIR}/handbrake/watch-4K:/watch3:rw
+      - ${STAGINGDIR}/handbrake/watch:/watch2:rw
+      - ${STAGINGDIR}/handbrake/watch-4K:/watch4:rw
+      - ${STAGINGDIR}/handbrake/output:/output:rw
+      - ${STAGINGDIR}/handbrake/trash:/trash:rw
+
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      # http middlewares
+      # ---------------------------
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${SERVICE_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # assign middlewares
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # apply tls options
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      # attach middlewares to routers
+      # assign middlewares
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/home-assistant/home-assistant_jm.txt b/home-assistant/home-assistant_jm.txt
new file mode 100644
index 0000000..fd58746
--- /dev/null
+++ b/home-assistant/home-assistant_jm.txt
@@ -0,0 +1,179 @@
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: home-assistant
+Username: hmeassist
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+hmeassist UID: 3038
+hmeassist GID: 3037
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*home-assistant"
+# create following datasets if not present
+zfs create SSD1/docker/data/home-assistant/config
+zfs create SSD1/docker/data/home-assistant/pgbackups
+zfs create SSD1/docker/data/home-assistant/pgdata
+chown -R hmeassist:hmeassist /mnt/SSD1/docker/data/home-assistant
+chown pguser:pguser /mnt/SSD1/docker/data/home-assistant/pgbackups
+chown pguser:pguser /mnt/SSD1/docker/data/home-assistant/pgdata
+
+Create folders
+--------------
+# In Truenas shell:
+mkdir -p /mnt/SSD1/docker/stacks/home-assistant/secrets
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in home-assistant folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/home-assistant/
+# This should copy home-assistant stacks folder to /mnt/SSD1/docker/stacks/home-assistant
+
+Create secrets
+--------------
+# In Truenas shell:
+cd /mnt/SSD1/docker/stacks/home-assistant/secrets
+echo -n 'your_db_name' > /mnt/SSD1/docker/stacks/home-assistant/secrets/home-assistant_postgresql_database
+echo -n 'your_db_user' > /mnt/SSD1/docker/stacks/home-assistant/secrets/home-assistant_postgresql_username
+openssl rand 36 | base64 -w 0 > /mnt/SSD1/docker/stacks/home-assistant/secrets/home-assistant_postgresql_password
+# restrict access
+cd /mnt/SSD1/docker/stacks/home-assistant
+chown -R hmeassist:hmeassist secrets/
+chmod -R 400 secrets/
+# read existing acl permissions, if any
+getfacl /mnt/SSD1/docker/stacks/home-assistant/secrets
+# set acl permissions
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/home-assistant/secrets
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/home-assistant/secrets/home-assistant_postgresql_password
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/home-assistant/secrets/home-assistant_postgresql_username
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/home-assistant/secrets/home-assistant_postgresql_database
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+
+Backup home-assistant database
+-------------------------- 
+# In truenas shell:
+mkdir /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+chown pgadmin:pgadmin /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+# Using browser, log in to pgAdmin on truenas
+# Connect to servers; refer to "connecting to servers.txt", which also explains how to obtain db passwords
+# To perform plain text backup:
+# Navigate to Servers => home-assistant -> Databases -> home-assistant
+# Right click on home-assistant database and select Backup...
+# Enter the following on the different tabs of dialog box that opened:
+General:
+# Replace ##### with date in YYYY-MM-DD format when backup is being made
+Filename: /#####/home-assistant-backup.sql (this maps to: /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/#####/home-assistant-backup.sql on truenas)
+# Or click on folder icon and navigate to the folder that was created above. Enter home-assistant-backup.sql in Save As field, then click on Create
+Format: Plain
+Encoding: UTF8
+Role name: home-assistant
+Data Options:
+Sections:
+Pre-data: <select>
+Data: <select>
+Post-data: <select>
+Objects:
+Check public to select all objects
+Click Backup
+# After backup, verify presence of backup file:
+ls -al /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+# copy backup file(s) to home-assistant backups folder, replacing $(date -I) with date when backup was made if not today
+cp -vr /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I) /mnt/SSD1/docker/data/home-assistant/pgbackups 
+
+Migrating config storage (not effective)
+------------------------
+# Stop home-assistant on truenas, in truenas shell
+heavyscript app --stop home-assistant
+# copy config storage to new install data folder
+cp -pr /mnt/stpool1/apps/home-assistant/* /mnt/SSD1/docker/data/home-assistant/config/
+chown -R hmeassist:hmeassist /mnt/SSD1/docker/data/home-assistant/config/
+# edit configuration.yml to apply values for new app
+nano /mnt/SSD1/docker/data/home-assistant/config/configuration.yaml
+# under recorder heading, change db_url to reflect the following, replacing <db_password> with actual password:
+db_url: "postgresql://<your_db_user>:<db_password>@home-assistant_postgresql:5432/<your_db_name>?client_encoding=utf8"
+        "postgresql://home-assistant:M1ykv2TSzPD4c7lq4ixyBIl/q9kf4NyVIziQ3Yzansst4kZx@home-assistant_postgresql:5432/home-assistant?client_encoding=utf8"
+# change http.trusted_proxies to reflect the traefik network:
+  trusted_proxies:
+    - 10.255.224.0/20
+
+Migrating database (not effective)
+------------------
+# In truenas shell
+jlmkr shell docker
+cd /opt/stacks/home-assistant
+docker compose down
+# remove all files/folders from pgdata; if any are already in this folder with data to be retained, move it to another folder before executing next command
+rm -r /mnt/data/home-assistant/pgdata/*
+docker compose up -d
+# After successfull startup of home-assistant and postgres, stop home-assistant from docker cmd line
+docker stop home-assistant
+docker exec home-assistant_postgresql psql -U <your_db_user> -d postgres -c "DROP DATABASE \"<your_db_name>\";"
+docker exec home-assistant_postgresql psql -U <your_db_user> -d postgres -c "CREATE DATABASE \"<your_db_name>\";"
+docker exec home-assistant_postgresql psql -U <your_db_user> -d <your_db_name> -f /mnt/backups/$(date -I)/home-assistant-backup.sql   # replace $(date -I) with the appropriate date
+docker start home-assistant
+
+Stop truenas home-assistant
+---------------------------
+# In truenas shell
+heavyscript app --stop home-assistant
+# NB: Do NOT stop home-assistant with truenas gui
+
+Setup MQTT integration
+----------------------
+# on home-assistant browser tab
+# go to Settings -> Devices & services
+# Click on ADD INTEGRATION
+# Select MQTT
+# Enter mosquitto info as per mosquitto installation
+
+
+# IF DO NOT HAVE FRIGATE RUNNING BY ITSELF, YOU CAN INSTALL WITH HOME-ASSISTANT
+Installing HACS
+---------------
+docker exec -it home-assistant bash
+cd ~
+wget -O - https://get.hacs.xyz | bash -
+exit
+docker restart home-assistant
+#
+Setup HACS integration
+----------------------
+# https://hacs.xyz/docs/use/configuration/basic/#to-set-up-the-hacs-integration
+# after downloading HACS and restarting home-assistant:
+# on home-assistant browser tab, press ctrl-F5
+# go to Settings -> Devices & services
+# Click on ADD INTEGRATION
+# Select HACS
+# Acknowledge the statements and select Submit
+# Copy the device code and select the link https://github.com/login/device
+# if required, sign up or sign in to github to continue the setup
+# Enter the device code you copied in the previous step and select Continue
+# Select Authorize HACS
+# Once you see the confirmation screen, you can close the tab and go back to Home Assistant
+# Assign HACS to an area and select Finish.
+#
+Setup Frigate on home-assistant
+-------------------------------
+# open home-assistant and select HACS
+# type frigate in search text box
+# select Frigate Hass Integration
+# download and configure
+
+
+If you need to log into db
+--------------------------
+docker exec -it home-assistant_postgresql bash
+psql -U <your_db_user> -d <your_db_name>
+
+
diff --git a/home-assistant/stacks/.env b/home-assistant/stacks/.env
new file mode 100644
index 0000000..bbe8634
--- /dev/null
+++ b/home-assistant/stacks/.env
@@ -0,0 +1,25 @@
+#
+# values to be used for substitution by docker compose in compose.yml AND .*.env files
+#
+APPLICATION_NAME=home-assistant 
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOWNLOADSDIR=/mnt/stpool1/Downloads
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+DOMAINNAME=sthome.org
+WEBUI_PORT=8123
+
+#
+# Generate DB_PASSWORD with:
+# openssl rand 36 | base64 -w 0 > /mnt/SSD1/docker/stacks/home-assistant/secrets/home-assistant_postgresql_password
+
+POSTGRES_DB_PORT=5432
+POSTGRES_DB_HOST=home-assistant_postgresql
+POSTGRES_DB_NAME=/run/secrets/home-assistant_postgresql_database
+POSTGRES_DB_USER=/run/secrets/home-assistant_postgresql_username
+POSTGRES_DB_PASSWORD=/run/secrets/home-assistant_postgresql_password
diff --git a/home-assistant/stacks/.home-assistant.env b/home-assistant/stacks/.home-assistant.env
new file mode 100644
index 0000000..8a721e2
--- /dev/null
+++ b/home-assistant/stacks/.home-assistant.env
@@ -0,0 +1,12 @@
+#
+# environment variables for home-assistant
+# 
+PUID=3035
+PGID=3034
+TZ=Africa/Johannesburg
+PORT=${WEBUI_PORT} #8123
+
+
+
+
+
diff --git a/home-assistant/stacks/.postgresql.env b/home-assistant/stacks/.postgresql.env
new file mode 100644
index 0000000..be0e2f1
--- /dev/null
+++ b/home-assistant/stacks/.postgresql.env
@@ -0,0 +1,9 @@
+PUID=70
+PGID=70
+TZ=Africa/Johannesburg
+
+DB_HOST=${POSTGRES_DB_HOST}
+DB_PORT=${POSTGRES_DB_PORT}
+POSTGRES_DB_FILE=${POSTGRES_DB_NAME}
+POSTGRES_USER_FILE=${POSTGRES_DB_USER}
+POSTGRES_PASSWORD_FILE=${POSTGRES_DB_PASSWORD}
diff --git a/home-assistant/stacks/compose.yml b/home-assistant/stacks/compose.yml
new file mode 100644
index 0000000..36830f7
--- /dev/null
+++ b/home-assistant/stacks/compose.yml
@@ -0,0 +1,96 @@
+
+name: home-assistant
+
+secrets:
+  home-assistant_postgresql_database:
+    file: ${SECRETSDIR}/home-assistant_postgresql_database
+  home-assistant_postgresql_password:
+    file: ${SECRETSDIR}/home-assistant_postgresql_password
+  home-assistant_postgresql_username:
+    file: ${SECRETSDIR}/home-assistant_postgresql_username
+
+networks:
+  traefik-net:
+    external: true
+  postgres-net:
+    external: true
+
+services:
+  home-assistant:
+    image: "ghcr.io/home-assistant/home-assistant:stable"
+    hostname: home-assistant
+    privileged: true
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - "${DATADIR}/config:/config"
+      - /run/dbus:/run/dbus:ro
+    restart: unless-stopped
+    env_file: .home-assistant.env
+    networks:
+      - traefik-net
+      - postgres-net
+    depends_on:
+      postgresql:
+        condition: service_healthy
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      # http middlewares
+      # ---------------------------
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/common.txt"
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+      # attach middlewares to router
+      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+
+  postgresql:
+    image: postgres:16-alpine
+    hostname: "${APPLICATION_NAME}_postgresql"
+    shm_size: 128mb # https://hub.docker.com/_/postgres
+    restart: unless-stopped
+    env_file: .postgresql.env
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    networks:
+      postgres-net:
+          aliases: ["home-assistant_postgresql"]
+    secrets:
+      - home-assistant_postgresql_database
+      - home-assistant_postgresql_password
+      - home-assistant_postgresql_username
+    volumes:
+      - "${DATADIR}/pgdata:/var/lib/postgresql/data"
+      - "${DATADIR}/pgbackups:/mnt/backups"
+
+
diff --git a/jellyfin/jellyfin_jm.txt b/jellyfin/jellyfin_jm.txt
new file mode 100644
index 0000000..b7f82fc
--- /dev/null
+++ b/jellyfin/jellyfin_jm.txt
@@ -0,0 +1,65 @@
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: jellyfin
+Username: jellyfin
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <unselect>
+Primary Group: jellyfin
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+jellyfin UID: 3009
+jellyfin GID: 3008
+
+If not done already, add mapping for media on container config
+--------------------------------------------------------------
+In this example: the folder where media is stored is /mnt/stpool1/NData1/Media
+On Truenas shell:
+jlmkr edit docker
+Add the following args to "systemd_nspawn_user_args": 
+--bind='/mnt/stpool1/NData1/Media:/mnt/media'
+
+If not done already, set ACL permissions for media to be accessible by media group
+----------------------------------------------------------------------------------
+On Truenas shell:
+# read and note acl entries
+getfacl /mnt/stpool1/NData1
+getfacl /mnt/stpool1/NData1/Media
+# set read and execute permissions for media group on parent folder
+setfacl -m g:media:5 /mnt/stpool1/NData1
+# set full permissions for media group on Media folder recursively
+setfacl -R -m g:media:7 /mnt/stpool1/NData1/Media
+# modify defaults recursively
+setfacl -R -d -m g:media:7 /mnt/stpool1/NData1/Media
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*jellyfin"
+# create following datasets if not present
+zfs create SSD1/docker/data/jellyfin/config
+zfs create SSD1/docker/data/jellyfin/transcodes
+chown -R jellyfin:jellyfin /mnt/SSD1/docker/data/jellyfin
+
+Create folders
+--------------
+# In Truenas shell:
+mkdir -p /mnt/SSD1/docker/stacks/jellyfin/secrets
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in jellyfin folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/jellyfin/
+# This should copy jellyfin stacks folder to /mnt/SSD1/docker/stacks/jellyfin
+
+
+
+
diff --git a/jellyfin/plugins/imvdb_4.0.0.0.zip b/jellyfin/plugins/imvdb_4.0.0.0.zip
new file mode 100644
index 0000000..3770d69
Binary files /dev/null and b/jellyfin/plugins/imvdb_4.0.0.0.zip differ
diff --git a/jellyfin/stacks/.env b/jellyfin/stacks/.env
new file mode 100644
index 0000000..f8e57d3
--- /dev/null
+++ b/jellyfin/stacks/.env
@@ -0,0 +1,13 @@
+
+APPLICATION_NAME=jellyfin
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+DOMAINNAME=sthome.org
+SERVICE_PORT=8096
diff --git a/jellyfin/stacks/.jellyfin.env b/jellyfin/stacks/.jellyfin.env
new file mode 100644
index 0000000..8e26899
--- /dev/null
+++ b/jellyfin/stacks/.jellyfin.env
@@ -0,0 +1,6 @@
+
+VERSION=docker
+PUID=3009
+PGID=3017
+TZ=Africa/Johannesburg
+JELLYFIN_PublishedServerUrl=jellyfin.sthome.org #optional
diff --git a/jellyfin/stacks/compose.yml b/jellyfin/stacks/compose.yml
new file mode 100644
index 0000000..da3ca41
--- /dev/null
+++ b/jellyfin/stacks/compose.yml
@@ -0,0 +1,47 @@
+
+name: jellyfin
+
+networks:
+  traefik-net:
+    external: true
+    
+services:
+  jellyfin:
+    image: lscr.io/linuxserver/jellyfin:latest
+    hostname: ${APPLICATION_NAME}
+    env_file: .jellyfin.env
+    restart: unless-stopped
+    networks:
+      - traefik-net
+    # this deploy section requires the installation of the nvidia-container-toolkit; comment out if the toolkit is not installed
+    deploy:
+      resources:
+        reservations:
+          devices:
+            - driver: nvidia
+              #count: 1
+              device_ids:
+                - "GPU-b9bf37c1-f8c9-201c-3456-0aa35381be42"
+              capabilities: [gpu]
+    volumes:
+      - "${DATADIR}/config:/config"
+      - "${DATADIR}/transcodes:/config/data/transcodes"
+      - "${MEDIADIR}:/data"
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${SERVICE_PORT}"
+      
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-secureHeaders-redirect@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-secureHeaders@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/kavita/kavita_jm.txt b/kavita/kavita_jm.txt
new file mode 100644
index 0000000..553b5f1
--- /dev/null
+++ b/kavita/kavita_jm.txt
@@ -0,0 +1,61 @@
+https://wiki.kavitareader.com/installation/docker
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: kavita
+Username: kavita
+Disable Password: <select>
+Email: <leave blank>
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+kavita UID: 3040
+kavita GID: 3039
+
+Once off
+--------
+# if not done already: 
+# add mapping for media: follow steps in "add mapping for media.txt"
+# set ACL permissions for media in "set ACL permissions for media.txt"
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*kavita"
+# create following datasets if not present
+zfs create SSD1/docker/data/kavita
+zfs create SSD1/docker/data/kavita/config
+chown -R kavita:kavita /mnt/SSD1/docker/data/kavita
+
+Create folders
+--------------
+mkdir /mnt/SSD1/docker/stacks/kavita
+
+
+Migrating data from old kavita (source) to newly installed one (target)
+------------------------------------------------------------------------
+# stop old/source kavita media server
+heavyscript app --stop kavita
+# verify on Truenas -> Apps that kavita has stopped
+# stop new/target kavita media server (if it was started)
+# on Dockge, select kavita and click stop
+# copy the source to target folder:
+cp -pr /mnt/stpool1/apps/kavita/. /mnt/SSD1/docker/data/kavita/config/
+chown -R kavita:kavita /mnt/SSD1/docker/data/kavita/config
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in kavita folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/kavita/
+
+
+
+
+
diff --git a/kavita/stacks/.env b/kavita/stacks/.env
new file mode 100644
index 0000000..05a35c4
--- /dev/null
+++ b/kavita/stacks/.env
@@ -0,0 +1,19 @@
+
+APPLICATION_NAME=kavita
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+PUID=3040
+PGID=3039
+MEDIA_GID=3017
+
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+WEBUI_PORT=5000
+
diff --git a/kavita/stacks/.kavita.env b/kavita/stacks/.kavita.env
new file mode 100644
index 0000000..9a65fa6
--- /dev/null
+++ b/kavita/stacks/.kavita.env
@@ -0,0 +1,7 @@
+
+
+PUID=${PUID}
+PGID=${MEDIA_GID}
+TZ=${TZ}
+
+
diff --git a/kavita/stacks/compose.yml b/kavita/stacks/compose.yml
new file mode 100644
index 0000000..5a0c87b
--- /dev/null
+++ b/kavita/stacks/compose.yml
@@ -0,0 +1,56 @@
+
+name: kavita
+
+networks:
+  traefik-net:
+    external: true
+
+services:
+  kavita:
+    image: lscr.io/linuxserver/kavita:latest
+    env_file: .kavita.env
+    hostname: ${APPLICATION_NAME}
+    group_add:
+      - "${PGID}"
+    networks:
+      - traefik-net
+    volumes:
+      - "${DATADIR}/config:/config"
+      - "${MEDIADIR}/Books/manga:/manga"
+      - "${MEDIADIR}/Books/comics:/comics"
+      - "${MEDIADIR}/Books/ebooks:/ebooks"
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # http middlewares
+      # ---------------------------
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/librespeed/librespeed_jm.txt b/librespeed/librespeed_jm.txt
new file mode 100644
index 0000000..8328a6a
--- /dev/null
+++ b/librespeed/librespeed_jm.txt
@@ -0,0 +1,42 @@
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: librespeed
+Username: librespd
+Disable Password: <select>
+Email: <leave blank>
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+librespd UID: 3041
+librespd GID: 3040
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*librespeed"
+# create following datasets if not present
+zfs create SSD1/docker/data/librespeed
+zfs create SSD1/docker/data/librespeed/config
+chown -R librespd:librespd /mnt/SSD1/docker/data/librespeed
+
+Create folders
+--------------
+# In Truenas shell:
+mkdir /mnt/SSD1/docker/stacks/librespeed
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in librespeed folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/librespeed/
+# This should copy librespeed stacks folder to /mnt/SSD1/docker/stacks/librespeed
+
+
+
+
diff --git a/librespeed/stacks/.env b/librespeed/stacks/.env
new file mode 100644
index 0000000..11b6318
--- /dev/null
+++ b/librespeed/stacks/.env
@@ -0,0 +1,18 @@
+##############################################################################################
+# Values to be used for substitution by docker compose in compose.yml AND .*.env files
+##############################################################################################
+
+APPLICATION_NAME=librespeed
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+DOMAINNAME=sthome.org
+
+SERVICE_PORT=80
+
diff --git a/librespeed/stacks/.librespeed.env b/librespeed/stacks/.librespeed.env
new file mode 100644
index 0000000..fb2391b
--- /dev/null
+++ b/librespeed/stacks/.librespeed.env
@@ -0,0 +1,18 @@
+##############################################################################################
+# Environment variables for librespeed
+############################################################################################## 
+
+PUID=3041
+PGID=3040
+TZ=Africa/Johannesburg
+
+# PASSWORD=PASSWORD
+# CUSTOM_RESULTS=false #optional
+# DB_TYPE=sqlite #optional
+# DB_NAME=DB_NAME #optional
+# DB_HOSTNAME=DB_HOSTNAME #optional
+# DB_USERNAME=DB_USERNAME #optional
+# DB_PASSWORD=DB_PASSWORD #optional
+# DB_PORT=DB_PORT #optional
+# IPINFO_APIKEY=ACCESS_TOKEN #optional
+
diff --git a/librespeed/stacks/compose.yml b/librespeed/stacks/compose.yml
new file mode 100644
index 0000000..f9379d4
--- /dev/null
+++ b/librespeed/stacks/compose.yml
@@ -0,0 +1,48 @@
+name: librespeed
+
+networks:
+  traefik-net:
+    external: true
+    
+services:
+  librespeed:
+    image: lscr.io/linuxserver/librespeed:latest
+    env_file: .librespeed.env
+    hostname: librespeed
+    networks:
+      - traefik-net
+    volumes:
+      - "${DATADIR}/config:/config"
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${SERVICE_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # set tls options
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+     # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      # assign svc target to routers
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/mariadb/mariadb.txt b/mariadb/mariadb.txt
new file mode 100644
index 0000000..499bf0f
--- /dev/null
+++ b/mariadb/mariadb.txt
@@ -0,0 +1,61 @@
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: mariadb
+Username: mariadb
+Disable Password: <select>
+Email: <leave blank>
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+mariadb PUID=3059
+mariadb PGID=3060
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*mariadb"
+# create following dataset if not present
+zfs create SSD1/docker/data/mariadb
+zfs create SSD1/docker/data/mariadb/config
+chown -R mariadb:mariadb /mnt/SSD1/docker/data/mariadb
+
+Create foldera
+--------------
+mkdir -p /mnt/SSD1/docker/stacks/mariadb/secrets
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in mariadb folder, enter:
+./cp2nas 192.168.2.2
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/mariadb/
+# This should copy stacks folder to /mnt/SSD1/docker/stacks/mariadb
+
+Create secrets
+--------------
+In Truenas shell:
+cd /mnt/SSD1/docker/stacks/mariadb/secrets
+# echo -n 'your_mariadb_database_name' > /mnt/SSD1/docker/stacks/mariadb/secrets/mariadb_database_name
+# echo -n 'your_mariadb_username' > /mnt/SSD1/docker/stacks/mariadb/secrets/mariadb_username
+# openssl rand 36 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' | cut -c -32  | tr -d '\n' > /mnt/SSD1/docker/stacks/mariadb/secrets/mariadb_password
+openssl rand 60 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' | cut -c -56  | tr -d '\n' > /mnt/SSD1/docker/stacks/mariadb/secrets/mariadb_root_password
+chown -R mariadb:mariadb /mnt/SSD1/docker/stacks/mariadb/secrets/
+chmod -R 400 /mnt/SSD1/docker/stacks/mariadb/secrets/
+# to list secrets in secrets dir
+cd /mnt/SSD1/docker/stacks/mariadb/secrets
+for i in $(ls -1); do echo $i = `cat $i`; done | sort
+
+To open container shell
+------------------------
+docker exec -it mariadb-mariadb-1 bash
+
+To log into database as root from container shell
+-------------------------------------------------
+mariadb -u root -p <database-name>
+# Enter root password
diff --git a/mariadb/stacks/.env b/mariadb/stacks/.env
new file mode 100644
index 0000000..063071d
--- /dev/null
+++ b/mariadb/stacks/.env
@@ -0,0 +1,20 @@
+
+APPLICATION_NAME=mariadb
+
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOCKERDIR=/mnt/SSD1/docker/
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+PUID=3059
+PGID=3060
+MEDIA_PGID=3017
+
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+
+SERVICE_PORT=3306
+MARIADB_ROOT_PASSWORD_FILE=/run/secrets/mariadb_root_password
+
diff --git a/mariadb/stacks/.mariadb.env b/mariadb/stacks/.mariadb.env
new file mode 100644
index 0000000..99ae36c
--- /dev/null
+++ b/mariadb/stacks/.mariadb.env
@@ -0,0 +1,9 @@
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+
+MARIADB_ROOT_PASSWORD_FILE=${MARIADB_ROOT_PASSWORD_FILE}
+
+# REMOTE_SQL=http://URL1/your.sql,https://URL2/your.sql
+
diff --git a/mariadb/stacks/compose.yml b/mariadb/stacks/compose.yml
new file mode 100644
index 0000000..e7e07c3
--- /dev/null
+++ b/mariadb/stacks/compose.yml
@@ -0,0 +1,57 @@
+name: mariadb
+
+secrets:
+  mariadb_root_password:
+    file: ${SECRETSDIR}/mariadb_root_password
+    
+networks:
+  mariadb-net:
+    external: true
+  traefik-net:
+    external: true
+    
+services:
+  mariadb:
+    image: mariadb:latest
+    restart: unless-stopped
+    env_file: .mariadb.env
+    hostname: mariadb
+    user: ${PUID}:${PGID}
+    volumes:
+      - "${DATADIR}/appdata:/var/lib/mysql"
+    secrets:
+      - mariadb_root_password
+    networks:
+      - mariadb-net
+      - traefik-net
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # tcp service
+      # -----------
+      - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc.loadbalancer.server.port=${SERVICE_PORT}"
+      #
+      # tcp routers
+      # -----------
+      # limit router to mariadb ":8306" entrypoint
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr.entrypoints=mariadb"
+      # set match criteria for router, since this is not tls, header might not contain hostsni field; we're forced to use wildcard
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr.rule=HostSNI(`*`)"
+      # assign svc target to router
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr.service=${APPLICATION_NAME}-tcp-svc" 
+###### mysql with tls via traefik not working
+#      #
+#      # limit router to mariadb ":8306" entrypoint
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.entrypoints=mariadb"
+#      # set match criteria for router
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.rule=HostSNI(`${APPLICATION_NAME}.${DOMAINNAME}`)"
+#      # set router to be dedicated to secure requests only for the hosts specified in match criteria
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls=true"
+#      # forward requests "as is" keeping all data encrypted.
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.passthrough=true"
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.options=tls-opts@file"
+#      # generate certificates using following certresolver
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.certresolver=sthomeresolver"
+#      # assign svc target to router
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.service=${APPLICATION_NAME}-tcp-svc" 
\ No newline at end of file
diff --git a/mealie/mealie_jm.txt b/mealie/mealie_jm.txt
new file mode 100644
index 0000000..9891753
--- /dev/null
+++ b/mealie/mealie_jm.txt
@@ -0,0 +1,157 @@
+# https://docs.mealie.io/documentation/getting-started/installation/postgres/
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: mealie
+Username: mealie
+Disable Password: <select>
+Email: <leave blank>
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+mealie UID: 3011
+mealie GID: 3010
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*mealie"
+zfs list | grep -i "NData2.*mealie"
+# create following datasets if not present
+zfs create SSD1/docker/data/mealie
+zfs create SSD1/docker/data/mealie/appdata
+zfs create SSD1/docker/data/mealie/pgdata
+zfs create SSD1/docker/data/mealie/pgbackups
+chown -R mealie:mealie /mnt/SSD1/docker/data/mealie
+chown -R postgres:postgres /mnt/SSD1/docker/data/mealie/pgdata
+chown -R postgres:postgres /mnt/SSD1/docker/data/mealie/pgbackups
+	  
+Create folders
+--------------
+mkdir -p /mnt/SSD1/docker/stacks/mealie/secrets
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in mealie folder, enter:
+./cp2nas 10.0.0.20
+# or
+pscp -P 22 -r stacks/*.* root@10.0.0.20:/mnt/SSD1/docker/stacks/mealie/
+
+Create secrets
+--------------
+# In Truenas shell:
+cd /mnt/SSD1/docker/stacks/mealie/secrets
+# database secrets
+echo -n 'your_postgresql_database_name' > /mnt/SSD1/docker/stacks/mealie/secrets/mealie_postgresql_database
+echo -n 'your_postgresql_username' > /mnt/SSD1/docker/stacks/mealie/secrets/mealie_postgresql_username
+openssl rand 36 | base64 -w 0 > /mnt/SSD1/docker/stacks/mealie/secrets/mealie_postgresql_password
+# smtp email secrets
+echo -n 'your_smtp_destination' > /mnt/SSD1/docker/stacks/mealie/secrets/smtp_destination
+echo -n 'your_smtp_from' > /mnt/SSD1/docker/stacks/mealie/secrets/smtp_from
+echo -n 'your_smtp_host' > /mnt/SSD1/docker/stacks/mealie/secrets/smtp_host
+echo -n 'your_smtp_password' > /mnt/SSD1/docker/stacks/mealie/secrets/smtp_password
+echo -n 'your_smtp_username' > /mnt/SSD1/docker/stacks/mealie/secrets/smtp_username
+# restrict access
+chown -R mealie:mealie /mnt/SSD1/docker/stacks/mealie/secrets/
+chmod -R 400 /mnt/SSD1/docker/stacks/mealie/secrets/
+# read existing acl permissions, if any
+getfacl /mnt/SSD1/docker/stacks/mealie/secrets
+# set acl permissions
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/mealie/secrets
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/mealie/secrets/mealie_postgresql_password
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/mealie/secrets/mealie_postgresql_username
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/mealie/secrets/mealie_postgresql_database
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+# to list secrets in secrets dir
+cd /mnt/SSD1/docker/stacks/mealie/secrets
+for i in $(ls -1); do echo $i = `cat $i`; done | sort
+
+Backup mealie database
+----------------------
+# In truenas shell:
+mkdir /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+chown pgadmin:pgadmin /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+# Using browser, log in to pgAdmin on truenas
+# Connect to servers; refer to "connecting to servers.txt", which also explains how to obtain db passwords
+# To perform plain text backup:
+# Navigate to Servers => mealie -> Databases -> mealie
+# Right click on mealie database and select Backup...
+# Enter the following on the different tabs of dialog box that opened:
+General:
+# Replace ##### with date in YYYY-MM-DD format when backup is being made
+Filename: /#####/mealie-backup.sql (this maps to: /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/#####/mealie-backup.sql on truenas)
+# Or click on folder icon and navigate to the folder that was created above. Enter mealie-backup.sql in Save As field, then click on Create
+Format: Plain
+Encoding: UTF8
+Role name: mealie
+Data Options:
+Sections:
+Pre-data: <select>
+Data: <select>
+Post-data: <select>
+Objects:
+Check public to select all objects
+Click Backup
+# After backup, verify presence of backup file:
+ls -al /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+# copy backup file(s) to mealie backups folder, replacing $(date -I) with date when backup was made if not today
+mkdir /mnt/SSD1/docker/data/mealie/pgbackups/$(date -I)/
+cp -vr /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)/mealie-backup.sql /mnt/SSD1/docker/data/mealie/pgbackups/$(date -I)/ 
+chown -R postgres:postgres /mnt/SSD1/docker/data/mealie/pgbackups/
+
+Migrating database
+------------------
+# In truenas shell
+jlmkr shell docker
+cd /opt/stacks/mealie
+docker compose down
+# remove all files/folders from pgdata; if any are already in this folder with data to be retained, move it to another folder before executing next command
+rm -r /mnt/data/mealie/pgdata/*
+# for some reason, mealie interferes with the database if it starts up with postgresql the first time, therefore we need to treat mealie a bit differently
+# in Windows, comment out the complete mealie service in the compose.yml file (if you use notepad++, left click on start of the first row of the mealie service, hold in ALT and SHIFT and drag mouse down in the same column to the last row of the service; release ALT, SHIFT and mouse button and type in #; then hit ESC)
+# transfer the mealie stack with the modified compose.yml file to truenas; in mealie folder, execute:
+./cp2nas 10.0.0.20
+# or
+pscp -P 22 -r stacks/*.* root@10.0.0.20:/mnt/SSD1/docker/stacks/mealie/
+# start, this time only postgresql will start
+docker compose up -d
+# After successfull startup of postgres:
+docker exec mealie-postgresql-1 psql -U <your_db_user> -d postgres -c "DROP DATABASE \"<your_db_name>\";"
+docker exec mealie-postgresql-1 psql -U <your_db_user> -d postgres -c "CREATE DATABASE \"<your_db_name>\";"
+docker exec mealie-postgresql-1 psql -U <your_db_user> -d <your_db_name> -f /mnt/backups/$(date -I)/mealie-backup.sql   # replace $(date -I) with the appropriate date
+# stop postgresql
+docker compose down
+# now undo the comment out of the mealie service in the compose.yml file  (if you use notepad++, you can remove the # using the same steps as described above, except this time, press delete to delete the column of #'s)
+# transfer the mealie stack with the restored compose.yml file to truenas; in mealie folder, execute:
+./cp2nas 10.0.0.20
+# or
+pscp -P 22 -r stacks/*.* root@10.0.0.20:/mnt/SSD1/docker/stacks/mealie/
+# start mealie and postgresql
+docker compose up -d
+
+docker stop mealie-mealie-1
+docker exec mealie-postgresql-1 psql -U mealie -d postgres -c "DROP DATABASE \"mealie\";"
+docker exec mealie-postgresql-1 psql -U mealie -d postgres -c "CREATE DATABASE \"mealie\";"
+docker exec mealie-postgresql-1 psql -U mealie -d mealie -f /mnt/backups/2024-09-01/mealie-backup.sql
+docker start mealie-mealie-1
+
+Stop truenas mealie
+---------------------------
+# In truenas shell
+heavyscript app --stop mealie
+# NB: Do NOT stop mealie with truenas gui
+
+If you need to log into db
+--------------------------
+docker exec -it mealie_postgresql bash
+psql -U <your_db_user> -d <your_db_name>
+
+
+
+
+
diff --git a/mealie/stacks/.env b/mealie/stacks/.env
new file mode 100644
index 0000000..27d51ef
--- /dev/null
+++ b/mealie/stacks/.env
@@ -0,0 +1,44 @@
+
+APPLICATION_NAME=mealie
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+PUID=3011
+PGID=3010
+PG_UID=70
+PG_GID=70
+
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+WEBUI_PORT=9000
+
+MEALIE_DB_PORT=5432
+MEALIE_DB_FILE=/run/secrets/mealie_postgresql_database
+MEALIE_DB_USER_FILE=/run/secrets/mealie_postgresql_username
+MEALIE_DB_PASSWORD_FILE=/run/secrets/mealie_postgresql_password
+
+SMTP_PORT=25
+SMTP_SSL=true
+SMTP_FROM_FILE=/run/secrets/mealie_smtp_from
+SMTP_HOST_FILE=/run/secrets/mealie_smtp_host
+SMTP_PASSWORD_FILE=/run/secrets/mealie_smtp_password
+SMTP_USERNAME_FILE=/run/secrets/mealie_smtp_username
+SMTP_AUTH_STRATEGY=NONE # Options: 'TLS', 'SSL', 'NONE'
+
+################################################################
+# unfortunately, couldn't get mealie to work with docker secrets
+MEALIE_DB=mealie
+MEALIE_DB_USER=mealie
+MEALIE_DB_PASSWORD="jVaGsWdohfnAVYn7hIxSh94qAzLi6G2BYd9TnaeS" 
+SMTP_HOST=smtp.telkomsa.net
+SMTP_FROM=stuurman30@telkomsa.net
+SMTP_USERNAME=stuurman30@telkomsa.net
+SMTP_PASSWORD=UltraM3!2024#
+
+
diff --git a/mealie/stacks/.mealie.env b/mealie/stacks/.mealie.env
new file mode 100644
index 0000000..e000f5b
--- /dev/null
+++ b/mealie/stacks/.mealie.env
@@ -0,0 +1,42 @@
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+
+BASE_URL=https://${APPLICATION_NAME}.${DOMAINNAME}
+DOMAIN=https://${APPLICATION_NAME}.${DOMAINNAME}
+
+SIGNUPS_ALLOWED=false ##change to false once the admin account is created
+ALLOW_SIGNUP=false
+WEBSOCKET_ENABLED=true
+MAX_WORKERS=1
+WEB_CONCURRENCY=1
+
+# Database Configuration
+DB_ENGINE=postgres
+POSTGRES_SERVER=mealie_postgresql
+POSTGRES_PORT=${MEALIE_DB_PORT}
+# secrets
+POSTGRES_DB_FILE=${MEALIE_DB_FILE}
+POSTGRES_USER_FILE=${MEALIE_DB_USER_FILE}
+POSTGRES_PASSWORD_FILE=${MEALIE_DB_PASSWORD_FILE}
+
+# Email Configuration
+SMTP_PORT=${SMTP_PORT}
+SMTP_AUTH_STRATEGY=${SMTP_AUTH_STRATEGY} 
+# secrets
+SMTP_FROM_FILE=${SMTP_FROM_FILE}
+SMTP_HOST_FILE=${SMTP_HOST_FILE}
+SMTP_PASSWORD_FILE=${SMTP_PASSWORD_FILE}
+SMTP_USERNAME_FILE=${SMTP_USERNAME_FILE}
+
+################################################################################
+# unfortunately, couldn't get mealie to work with docker secrets, so we need to override above with clear text "secrets"
+POSTGRES_DB=${MEALIE_DB}
+POSTGRES_USER=${MEALIE_DB_USER}
+POSTGRES_PASSWORD=${MEALIE_DB_PASSWORD}
+SMTP_FROM=${SMTP_FROM}
+SMTP_HOST=${SMTP_HOST}
+SMTP_PASSWORD=${SMTP_PASSWORD}
+SMTP_USERNAME=${SMTP_USERNAME}
+
diff --git a/mealie/stacks/.postgresql.env b/mealie/stacks/.postgresql.env
new file mode 100644
index 0000000..4c548df
--- /dev/null
+++ b/mealie/stacks/.postgresql.env
@@ -0,0 +1,10 @@
+
+PUID=70
+PGID=70
+TZ=Africa/Johannesburg
+
+POSTGRES_DB_PORT=${MEALIE_DB_PORT}
+POSTGRES_DB_FILE=${MEALIE_DB_FILE}
+POSTGRES_USER_FILE=${MEALIE_DB_USER_FILE}
+POSTGRES_PASSWORD_FILE=${MEALIE_DB_PASSWORD_FILE}
+
diff --git a/mealie/stacks/compose.yml b/mealie/stacks/compose.yml
new file mode 100644
index 0000000..f0ab4ca
--- /dev/null
+++ b/mealie/stacks/compose.yml
@@ -0,0 +1,97 @@
+# https://github.com/mealie-recipes/mealie/pkgs/container/mealie
+# https://docs.mealie.io/documentation/getting-started/installation/postgres/
+
+name: mealie
+
+secrets:
+  mealie_postgresql_password:
+    file: ${SECRETSDIR}/mealie_postgresql_password
+  mealie_postgresql_database:
+    file: ${SECRETSDIR}/mealie_postgresql_database
+  mealie_postgresql_username:
+    file: ${SECRETSDIR}/mealie_postgresql_username
+  smtp_destination:
+    file: ${SECRETSDIR}/smtp_destination
+  smtp_from:
+    file: ${SECRETSDIR}/smtp_from
+  smtp_host:
+    file: ${SECRETSDIR}/smtp_host
+  smtp_password:
+    file: ${SECRETSDIR}/smtp_password
+  smtp_username:
+    file: ${SECRETSDIR}/smtp_username
+  
+networks:
+  traefik-net:
+    external: true
+  postgres-net:
+    external: true
+
+services:
+  mealie:
+    image: ghcr.io/mealie-recipes/mealie:v2.2.0   # v1.12.0
+    hostname: mealie
+    env_file: .mealie.env
+    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          memory: 1000M 
+    volumes:
+      - "${DATADIR}/appdata:/app/data"
+    depends_on:
+      postgresql:
+        condition: service_healthy
+    secrets:
+      - mealie_postgresql_database
+      - mealie_postgresql_password
+      - mealie_postgresql_username
+      - smtp_destination
+      - smtp_from
+      - smtp_host
+      - smtp_password
+      - smtp_username
+    networks:
+      - postgres-net
+      - traefik-net
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"      
+
+  postgresql:
+    image: postgres:16-alpine
+    hostname: "mealie_postgresql"
+    shm_size: 128mb
+    restart: unless-stopped
+    env_file: .postgresql.env
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    networks:
+      postgres-net:
+          aliases: ["mealie_postgresql"]
+    secrets:
+      - mealie_postgresql_database
+      - mealie_postgresql_password
+      - mealie_postgresql_username
+    volumes:
+      - "${DATADIR}/pgdata:/var/lib/postgresql/data"
+      - "${DATADIR}/pgbackups:/mnt/backups"
diff --git a/mediaelch/mediaelch_jm.txt b/mediaelch/mediaelch_jm.txt
new file mode 100644
index 0000000..dfde70a
--- /dev/null
+++ b/mediaelch/mediaelch_jm.txt
@@ -0,0 +1,64 @@
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: mediaelch
+Username: mediaelc
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+mediaelc UID: 3042
+mediaelc GID: 3017 #3041
+
+If not done already, add mapping for media on container config
+--------------------------------------------------------------
+In this example: the folder where media is stored is /mnt/stpool1/NData1/Media
+On Truenas shell:
+jlmkr edit docker
+Add the following args to "systemd_nspawn_user_args": 
+--bind='/mnt/stpool1/NData1/Media:/mnt/media'
+
+If not done already, set ACL permissions for media to be accessible by media group
+----------------------------------------------------------------------------------
+On Truenas shell:
+# read and note acl entries
+getfacl /mnt/stpool1/NData1
+getfacl /mnt/stpool1/NData1/Media
+# set read and execute permissions for media group on parent folder
+setfacl -m g:media:5 /mnt/stpool1/NData1
+# set full permissions for media group on Media folder recursively
+setfacl -R -m g:media:7 /mnt/stpool1/NData1/Media
+# modify defaults recursively
+setfacl -R -d -m g:media:7 /mnt/stpool1/NData1/Media
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*mediaelch"
+# create following datasets if not present
+zfs create SSD1/docker/data/mediaelch
+zfs create SSD1/docker/data/mediaelch/config
+chown -R mediaelc:mediaelc /mnt/SSD1/docker/data/mediaelch
+
+Create folder
+-------------
+# In Truenas shell:
+mkdir -p /mnt/SSD1/docker/stacks/mediaelch
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in mediaelch folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/mediaelch/
+# This should copy mediaelch stacks folder to /mnt/SSD1/docker/stacks/mediaelch
+
+
+
+
diff --git a/mediaelch/stacks/.env b/mediaelch/stacks/.env
new file mode 100644
index 0000000..a4f0d21
--- /dev/null
+++ b/mediaelch/stacks/.env
@@ -0,0 +1,23 @@
+
+APPLICATION_NAME=mediaelch
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+CT_DOWNLOADS=/Downloads
+CT_MEDIA=/Media
+MEDIA_GID=3017
+PUID=3042
+PGID=3041
+DOMAINNAME=sthome.org
+
+WEBUI_PORT=3000
+SECURE_WEBUI_PORT=3001
+
+
+
diff --git a/mediaelch/stacks/.mediaelch.env b/mediaelch/stacks/.mediaelch.env
new file mode 100644
index 0000000..29d699c
--- /dev/null
+++ b/mediaelch/stacks/.mediaelch.env
@@ -0,0 +1,4 @@
+
+PUID=${PUID}
+PGID=${MEDIA_GID}
+TZ=Africa/Johannesburg
diff --git a/mediaelch/stacks/compose.yml b/mediaelch/stacks/compose.yml
new file mode 100644
index 0000000..854b2cd
--- /dev/null
+++ b/mediaelch/stacks/compose.yml
@@ -0,0 +1,60 @@
+
+name: mediaelch
+
+networks:
+  traefik-net:
+    external: true
+    
+services:
+  mediaelch:
+    image: lscr.io/linuxserver/mediaelch:latest
+    env_file: .mediaelch.env
+    #user: "${PUID}:${PGID}"
+    group_add:
+      - "${MEDIA_GID}"  # not really needed if we have it as the primary gid
+    security_opt:
+      - seccomp:unconfined #optional
+    networks:
+      - traefik-net
+    volumes:
+      - "${DATADIR}/config:/config"
+      - "${MEDIADIR}:${CT_MEDIA}"
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      # http middlewares
+      # ---------------------------
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # assign middlewares
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # apply tls options
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      # attach middlewares to routers
+      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/minecraft/mcrcon/LICENSE.txt b/minecraft/mcrcon/LICENSE.txt
new file mode 100644
index 0000000..ed733cd
--- /dev/null
+++ b/minecraft/mcrcon/LICENSE.txt
@@ -0,0 +1,21 @@
+Copyright (c) 2012-2021, Tiiffi <tiiffi at gmail>
+
+This software is provided 'as-is', without any express or implied
+warranty. In no event will the authors be held liable for any damages
+arising from the use of this software.
+
+Permission is granted to anyone to use this software for any purpose,
+including commercial applications, and to alter it and redistribute it
+freely, subject to the following restrictions:
+
+  1. The origin of this software must not be misrepresented; you must not
+  claim that you wrote the original software. If you use this software
+  in a product, an acknowledgment in the product documentation would be
+  appreciated but is not required.
+
+  2. Altered source versions must be plainly marked as such, and must not be
+  misrepresented as being the original software.
+
+  3. This notice may not be removed or altered from any source
+  distribution.
+  
diff --git a/minecraft/mcrcon/README.txt b/minecraft/mcrcon/README.txt
new file mode 100644
index 0000000..de95daf
--- /dev/null
+++ b/minecraft/mcrcon/README.txt
@@ -0,0 +1,79 @@
+Name:     mcrcon (minecraft rcon)
+Version:  0.7.2
+Date:     31.10.2021
+
+Description:
+    mcrcon is console based Minecraft rcon client for remote administration and server maintenance scripts.
+
+License:
+    zlib/libpng License
+
+Contact:
+    WWW:  https://github.com/Tiiffi/mcrcon/
+    MAIL: tiiffi+mcrcon at gmail
+
+===================================================================================
+
+Batch (.bat) scripts included in Windows binary package:
+
+ launch.bat:
+   Prompts user for server information and starts "mcrcon.exe" in terminal mode.
+   
+ create_shortcut.bat:
+   Prompts user for server infromation and creates .bat launch script.
+
+===================================================================================
+
+Usage:
+    mcrcon [OPTIONS] [COMMANDS]
+
+    Send rcon commands to Minecraft server.
+
+    Options:
+      -H		Server address (default: localhost)
+      -P		Port (default: 25575)
+      -p		Rcon password
+      -t		Terminal mode
+      -s		Silent mode
+      -c		Disable colors
+      -r		Output raw packets
+      -w		Wait for specified duration (seconds) between each command (1 - 600s)
+      -h		Print usage
+      -v		Version information
+
+    Server address, port and password can be set with following environment variables:
+      MCRCON_HOST
+      MCRCON_PORT
+      MCRCON_PASS
+
+    - mcrcon will start in terminal mode if no commands are given
+    - Command-line options will override environment variables
+    - Rcon commands with spaces must be enclosed in quotes
+
+    Example:
+	    mcrcon -H my.minecraft.server -p password -w 5 "say Server is restarting!" save-all stop
+
+===================================================================================
+
+Changelog:
+
+    0.7.2
+     - Quit gracefully when Ctrl-D or Ctrl+C is pressed
+     - Remove "exit" and "quit" as quitting commands
+        * these are actual rcon commands on some servers
+     - Suppress compiler warning (strncpy)
+     - fix erroneous string length in packet building function
+     - Fix typo in ANSI escape sequence for LCYAN
+     - Make stdout and stderr unbuffered
+
+    0.7.1
+     - Deprecate `-i` flag for invoking terminal mode
+     - Add workaround to prevent server-side bug.
+       * https://bugs.mojang.com/browse/MC-154617
+
+    0.7.0
+     - Add `-w` option for rcon command throttling
+       * Thanks HorlogeSkynet @ Github
+
+    For more details: https://github.com/Tiiffi/mcrcon/blob/master/CHANGELOG.md
+
diff --git a/minecraft/mcrcon/create_shortcut.bat b/minecraft/mcrcon/create_shortcut.bat
new file mode 100644
index 0000000..bc65353
--- /dev/null
+++ b/minecraft/mcrcon/create_shortcut.bat
@@ -0,0 +1,31 @@
+@echo off
+@cls
+
+@set /p host="Enter host (default: "127.0.0.1"): "
+@if "%host%"=="" set host=127.0.0.1
+
+@set /p port="Enter port (default: 25575): "
+@if "%port%"=="" set port=25575
+
+@set /p passwd="Enter password: "
+@if "%passwd%"=="" set passwd=
+
+set name=connect_%host%-%port%
+
+@set /p name="Enter shortcut name (default: "%name%.bat"): "
+@if "%name%"=="" set name=connect_%host%-%port%
+
+set command=@mcrcon.exe -t -H %host% -P %port% -p %passwd%
+
+@echo %command% >> %name%.bat
+@echo.
+@echo Command: "%command%"
+@echo.
+@echo Shortcut "%name%.bat" created!
+@echo.
+
+@set "host="
+@set "port="
+@set "passwd="
+
+@pause
diff --git a/minecraft/mcrcon/launch.bat b/minecraft/mcrcon/launch.bat
new file mode 100644
index 0000000..b88abb4
--- /dev/null
+++ b/minecraft/mcrcon/launch.bat
@@ -0,0 +1,29 @@
+@echo off
+@cls
+
+@if not exist mcrcon.exe (
+  @echo ERROR: Cannot find "mcrcon.exe". Bailing out!
+  @echo.
+  @pause
+  @exit
+)
+
+@set /p host="Enter host (default: 127.0.0.1): "
+@if "%host%"=="" set host=127.0.0.1
+
+@set /p port="Enter port (default: 25575): "
+@if "%port%"=="" set port=25575
+
+@set /p passwd="Enter password: "
+@if "%passwd%"=="" set passwd=
+
+@echo.
+mcrcon.exe -t -H %host% -P %port% -p %passwd%
+@echo.
+
+@set "host="
+@set "port="
+@set "passwd="
+
+@pause
+
diff --git a/minecraft/mcrcon/mcrcon-0.7.2-windows-x86-64.zip b/minecraft/mcrcon/mcrcon-0.7.2-windows-x86-64.zip
new file mode 100644
index 0000000..b4ce91c
Binary files /dev/null and b/minecraft/mcrcon/mcrcon-0.7.2-windows-x86-64.zip differ
diff --git a/minecraft/mcrcon/mcrcon.exe b/minecraft/mcrcon/mcrcon.exe
new file mode 100644
index 0000000..b80160a
Binary files /dev/null and b/minecraft/mcrcon/mcrcon.exe differ
diff --git a/minecraft/minecraft_jm.txt b/minecraft/minecraft_jm.txt
new file mode 100644
index 0000000..e04ee11
--- /dev/null
+++ b/minecraft/minecraft_jm.txt
@@ -0,0 +1,61 @@
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: minecraft
+Username: minecraft
+Disable Password: <select>
+Email: <leave blank>
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+minecraft UID: 3043
+minecraft GID: 3042
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*minecraft"
+# create following datasets if not present
+zfs create SSD1/docker/data/minecraft
+zfs create SSD1/docker/data/minecraft/bedrock
+zfs create SSD1/docker/data/minecraft/java
+chown -R minecraft:minecraft /mnt/SSD1/docker/data/minecraft
+
+Create folders
+--------------
+# In Truenas shell:
+mkdir -p /mnt/SSD1/docker/stacks/minecraft/secrets
+
+Create secrets
+--------------
+# In Truenas shell:
+cd /mnt/SSD1/docker/stacks/minecraft/secrets
+echo -n 'your_mcjava_rcon_password' > /mnt/SSD1/docker/stacks/minecraft/secrets/mcjava_rcon_password
+chown -R minecraft:minecraft /mnt/SSD1/docker/stacks/minecraft/secrets
+chmod -R 400 /mnt/SSD1/docker/stacks/minecraft/secrets
+# NB! rcon is disabled in env_file. To enable rcon, uncomment ENABLE_RCON in compose.yml environment settings for minecraft-java
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in minecraft folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/minecraft/
+# This should copy minecraft stacks folder to /mnt/SSD1/docker/stacks/minecraft
+
+Migrating data from old minecraft-bedrock server (source) to newly installed one (target)
+-----------------------------------------------------------------------------------------
+# Stop old/source minecraft-bedrock server
+# heavyscript app --stop minecraft-bedrock
+# Stop new/target minecraft-bedrock server
+# On Dockge, select minecraft-bedrock and click stop
+cp -pr /mnt/stpool1/apps/minecraft/bedrock/* /mnt/SSD1/docker/data/minecraft/bedrock/
+cp -pr /mnt/stpool1/apps/minecraft/java/* /mnt/SSD1/docker/data/minecraft/java/
+chown -R minecraft:minecraft /mnt/SSD1/docker/data/minecraft
+
+
+
diff --git a/minecraft/stacks/.env b/minecraft/stacks/.env
new file mode 100644
index 0000000..d36f9a1
--- /dev/null
+++ b/minecraft/stacks/.env
@@ -0,0 +1,37 @@
+##############################################################################################
+# Values to be used for substitution by docker compose in compose.yml AND .*.env files
+##############################################################################################
+
+APPLICATION_NAME=minecraft
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+DOMAINNAME=sthome.org
+
+SERVICE_PORT=80
+PUID=3043
+PGID=3042
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+
+# MINECRAFT EDITIONS
+# ------------------
+# ensure that traefik has the entry points below
+
+# Minecraft Bedrock
+MCBEDROCK_APP=minecraft-bedrock
+MCBEDROCK_PORT=19132 # udp 
+
+# Minecraft Java
+MCJAVA_APP=minecraft-java
+MCJAVA_PORT=25565 # udp 
+#
+MCJAVA_RCON_PORT=25575
+MCJAVA_RCON_PASSWORD_FILE=/run/secrets/mcjava_rcon_password
+
diff --git a/minecraft/stacks/.minecraft-bedrock.env b/minecraft/stacks/.minecraft-bedrock.env
new file mode 100644
index 0000000..d88c183
--- /dev/null
+++ b/minecraft/stacks/.minecraft-bedrock.env
@@ -0,0 +1,78 @@
+# https://github.com/itzg/docker-minecraft-bedrock-server?tab=readme-ov-file
+# https://minecraft.wiki/w/Server.properties#Option_keys
+##############################################################################################
+# Environment variables for minecraft-bedrock servers
+##############################################################################################
+
+# Ensure that UID/GID is the owner/group of bedrock folder otherwise container startup will fail with permission error. "bedrock" folder is mapped to container /data 
+UID=${PUID}
+GID=${PGID}
+UMASK=0022
+TZ={TZ}
+
+EULA=TRUE
+VERSION=LATEST  # LATEST, PREVIEW or specific version
+PACKAGE_BACKUP_KEEP=2
+
+# Server Properties
+# -----------------
+ONLINE_MODE=true
+GAMEMODE=survival             # survival, creative, adventure, spectator
+DIFFICULTY=easy               # easy, normal, hard
+SERVER_NAME="Dedicated Server on Truenas Scale"
+# FORCE_GAMEMODE=
+ALLOW_CHEATS=false
+MAX_PLAYERS=10
+# WHITE_LIST=
+# ALLOW_LIST=
+# SERVER_PORT=
+# SERVER_PORT_V6=
+# ENABLE_LAN_VISIBILITY=
+VIEW_DISTANCE=32
+TICK_DISTANCE=4
+PLAYER_IDLE_TIMEOUT=30
+MAX_THREADS=8
+LEVEL_NAME="Bedrock level"
+# LEVEL_SEED=
+# LEVEL_TYPE=Default
+DEFAULT_PLAYER_PERMISSION_LEVEL=member
+# TEXTUREPACK_REQUIRED=
+# CONTENT_LOG_FILE_ENABLED=
+# CONTENT_LOG_LEVEL=
+# CONTENT_LOG_CONSOLE_OUTPUT_ENABLED=
+# COMPRESSION_THRESHOLD=
+# COMPRESSION_ALGORITHM=
+SERVER_AUTHORITATIVE_MOVEMENT=server-auth
+# PLAYER_POSITION_ACCEPTANCE_THRESHOLD=
+PLAYER_MOVEMENT_SCORE_THRESHOLD=20
+# PLAYER_MOVEMENT_ACTION_DIRECTION_THRESHOLD=
+PLAYER_MOVEMENT_DISTANCE_THRESHOLD=0.3
+PLAYER_MOVEMENT_DURATION_THRESHOLD_IN_MS=500
+# CORRECT_PLAYER_MOVEMENT=
+# SERVER_AUTHORITATIVE_BLOCK_BREAKING=
+# SERVER_AUTHORITATIVE_BLOCK_BREAKING_PICK_RANGE_SCALAR=
+# CHAT_RESTRICTION=
+# DISABLE_PLAYER_INTERACTION=
+# CLIENT_SIDE_CHUNK_GENERATION_ENABLED=
+# BLOCK_NETWORK_IDS_ARE_HASHES=
+# DISABLE_PERSONA=
+# DISABLE_CUSTOM_SKINS=
+# SERVER_BUILD_RADIUS_RATIO=
+# ALLOW_OUTBOUND_SCRIPT_DEBUGGING=
+# ALLOW_INBOUND_SCRIPT_DEBUGGING=
+# FORCE_INBOUND_DEBUG_PORT=
+# SCRIPT_DEBUGGER_AUTO_ATTACH=
+# SCRIPT_DEBUGGER_AUTO_ATTACH_CONNECT_ADDRESS=
+# SCRIPT_WATCHDOG_ENABLE=
+# SCRIPT_WATCHDOG_ENABLE_EXCEPTION_HANDLING=
+# SCRIPT_WATCHDOG_ENABLE_SHUTDOWN=
+# SCRIPT_WATCHDOG_HANG_EXCEPTION=
+# SCRIPT_WATCHDOG_HANG_THRESHOLD=
+# SCRIPT_WATCHDOG_SPIKE_THRESHOLD=
+# SCRIPT_WATCHDOG_SLOW_THRESHOLD=
+# SCRIPT_WATCHDOG_MEMORY_WARNING=
+# SCRIPT_WATCHDOG_MEMORY_LIMIT=
+# OP_PERMISSION_LEVEL=
+# EMIT_SERVER_TELEMETRY=
+# MSA_GAMERTAGS_ONLY=
+# ITEM_TRANSACTION_LOGGING_ENABLED=
diff --git a/minecraft/stacks/.minecraft-java.env b/minecraft/stacks/.minecraft-java.env
new file mode 100644
index 0000000..064a53e
--- /dev/null
+++ b/minecraft/stacks/.minecraft-java.env
@@ -0,0 +1,65 @@
+##############################################################################################
+# Environment variables for minecraft-java servers
+############################################################################################## 
+
+UID=${PUID}
+GID=${PGID}
+UMASK=0022
+TZ=${TZ}
+
+EULA=TRUE
+VERSION=LATEST
+PREVIEW=FALSE
+QUERY_PORT=${MCJAVA_PORT}
+SERVER_PORT=${MCJAVA_PORT}
+# we are not exposing rcon port externally, i.e. no port forwarding on rcon port configured on router
+RCON_PASSWORD_FILE=${MCJAVA_RCON_PASSWORD_FILE}
+RCON_PORT=${MCJAVA_RCON_PORT}
+ENABLE_RCON=false
+
+# Server Properties
+# -----------------
+ONLINE_MODE=true
+MODE=survival               # survival, creative, adventure, spectator
+DIFFICULTY=easy             # easy, normal, hard
+TYPE=VANILLA                # VANILLA, FORGE, NEOFORGE, FABRIC, SPIGOT, BUKKIT
+ALLOW_NETHER=true
+ANNOUNCE_PLAYER_ACHIEVEMENTS=true
+ENABLE_COMMAND_BLOCK=false
+FORCE_GAMEMODE=false
+FORCE_REDOWNLOAD=false
+GENERATE_STRUCTURES=true
+GENERATOR_SETTINGS=
+HARDCORE=false
+LEVEL=world
+LEVEL_TYPE=DEFAULT
+MAX_BUILD_HEIGHT=256
+MAX_PLAYERS=20
+MAX_TICK_TIME=60000
+MAX_WORLD_SIZE=10000
+MEMORY=2048M
+MOTD="Welcome to Minecraft on TrueNAS Scale!"
+OPS=
+PVP=false
+SEED=
+SPAWN_ANIMALS=true
+SPAWN_MONSTERS=true
+SPAWN_NPCS=true
+USE_AIKAR_FLAGS=true
+USE_FLARE_FLAGS=false
+USE_SIMD_FLAGS=false
+VIEW_DISTANCE=10
+WHITELIST=
+WORLD=
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/minecraft/stacks/compose.yml b/minecraft/stacks/compose.yml
new file mode 100644
index 0000000..75502c9
--- /dev/null
+++ b/minecraft/stacks/compose.yml
@@ -0,0 +1,72 @@
+# NB! since udp routing cannot be made on hostnames, minecraft will have to be accessed as follows:
+# minecraft-bedrock: minecraft.sthome.org:19132
+# minecraft-java: minecraft.sthome.org:25565
+
+name: minecraft
+
+secrets:
+  mcjava_rcon_password:
+    file: ${SECRETSDIR}/mcjava_rcon_password
+
+networks:
+  traefik-net:
+    external: true
+    
+services:
+  minecraft-bedrock:
+    image: itzg/minecraft-bedrock-server
+    hostname: ${MCBEDROCK_APP}
+    env_file: .minecraft-bedrock.env
+    tty: true
+    stdin_open: true
+    networks:
+      - traefik-net
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - "${DATADIR}/bedrock:/data"
+    restart: unless-stopped
+    # environment variables specified here overrides env_file
+    environment:
+      - GAMEMODE=survival
+      - DIFFICULTY=peaceful
+      #- DIFFICULTY=easy
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      - "traefik.udp.services.${MCBEDROCK_APP}-svc.loadbalancer.server.port=${MCBEDROCK_PORT}"
+      - "traefik.udp.routers.${MCBEDROCK_APP}-rtr.entrypoints=mc-bedrock"
+      - "traefik.udp.routers.${MCBEDROCK_APP}-rtr.service=${MCBEDROCK_APP}-svc"
+
+  minecraft-java:
+    image: itzg/minecraft-server
+    hostname: ${MCJAVA_APP}
+    env_file: .minecraft-java.env
+    tty: true
+    stdin_open: true
+    networks:
+      - traefik-net
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - "${DATADIR}/java:/data"
+    restart: unless-stopped
+    secrets:
+      - mcjava_rcon_password
+    # environment variables specified here override env_file
+    environment:
+      - SERVER_NAME=mc-java
+      - MODE=survival
+      - DIFFICULTY=easy
+    #  - ENABLE_RCON=true   # uncomment to enable RCON
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      # udp entrypoint routed to service port
+      - "traefik.udp.services.${MCJAVA_APP}-svc.loadbalancer.server.port=${MCJAVA_PORT}"
+      - "traefik.udp.routers.${MCJAVA_APP}-rtr.entrypoints=mc-java"
+      - "traefik.udp.routers.${MCJAVA_APP}-rtr.service=${MCJAVA_APP}-svc"
+
+      # tcp entrypoint routed to rcon port - unencrypted (unsafe, do not port forward router)
+      - "traefik.tcp.services.${MCJAVA_APP}-rcon-svc.loadbalancer.server.port=${MCJAVA_RCON_PORT}"
+      - "traefik.tcp.routers.${MCJAVA_APP}-rcon-rtr.rule=HostSNI(`*`)"  # no matching possible without tls
+      - "traefik.tcp.routers.${MCJAVA_APP}-rcon-rtr.entrypoints=mc-java-rcon"
+      - "traefik.tcp.routers.${MCJAVA_APP}-rcon-rtr.service=${MCJAVA_APP}-rcon-svc" 
diff --git a/minio/minio_jm.txt b/minio/minio_jm.txt
new file mode 100644
index 0000000..b62e936
--- /dev/null
+++ b/minio/minio_jm.txt
@@ -0,0 +1,55 @@
+# https://github.com/jlesage/docker-minio?tab=readme-ov-file
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: minio
+Username: minio
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+minio UID: 3045
+minio GID: 3044
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*minio"
+# create following datasets if not present
+zfs create SSD1/docker/data/minio
+zfs create SSD1/docker/data/minio/config
+chown -R minio:minio /mnt/SSD1/docker/data/minio
+
+Create folders
+--------------
+# In Truenas shell:
+mkdir -p /mnt/SSD1/docker/stacks/minio/secrets
+mkdir /mnt/stpool1/objectstore/minio/data1-1
+mkdir /mnt/stpool1/objectstore/minio/data1-2
+mkdir /mnt/stpool1/objectstore/minio/data2-1
+mkdir /mnt/stpool1/objectstore/minio/data2-2
+chown -R minio:minio /mnt/stpool1/objectstore/minio
+
+Create secrets
+--------------
+cd /mnt/SSD1/docker/stacks/minio/secrets
+echo -n 'your_minio_root_user' > minio_root_user
+echo -n 'your_minio_root_password' > minio_root_password
+chown -R minio:minio /mnt/SSD1/docker/stacks/minio/secrets
+chmod -R 400 /mnt/SSD1/docker/stacks/minio/secrets
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in minio folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/minio/
+# This should copy minio stacks folder to /mnt/SSD1/docker/stacks/minio
+
+
diff --git a/minio/stacks/.env b/minio/stacks/.env
new file mode 100644
index 0000000..eebee5c
--- /dev/null
+++ b/minio/stacks/.env
@@ -0,0 +1,19 @@
+APPLICATION_NAME=minio
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+OBJECTSTOREDIR=/mnt/stpool1/objectstore
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+TZ=Africa/Johannesburg
+
+DOMAINNAME=sthome.org
+API_PORT=9000
+WEBUI_PORT=9001
+PUID=3045
+PGID=3044
diff --git a/minio/stacks/.minio.env b/minio/stacks/.minio.env
new file mode 100644
index 0000000..ae1af57
--- /dev/null
+++ b/minio/stacks/.minio.env
@@ -0,0 +1,13 @@
+
+USER_ID=${PUID}
+GROUP_ID=${PGID}
+PUID=${PUID}
+PGID=${PGID}
+UMASK=0022
+TZ=${TZ}
+DARK_MODE=1
+
+MINIO_ROOT_USER_FILE=/run/secrets/minio_root_user
+MINIO_ROOT_PASSWORD_FILE=/run/secrets/minio_root_password
+
+
diff --git a/minio/stacks/compose.yml b/minio/stacks/compose.yml
new file mode 100644
index 0000000..815fcb8
--- /dev/null
+++ b/minio/stacks/compose.yml
@@ -0,0 +1,75 @@
+# https://quay.io/repository/minio/minio?tab=tags
+
+name: minio
+
+secrets:
+  minio_root_user:
+    file: ${SECRETSDIR}/minio_root_user
+  minio_root_password:
+    file: ${SECRETSDIR}/minio_root_password
+
+networks:
+  traefik-net:
+    external: true
+   
+x-minio-common: &minio-common
+  image: quay.io/minio/minio:RELEASE.2024-09-22T00-33-43Z
+  user: ${PUID}:${PGID}
+  command: server --console-address ":9001" http://minio{1...2}/data{1...2}
+  env_file: .minio.env
+  secrets:
+    - minio_root_user
+    - minio_root_password
+  restart: unless-stopped
+  healthcheck:
+    test: ["CMD", "mc", "ready", "local"]
+    interval: 5s
+    timeout: 5s
+    retries: 5
+
+services:
+  minio1: 
+    <<: *minio-common
+    hostname: minio1
+    networks:
+      - traefik-net
+    volumes:
+      - "${OBJECTSTOREDIR}/minio/data1-1:/data1"
+      - "${OBJECTSTOREDIR}/minio/data1-2:/data2"
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      - "traefik.http.services.minio1-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      - "traefik.http.middlewares.minio1-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.minio1-rtr.entrypoints=web"
+      - "traefik.http.routers.minio1-rtr.rule=Host(`minio1.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.minio1-rtr.middlewares=minio1-https-redirect"
+      - "traefik.http.routers.minio1-rtr.service=minio1-svc"
+      - "traefik.http.routers.minio1-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.minio1-secure-rtr.rule=Host(`minio1.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.minio1-secure-rtr.tls=true"
+      - "traefik.http.routers.minio1-secure-rtr.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.minio1-secure-rtr.service=minio1-svc"
+    
+  minio2: 
+    <<: *minio-common
+    hostname: minio2
+    networks:
+      - traefik-net
+    volumes:
+      - "${OBJECTSTOREDIR}/minio/data2-1:/data1"
+      - "${OBJECTSTOREDIR}/minio/data2-2:/data2"
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      - "traefik.http.services.minio2-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      - "traefik.http.middlewares.minio2-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.minio2-rtr.entrypoints=web"
+      - "traefik.http.routers.minio2-rtr.rule=Host(`minio2.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.minio2-rtr.middlewares=minio2-https-redirect"
+      - "traefik.http.routers.minio2-rtr.service=minio2-svc"
+      - "traefik.http.routers.minio2-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.minio2-secure-rtr.rule=Host(`minio2.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.minio2-secure-rtr.tls=true"
+      - "traefik.http.routers.minio2-secure-rtr.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.minio2-secure-rtr.service=minio2-svc"
diff --git a/mkvtoolnix/mkvtoolnix_jm.txt b/mkvtoolnix/mkvtoolnix_jm.txt
new file mode 100644
index 0000000..ccf2e93
--- /dev/null
+++ b/mkvtoolnix/mkvtoolnix_jm.txt
@@ -0,0 +1,49 @@
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: mkvtoolnix
+Username: mkvtlnix
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <unselect>
+Primary Group: mkvtlnix
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+mkvtlnix UID: 3046
+mkvtlnix GID: 3045
+
+Enable access to media folders
+------------------------------
+If not done already, step through instructions in "Enable access to media folder.txt"
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*mkvtoolnix"
+# create following datasets if not present
+zfs create SSD1/docker/data/mkvtoolnix
+zfs create SSD1/docker/data/mkvtoolnix/appdata
+zfs create SSD1/docker/data/mkvtoolnix/config
+chown -R mkvtlnix:mkvtlnix /mnt/SSD1/docker/data/mkvtoolnix
+
+Create folder
+-------------
+# In Truenas shell:
+mkdir -p /mnt/SSD1/docker/stacks/mkvtoolnix
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in mkvtoolnix folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/mkvtoolnix/
+# This should copy mkvtoolnix stacks folder to /mnt/SSD1/docker/stacks/mkvtoolnix
+
+
+
+
+
diff --git a/mkvtoolnix/stacks/.env b/mkvtoolnix/stacks/.env
new file mode 100644
index 0000000..4c074ca
--- /dev/null
+++ b/mkvtoolnix/stacks/.env
@@ -0,0 +1,26 @@
+
+APPLICATION_NAME=mkvtoolnix
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOWNLOADSDIR=/mnt/stpool1/Downloads
+STAGINGDIR=/mnt/stpool1/NData1/staging
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+TZ=Africa/Johannesburg
+
+CT_DOWNLOADS=/Downloads
+CT_MEDIA=/Media
+MEDIA_GID=3017
+PUID=3046
+PGID=3045
+DOMAINNAME=sthome.org
+WEBUI_PORT=5800
+
+
+
+
diff --git a/mkvtoolnix/stacks/.mkvtoolnix.env b/mkvtoolnix/stacks/.mkvtoolnix.env
new file mode 100644
index 0000000..1a49a3c
--- /dev/null
+++ b/mkvtoolnix/stacks/.mkvtoolnix.env
@@ -0,0 +1,15 @@
+
+USER_ID=${PUID}
+GROUP_ID=${PGID}
+SUP_GROUP_IDS=${MEDIA_GID}
+UMASK=0022
+TZ=$TZ}
+
+DARK_MODE=1
+# SECURE_CONNECTION=1
+# WEB_AUTHENTICATION=1
+# WEB_AUTHENTICATION_USERNAME=
+# WEB_AUTHENTICATION_PASSWORD=
+# SECURE_CONNECTION_VNC_METHOD=
+# SECURE_CONNECTION_CERTS_CHECK_INTERVAL=
+# VNC_PASSWORD=
\ No newline at end of file
diff --git a/mkvtoolnix/stacks/compose.yml b/mkvtoolnix/stacks/compose.yml
new file mode 100644
index 0000000..f306603
--- /dev/null
+++ b/mkvtoolnix/stacks/compose.yml
@@ -0,0 +1,61 @@
+
+name: mkvtoolnix
+
+networks:
+  traefik-net:
+    external: true
+    
+services:
+  mkvtoolnix:
+    image: jlesage/mkvtoolnix
+    hostname: "${APPLICATION_NAME}"
+    env_file: .mkvtoolnix.env
+    #user: "${PUID}:${MEDIA_GID}"
+    #group_add:
+    #  - "${MEDIA_GID}"  # not needed, covered by SUP_GROUP_IDS in env
+    networks:
+      - traefik-net
+    volumes:
+      - "${DATADIR}/config:/config"
+      - "${DATADIR}/appdata:/storage"
+      - "${MEDIADIR}:${CT_MEDIA}"
+      - "${MEDIADIR}:${CT_DOWNLOADS}"
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      # http middlewares
+      # ---------------------------
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # assign middlewares
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # apply tls options
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+      # attach middlewares to routers
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/mosquitto/MQTT-Explorer-0.4.0-beta.6.exe b/mosquitto/MQTT-Explorer-0.4.0-beta.6.exe
new file mode 100644
index 0000000..318dede
Binary files /dev/null and b/mosquitto/MQTT-Explorer-0.4.0-beta.6.exe differ
diff --git a/mosquitto/MQTT-Explorer-Setup-0.4.0-beta.6.exe b/mosquitto/MQTT-Explorer-Setup-0.4.0-beta.6.exe
new file mode 100644
index 0000000..e8cf220
Binary files /dev/null and b/mosquitto/MQTT-Explorer-Setup-0.4.0-beta.6.exe differ
diff --git a/mosquitto/mosquitto_jm.txt b/mosquitto/mosquitto_jm.txt
new file mode 100644
index 0000000..7a8c44f
--- /dev/null
+++ b/mosquitto/mosquitto_jm.txt
@@ -0,0 +1,76 @@
+# https://cedalo.com/blog/mosquitto-docker-configuration-ultimate-guide/
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: mosquitto
+Username: mosquitt
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <unselect>
+Primary Group: mosquitt
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+mosquitt UID: 3047
+mosquitt GID: 3046
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*mosquitto"
+# create following datasets if not present
+zfs create SSD1/docker/data/mosquitto
+zfs create SSD1/docker/data/mosquitto/appdata
+zfs create SSD1/docker/data/mosquitto/config
+zfs create SSD1/docker/data/mosquitto/logs
+# create the following dataset if you want the default folder for password.txt to be mapped outside the container
+zfs create SSD1/docker/data/mosquitto/configinc
+chown -R mosquitt:mosquitt /mnt/SSD1/docker/data/mosquitto
+
+Create folder
+-------------
+# In Truenas shell:
+mkdir -p /mnt/SSD1/docker/stacks/mosquitto
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in mosquitto folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/mosquitto/
+# This should copy mosquitto stacks folder to /mnt/SSD1/docker/stacks/mosquitto
+
+Migrating data
+--------------
+# example mosquitto.conf:
+# https://github.com/eclipse/mosquitto/blob/master/mosquitto.conf
+# since config file was not persisted outside container, we will have to copy it from the container
+# get fullname of pod:
+k3s kubectl get pods -n ix-mosquitto
+# select and copy the pod name to clipboard to use it in copy command hereafter
+# copy the the config file from the container
+k3s kubectl cp -c mosquitto ix-mosquitto/<podname>:/mosquitto/config/mosquitto.conf /mnt/SSD1/docker/data/mosquitto/config/config/mosquitto.conf
+# now for the  rest of the files:
+# Stop mosquitto on truenas, in truenas shell
+heavyscript app --stop mosquitto
+cp -pr /mnt/stpool1/appdata/mosquitto/* /mnt/SSD1/docker/data/mosquitto/config/data
+# if you have mapped the default folder for password.txt to be outside the container
+cp -pr /mnt/stpool1/apps/mosquitto/* /mnt/SSD1/docker/data/mosquitto/config/configinc
+chown -R mosquitt:mosquitt /mnt/SSD1/docker/data/mosquitto/
+chmod -R 700 /mnt/SSD1/docker/data/mosquitto/
+
+Test mosquitto
+--------------
+# TODO
+
+Setting up certbot to renew certificate
+---------------------------------------
+# TODO
+
+
+
+
diff --git a/mosquitto/stacks/.env b/mosquitto/stacks/.env
new file mode 100644
index 0000000..0c34951
--- /dev/null
+++ b/mosquitto/stacks/.env
@@ -0,0 +1,18 @@
+
+APPLICATION_NAME=mosquitto
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOWNLOADSDIR=/mnt/stpool1/Downloads
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+DOMAINNAME=sthome.org
+SERVICE_PORT=1883
+SECURE_SERVICE_PORT=8883
+
+PUID=3047
+PGID=3046
diff --git a/mosquitto/stacks/.mosquitto.env b/mosquitto/stacks/.mosquitto.env
new file mode 100644
index 0000000..a463818
--- /dev/null
+++ b/mosquitto/stacks/.mosquitto.env
@@ -0,0 +1,6 @@
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=Africa/Johannesburg
+
+
diff --git a/mosquitto/stacks/compose.yml b/mosquitto/stacks/compose.yml
new file mode 100644
index 0000000..f9dd0d6
--- /dev/null
+++ b/mosquitto/stacks/compose.yml
@@ -0,0 +1,53 @@
+name: mosquitto
+
+networks:
+  traefik-net:
+    external: true
+
+services:
+  mosquitto:
+    image: eclipse-mosquitto
+    hostname: mosquitto
+    env_file: .mosquitto.env
+    user: "${PUID}:${PGID}"
+    networks:
+      traefik-net:
+        aliases: ["mqtt"]
+    volumes:
+      - "${DATADIR}/appdata:/mosquitto/data"
+      - "${DATADIR}/config:/mosquitto/config"
+      - "${DATADIR}/logs:/mosquitto/log"
+      - "${DATADIR}/configinc:/mosquitto/configinc"  # maps the default folder for password.txt file
+    restart: unless-stopped
+    # ports 1883, 8883 and 9001
+    # 9001 not implemented
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # tcp services
+      # -------------
+      - "traefik.tcp.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${SERVICE_PORT}"
+      - "traefik.tcp.services.${APPLICATION_NAME}-secure-svc.loadbalancer.server.port=${SECURE_SERVICE_PORT}"
+      #
+      # tcp routers
+      # ------------
+      # limit router to mqtt ":1883" entrypoint
+      - "traefik.tcp.routers.${APPLICATION_NAME}-rtr.entrypoints=mqtt"
+      # set match criteria for router
+      - "traefik.tcp.routers.${APPLICATION_NAME}-rtr.rule=HostSNI(`*`)"
+      # assign svc target to routers
+      - "traefik.tcp.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to mqttsecure ":8883" entrypoint
+      - "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=mqttsecure"
+      # set match criteria for router
+      - "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.rule=HostSNI(`${APPLICATION_NAME}.${DOMAINNAME}`) || HostSNI(`mqtt.${DOMAINNAME}`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # passthrough tls
+      - "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls.passthrough=true"
+      # generate certificates using following certresolver
+      - "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+      # assign svc target to routers
+      - "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-secure-svc"
diff --git a/mysql-workbench/mysql-workbench.txt b/mysql-workbench/mysql-workbench.txt
new file mode 100644
index 0000000..b28d817
--- /dev/null
+++ b/mysql-workbench/mysql-workbench.txt
@@ -0,0 +1,58 @@
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: mysql-workbench
+Username: mysql-wb
+Disable Password: <select>
+Email: <leave blank>
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+mysql-wb PUID=3060
+mysql-wb PGID=3061
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*mysql-workbench"
+# create following dataset if not present
+zfs create SSD1/docker/data/mysql-workbench
+zfs create SSD1/docker/data/mysql-workbench/config
+chown -R mysql-wb:mysql-wb /mnt/SSD1/docker/data/mysql-workbench
+
+Create foldera
+--------------
+mkdir -p /mnt/SSD1/docker/stacks/mysql-workbench/secrets
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in mysql-workbench folder, enter:
+./cp2nas 192.168.2.2
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/mysql-workbench/
+# This should copy stacks folder to /mnt/SSD1/docker/stacks/mysql-workbench
+
+Create secrets
+--------------
+In Truenas shell:
+# assuming you have already created secrets in mariab stacks folder:
+cat /mnt/SSD1/docker/stacks/mariadb/secrets/mariadb_root_password > /mnt/SSD1/docker/stacks/mysql-workbench/secrets/mariadb_root_password
+chown -R mysql-wb:mysql-wb /mnt/SSD1/docker/stacks/mysql-workbench/secrets/
+chmod -R 400 /mnt/SSD1/docker/stacks/mysql-workbench/secrets/
+# to list secrets in secrets dir
+cd /mnt/SSD1/docker/stacks/mysql-workbench/secrets
+for i in $(ls -1); do echo $i = `cat $i`; done | sort
+
+To open container shell
+------------------------
+docker exec -it mysql-workbench-mysql-workbench-1 bash
+
+To log into database as root from container shell
+-------------------------------------------------
+mysql-workbench -u root -p <database-name>
+# Enter root password
diff --git a/mysql-workbench/stacks/.env b/mysql-workbench/stacks/.env
new file mode 100644
index 0000000..0174141
--- /dev/null
+++ b/mysql-workbench/stacks/.env
@@ -0,0 +1,22 @@
+
+APPLICATION_NAME=mysql-workbench
+
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOCKERDIR=/mnt/SSD1/docker/
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+PUID=3060
+PGID=3061
+MEDIA_PGID=3017
+
+
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+WEBUI_PORT=3000
+
+MARIADB_DB_PORT=3306
+MARIADB_ROOT_PASSWORD_FILE=/run/secrets/mariadb_root_password
+
diff --git a/mysql-workbench/stacks/.mysql-workbench.env b/mysql-workbench/stacks/.mysql-workbench.env
new file mode 100644
index 0000000..ffc445f
--- /dev/null
+++ b/mysql-workbench/stacks/.mysql-workbench.env
@@ -0,0 +1,8 @@
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+
+MARIADB_ROOT_PASSWORD_FILE=${MARIADB_ROOT_PASSWORD_FILE}
+
+
diff --git a/mysql-workbench/stacks/compose.yml b/mysql-workbench/stacks/compose.yml
new file mode 100644
index 0000000..8398682
--- /dev/null
+++ b/mysql-workbench/stacks/compose.yml
@@ -0,0 +1,63 @@
+name: mysql-workbench
+
+secrets:
+#  mariadb_database_name:
+#    file: ${SECRETSDIR}/mariadb_database_name
+#  mariadb_username:
+#    file: ${SECRETSDIR}/mariadb_username
+#  mariadb_password:
+#    file: ${SECRETSDIR}/mariadb_password
+  mariadb_root_password:
+    file: ${SECRETSDIR}/mariadb_root_password
+    
+networks:
+  traefik-net:
+    external: true
+  mariadb-net:
+    external: true
+    
+services:
+  mysql-workbench:
+    image: lscr.io/linuxserver/mysql-workbench:latest
+    hostname: mysql-workbench
+    deploy:
+      resources:
+        reservations:
+          devices:
+            - driver: nvidia
+              count: 1
+              capabilities: [compute,video,graphics,utility]
+    cap_add:
+      - IPC_LOCK
+    volumes:
+      - "${DATADIR}/config:/config"
+#    ports:
+#      - 3000:3000
+#      - 3001:3001
+    restart: unless-stopped
+    env_file: .mysql-workbench.env
+    networks:
+      - traefik-net
+      - mariadb-net
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+
diff --git a/mysql/mysql.txt b/mysql/mysql.txt
new file mode 100644
index 0000000..33a9af4
--- /dev/null
+++ b/mysql/mysql.txt
@@ -0,0 +1,61 @@
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: mysql
+Username: mysql
+Disable Password: <select>
+Email: <leave blank>
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+mysql PUID=3061
+mysql PGID=3062
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*mysql"
+# create following datasets if not present
+zfs create SSD1/docker/data/mysql
+zfs create SSD1/docker/data/mysql/appdata
+chown -R mysql:mysql /mnt/SSD1/docker/data/mysql
+
+Create folders
+--------------
+mkdir -p /mnt/SSD1/docker/stacks/mysql/secrets
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in mysql folder, enter:
+./cp2nas 192.168.2.2
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/mysql/
+# This should copy stacks folder to /mnt/SSD1/docker/stacks/mysql
+
+Create secrets
+--------------
+In Truenas shell:
+cd /mnt/SSD1/docker/stacks/mysql/secrets
+# echo -n 'your_mysql_database_name' > /mnt/SSD1/docker/stacks/mysql/secrets/mysql_database_name
+# echo -n 'your_mysql_username' > /mnt/SSD1/docker/stacks/mysql/secrets/mysql_username
+# openssl rand 36 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' | cut -c -32  | tr -d '\n' > /mnt/SSD1/docker/stacks/mysql/secrets/mysql_password
+openssl rand 60 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' | cut -c -56  | tr -d '\n' > /mnt/SSD1/docker/stacks/mysql/secrets/mysql_root_password
+chown -R mysql:mysql /mnt/SSD1/docker/stacks/mysql/secrets/
+chmod -R 400 /mnt/SSD1/docker/stacks/mysql/secrets/
+# to list secrets in secrets dir
+cd /mnt/SSD1/docker/stacks/mysql/secrets
+for i in $(ls -1); do echo $i = `cat $i`; done | sort
+
+To open container shell
+------------------------
+docker exec -it mysql-mysql-1 bash
+
+To log into database as root from container shell
+-------------------------------------------------
+mysql -u root -p <database-name>
+# Enter root password
diff --git a/mysql/stacks/.env b/mysql/stacks/.env
new file mode 100644
index 0000000..cc3892f
--- /dev/null
+++ b/mysql/stacks/.env
@@ -0,0 +1,20 @@
+
+APPLICATION_NAME=mysql
+
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOCKERDIR=/mnt/SSD1/docker/
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+PUID=3061
+PGID=3062
+MEDIA_PGID=3017
+
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+
+SERVICE_PORT=3306
+MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password
+
diff --git a/mysql/stacks/.mysql.env b/mysql/stacks/.mysql.env
new file mode 100644
index 0000000..bc92c91
--- /dev/null
+++ b/mysql/stacks/.mysql.env
@@ -0,0 +1,16 @@
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+
+MYSQL_ROOT_PASSWORD_FILE=${MYSQL_ROOT_PASSWORD_FILE}
+
+# REMOTE_SQL=http://URL1/your.sql,https://URL2/your.sql
+
+# MYSQL_DATABASE: 'db'
+# # So you don't have to use root, but you can if you like
+# MYSQL_USER: 'user'
+# # You can use whatever password you like
+# MYSQL_PASSWORD: 'password'
+# # Password for root access
+# MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
\ No newline at end of file
diff --git a/mysql/stacks/compose.yml b/mysql/stacks/compose.yml
new file mode 100644
index 0000000..f5cd504
--- /dev/null
+++ b/mysql/stacks/compose.yml
@@ -0,0 +1,56 @@
+name: mysql
+
+secrets:
+  mysql_root_password:
+    file: ${SECRETSDIR}/mysql_root_password
+    
+networks:
+  mysql-net:
+    external: true
+  traefik-net:
+    external: true
+
+services:
+  mysql:
+    image: mysql:latest # mysql:5.7
+    restart: always
+    env_file: .mysql.env
+    user: ${PUID}:${PGID}
+    volumes:
+      - "${DATADIR}/appdata:/var/lib/mysql"
+    secrets:
+      - mysql_root_password
+    networks:
+      - mysql-net
+      - traefik-net
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # tcp service
+      # -----------
+      - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc.loadbalancer.server.port=${SERVICE_PORT}"
+      #
+      # tcp routers
+      # -----------
+      # limit router to mysql ":9306" entrypoint
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr.entrypoints=mysql"
+      # set match criteria for router, since this is not tls, header might not contain hostsni field; we're forced to use wildcard
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr.rule=HostSNI(`*`)"
+      # assign svc target to router
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr.service=${APPLICATION_NAME}-tcp-svc" 
+###### mysql with tls via traefik not working
+#      #
+#      # limit router to mysql ":9306" entrypoint
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.entrypoints=mysql"
+#      # set match criteria for router
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.rule=HostSNI(`${APPLICATION_NAME}.${DOMAINNAME}`)"
+#      # set router to be dedicated to secure requests only for the hosts specified in match criteria
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls=true"
+#      # forward requests "as is" keeping all data encrypted.
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.passthrough=true"
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.options=tls-opts@file"
+#      # generate certificates using following certresolver
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.certresolver=sthomeresolver"
+#      # assign svc target to router
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.service=${APPLICATION_NAME}-tcp-svc" 
\ No newline at end of file
diff --git a/networks/stacks/compose.yml b/networks/stacks/compose.yml
new file mode 100644
index 0000000..1d81869
--- /dev/null
+++ b/networks/stacks/compose.yml
@@ -0,0 +1,88 @@
+
+name: networks
+
+networks:
+  macvlan0:
+    name: macvlan0
+    driver: macvlan
+    driver_opts:
+      parent: br1
+      com.docker.network.macvlan.mode: bridge
+      com.docker.network.bridge.name: "br-locallan"
+    ipam:
+      config:
+        - subnet: 192.168.2.0/24 
+          gateway: 192.168.2.1
+      
+  traefik-net:
+    name: traefik-net
+    attachable: true
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 10.255.224.0/20 # Range: 10.255.224.1 - 10.255.239.254
+    driver_opts:
+      # NB! bridge name should be 15 characters or less 
+      com.docker.network.bridge.name: "br-traefik"
+  postgres-net:
+    name: postgres-net
+    driver: bridge
+    internal: true
+    driver_opts:
+      com.docker.network.bridge.name: "br-postgres"
+  mariadb-net:
+    name: mariadb-net
+    driver: bridge
+    internal: true
+    driver_opts:
+      com.docker.network.bridge.name: "br-mariadb"
+  mysql-net:
+    name: mysql-net
+    driver: bridge
+    internal: true
+    driver_opts:
+      com.docker.network.bridge.name: "br-mysql"
+  authentik-net:
+    name: authentik-net
+    driver: bridge
+    internal: true
+    driver_opts:
+      com.docker.network.bridge.name: "br-authentik"
+  fireflyiii-net:
+    name: fireflyiii-net
+    driver: bridge
+    internal: true
+    driver_opts:
+      com.docker.network.bridge.name: "br-fireflyiii"
+  vaultwarden-net:
+    name: vaultwarden-net
+    driver: bridge
+    internal: true
+    driver_opts:
+      com.docker.network.bridge.name: "br-vaultwarden"
+  digikam-net:
+    name: digikam-net
+    driver: bridge
+    internal: true
+    driver_opts:
+      com.docker.network.bridge.name: "br-digikam"
+      
+services:
+  netbb:
+    image: busybox
+    hostname: netsvc2
+    networks:
+      - traefik-net
+      - postgres-net
+      - mariadb-net
+      - mysql-net
+      - authentik-net
+      - fireflyiii-net
+      - vaultwarden-net
+      - digikam-net
+      - macvlan0
+
+
+
+
+
diff --git a/nextcloud/nextcloud_jm.txt b/nextcloud/nextcloud_jm.txt
new file mode 100644
index 0000000..b532306
--- /dev/null
+++ b/nextcloud/nextcloud_jm.txt
@@ -0,0 +1,297 @@
+# https://github.com/nextcloud/docker
+# https://github.com/nextcloud/docker?tab=readme-ov-file#running-this-image-with-docker-compose
+# https://api.onlyoffice.com/docs/docs-api/get-started/ready-to-use-connectors/nextcloud-integration/
+
+Create user and group
+---------------------
+Credentials -> Local Groups -> Add
+GID: 33
+Name: www-data
+Save
+Credentials -> Local Users -> Add
+Full Name: www-data
+Username: www-data
+Disable Password: <select>
+Email: <leave blank>
+UID: 33
+Create New Primary Group: <unselect>
+Primary Group: www-data
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+www-data UID: 82 #33
+www-data GID: 82 #33
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*nextcloud"
+zfs list | grep -i "NData2.*nextcloud"
+# create following datasets if not present
+zfs create SSD1/docker/data/nextcloud
+zfs create SSD1/docker/data/nextcloud/appdata
+zfs create SSD1/docker/data/nextcloud/config
+zfs create SSD1/docker/data/nextcloud/custom_apps
+zfs create SSD1/docker/data/nextcloud/themes
+zfs create SSD1/docker/data/nextcloud/redis
+zfs create SSD1/docker/data/nextcloud/nginx
+zfs create SSD1/docker/data/nextcloud/pgdata
+zfs create SSD1/docker/data/nextcloud/pgbackups
+chown -R www-data:www-data /mnt/SSD1/docker/data/nextcloud
+chown -R postgres:postgres /mnt/SSD1/docker/data/nextcloud/pgdata
+chown -R postgres:postgres /mnt/SSD1/docker/data/nextcloud/pgbackups
+zfs create stpool1/NData2/bulkstore
+zfs create stpool1/NData2/bulkstore/nextcloud
+zfs create stpool1/NData2/bulkstore/nextcloud/data
+chown -R www-data:www-data /mnt/stpool1/NData2/bulkstore/nextcloud
+
+Create folders
+--------------
+mkdir -p /mnt/SSD1/docker/stacks/nextcloud/secrets
+
+If not done already, add mapping for 2nd pool's appdata in jail config
+----------------------------------------------------------------------
+# the folder where appdata for nextcloud is stored is /mnt/stpool1/NData2/appdata/nextcloud
+On Truenas shell:
+jlmkr edit docker
+Add the following args to "systemd_nspawn_user_args": 
+--bind='/mnt/stpool1/NData2/bulkstore:/mnt/bulkstore'
+jlmkr restart docker
+
+Enabling outgoing connections for nextcloud 
+-------------------------------------------
+# If your server has multiple network connections, there could be a need to use a specific network interface to use for outgoing connections. 
+# Use the following steps to enable it:
+#
+# list available networks
+docker network ls
+# check if the "traefik-net" network is listed. The "traefik-net" network is created by the "networks" project
+# if not present, execute the following command in docker shell to create the "traefik-net" network
+docker network create --attachable --opt ‘com.docker.network.bridge.name=traefik-net’ --opt ‘com.docker.network.bridge.enable_ip_masquerade=false’ traefik-net
+# execute the following to enable outgoing connections for on this network
+# first, check the subnet of traefik-net 
+docker inspect traefik-net | grep "Subnet"
+# note the subnet 
+# second, check the ip address of docker / host, replacing <interface name> with the name of the interface that will be used for outgoing connections
+# note the host ip
+ip a | grep <interface name>
+# use in the following command, replacing <SUBNET> with the noted subnet and <HOST IP> noted host ip
+iptables -t nat -A POSTROUTING -s <SUBNET> ! -o traefik-net -j SNAT --to-source <HOST IP>
+# to delete the iptable entry added above, use the same iptables command but replace the "-A" with a "-D"
+# check for SNAT entry with following command:
+#   iptables -t nat -L
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in nextcloud folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/nextcloud/
+
+Create secrets
+--------------
+# In Truenas shell:
+cd /mnt/SSD1/docker/stacks/nextcloud/secrets
+echo -n 'admin' > /mnt/SSD1/docker/stacks/nextcloud/secrets/nextcloud_admin_username
+echo -n 'your_admin_password' > /mnt/SSD1/docker/stacks/nextcloud/secrets/nextcloud_admin_password
+echo -n 'your_postgresql_database_name' > /mnt/SSD1/docker/stacks/nextcloud/secrets/nextcloud_postgresql_database
+echo -n 'postgres' > /mnt/SSD1/docker/stacks/nextcloud/secrets/nextcloud_postgresql_username
+openssl rand 64 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' | cut -c -62  | tr -d '\n' > /mnt/SSD1/docker/stacks/nextcloud/secrets/nextcloud_postgresql_password
+openssl rand 64 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' | cut -c -50  | tr -d '\n' > /mnt/SSD1/docker/stacks/nextcloud/secrets/nextcloud_redis_password
+# restrict access
+chown -R www-data:www-data /mnt/SSD1/docker/stacks/nextcloud/secrets/
+chmod -R 400 /mnt/SSD1/docker/stacks/nextcloud/secrets/
+# read existing acl permissions, if any
+getfacl /mnt/SSD1/docker/stacks/nextcloud/secrets
+# set acl permissions
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/nextcloud/secrets
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/nextcloud/secrets/nextcloud_postgresql_password
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/nextcloud/secrets/nextcloud_postgresql_username
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/nextcloud/secrets/nextcloud_postgresql_database
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+# to list secrets in secrets dir
+cd /mnt/SSD1/docker/stacks/nextcloud/secrets
+for i in $(ls -1); do echo $i = `cat $i`; done | sort
+
+Migration
+---------
+# you do this at your own risk
+Old installation (truecharts)            New installation (on docker)
+-----------------------------            ----------------------------
+/mnt/stpool1/apps/nextcloud              /mnt/SSD1/docker/data/nextcloud/config
+/mnt/stpool1/appdata/nextcloud/html      /mnt/SSD1/docker/data/nextcloud/appdata
+/mnt/stpool1/appdata/nextcloud/userdata  /mnt/stpool1/NData2/bulkstore/nextcloud/data
+
+# Stop old/source nextcloud
+heavyscript app --stop nextcloud
+# Stop new/target nextcloud
+# On Dockge, select nextcloud and click stop & inactive
+# Copy the source Library to target folder:
+cp -rp /mnt/stpool1/apps/nextcloud/. /mnt/SSD1/docker/data/nextcloud/config/
+cp -rp /mnt/stpool1/appdata/nextcloud/html/. /mnt/SSD1/docker/data/nextcloud/appdata
+cp -rp /mnt/stpool1/appdata/nextcloud/userdata/.  /mnt/stpool1/NData2/bulkstore/nextcloud/data
+# Change ownership of copied folders
+chown -R www-data:www-data /mnt/SSD1/docker/data/nextcloud /mnt/stpool1/NData2/bulkstore/nextcloud/data
+
+Getting upgrading error message?
+-------------------------------
+# if you get an upgrading error message, then you need to perform a step wise upgrade until you end up with the desired release
+# for example, if the error message you get is:
+  Can't start Nextcloud because upgrading from 28.0.2.5 to 30.0.0.14 is not supported.
+# then you will have to go through the following steps:
+# in Dockge, click Edit and set tag in compose.yml image setting to:
+nextcloud:28.0.10-fpm
+# click Save
+# click Start; wait till startup is done
+# click Stop & Inactive; wait till all containers have stopped
+# in Dockge, click Edit and set tag in compose.yml image setting to:
+nextcloud:29.0.7-fpm
+# click Save
+# click Start; wait till startup is done
+# click Stop & Inactive; wait till all containers have stopped
+# in Dockge, click Edit and set tag in compose.yml image setting to:
+nextcloud:30.0.0-fpm
+# click Save
+# click Start; wait till startup is done
+# Navigate to nextcloud using browser
+
+Verify config settings in config.php
+------------------------------------
+nano /mnt/data/nextcloud/config/config.php
+# verify the following settings to align with the new nextcloud installation:
+  'dbtype' => 'pgsql',
+  'version' => '28.0.2.5',
+  'overwrite.cli.url' => 'nextcloud.example.com',   # update if required
+  'dbname' => 'nextcloud',                          # update if required
+  'dbhost' => 'nextcloud_postgresql',               # updated
+  'dbport' => '5432',                               # update if required
+  'dbtableprefix' => 'oc_',
+  'dbuser' => 'nextcloud',                          # update if required
+  'dbpassword' => 'your very strong password',      # update
+  ....
+  'redis' =>
+  array (
+    'host' => 'nextcloud-redis',
+    'password' => 'your very strong password',      # update
+    'port' => '6379',                               # update if required
+  ),
+  'overwritehost' => 'nextcloud.example.com',       # update if required
+  'overwriteprotocol' => 'https',
+  ....
+  'onlyoffice' =>
+  array (
+    'jwt_secret' => 'your_onlyoffice_jwt_secret',   # obtain from onlyoffice and update
+    'jwt_header' => 'Authorization',
+  ),
+  ....
+  'mail_from_address' => 'your_email_from_address', # update all
+  'mail_smtpmode' => 'smtp',
+  'mail_sendmailmode' => 'smtp',
+  'mail_domain' => 'your_email_domainname',
+  'mail_smtphost' => 'your_email_smtp_host',
+  'mail_smtpport' => '25',
+  'mail_smtpauth' => 1,
+  'mail_smtpname' => 'your_email_smtp_username',
+  'mail_smtppassword' => 'your_email_smtp_password',
+  ....
+  'trusted_domains' =>
+  array (
+    0 => '127.0.0.1',   # update all with your trusted domains
+    1 => 'localhost',
+    2 => 'nextcloud',
+    3 => 'nextcloud-*',
+    4 => '*.sthome.org',
+    5 => '*.sthome.net',
+    6 => '*.sthome.lan',
+    7 => 'onlyoffice.sthome.org',
+  ....
+  'trusted_proxies' =>
+  array (
+    0 => '172.16.0.0/16',           # update with traefik network CIDR
+  ),  
+
+Please note
+-----------
+# 1. It seems like nextcloud works only correctly with PUID=33 and PGID=33?
+# 2. The NEXTCLOUD_TRUSTED_DOMAINS environment variable is ineffective after the first install. It seems to be ignored after the config/config.php file has been initialised.
+#    If the config, e.g. trusted domains setting requires editing, do it in config/config.php, for example:
+     nano /mnt/SSD1/docker/data/nextcloud/config
+		'trusted_domains' =>
+		array (
+		  0 => 'localhost',
+		  1 => '*.example.com',
+		  2 => '*.example.net',
+	    ),
+     It is advisable to keep the environment variables in step with changes made to the config/config.php settings.
+
+
+Backup old nextcloud
+--------------------
+#https://docs.nextcloud.com/server/latest/admin_manual/maintenance/backup.html
+# on truenas:
+sudo -u www-data php occ maintenance:mode --on
+rsync -Aavx /mnt/stpool1/apps/nextcloud/ /mnt/SSD1/docker/data/nextcloud/nextcloud-dirbkp_`date +"%Y%m%d"`/config/
+rsync -Aavx /mnt/stpool1/appdata/nextcloud/html/ /mnt/SSD1/docker/data/nextcloud/nextcloud-dirbkp_`date +"%Y%m%d"`/appdata/
+rsync -Aavx /mnt/stpool1/appdata/nextcloud/userdata/ /mnt/stpool1/NData2/bulkstore/nextcloud/nextcloud-dirbkp_`date +"%Y%m%d"`/data
+# to back db, use: PGPASSWORD="password" pg_dump [db_name] -h [server] -U [username] -f nextcloud-sqlbkp_`date +"%Y%m%d"`.bak
+PGPASSWORD="UfxuRXEX9okv0kSIjPM1PBnKev3UQaKL6rXpnsnIoFBJB6U3lKJyXZPgnwSXrl" pg_dump nextcloud -h nextcloud-cnpg-main-rw.ix-nextcloud.svc.cluster.local -U nextcloud -f /mnt/SSD1/docker/data/nextcloud/pgbackups/nextcloud-sqlbkp_`date +"%Y%m%d"`.bak
+
+Restore to new nextcloud
+------------------------
+rsync -Aax /mnt/SSD1/docker/data/nextcloud/nextcloud-dirbkp_`date +"%Y%m%d"`/config/ /mnt/SSD1/docker/data/nextcloud/config/
+rsync -Aax /mnt/SSD1/docker/data/nextcloud/nextcloud-dirbkp_`date +"%Y%m%d"`/appdata/ /mnt/SSD1/docker/data/nextcloud/appdata/
+rsync -Aax /mnt/stpool1/NData2/bulkstore/nextcloud/nextcloud-dirbkp_`date +"%Y%m%d"`/data /mnt/stpool1/NData2/bulkstore/nextcloud/data
+PGPASSWORD="password" psql -h [server] -U [username] -d template1 -c "DROP DATABASE \"nextcloud\";"
+PGPASSWORD="password" psql -h [server] -U [username] -d template1 -c "CREATE DATABASE \"nextcloud\";"
+PGPASSWORD="password" psql -h [server] -U [username] -d nextcloud -f nextcloud-sqlbkp.bak
+
+Setting up nextcloud
+--------------------
+# start nextcloud using Dockge
+# login to nextcloud as admin and go to Administration settings -> Basic settings
+# Setup Email server
+#
+# go to Administration settings -> Overview
+# wait for "Security & setup warnings" scan to complete
+# check for any warnings; see examples below how to fix
+#
+1. setting maintenance window
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# in docker shell execute the following using nextcloud www-data user (82) to set window to start at 11:pm UTC
+docker exec -u 82 nextcloud-app-1 /var/www/html/occ config:system:set maintenance_window_start --type=integer --value=23
+#
+2. adding database indices after upgrade
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# in docker shell, run the following commands after nextcloud upgrade
+# first, set maintenance mode on
+docker exec -u 82 nextcloud-app-1 /var/www/html/occ maintenance:mode --on
+# above should return "Maintenance mode enabled"
+# run following commands
+docker exec -u 82 nextcloud-app-1 /var/www/html/occ db:add-missing-columns
+docker exec -u 82 nextcloud-app-1 /var/www/html/occ db:add-missing-indices
+docker exec -u 82 nextcloud-app-1 /var/www/html/occ db:add-missing-primary-keys
+# turn off maintenance mode
+docker exec -u 82 nextcloud-app-1 /var/www/html/occ maintenance:mode --off
+# above should return "Maintenance mode disabled"
+#
+3. Migrating available mimetypes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# in docker shell, enter:
+docker exec -u 82 nextcloud-app-1 /var/www/html/occ maintenance:repair --include-expensive
+#
+4. Setting default phone region
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+docker exec -u 82 nextcloud-app-1 /var/www/html/occ config:system:set default_phone_region --type=string --value=ZA
+
+Configure OnlyOffice in nextcloud
+---------------------------------
+# Login to nextcloud as admin
+# Browse to nextcloud admin settings
+Click on top left icon (new install has an 'A') -> Apps (below Administration settings)
+# Search for onlyoffice
+Click on search icon (top left magnifying glass) and enter onlyoffice
+
+
+
diff --git a/nextcloud/nginx-sec.conf b/nextcloud/nginx-sec.conf
new file mode 100644
index 0000000..22f1b34
--- /dev/null
+++ b/nextcloud/nginx-sec.conf
@@ -0,0 +1,205 @@
+# https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
+#
+# Version 2024-07-17
+# 
+upstream php-handler {
+    server 127.0.0.1:9000;
+    #server unix:/run/php/php8.2-fpm.sock;
+}
+
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $asset_immutable {
+    "" "";
+    default ", immutable";
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name nextcloud.sthome.org;
+
+    # Prevent nginx HTTP Server Detection
+    server_tokens off;
+
+    # Enforce HTTPS
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    #listen 443 ssl http2;
+    #listen [::]:443 ssl http2;
+	# -------
+    # With NGinx >= 1.25.1 you should use this instead:
+    listen 443      ssl;
+    listen [::]:443 ssl;
+    http2 on;
+	# -------
+    server_name nextcloud.sthome.org;
+
+    # Path to the root of your installation
+    root /var/www/nextcloud;
+
+    # Use Mozilla's guidelines for SSL/TLS settings
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+    ssl_certificate     /etc/ssl/nginx/nextcloud.sthome.org.crt;
+    ssl_certificate_key /etc/ssl/nginx/nextcloud.sthome.org.key;
+
+    # Prevent nginx HTTP Server Detection
+    server_tokens off;
+
+    # HSTS settings
+    # WARNING: Only add the preload option once you read about
+    # the consequences in https://hstspreload.org/. This option
+    # will add the domain to a hardcoded list that is shipped
+    # in all major browsers and getting removed from this list
+    # could take several months.
+    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+
+    # set max upload size and increase upload timeout:
+    client_max_body_size 512M;
+    client_body_timeout 300s;
+    fastcgi_buffers 64 4K;
+
+    # Enable gzip but do not remove ETag headers
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+    # Pagespeed is not supported by Nextcloud, so if your server is built
+    # with the `ngx_pagespeed` module, uncomment this line to disable it.
+    #pagespeed off;
+
+    # The settings allows you to optimize the HTTP2 bandwidth.
+    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+    # for tuning hints
+    client_body_buffer_size 512k;
+
+    # HTTP response headers borrowed from Nextcloud `.htaccess`
+    add_header Referrer-Policy                   "no-referrer"       always;
+    add_header X-Content-Type-Options            "nosniff"           always;
+    add_header X-Frame-Options                   "SAMEORIGIN"        always;
+    add_header X-Permitted-Cross-Domain-Policies "none"              always;
+    add_header X-Robots-Tag                      "noindex, nofollow" always;
+    add_header X-XSS-Protection                  "1; mode=block"     always;
+
+    # Remove X-Powered-By, which is an information leak
+    fastcgi_hide_header X-Powered-By;
+
+    # Set .mjs and .wasm MIME types
+    # Either include it in the default mime.types list
+    # and include that list explicitly or add the file extension
+    # only for Nextcloud like below:
+    include mime.types;
+    types {
+        text/javascript mjs;
+	application/wasm wasm;
+    }
+
+    # Specify how to handle directories -- specifying `/index.php$request_uri`
+    # here as the fallback means that Nginx always exhibits the desired behaviour
+    # when a client requests a path that corresponds to a directory that exists
+    # on the server. In particular, if that directory contains an index.php file,
+    # that file is correctly served; if it doesn't, then the request is passed to
+    # the front-end controller. This consistent behaviour means that we don't need
+    # to specify custom rules for certain paths (e.g. images and other assets,
+    # `/updater`, `/ocs-provider`), and thus
+    # `try_files $uri $uri/ /index.php$request_uri`
+    # always provides the desired behaviour.
+    index index.php index.html /index.php$request_uri;
+
+    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+    location = / {
+        if ( $http_user_agent ~ ^DavClnt ) {
+            return 302 /remote.php/webdav/$is_args$args;
+        }
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    # Make a regex exception for `/.well-known` so that clients can still
+    # access it despite the existence of the regex rule
+    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+    # for `/.well-known`.
+    location ^~ /.well-known {
+        # The rules in this block are an adaptation of the rules
+        # in `.htaccess` that concern `/.well-known`.
+
+        location = /.well-known/carddav { return 301 /remote.php/dav/; }
+        location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+        # Let Nextcloud's API for `/.well-known` URIs handle all other
+        # requests by passing them to the front-end controller.
+        return 301 /index.php$request_uri;
+    }
+
+    # Rules borrowed from `.htaccess` to hide certain paths from clients
+    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+    # which handle static assets (as seen below). If this block is not declared first,
+    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+    # to the URI, resulting in a HTTP 500 error response.
+    location ~ \.php(?:$|/) {
+        # Required for legacy support
+        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        set $path_info $fastcgi_path_info;
+
+        try_files $fastcgi_script_name =404;
+
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $path_info;
+        fastcgi_param HTTPS on;
+
+        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+        fastcgi_param front_controller_active true;     # Enable pretty urls
+        fastcgi_pass php-handler;
+
+        fastcgi_intercept_errors on;
+        fastcgi_request_buffering off;
+
+        fastcgi_max_temp_file_size 0;
+    }
+
+    # Serve static files
+    location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
+        try_files $uri /index.php$request_uri;
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
+        add_header Referrer-Policy                   "no-referrer"       always;
+        add_header X-Content-Type-Options            "nosniff"           always;
+        add_header X-Frame-Options                   "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies "none"              always;
+        add_header X-Robots-Tag                      "noindex, nofollow" always;
+        add_header X-XSS-Protection                  "1; mode=block"     always;
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    location ~ \.(otf|woff2?)$ {
+        try_files $uri /index.php$request_uri;
+        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    # Rule borrowed from `.htaccess`
+    location /remote {
+        return 301 /remote.php$request_uri;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php$request_uri;
+    }
+}
\ No newline at end of file
diff --git a/nextcloud/nginx.conf b/nextcloud/nginx.conf
new file mode 100644
index 0000000..f6be1ea
--- /dev/null
+++ b/nextcloud/nginx.conf
@@ -0,0 +1,201 @@
+# Version 2024-07-17
+
+upstream php-handler {
+    server 127.0.0.1:9000;
+    #server unix:/run/php/php8.2-fpm.sock;
+}
+
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $asset_immutable {
+    "" "";
+    default ", immutable";
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name nextcloud.sthome.org;
+
+    # Prevent nginx HTTP Server Detection
+    server_tokens off;
+
+    # Enforce HTTPS
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    # With NGinx >= 1.25.1 you should use this instead:
+    # listen 443      ssl;
+    # listen [::]:443 ssl;
+    # http2 on;
+    server_name nextcloud.sthome.org;
+
+    # Path to the root of your installation
+    root /var/www/nextcloud;
+
+    # Use Mozilla's guidelines for SSL/TLS settings
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+    ssl_certificate     /etc/ssl/nginx/nextcloud.sthome.org.crt;
+    ssl_certificate_key /etc/ssl/nginx/nextcloud.sthome.org.key;
+
+    # Prevent nginx HTTP Server Detection
+    server_tokens off;
+
+    # HSTS settings
+    # WARNING: Only add the preload option once you read about
+    # the consequences in https://hstspreload.org/. This option
+    # will add the domain to a hardcoded list that is shipped
+    # in all major browsers and getting removed from this list
+    # could take several months.
+    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+
+    # set max upload size and increase upload timeout:
+    client_max_body_size 512M;
+    client_body_timeout 300s;
+    fastcgi_buffers 64 4K;
+
+    # Enable gzip but do not remove ETag headers
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+    # Pagespeed is not supported by Nextcloud, so if your server is built
+    # with the `ngx_pagespeed` module, uncomment this line to disable it.
+    #pagespeed off;
+
+    # The settings allows you to optimize the HTTP2 bandwidth.
+    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+    # for tuning hints
+    client_body_buffer_size 512k;
+
+    # HTTP response headers borrowed from Nextcloud `.htaccess`
+    add_header Referrer-Policy                   "no-referrer"       always;
+    add_header X-Content-Type-Options            "nosniff"           always;
+    add_header X-Frame-Options                   "SAMEORIGIN"        always;
+    add_header X-Permitted-Cross-Domain-Policies "none"              always;
+    add_header X-Robots-Tag                      "noindex, nofollow" always;
+    add_header X-XSS-Protection                  "1; mode=block"     always;
+
+    # Remove X-Powered-By, which is an information leak
+    fastcgi_hide_header X-Powered-By;
+
+    # Set .mjs and .wasm MIME types
+    # Either include it in the default mime.types list
+    # and include that list explicitly or add the file extension
+    # only for Nextcloud like below:
+    include mime.types;
+    types {
+        text/javascript mjs;
+	application/wasm wasm;
+    }
+
+    # Specify how to handle directories -- specifying `/index.php$request_uri`
+    # here as the fallback means that Nginx always exhibits the desired behaviour
+    # when a client requests a path that corresponds to a directory that exists
+    # on the server. In particular, if that directory contains an index.php file,
+    # that file is correctly served; if it doesn't, then the request is passed to
+    # the front-end controller. This consistent behaviour means that we don't need
+    # to specify custom rules for certain paths (e.g. images and other assets,
+    # `/updater`, `/ocs-provider`), and thus
+    # `try_files $uri $uri/ /index.php$request_uri`
+    # always provides the desired behaviour.
+    index index.php index.html /index.php$request_uri;
+
+    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+    location = / {
+        if ( $http_user_agent ~ ^DavClnt ) {
+            return 302 /remote.php/webdav/$is_args$args;
+        }
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    # Make a regex exception for `/.well-known` so that clients can still
+    # access it despite the existence of the regex rule
+    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+    # for `/.well-known`.
+    location ^~ /.well-known {
+        # The rules in this block are an adaptation of the rules
+        # in `.htaccess` that concern `/.well-known`.
+
+        location = /.well-known/carddav { return 301 /remote.php/dav/; }
+        location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+        # Let Nextcloud's API for `/.well-known` URIs handle all other
+        # requests by passing them to the front-end controller.
+        return 301 /index.php$request_uri;
+    }
+
+    # Rules borrowed from `.htaccess` to hide certain paths from clients
+    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+    # which handle static assets (as seen below). If this block is not declared first,
+    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+    # to the URI, resulting in a HTTP 500 error response.
+    location ~ \.php(?:$|/) {
+        # Required for legacy support
+        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        set $path_info $fastcgi_path_info;
+
+        try_files $fastcgi_script_name =404;
+
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $path_info;
+        fastcgi_param HTTPS on;
+
+        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+        fastcgi_param front_controller_active true;     # Enable pretty urls
+        fastcgi_pass php-handler;
+
+        fastcgi_intercept_errors on;
+        fastcgi_request_buffering off;
+
+        fastcgi_max_temp_file_size 0;
+    }
+
+    # Serve static files
+    location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
+        try_files $uri /index.php$request_uri;
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
+        add_header Referrer-Policy                   "no-referrer"       always;
+        add_header X-Content-Type-Options            "nosniff"           always;
+        add_header X-Frame-Options                   "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies "none"              always;
+        add_header X-Robots-Tag                      "noindex, nofollow" always;
+        add_header X-XSS-Protection                  "1; mode=block"     always;
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    location ~ \.(otf|woff2?)$ {
+        try_files $uri /index.php$request_uri;
+        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    # Rule borrowed from `.htaccess`
+    location /remote {
+        return 301 /remote.php$request_uri;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php$request_uri;
+    }
+}
\ No newline at end of file
diff --git a/nextcloud/nginx2.conf b/nextcloud/nginx2.conf
new file mode 100644
index 0000000..87f0e9b
--- /dev/null
+++ b/nextcloud/nginx2.conf
@@ -0,0 +1,202 @@
+# https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf
+worker_processes auto;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include mime.types;
+    default_type  application/octet-stream;
+    types {
+        text/javascript mjs;
+        application/wasm wasm;
+    }
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    # Prevent nginx HTTP Server Detection
+    server_tokens   off;
+
+    keepalive_timeout  65;
+
+    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
+    map $arg_v $asset_immutable {
+        "" "";
+    default ", immutable";
+    }
+
+    #gzip  on;
+
+    upstream php-handler {
+        server nextcloud_app:9000;
+    }
+
+    server {
+        listen 80;
+
+        # HSTS settings
+        # WARNING: Only add the preload option once you read about
+        # the consequences in https://hstspreload.org/. This option
+        # will add the domain to a hardcoded list that is shipped
+        # in all major browsers and getting removed from this list
+        # could take several months.
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+
+        # set max upload size and increase upload timeout:
+        client_max_body_size 512M;
+        client_body_timeout 300s;
+        fastcgi_buffers 64 4K;
+
+        # The settings allows you to optimize the HTTP2 bandwidth.
+        # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+        # for tuning hints
+        client_body_buffer_size 512k;
+
+        # Enable gzip but do not remove ETag headers
+        gzip on;
+        gzip_vary on;
+        gzip_comp_level 4;
+        gzip_min_length 256;
+        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+        # Pagespeed is not supported by Nextcloud, so if your server is built
+        # with the `ngx_pagespeed` module, uncomment this line to disable it.
+        #pagespeed off;
+
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Referrer-Policy                      "no-referrer"       always;
+        add_header X-Content-Type-Options               "nosniff"           always;
+        add_header X-Frame-Options                      "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies    "none"              always;
+        add_header X-Robots-Tag                         "noindex, nofollow" always;
+        add_header X-XSS-Protection                     "1; mode=block"     always;
+
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
+        root /var/www/html;
+
+        # Specify how to handle directories -- specifying `/index.php$request_uri`
+        # here as the fallback means that Nginx always exhibits the desired behaviour
+        # when a client requests a path that corresponds to a directory that exists
+        # on the server. In particular, if that directory contains an index.php file,
+        # that file is correctly served; if it doesn't, then the request is passed to
+        # the front-end controller. This consistent behaviour means that we don't need
+        # to specify custom rules for certain paths (e.g. images and other assets,
+        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+        # `try_files $uri $uri/ /index.php$request_uri`
+        # always provides the desired behaviour.
+        index index.php index.html /index.php$request_uri;
+
+        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+        location = / {
+            if ( $http_user_agent ~ ^DavClnt ) {
+                return 302 /remote.php/webdav/$is_args$args;
+            }
+        }
+
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
+
+        # Make a regex exception for `/.well-known` so that clients can still
+        # access it despite the existence of the regex rule
+        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+        # for `/.well-known`.
+        location ^~ /.well-known {
+            # The rules in this block are an adaptation of the rules
+            # in `.htaccess` that concern `/.well-known`.
+
+            location = /.well-known/carddav { return 301 /remote.php/dav/; }
+            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+            # Let Nextcloud's API for `/.well-known` URIs handle all other
+            # requests by passing them to the front-end controller.
+            return 301 /index.php$request_uri;
+        }
+
+        # Rules borrowed from `.htaccess` to hide certain paths from clients
+        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+        # which handle static assets (as seen below). If this block is not declared first,
+        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+        # to the URI, resulting in a HTTP 500 error response.
+        location ~ \.php(?:$|/) {
+            # Required for legacy support
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+
+            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+            set $path_info $fastcgi_path_info;
+
+            try_files $fastcgi_script_name =404;
+
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $path_info;
+            fastcgi_param HTTPS on;
+
+            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+            fastcgi_param front_controller_active true;     # Enable pretty urls
+            fastcgi_pass php-handler;
+
+            fastcgi_intercept_errors on;
+            fastcgi_request_buffering off;
+
+            fastcgi_max_temp_file_size 0;
+        }
+
+        # Serve static files
+        location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
+            try_files $uri /index.php$request_uri;
+            add_header Cache-Control "public, max-age=15778463$asset_immutable";
+            add_header Referrer-Policy                   "no-referrer"       always;
+            add_header X-Content-Type-Options            "nosniff"           always;
+            add_header X-Frame-Options                   "SAMEORIGIN"        always;
+            add_header X-Permitted-Cross-Domain-Policies "none"              always;
+            add_header X-Robots-Tag                      "noindex, nofollow" always;
+            add_header X-XSS-Protection                  "1; mode=block"     always;
+            access_log off;     # Optional: Don't log access to assets
+
+            location ~ \.wasm$ {
+                default_type application/wasm;
+            }
+        }
+
+        location ~ \.woff2?$ {
+            try_files $uri /index.php$request_uri;
+            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+            access_log off;     # Optional: Don't log access to assets
+        }
+
+        # Rule borrowed from `.htaccess`
+        location /remote {
+            return 301 /remote.php$request_uri;
+        }
+
+        location / {
+            try_files $uri $uri/ /index.php$request_uri;
+        }
+    }
+}
\ No newline at end of file
diff --git a/nextcloud/nginx3.conf b/nextcloud/nginx3.conf
new file mode 100644
index 0000000..2355010
--- /dev/null
+++ b/nextcloud/nginx3.conf
@@ -0,0 +1,201 @@
+worker_processes auto;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include mime.types;
+    default_type  application/octet-stream;
+    types {
+        text/javascript mjs;
+        application/wasm wasm;
+    }
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    # Prevent nginx HTTP Server Detection
+    server_tokens   off;
+
+    keepalive_timeout  65;
+
+    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
+    map $arg_v $asset_immutable {
+        "" "";
+    default ", immutable";
+    }
+
+    #gzip  on;
+
+    upstream php-handler {
+        server nextcloud_app:9000;
+    }
+
+    server {
+        listen 80;
+
+        # HSTS settings
+        # WARNING: Only add the preload option once you read about
+        # the consequences in https://hstspreload.org/. This option
+        # will add the domain to a hardcoded list that is shipped
+        # in all major browsers and getting removed from this list
+        # could take several months.
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+
+        # set max upload size and increase upload timeout:
+        client_max_body_size 512M;
+        client_body_timeout 300s;
+        fastcgi_buffers 64 4K;
+
+        # The settings allows you to optimize the HTTP2 bandwidth.
+        # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+        # for tuning hints
+        client_body_buffer_size 512k;
+
+        # Enable gzip but do not remove ETag headers
+        gzip on;
+        gzip_vary on;
+        gzip_comp_level 4;
+        gzip_min_length 256;
+        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+        # Pagespeed is not supported by Nextcloud, so if your server is built
+        # with the `ngx_pagespeed` module, uncomment this line to disable it.
+        #pagespeed off;
+
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Referrer-Policy                      "no-referrer"       always;
+        add_header X-Content-Type-Options               "nosniff"           always;
+        add_header X-Frame-Options                      "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies    "none"              always;
+        add_header X-Robots-Tag                         "noindex, nofollow" always;
+        add_header X-XSS-Protection                     "1; mode=block"     always;
+
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
+        root /var/www/html;
+
+        # Specify how to handle directories -- specifying `/index.php$request_uri`
+        # here as the fallback means that Nginx always exhibits the desired behaviour
+        # when a client requests a path that corresponds to a directory that exists
+        # on the server. In particular, if that directory contains an index.php file,
+        # that file is correctly served; if it doesn't, then the request is passed to
+        # the front-end controller. This consistent behaviour means that we don't need
+        # to specify custom rules for certain paths (e.g. images and other assets,
+        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+        # `try_files $uri $uri/ /index.php$request_uri`
+        # always provides the desired behaviour.
+        index index.php index.html /index.php$request_uri;
+
+        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+        location = / {
+            if ( $http_user_agent ~ ^DavClnt ) {
+                return 302 /remote.php/webdav/$is_args$args;
+            }
+        }
+
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
+
+        # Make a regex exception for `/.well-known` so that clients can still
+        # access it despite the existence of the regex rule
+        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+        # for `/.well-known`.
+        location ^~ /.well-known {
+            # The rules in this block are an adaptation of the rules
+            # in `.htaccess` that concern `/.well-known`.
+
+            location = /.well-known/carddav { return 301 /remote.php/dav/; }
+            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+            # Let Nextcloud's API for `/.well-known` URIs handle all other
+            # requests by passing them to the front-end controller.
+            return 301 /index.php$request_uri;
+        }
+
+        # Rules borrowed from `.htaccess` to hide certain paths from clients
+        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+        # which handle static assets (as seen below). If this block is not declared first,
+        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+        # to the URI, resulting in a HTTP 500 error response.
+        location ~ \.php(?:$|/) {
+            # Required for legacy support
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+
+            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+            set $path_info $fastcgi_path_info;
+
+            try_files $fastcgi_script_name =404;
+
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $path_info;
+            #fastcgi_param HTTPS on;
+
+            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+            fastcgi_param front_controller_active true;     # Enable pretty urls
+            fastcgi_pass php-handler;
+
+            fastcgi_intercept_errors on;
+            fastcgi_request_buffering off;
+
+            fastcgi_max_temp_file_size 0;
+        }
+
+        # Serve static files
+        location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
+            try_files $uri /index.php$request_uri;
+            add_header Cache-Control "public, max-age=15778463$asset_immutable";
+            add_header Referrer-Policy                   "no-referrer"       always;
+            add_header X-Content-Type-Options            "nosniff"           always;
+            add_header X-Frame-Options                   "SAMEORIGIN"        always;
+            add_header X-Permitted-Cross-Domain-Policies "none"              always;
+            add_header X-Robots-Tag                      "noindex, nofollow" always;
+            add_header X-XSS-Protection                  "1; mode=block"     always;
+            access_log off;     # Optional: Don't log access to assets
+
+            location ~ \.wasm$ {
+                default_type application/wasm;
+            }
+        }
+
+        location ~ \.woff2?$ {
+            try_files $uri /index.php$request_uri;
+            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+            access_log off;     # Optional: Don't log access to assets
+        }
+
+        # Rule borrowed from `.htaccess`
+        location /remote {
+            return 301 /remote.php$request_uri;
+        }
+
+        location / {
+            try_files $uri $uri/ /index.php$request_uri;
+        }
+    }
+}
\ No newline at end of file
diff --git a/nextcloud/nginx4.conf b/nextcloud/nginx4.conf
new file mode 100644
index 0000000..55f059f
--- /dev/null
+++ b/nextcloud/nginx4.conf
@@ -0,0 +1,208 @@
+worker_processes auto;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    # Prevent nginx HTTP Server Detection
+    server_tokens   off;
+
+    keepalive_timeout  65;
+
+    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
+    map $arg_v $asset_immutable {
+        "" "";
+		default ", immutable";
+    }
+
+    #gzip  on;
+
+    upstream php-handler {
+        server nextcloud_app:9000;
+		#server 127.0.0.1:9000;
+		#server unix:/run/php/php8.2-fpm.sock;
+    }
+
+    server {
+        listen 80;
+		#listen [::]:80;
+		#server_name nextcloud.sthome.org;
+		
+        # HSTS settings
+        # WARNING: Only add the preload option once you read about
+        # the consequences in https://hstspreload.org/. This option
+        # will add the domain to a hardcoded list that is shipped
+        # in all major browsers and getting removed from this list
+        # could take several months.
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+
+        # set max upload size and increase upload timeout:
+        client_max_body_size 512M;
+        client_body_timeout 300s;
+        fastcgi_buffers 64 4K;
+
+        # The settings allows you to optimize the HTTP2 bandwidth.
+        # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+        # for tuning hints
+        client_body_buffer_size 512k;
+
+        # Enable gzip but do not remove ETag headers
+        gzip on;
+        gzip_vary on;
+        gzip_comp_level 4;
+        gzip_min_length 256;
+        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+        # Pagespeed is not supported by Nextcloud, so if your server is built
+        # with the `ngx_pagespeed` module, uncomment this line to disable it.
+        #pagespeed off;
+
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Referrer-Policy                      "no-referrer"       always;
+        add_header X-Content-Type-Options               "nosniff"           always;
+        add_header X-Frame-Options                      "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies    "none"              always;
+        add_header X-Robots-Tag                         "noindex, nofollow" always;
+        add_header X-XSS-Protection                     "1; mode=block"     always;
+
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
+        root /var/www/html;
+
+        # Specify how to handle directories -- specifying `/index.php$request_uri`
+        # here as the fallback means that Nginx always exhibits the desired behaviour
+        # when a client requests a path that corresponds to a directory that exists
+        # on the server. In particular, if that directory contains an index.php file,
+        # that file is correctly served; if it doesn't, then the request is passed to
+        # the front-end controller. This consistent behaviour means that we don't need
+        # to specify custom rules for certain paths (e.g. images and other assets,
+        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+        # `try_files $uri $uri/ /index.php$request_uri`
+        # always provides the desired behaviour.
+        index index.php index.html /index.php$request_uri;
+
+        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+        location = / {
+            if ( $http_user_agent ~ ^DavClnt ) {
+                return 302 /remote.php/webdav/$is_args$args;
+            }
+        }
+
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
+
+        # Make a regex exception for `/.well-known` so that clients can still
+        # access it despite the existence of the regex rule
+        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+        # for `/.well-known`.
+        location ^~ /.well-known {
+            # The rules in this block are an adaptation of the rules
+            # in `.htaccess` that concern `/.well-known`.
+
+            location = /.well-known/carddav { return 301 /remote.php/dav/; }
+            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+            # Let Nextcloud's API for `/.well-known` URIs handle all other
+            # requests by passing them to the front-end controller.
+            return 301 /index.php$request_uri;
+        }
+
+        # Rules borrowed from `.htaccess` to hide certain paths from clients
+        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+        # which handle static assets (as seen below). If this block is not declared first,
+        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+        # to the URI, resulting in a HTTP 500 error response.
+        location ~ \.php(?:$|/) {
+            # Required for legacy support
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+            set $path_info $fastcgi_path_info;
+
+            try_files $fastcgi_script_name =404;
+
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $path_info;
+            fastcgi_param HTTPS on;
+
+            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+            fastcgi_param front_controller_active true;     # Enable pretty urls
+            fastcgi_pass php-handler;
+
+            fastcgi_intercept_errors on;
+            fastcgi_request_buffering off;
+
+            fastcgi_max_temp_file_size 0;
+        }
+
+        # Javascript mimetype fixes for nginx
+        # Note: The block below should be removed, and the js|mjs section should be
+        # added to the block below this one. This is a temporary fix until Nginx 
+        # upstream fixes the js mime-type
+        location ~* \.(?:js|mjs)$ {
+            types { 
+                text/javascript js mjs;
+            } 
+            try_files $uri /index.php$request_uri;
+            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            access_log off;
+        }
+
+        # Serve static files
+        location ~ \.(?:css|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+            try_files $uri /index.php$request_uri;
+            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            access_log off;     # Optional: Don't log access to assets
+
+            location ~ \.wasm$ {
+                default_type application/wasm;
+            }
+        }
+
+        location ~ \.woff2?$ {
+            try_files $uri /index.php$request_uri;
+            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+            access_log off;     # Optional: Don't log access to assets
+        }
+
+        # Rule borrowed from `.htaccess`
+        location /remote {
+            return 301 /remote.php$request_uri;
+        }
+
+        location / {
+            try_files $uri $uri/ /index.php$request_uri;
+        }
+    }
+}
\ No newline at end of file
diff --git a/nextcloud/ssl intermediate config.txt b/nextcloud/ssl intermediate config.txt
new file mode 100644
index 0000000..d7996bf
--- /dev/null
+++ b/nextcloud/ssl intermediate config.txt	
@@ -0,0 +1,46 @@
+# generated 2024-12-09, Mozilla Guideline v5.7, nginx 1.27.3, OpenSSL 3.4.0, intermediate config
+# https://ssl-config.mozilla.org/#server=nginx&version=1.27.3&config=intermediate&openssl=3.4.0&guideline=5.7
+
+http {
+
+    server {
+        listen 443 ssl;
+        listen [::]:443 ssl;
+        http2 on;
+        ssl_certificate /path/to/signed_cert_plus_intermediates;
+        ssl_certificate_key /path/to/private_key;
+
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        add_header Strict-Transport-Security "max-age=63072000" always;
+    }
+    
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+
+    # intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_prefer_server_ciphers off;
+
+    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+    ssl_dhparam "/path/to/dhparam"
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+
+    # replace with the IP address of your resolver
+    resolver 127.0.0.1;
+
+    # HSTS
+    server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        return 301 https://$host$request_uri;
+    }
+}
diff --git a/nextcloud/ssl modern config b/nextcloud/ssl modern config
new file mode 100644
index 0000000..f53f962
--- /dev/null
+++ b/nextcloud/ssl modern config	
@@ -0,0 +1,42 @@
+# generated 2024-12-09, Mozilla Guideline v5.7, nginx 1.27.3, OpenSSL 3.4.0, modern config
+# https://ssl-config.mozilla.org/#server=nginx&version=1.27.3&config=modern&openssl=3.4.0&guideline=5.7
+
+http {
+
+    server {
+        listen 443 ssl;
+        listen [::]:443 ssl;
+        http2 on;
+        ssl_certificate /path/to/signed_cert_plus_intermediates;
+        ssl_certificate_key /path/to/private_key;
+
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        add_header Strict-Transport-Security "max-age=63072000" always;
+    }
+    
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+
+    # modern configuration
+    ssl_protocols TLSv1.3;
+    ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    ssl_prefer_server_ciphers off;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+
+    # replace with the IP address of your resolver
+    resolver 127.0.0.1;
+
+    # HSTS
+    server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        return 301 https://$host$request_uri;
+    }
+}
diff --git a/nextcloud/stacks/.env b/nextcloud/stacks/.env
new file mode 100644
index 0000000..503defb
--- /dev/null
+++ b/nextcloud/stacks/.env
@@ -0,0 +1,35 @@
+
+APPLICATION_NAME=nextcloud
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+BULKSTOREDIR=/mnt/stpool1/NData2/bulkstore
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+PUID=82 #33 #3048
+PGID=82 #33 #3047
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+WEBUI_PORT=80
+
+TRUSTED_DOMAINS="127.0.0.1 localhost nextcloud nextcloud-* *.sthome.org *.sthome.net *.sthome.lan onlyoffice.sthome.org"
+
+POSTGRES_DB_PORT=5432
+POSTGRES_DB_HOST=nextcloud_postgresql
+POSTGRES_DB_FILE=/run/secrets/nextcloud_postgresql_database
+POSTGRES_USER_FILE=/run/secrets/nextcloud_postgresql_username
+POSTGRES_PASSWORD_FILE=/run/secrets/nextcloud_postgresql_password
+
+REDIS_PORT=6379
+REDIS_HOST=nextcloud_redis
+REDIS_PASSWORD_FILE=/run/secrets/nextcloud_redis_password
+# redis does not support docker secrets, so we have to specify in clear text
+REDIS_PASSWORD=al4TzTOTYwM74Bj8XqVEQcriMo3ZDEQYcbGINBckvo5QIhRI0t
+
+JWT=sEknyxjVGK7PaDgOMsV8rsHc79A6frHp
+JWT_SECRET=sEknyxjVGK7PaDgOMsV8rsHc79A6frHp
diff --git a/nextcloud/stacks/.nextcloud.env b/nextcloud/stacks/.nextcloud.env
new file mode 100644
index 0000000..fb67e23
--- /dev/null
+++ b/nextcloud/stacks/.nextcloud.env
@@ -0,0 +1,28 @@
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+
+POSTGRES_HOST=${POSTGRES_DB_HOST}
+POSTGRES_DB_PORT=${POSTGRES_DB_PORT}
+POSTGRES_DB_FILE=${POSTGRES_DB_FILE}
+POSTGRES_USER_FILE=${POSTGRES_USER_FILE}
+POSTGRES_PASSWORD_FILE=${POSTGRES_PASSWORD_FILE}
+NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/nextcloud_admin_password
+NEXTCLOUD_ADMIN_USER_FILE=/run/secrets/nextcloud_admin_username
+
+REDIS_HOST=${REDIS_HOST}
+REDIS_HOST_PORT=${REDIS_PORT}
+REDIS_HOST_PASSWORD_FILE=${REDIS_PASSWORD_FILE}
+
+TRUSTED_PROXIES=10.255.224.0/20
+OVERWRITEHOST=nextcloud.sthome.org
+OVERWRITECLIURL=https://nextcloud.sthome.org
+
+NEXTCLOUD_TRUSTED_DOMAINS=${TRUSTED_DOMAINS}
+TRUSTED_DOMAINS=${TRUSTED_DOMAINS}
+
+JWT=${JWT}
+JWT_SECRET=${JWT_SECRET}
+
+NC_SETUP_CREATE_DB_USER=false
diff --git a/nextcloud/stacks/.nginx.env b/nextcloud/stacks/.nginx.env
new file mode 100644
index 0000000..54b846e
--- /dev/null
+++ b/nextcloud/stacks/.nginx.env
@@ -0,0 +1,5 @@
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+UMASK=0022
\ No newline at end of file
diff --git a/nextcloud/stacks/.postgresql.env b/nextcloud/stacks/.postgresql.env
new file mode 100644
index 0000000..57fa550
--- /dev/null
+++ b/nextcloud/stacks/.postgresql.env
@@ -0,0 +1,11 @@
+
+PUID=70
+PGID=70
+TZ=${TZ}
+
+DB_PORT=${POSTGRES_DB_PORT}
+POSTGRES_DB_FILE=${POSTGRES_DB_FILE}
+POSTGRES_USER_FILE=${POSTGRES_USER_FILE}
+POSTGRES_PASSWORD_FILE=${POSTGRES_PASSWORD_FILE}
+POSTGRES_HOST_AUTH_METHOD=trust   # WARNING: this enables trust for all connections
+
diff --git a/nextcloud/stacks/.redis.env b/nextcloud/stacks/.redis.env
new file mode 100644
index 0000000..b58830c
--- /dev/null
+++ b/nextcloud/stacks/.redis.env
@@ -0,0 +1,9 @@
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+
+REDIS_PORT=${REDIS_PORT}
+
+# redis does not support docker secrets
+#REDIS_PASSWORD_FILE=${REDIS_PASSWORD_FILE}
diff --git a/nextcloud/stacks/compose.yml b/nextcloud/stacks/compose.yml
new file mode 100644
index 0000000..427616c
--- /dev/null
+++ b/nextcloud/stacks/compose.yml
@@ -0,0 +1,147 @@
+# https://github.com/nextcloud/docker?tab=readme-ov-file#running-this-image-with-docker-compose
+# https://www.linuxbabe.com/redhat/install-nextcloud-rhel-8-centos-8-nginx-lemp
+
+name: nextcloud
+
+secrets:
+  nextcloud_postgresql_database:
+    file: ${SECRETSDIR}/nextcloud_postgresql_database
+  nextcloud_postgresql_password:
+    file: ${SECRETSDIR}/nextcloud_postgresql_password
+  nextcloud_postgresql_username:
+    file: ${SECRETSDIR}/nextcloud_postgresql_username
+  nextcloud_admin_password:
+    file: ${SECRETSDIR}/nextcloud_admin_password
+  nextcloud_admin_username:
+    file: ${SECRETSDIR}/nextcloud_admin_username
+  nextcloud_redis_password:
+    file: ${SECRETSDIR}/nextcloud_redis_password
+
+networks:
+  traefik-net:
+    external: true
+  postgres-net:
+    external: true
+#  backend:
+#    driver: bridge
+#    parent: eth1
+
+# This server has no working outgoing internet connection:
+# might need to emply firewall markings
+# https://stackoverflow.com/questions/51312310/connecting-to-hosts-secondary-ip-from-inside-docker-container/51312755#51312755
+# https://williamsbdev.com/posts/docker-connection-marking/
+services:
+  app:
+#    image: nextcloud:30.0.0-fpm
+    image: nextcloud:fpm-alpine
+    hostname: nextcloud_app
+    env_file: .nextcloud.env
+    restart: unless-stopped
+    depends_on:
+      postgresql:
+        condition: service_healthy
+      redis: 
+        condition: service_started
+    secrets:
+      - nextcloud_postgresql_database
+      - nextcloud_postgresql_password
+      - nextcloud_postgresql_username
+      - nextcloud_admin_username
+      - nextcloud_admin_password
+      - nextcloud_redis_password
+    volumes:
+      - "${DATADIR}/appdata:/var/www/html:rw,z"
+      - "${DATADIR}/custom_apps:/var/www/html/custom_apps"
+      - "${DATADIR}/config:/var/www/html/config"
+      - "${DATADIR}/themes:/var/www/html/themes"
+      - "${DATADIR}/nginx/ssl:/etc/ssl/nginx"
+      - "${BULKSTOREDIR}/data:/var/www/html/data"
+    networks:
+      - traefik-net
+      - postgres-net
+#      - backend
+    environment:
+      POSTGRES_DB_HOST: nextcloud_postgresql
+
+  web:
+    image: nginx
+    hostname: nextcloud
+    env_file: .nginx.env
+    restart: unless-stopped
+    links:
+      - app
+    volumes:
+      - "${STACKSDIR}/nginx.conf:/etc/nginx/nginx.conf:ro"
+    volumes_from:
+      - app
+    networks:
+#      backend:
+#        aliases: ["nextcloud_web"]
+      traefik-net: {}
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+
+# https://stackoverflow.com/questions/66738931/how-to-set-password-for-redis-server
+# I managed to set the password permanently for the default user. Adding these 2 parameters in the file "redis.conf" requirepass newpass123 masterauth newpass123 And in the file "sentinel.conf" sentinel auth-pass mymaster newpass123 Thanks – 
+#user14867757
+# CommentedMar 24, 2021 at 4:19
+  redis:
+    image: docker.io/library/redis:alpine
+    #command: --save 60 1 --loglevel warning 
+    command: sh -c "redis-server --requirepass ${REDIS_PASSWORD}"  && --save 60 1  && --loglevel warning
+    env_file: .redis.env
+    restart: unless-stopped
+    expose:
+      - ${REDIS_PORT}
+#    healthcheck:
+#      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+#      start_period: 20s
+#      interval: 30s
+#      retries: 5
+#      timeout: 3s
+    secrets:
+      - nextcloud_redis_password
+    networks:
+      postgres-net:
+        aliases: ["nextcloud_redis"]
+    volumes:
+      - "$DATADIR/redis/data:/data"
+      
+  postgresql:
+    image: postgres:16-alpine
+    hostname: nextcloud_postgresql
+    shm_size: 128mb
+    restart: unless-stopped
+    env_file: .postgresql.env
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    networks:
+      - postgres-net
+    secrets:
+      - nextcloud_postgresql_database
+      - nextcloud_postgresql_password
+      - nextcloud_postgresql_username
+    volumes:
+      - "${DATADIR}/pgdata:/var/lib/postgresql/data"
+      - "${DATADIR}/pgbackups:/mnt/backups"
\ No newline at end of file
diff --git a/nextcloud/stacks/nextcloud.conf b/nextcloud/stacks/nextcloud.conf
new file mode 100644
index 0000000..e3d947d
--- /dev/null
+++ b/nextcloud/stacks/nextcloud.conf
@@ -0,0 +1,157 @@
+# https://www.linuxbabe.com/redhat/install-nextcloud-rhel-8-centos-8-nginx-lemp
+
+worker_processes auto;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    # Prevent nginx HTTP Server Detection
+    server_tokens   off;
+
+    keepalive_timeout  65;
+
+    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
+    map $arg_v $asset_immutable {
+        "" "";
+		default "immutable";
+    }
+
+    #gzip  on;
+
+    upstream php-handler {
+        server nextcloud_app:9000;
+		#server 127.0.0.1:9000;
+		#server unix:/run/php/php8.2-fpm.sock;
+    }
+
+	server {
+		listen 80;
+		listen [::]:80;
+		#server_name nextcloud.sthome.org;
+
+		# Add headers to serve security related headers
+		add_header X-Content-Type-Options nosniff;
+		add_header X-XSS-Protection "1; mode=block";
+		add_header X-Robots-Tag none;
+		add_header X-Download-Options noopen;
+		add_header X-Permitted-Cross-Domain-Policies none;
+		add_header Referrer-Policy no-referrer;
+
+		#I found this header is needed on Debian/Ubuntu/CentOS/RHEL, but not on Arch Linux.
+		add_header X-Frame-Options "SAMEORIGIN";
+
+		# Path to the root of your installation
+		root /var/www/html;
+
+		access_log /var/log/nginx/nextcloud.access;
+		error_log /var/log/nginx/nextcloud.error;
+
+		location = /robots.txt {
+			allow all;
+			log_not_found off;
+			access_log off;
+		}
+
+		# The following 2 rules are only needed for the user_webfinger app.
+		# Uncomment it if you're planning to use this app.
+		#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+		#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
+		# last;
+
+		location = /.well-known/carddav {
+			return 301 $scheme://$host/remote.php/dav;
+		}
+		location = /.well-known/caldav {
+		   return 301 $scheme://$host/remote.php/dav;
+		}
+
+		location ~ /.well-known/acme-challenge {
+		  allow all;
+		}
+
+		# set max upload size
+		client_max_body_size 512M;
+		fastcgi_buffers 64 4K;
+
+		# Disable gzip to avoid the removal of the ETag header
+		gzip off;
+
+		# Uncomment if your server is build with the ngx_pagespeed module
+		# This module is currently not supported.
+		#pagespeed off;
+
+		error_page 403 /core/templates/403.php;
+		error_page 404 /core/templates/404.php;
+
+		location / {
+		   rewrite ^ /index.php;
+		}
+
+		location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+		   deny all;
+		}
+		location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+		   deny all;
+		 }
+
+		location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
+		   include fastcgi_params;
+		   fastcgi_split_path_info ^(.+\.php)(/.*)$;
+		   try_files $fastcgi_script_name =404;
+		   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		   fastcgi_param PATH_INFO $fastcgi_path_info;
+		   #Avoid sending the security headers twice
+		   fastcgi_param modHeadersAvailable true;
+		   fastcgi_param front_controller_active true;
+		   fastcgi_pass unix:/run/php-fpm/www.sock;
+		   fastcgi_intercept_errors on;
+		   fastcgi_request_buffering off;
+		}
+
+		location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+		   try_files $uri/ =404;
+		   index index.php;
+		}
+
+		# Adding the cache control header for js and css files
+		# Make sure it is BELOW the PHP block
+		location ~* \.(?:css|js)$ {
+			try_files $uri /index.php$uri$is_args$args;
+			add_header Cache-Control "public, max-age=7200";
+			# Add headers to serve security related headers (It is intended to
+			# have those duplicated to the ones above)
+			add_header X-Content-Type-Options nosniff;
+			add_header X-XSS-Protection "1; mode=block";
+			add_header X-Robots-Tag none;
+			add_header X-Download-Options noopen;
+			add_header X-Permitted-Cross-Domain-Policies none;
+			# Optional: Don't log access to assets
+			access_log off;
+	   }
+
+	   location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
+			try_files $uri /index.php$uri$is_args$args;
+			# Optional: Don't log access to other assets
+			access_log off;
+	   }
+	}
+}
\ No newline at end of file
diff --git a/nextcloud/stacks/nginx.conf b/nextcloud/stacks/nginx.conf
new file mode 100644
index 0000000..55f059f
--- /dev/null
+++ b/nextcloud/stacks/nginx.conf
@@ -0,0 +1,208 @@
+worker_processes auto;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    # Prevent nginx HTTP Server Detection
+    server_tokens   off;
+
+    keepalive_timeout  65;
+
+    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
+    map $arg_v $asset_immutable {
+        "" "";
+		default ", immutable";
+    }
+
+    #gzip  on;
+
+    upstream php-handler {
+        server nextcloud_app:9000;
+		#server 127.0.0.1:9000;
+		#server unix:/run/php/php8.2-fpm.sock;
+    }
+
+    server {
+        listen 80;
+		#listen [::]:80;
+		#server_name nextcloud.sthome.org;
+		
+        # HSTS settings
+        # WARNING: Only add the preload option once you read about
+        # the consequences in https://hstspreload.org/. This option
+        # will add the domain to a hardcoded list that is shipped
+        # in all major browsers and getting removed from this list
+        # could take several months.
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+
+        # set max upload size and increase upload timeout:
+        client_max_body_size 512M;
+        client_body_timeout 300s;
+        fastcgi_buffers 64 4K;
+
+        # The settings allows you to optimize the HTTP2 bandwidth.
+        # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+        # for tuning hints
+        client_body_buffer_size 512k;
+
+        # Enable gzip but do not remove ETag headers
+        gzip on;
+        gzip_vary on;
+        gzip_comp_level 4;
+        gzip_min_length 256;
+        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+        # Pagespeed is not supported by Nextcloud, so if your server is built
+        # with the `ngx_pagespeed` module, uncomment this line to disable it.
+        #pagespeed off;
+
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Referrer-Policy                      "no-referrer"       always;
+        add_header X-Content-Type-Options               "nosniff"           always;
+        add_header X-Frame-Options                      "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies    "none"              always;
+        add_header X-Robots-Tag                         "noindex, nofollow" always;
+        add_header X-XSS-Protection                     "1; mode=block"     always;
+
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
+        root /var/www/html;
+
+        # Specify how to handle directories -- specifying `/index.php$request_uri`
+        # here as the fallback means that Nginx always exhibits the desired behaviour
+        # when a client requests a path that corresponds to a directory that exists
+        # on the server. In particular, if that directory contains an index.php file,
+        # that file is correctly served; if it doesn't, then the request is passed to
+        # the front-end controller. This consistent behaviour means that we don't need
+        # to specify custom rules for certain paths (e.g. images and other assets,
+        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+        # `try_files $uri $uri/ /index.php$request_uri`
+        # always provides the desired behaviour.
+        index index.php index.html /index.php$request_uri;
+
+        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+        location = / {
+            if ( $http_user_agent ~ ^DavClnt ) {
+                return 302 /remote.php/webdav/$is_args$args;
+            }
+        }
+
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
+
+        # Make a regex exception for `/.well-known` so that clients can still
+        # access it despite the existence of the regex rule
+        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+        # for `/.well-known`.
+        location ^~ /.well-known {
+            # The rules in this block are an adaptation of the rules
+            # in `.htaccess` that concern `/.well-known`.
+
+            location = /.well-known/carddav { return 301 /remote.php/dav/; }
+            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+            # Let Nextcloud's API for `/.well-known` URIs handle all other
+            # requests by passing them to the front-end controller.
+            return 301 /index.php$request_uri;
+        }
+
+        # Rules borrowed from `.htaccess` to hide certain paths from clients
+        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+        # which handle static assets (as seen below). If this block is not declared first,
+        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+        # to the URI, resulting in a HTTP 500 error response.
+        location ~ \.php(?:$|/) {
+            # Required for legacy support
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+            set $path_info $fastcgi_path_info;
+
+            try_files $fastcgi_script_name =404;
+
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $path_info;
+            fastcgi_param HTTPS on;
+
+            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+            fastcgi_param front_controller_active true;     # Enable pretty urls
+            fastcgi_pass php-handler;
+
+            fastcgi_intercept_errors on;
+            fastcgi_request_buffering off;
+
+            fastcgi_max_temp_file_size 0;
+        }
+
+        # Javascript mimetype fixes for nginx
+        # Note: The block below should be removed, and the js|mjs section should be
+        # added to the block below this one. This is a temporary fix until Nginx 
+        # upstream fixes the js mime-type
+        location ~* \.(?:js|mjs)$ {
+            types { 
+                text/javascript js mjs;
+            } 
+            try_files $uri /index.php$request_uri;
+            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            access_log off;
+        }
+
+        # Serve static files
+        location ~ \.(?:css|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+            try_files $uri /index.php$request_uri;
+            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            access_log off;     # Optional: Don't log access to assets
+
+            location ~ \.wasm$ {
+                default_type application/wasm;
+            }
+        }
+
+        location ~ \.woff2?$ {
+            try_files $uri /index.php$request_uri;
+            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+            access_log off;     # Optional: Don't log access to assets
+        }
+
+        # Rule borrowed from `.htaccess`
+        location /remote {
+            return 301 /remote.php$request_uri;
+        }
+
+        location / {
+            try_files $uri $uri/ /index.php$request_uri;
+        }
+    }
+}
\ No newline at end of file
diff --git a/onlyoffice/Docker-DocumentServer b/onlyoffice/Docker-DocumentServer
new file mode 160000
index 0000000..aeba194
--- /dev/null
+++ b/onlyoffice/Docker-DocumentServer
@@ -0,0 +1 @@
+Subproject commit aeba194cf1d512b4dee2133d6420d213ca366085
diff --git a/onlyoffice/onlyoffice_jm.txt b/onlyoffice/onlyoffice_jm.txt
new file mode 100644
index 0000000..e1e7e30
--- /dev/null
+++ b/onlyoffice/onlyoffice_jm.txt
@@ -0,0 +1,165 @@
+# https://github.com/ONLYOFFICE/Docker-documentserver/blob/master/README.md
+# https://hub.docker.com/r/onlyoffice/documentserver
+# https://github.com/ONLYOFFICE/Docker-documentserver
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: onlyoffice
+Username: onlyoff
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <select>
+Primary Group: onlyoff
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+onlyoff UID: 3049
+onlyoff GID: 3048
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*onlyoffice"
+zfs list | grep -i "NData2.*onlyoffice"
+# create following datasets if not present
+zfs create SSD1/docker/data/onlyoffice
+zfs create SSD1/docker/data/onlyoffice/communityserver
+zfs create SSD1/docker/data/onlyoffice/documentserver
+zfs create SSD1/docker/data/onlyoffice/mailserver
+zfs create SSD1/docker/data/onlyoffice/rabbitmq
+zfs create SSD1/docker/data/onlyoffice/redis
+zfs create SSD1/docker/data/onlyoffice/communityserver/letsencrypt
+zfs create SSD1/docker/data/onlyoffice/communityserver/logs
+zfs create SSD1/docker/data/onlyoffice/communityserver/data
+zfs create SSD1/docker/data/onlyoffice/documentserver/logs
+zfs create SSD1/docker/data/onlyoffice/documentserver/data
+zfs create SSD1/docker/data/onlyoffice/documentserver/lib
+zfs create SSD1/docker/data/onlyoffice/mailserver/logs
+zfs create SSD1/docker/data/onlyoffice/mailserver/data
+zfs create SSD1/docker/data/onlyoffice/pgdata
+zfs create SSD1/docker/data/onlyoffice/pgbackups
+zfs create SSD1/docker/data/onlyoffice/mysqldata
+zfs create stpool1/NData2/bulkstore
+zfs create stpool1/NData2/bulkstore/onlyoffice
+zfs create stpool1/NData2/bulkstore/onlyoffice/mailserver
+zfs create stpool1/NData2/bulkstore/onlyoffice/mailserver/data
+chown -R onlyoff:onlyoff /mnt/SSD1/docker/data/onlyoffice
+chown -R postgres:postgres /mnt/SSD1/docker/data/onlyoffice/pgdata
+chown -R postgres:postgres /mnt/SSD1/docker/data/onlyoffice/pgbackups
+chown -R onlyoff:onlyoff /mnt/SSD1/docker/data/onlyoffice/mysqldata
+chown -R onlyoff:onlyoff /mnt/stpool1/NData2/bulkstore/onlyoffice
+
+Create secrets folder
+---------------------
+mkdir -p /mnt/SSD1/docker/stacks/onlyoffice/secrets
+mkdir /mnt/SSD1/docker/data/onlyoffice/redis/data
+
+Create folders
+--------------
+mkdir /mnt/SSD1/docker/data/onlyoffice/documentserver/data/certs
+mkdir /mnt/SSD1/docker/data/onlyoffice/documentserver/public
+mkdir /mnt/SSD1/docker/data/onlyoffice/documentserver/fonts
+mkdir /mnt/SSD1/docker/data/onlyoffice/mailserver/data/certs
+chown onlyoff:onlyoff /mnt/SSD1/docker/data/onlyoffice/documentserver/data
+chown onlyoff:onlyoff /mnt/SSD1/docker/data/onlyoffice/documentserver/public
+chown onlyoff:onlyoff /mnt/SSD1/docker/data/onlyoffice/documentserver/fonts
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in onlyoffice folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/onlyoffice/
+
+Create secrets
+--------------
+# In Truenas shell:
+cd /mnt/SSD1/docker/stacks/onlyoffice/secrets
+echo -n $(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 32) > /mnt/SSD1/docker/stacks/onlyoffice/secrets/onlyoffice_jwt_secret
+echo -n 'your_postgresql_database_name' > /mnt/SSD1/docker/stacks/onlyoffice/secrets/onlyoffice_postgresql_database
+echo -n 'your_postgresql_username' > /mnt/SSD1/docker/stacks/onlyoffice/secrets/onlyoffice_postgresql_username
+openssl rand 36 | base64 -w 0 > /mnt/SSD1/docker/stacks/onlyoffice/secrets/onlyoffice_postgresql_password
+openssl rand 64 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' | cut -c -50  | tr -d '\n' > /mnt/SSD1/docker/stacks/onlyoffice/secrets/onlyoffice_redis_password
+openssl rand 48 | base64 -w 0 > /mnt/SSD1/docker/stacks/onlyoffice/secrets/onlyoffice_mysql_rootpassword
+openssl rand 36 | base64 -w 0 > /mnt/SSD1/docker/stacks/onlyoffice/secrets/onlyoffice_mysql_password
+openssl rand 36 | base64 -w 0 > /mnt/SSD1/docker/stacks/onlyoffice/secrets/onlyoffice_mysql_mailpassword
+# restrict access
+chown -R onlyoff:onlyoff /mnt/SSD1/docker/stacks/onlyoffice/secrets/
+chmod -R 400 /mnt/SSD1/docker/stacks/onlyoffice/secrets/
+# read existing acl permissions, if any
+getfacl /mnt/SSD1/docker/stacks/onlyoffice/secrets
+# set acl permissions
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/onlyoffice/secrets
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/onlyoffice/secrets/onlyoffice_postgresql_password
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/onlyoffice/secrets/onlyoffice_postgresql_username
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/onlyoffice/secrets/onlyoffice_postgresql_database
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+# to list secrets in secrets dir
+cd /mnt/SSD1/docker/stacks/onlyoffice/secrets
+for i in $(ls -1); do echo $i = `cat $i`; done | sort
+
+Backup onlyoffice database
+-------------------------- 
+# In truenas shell:
+mkdir /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+chown pgadmin:pgadmin /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+# Using browser, log in to pgAdmin on truenas
+# Connect to servers; refer to "connecting to servers.txt", which also explains how to obtain db passwords
+# To perform plain text backup:
+# Navigate to Servers => onlyoffice -> Databases -> onlyoffice
+# Right click on onlyoffice database and select Backup...
+# Enter the following on the different tabs of dialog box that opened:
+General:
+# Replace ##### with date in YYYY-MM-DD format when backup is being made
+Filename: /#####/onlyoffice-backup.sql (this maps to: /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/#####/onlyoffice-backup.sql on truenas)
+# Or click on folder icon and navigate to the folder that was created above. Enter onlyoffice-backup.sql in Save As field, then click on Create
+Format: Plain
+Encoding: UTF8
+Role name: onlyoffice
+Data Options:
+Sections:
+Pre-data: <select>
+Data: <select>
+Post-data: <select>
+Objects:
+Check public to select all objects
+Click Backup
+# After backup, verify presence of backup file:
+ls -al /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+# copy backup file(s) to onlyoffice backups folder, replacing $(date -I) with date when backup was made if not today
+mkdir /mnt/SSD1/docker/data/onlyoffice/documentserver/pgbackups/$(date -I)/
+cp -vr /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)/onlyoffice-backup.sql /mnt/SSD1/docker/data/onlyoffice/documentserver/pgbackups/$(date -I)/ 
+chown -R pguser:pguser /mnt/SSD1/docker/data/onlyoffice/documentserver/pgbackups/
+
+Migrating database
+------------------
+# In truenas shell
+jlmkr shell docker
+cd /opt/stacks/onlyoffice
+docker compose down
+# remove all files/folders from pgdata; if any are already in this folder with data to be retained, move it to another folder before executing next command
+rm -r /mnt/data/onlyoffice/documentserver/pgdata/*
+docker compose up -d
+# get the container names
+docker ps
+# After successfull startup of documentserver and postgres, stop documentserver from docker cmd line
+docker stop onlyoffice-documentserver-1   
+docker exec onlyoffice-postgresql-1 psql -U <your_db_user> -d postgres -c "DROP DATABASE \"<your_db_name>\";"
+docker exec onlyoffice-postgresql-1 psql -U <your_db_user> -d postgres -c "CREATE DATABASE \"<your_db_name>\";"
+docker exec onlyoffice-postgresql-1 psql -U <your_db_user> -d <your_db_name> -f /mnt/backups/$(date -I)/onlyoffice-backup.sql   # replace $(date -I) with the appropriate date
+docker stop onlyoffice-documentserver-1  
+
+Stop truenas onlyoffice
+---------------------------
+# In truenas shell
+heavyscript app --stop onlyoffice
+# NB: Do NOT stop onlyoffice with truenas gui
+
+If you need to log into db
+--------------------------
+docker exec -it onlyoffice_postgresql bash
+psql -U <your_db_user> -d <your_db_name>
diff --git a/onlyoffice/stacks/.communityserver.env b/onlyoffice/stacks/.communityserver.env
new file mode 100644
index 0000000..131f179
--- /dev/null
+++ b/onlyoffice/stacks/.communityserver.env
@@ -0,0 +1,24 @@
+#
+# environment variables for communityserver
+# 
+PUID=${PUID}
+PGID=${PUID}
+TZ=${TZ}
+PORT=${WEBUI_PORT} #80
+
+MYSQL_SERVER_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
+MYSQL_SERVER_DB_NAME=${MYSQL_DB_NAME}
+MYSQL_SERVER_USER=${MYSQL_USER}
+MYSQL_SERVER_PASS=${MYSQL_PASSWORD}
+MAIL_SERVER_API_HOST=${MAIL_SERVER_IP}
+MAIL_SERVER_DB_NAME=${MAIL_SERVER_DB_NAME}
+MAIL_SERVER_DB_PORT=${MYSQL_PORT}
+MAIL_SERVER_DB_USER=${MYSQL_ROOT_USER}
+MAIL_SERVER_DB_PASS=${MAIL_SERVER_DB_PASS}
+
+DOCUMENT_SERVER_JWT_ENABLED=${JWT_ENABLED}
+DOCUMENT_SERVER_JWT_SECRET=${JWT_SECRET}
+DOCUMENT_SERVER_JWT_HEADER=${DOCUMENT_SERVER_JWT_HEADER}
+
+# https://github.com/thomisus/Docker-DocumentServer/pkgs/container/onlyoffice-documentserver-unlimited#installing-mysql
+# https://medium.com/@chrischuck35/how-to-create-a-mysql-instance-with-docker-compose-1598f3cc1bee
\ No newline at end of file
diff --git a/onlyoffice/stacks/.documentserver.env b/onlyoffice/stacks/.documentserver.env
new file mode 100644
index 0000000..7b91a30
--- /dev/null
+++ b/onlyoffice/stacks/.documentserver.env
@@ -0,0 +1,114 @@
+#
+# environment variables for documentserver
+# 
+PUID=${PUID}
+PGID=${PUID}
+TZ=${TZ}
+PORT=${WEBUI_PORT} #80
+
+# Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to true.
+ONLYOFFICE_HTTPS_HSTS_ENABLED=
+
+# Advanced configuration option for setting the HSTS max-age in the onlyoffice nginx vHost configuration. Applicable only when SSL is in use. Defaults to 31536000.
+ONLYOFFICE_HTTPS_HSTS_MAXAGE=
+
+# The path to the SSL certificate to use. Defaults to /var/www/onlyoffice/Data/certs/tls.crt.
+SSL_CERTIFICATE_PATH=
+
+# The path to the SSL certificate's private key. Defaults to /var/www/onlyoffice/Data/certs/tls.key.
+SSL_KEY_PATH=
+
+# The path to the Diffie-Hellman parameter. Defaults to /var/www/onlyoffice/Data/certs/dhparam.pem.
+SSL_DHPARAM_PATH=
+
+# Enable verification of client certificates using the CA_CERTIFICATES_PATH file. Defaults to false
+SSL_VERIFY_CLIENT=
+
+# The NODE_EXTRA_CA_CERTS to extend CAs with the extra certificates for Node.js. Defaults to /var/www/onlyoffice/Data/certs/extra-ca-certs.pem.
+NODE_EXTRA_CA_CERTS=
+
+# The database type. Supported values are postgres, mariadb, mysql, mssql or oracle. Defaults to postgres.
+DB_TYPE=postgres
+
+# The database server port number.
+DB_PORT=${POSTGRES_PORT}
+
+# The name of a database to use. Should be existing on container startup.
+# DB_NAME_FILE=${POSTGRES_DB_FILE}
+DB_NAME=${POSTGRES_DB}
+
+# The new user name with superuser permissions for the database account.
+# DB_USER_FILE=${POSTGRES_USER_FILE}
+DB_USER=${POSTGRES_USER}
+
+# The password set for the database account.
+# DB_PWD_FILE=${POSTGRES_PASSWORD_FILE}
+DB_PWD=${POSTGRES_PASSWORD}
+
+# The message broker type. Supported values are rabbitmq or activemq. Defaults to rabbitmq.
+AMQP_TYPE=rabbitmq
+
+# The Redis server port number.
+REDIS_SERVER_PORT=${REDIS_PORT}
+
+# The Redis server password. The password is not set by default.
+REDIS_SERVER_PASS=${REDIS_PASSWORD}
+
+# Defines the number of nginx worker processes.
+NGINX_WORKER_PROCESSES=
+
+# Sets the maximum number of simultaneous connections that can be opened by a nginx worker process.
+NGINX_WORKER_CONNECTIONS=
+
+# Defines secret for the nginx config directive secure_link_md5. Defaults to random string.
+SECURE_LINK_SECRET=
+
+# Specifies the enabling the JSON Web Token validation by the ONLYOFFICE Document Server. Defaults to true.
+JWT_ENABLED=${JWT_ENABLED}
+
+# Defines the secret key to validate the JSON Web Token in the request to the ONLYOFFICE Document Server. Defaults to random value.
+JWT_SECRET=${JWT_SECRET}
+
+# Defines the http header that will be used to send the JSON Web Token. Defaults to Authorization.
+JWT_HEADER=${JWT_HEADER}
+
+# Specifies the enabling the token validation in the request body to the ONLYOFFICE Document Server. Defaults to false.
+JWT_IN_BODY=true
+
+# Specifies the enabling the wopi handlers. Defaults to false.
+WOPI_ENABLED=
+
+# Defines if it is allowed to connect meta IP address or not. Defaults to false.
+ALLOW_META_IP_ADDRESS=
+
+# Defines if it is allowed to connect private IP address or not. Defaults to false.
+ALLOW_PRIVATE_IP_ADDRESS=
+
+# Set to trueif using selfsigned certificates for your storage server e.g. Nextcloud. Defaults to false
+USE_UNAUTHORIZED_STORAGE=
+
+# When 'true' regenerates fonts list and the fonts thumbnails etc. at each start. Defaults to true
+GENERATE_FONTS=
+
+# Specifies the enabling StatsD for ONLYOFFICE Document Server. Defaults to false.
+METRICS_ENABLED=
+
+# Defines StatsD listening host. Defaults to localhost.
+METRICS_HOST=
+
+# Defines StatsD listening port. Defaults to 8125.
+METRICS_PORT=
+
+# Defines StatsD metrics prefix for backend services. Defaults to ds..
+METRICS_PREFIX=
+
+# Defines the domain for Let's Encrypt certificate.
+LETS_ENCRYPT_DOMAIN=${CERT_LETS_ENCRYPT_DOMAIN}
+
+# Defines the domain administator mail address for Let's Encrypt certificate.
+LETS_ENCRYPT_MAIL=${CERT_LETS_ENCRYPT_MAIL}
+
+# Defines whether to enable default plugins. Defaults to false.
+PLUGINS_ENABLED=
+
+
diff --git a/onlyoffice/stacks/.env b/onlyoffice/stacks/.env
new file mode 100644
index 0000000..eda4c46
--- /dev/null
+++ b/onlyoffice/stacks/.env
@@ -0,0 +1,64 @@
+#
+# values to be used for substitution by docker compose in compose.yml AND .*.env files
+#
+APPLICATION_NAME=onlyoffice
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+BULKSTOREDIR=/mnt/stpool1/NData2/bulkstore
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+DOMAINNAME=sthome.org
+BULKSTORE=/mnt/bulkstore/onlyoffice
+
+PUID=3049
+PGID=3048
+TZ=Africa/Johannesburg
+WEBUI_PORT=80
+MAIL_SERVER_IP=10.0.0.61
+
+CERT_LETS_ENCRYPT_DOMAIN=onlyoffice.sthome.org
+CERT_LETS_ENCRYPT_MAIL=stuurmcp@telkomsa.net
+
+#
+# Generate DB_PASSWORD with:
+# openssl rand 36 | base64 -w 0 > /mnt/SSD1/docker/stacks/onlyoffice/secrets/onlyoffice_postgresql_password
+
+POSTGRES_PORT=5432
+POSTGRES_DB_FILE=/run/secrets/onlyoffice_postgresql_database
+POSTGRES_USER_FILE=/run/secrets/onlyoffice_postgresql_username
+POSTGRES_PASSWORD_FILE=/run/secrets/onlyoffice_postgresql_password
+# onlyoffice does not support docker secrets, so we have to specify in clear text
+POSTGRES_USER=onlyoffice
+POSTGRES_DB=onlyoffice
+POSTGRES_PASSWORD=zHLIEq8fJu6qlDRIb0bDkv3QNR6fET7ywRwgDeZa53Q0AEvV
+
+MYSQL_PORT=3306
+MYSQL_ROOT_USER=root
+MYSQL_USER=onlyoffice
+MYSQL_DB_NAME=onlyoffice
+MYSQL_PASSWORD=vOVHV7wfuAj4QzzLFbolntWf0Io+CmxoKp2KAMFlw2tYQ8z7
+MYSQL_ROOT_PASSWORD=du4WD8y+sqbPeJgkqbl6c4zf179fRtEHFW8lTm58UPVE6Abn8gkarkTSvIPyUJsD
+
+MAIL_SERVER_DB_NAME=onlyoffice-mailserver
+MAIL_SERVER_DB_PASS=WNnqrayLW/nFsFEjN1fVeqSvrmwABK+vGACeXhVlFRS47oQI
+MAIL_SERVER_API_HOST=${MAIL_SERVER_IP}
+
+REDIS_PORT=6379
+REDIS_PASSWORD_FILE=/run/secrets/onlyoffice_redis_password
+# redis does not support docker secrets, so we have to specify in clear text
+REDIS_PASSWORD=uLlXF7byd9BcXcKRX63b928lnkDmYFUnamtnaPWCsdaWAWieTH
+ 
+JWT_ENABLED=true
+JWT_HEADER=Authorization
+DOCUMENT_SERVER_JWT_HEADER=AuthorizationJwt
+# Generate JWT_SECRET with:
+# echo -n $(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 32) > /mnt/SSD1/docker/stacks/onlyoffice/secrets/onlyoffice_jwt_secret
+JWT_SECRET_FILE=/run/secrets/onlyoffice_jwt_secret    # we leave this in case onlyoffice supports docker secrets in future
+# onlyoffice does not support docker secrets, so we have to specify in clear text
+JWT_SECRET=sEknyxjVGK7PaDgOMsV8rsHc79A6frHp
diff --git a/onlyoffice/stacks/.mailserver.env b/onlyoffice/stacks/.mailserver.env
new file mode 100644
index 0000000..80b441f
--- /dev/null
+++ b/onlyoffice/stacks/.mailserver.env
@@ -0,0 +1,13 @@
+#
+# environment variables for mailserver
+# 
+PUID=${PUID}
+PGID=${PUID}
+TZ=${TZ}
+PORT=${WEBUI_PORT} #80
+
+MYSQL_SERVER_PORT=${MYSQL_PORT}
+MYSQL_ROOT_USER=${MYSQL_ROOT_USER}
+MYSQL_ROOT_PASSWD=${MYSQL_ROOT_PASSWORD}
+MYSQL_SERVER_DB_NAME=${MYSQL_DB_NAME}
+# MYSQL_PASS=${MYSQL_PASSWORD}
diff --git a/onlyoffice/stacks/.mysql.env b/onlyoffice/stacks/.mysql.env
new file mode 100644
index 0000000..a5cb54e
--- /dev/null
+++ b/onlyoffice/stacks/.mysql.env
@@ -0,0 +1,10 @@
+
+PUID=${PUID}
+PGID=${PUID}
+TZ=${TZ}
+PORT=${WEBUI_PORT} #80
+
+# MYSQL_DATABASE='db'
+# MYSQL_USER='user'
+MYSQL_PASSWORD=$MYSQL_PASSWORD}
+MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
\ No newline at end of file
diff --git a/onlyoffice/stacks/.postgresql.env b/onlyoffice/stacks/.postgresql.env
new file mode 100644
index 0000000..5eef283
--- /dev/null
+++ b/onlyoffice/stacks/.postgresql.env
@@ -0,0 +1,10 @@
+
+PUID=70
+PGID=70
+TZ=${TZ}
+
+DB_PORT=${POSTGRES_PORT}
+POSTGRES_DB_FILE=${POSTGRES_DB_FILE}
+POSTGRES_USER_FILE=${POSTGRES_USER_FILE}
+POSTGRES_PASSWORD_FILE=${POSTGRES_PASSWORD_FILE}
+POSTGRES_HOST_AUTH_METHOD=scram-sha-256   # WARNING: setting this to "trust" will allow logins without password for all connections
diff --git a/onlyoffice/stacks/.redis.env b/onlyoffice/stacks/.redis.env
new file mode 100644
index 0000000..b58830c
--- /dev/null
+++ b/onlyoffice/stacks/.redis.env
@@ -0,0 +1,9 @@
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+
+REDIS_PORT=${REDIS_PORT}
+
+# redis does not support docker secrets
+#REDIS_PASSWORD_FILE=${REDIS_PASSWORD_FILE}
diff --git a/onlyoffice/stacks/compose.yml b/onlyoffice/stacks/compose.yml
new file mode 100644
index 0000000..a1ff522
--- /dev/null
+++ b/onlyoffice/stacks/compose.yml
@@ -0,0 +1,239 @@
+# before stopping only-office execute:
+# docker exec <CONTAINER> documentserver-prepare4shutdown.sh
+#
+# https://gist.github.com/kvaps/6ac945e6c2e2e41bd536b7486a7dea4a
+
+name: onlyoffice
+
+secrets:
+  onlyoffice_postgresql_database:
+    file: ${SECRETSDIR}/onlyoffice_postgresql_database
+  onlyoffice_postgresql_password:
+    file: ${SECRETSDIR}/onlyoffice_postgresql_password
+  onlyoffice_postgresql_username:
+    file: ${SECRETSDIR}/onlyoffice_postgresql_username
+  onlyoffice_jwt_secret:
+    file: ${SECRETSDIR}/onlyoffice_jwt_secret
+  onlyoffice_redis_password:
+    file: ${SECRETSDIR}/onlyoffice_redis_password
+
+networks:
+  traefik-net:
+    external: true
+  postgres-net:
+    external: true
+  backend:
+    name: onlyoffice-net
+    driver: bridge
+    driver_opts:
+      com.docker.network.bridge.name: "br-onlyoffice"
+
+services:
+  documentserver:
+    image: "onlyoffice/documentserver:latest"
+    hostname: onlyoffice_documentserver
+    env_file: .documentserver.env
+    privileged: true
+    stdin_open: true
+    tty: true
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /run/dbus:/run/dbus:ro
+      - "${DATADIR}/redis:/var/lib/redis"
+      - "${DATADIR}/rabbitmq:/var/lib/rabbitmq"
+      - "${DATADIR}/pgdata:/var/lib/postgresql"
+      - "${DATADIR}/documentserver/logs:/var/log/onlyoffice"
+      - "${DATADIR}/documentserver/data:/var/www/onlyoffice/Data"
+      - "${DATADIR}/documentserver/lib:/var/lib/onlyoffice"
+#      - "${DATADIR}/documentserver/public:/var/www/onlyoffice/documentserver-example/public/files"
+#      - "${DATADIR}/documentserver/fonts:/usr/share/fonts"
+    networks:
+      - traefik-net
+      - backend
+      - postgres-net
+    secrets:
+      - onlyoffice_postgresql_database
+      - onlyoffice_postgresql_password
+      - onlyoffice_postgresql_username
+      - onlyoffice_jwt_secret
+      - onlyoffice_redis_password
+    environment:
+      # The IP address or the name of the host where the database server is running.
+      DB_HOST: onlyoffice_postgresql
+      # The IP address or the name of the host where the Redis server is running.
+      REDIS_SERVER_HOST: onlyoffice_rabbitmq
+      # The AMQP URI to connect to message broker server.
+      AMQP_URI: amqp://guest:guest@onlyoffice_rabbitmq
+    depends_on:
+      postgresql:
+        condition: service_healthy
+      rabbitmq:
+        condition: service_healthy
+      redis: 
+        condition: service_started
+    restart: unless-stopped
+    stop_grace_period: 60s
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      - "traefik.http.middlewares.onlyoffice_documentserver-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.onlyoffice_documentserver-https-redirect.redirectscheme.permanent=true"
+      #
+      - "traefik.http.services.onlyoffice_documentserver-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      - "traefik.http.routers.onlyoffice_documentserver-rtr.entrypoints=web"
+      - "traefik.http.routers.onlyoffice_documentserver-rtr.rule=Host(`onlyoffice.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.onlyoffice_documentserver-rtr.middlewares=onlyoffice_documentserver-https-redirect"
+      - "traefik.http.routers.onlyoffice_documentserver-rtr.service=onlyoffice_documentserver-svc"
+      #
+      - "traefik.http.routers.onlyoffice_documentserver-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.onlyoffice_documentserver-secure-rtr.rule=Host(`onlyoffice.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.onlyoffice_documentserver-secure-rtr.tls=true"
+      - "traefik.http.routers.onlyoffice_documentserver-secure-rtr.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.onlyoffice_documentserver-secure-rtr.service=onlyoffice_documentserver-svc"
+
+  rabbitmq:
+    image: rabbitmq
+    restart: unless-stopped
+    healthcheck:
+      test: rabbitmq-diagnostics -q ping
+      interval: 30s
+      timeout: 30s
+      retries: 3
+    networks:
+      backend:
+          aliases: ["onlyoffice_rabbitmq"]
+
+# https://stackoverflow.com/questions/66738931/how-to-set-password-for-redis-server
+# I managed to set the password permanently for the default user. Adding these 2 parameters in the file "redis.conf" requirepass newpass123 masterauth newpass123 And in the file "sentinel.conf" sentinel auth-pass mymaster newpass123 Thanks – 
+#user14867757
+# CommentedMar 24, 2021 at 4:19
+  redis:
+    image: docker.io/library/redis:alpine
+    #command: --save 60 1 --loglevel warning 
+    command: sh -c "redis-server --requirepass ${REDIS_PASSWORD}"  && --save 60 1  && --loglevel warning
+    env_file: .redis.env
+    restart: unless-stopped
+    expose:
+      - ${REDIS_PORT}
+#    healthcheck:
+#      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+#      start_period: 20s
+#      interval: 30s
+#      retries: 5
+#      timeout: 3s
+    secrets:
+      - onlyoffice_redis_password
+    networks:
+      backend:
+        aliases: ["onlyoffice_redis"]
+    volumes:
+      - "$DATADIR/redis/data:/data"
+
+#  mailserver:
+#    init: true
+#    hostname: "mail.${DOMAINNAME}"
+#    image: onlyoffice/mailserver
+#    env_file: .mailserver.env
+#    networks:
+#      backend:
+#        aliases: ["onlyoffice_mailserver"]
+#    privileged: true
+#    stdin_open: true
+#    tty: true
+#    restart: always
+#    ports:
+#      - 25:25
+#      - 143:143
+#      - 587:587
+#    environment:
+#      MYSQL_SERVER: onlyoffice_mysql
+#    volumes:
+#      - "${BULKSTORE}/mailserver/data:/var/vmail"
+#      - "${DATADIR}/mailserver/data/certs:/etc/pki/tls/mailserver"
+#      - "${DATADIR}/mailserver/logs:/var/log"
+#    
+#  communityserver:
+#    image: onlyoffice/communityserver
+#    env_file: .communityserver.env
+#    networks:
+#      backend:
+#        aliases: ["onlyoffice_communityserver"]
+#    stdin_open: true
+#    tty: true
+#    privileged: true
+#    restart: always
+##    ports:
+##      - 80:80
+##      - 443:443
+##      - 5222:5222
+#    cgroup: host
+#    environment:
+#      MYSQL_SERVER_HOST: onlyoffice_mysql
+#      MAIL_SERVER_DB_HOST: onlyoffice_mysql
+#      DOCUMENT_SERVER_PORT_80_TCP_ADDR: onlyoffice_documentserver
+#    volumes:
+#      - "${DATADIR}/communityserver/data:/var/www/onlyoffice/Data"
+#      - "${DATADIR}/communityserver/logs:/var/log/onlyoffice"
+#      - "${DATADIR}/communityserver/letsencrypt:/etc/letsencrypt"
+#      - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
+#    labels:
+#      - traefik.enable=true
+#      - traefik.docker.network=traefik-net
+#      #
+#      - "traefik.http.middlewares.onlyoffice_communityserver-https-redirect.redirectscheme.scheme=https"
+#      - "traefik.http.middlewares.onlyoffice_communityserver-https-redirect.redirectscheme.permanent=true"
+#      #
+#      - "traefik.http.services.onlyoffice_communityserver-svc.loadbalancer.server.port=${WEBUI_PORT}"
+#      #
+#      - "traefik.http.routers.onlyoffice_communityserver-rtr.entrypoints=web"
+#      - "traefik.http.routers.onlyoffice_communityserver-rtr.rule=Host(`onlyoffice_communityserver.${DOMAINNAME}`)&& PathPrefix(`/`)"
+#      - "traefik.http.routers.onlyoffice_communityserver-rtr.middlewares=onlyoffice_communityserver-https-redirect"
+#      - "traefik.http.routers.onlyoffice_communityserver-rtr.service=onlyoffice_communityserver-svc"
+#      #
+#      - "traefik.http.routers.onlyoffice_communityserver-secure-rtr.entrypoints=websecure"
+#      - "traefik.http.routers.onlyoffice_communityserver-secure-rtr.rule=Host(`onlyoffice_communityserver.${DOMAINNAME}`)&& PathPrefix(`/`)"
+#      - "traefik.http.routers.onlyoffice_communityserver-secure-rtr.tls=true"
+#      - "traefik.http.routers.onlyoffice_communityserver-secure-rtr.tls.certresolver=sthomeresolver"
+#      - "traefik.http.routers.onlyoffice_communityserver-secure-rtr.service=onlyoffice_communityserver-svc"
+      
+  postgresql:
+    image: postgres:16-alpine
+    hostname: "onlyoffice_postgresql"
+    shm_size: 128mb # https://hub.docker.com/_/postgres
+    restart: unless-stopped
+    env_file: .postgresql.env
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    networks:
+      postgres-net:
+          aliases: ["onlyoffice_postgresql"]
+    secrets:
+      - onlyoffice_postgresql_database
+      - onlyoffice_postgresql_password
+      - onlyoffice_postgresql_username
+    volumes:
+      - "${DATADIR}/pgdata:/var/lib/postgresql/data"
+      - "${DATADIR}/pgbackups:/mnt/backups"
+      
+#  mysql:
+#    image: mysql:5.7
+#    restart: always
+#    env_file: .mysql.env
+#    networks:
+#      backend:
+#          aliases: ["onlyoffice_mysql"]
+#    ports:
+#      # <Port exposed> : <MySQL Port running inside container>
+#      - '3306:3306'
+#    expose:
+#      # Opens port 3306 on the container
+#      - '3306'
+#      # Where our data will be persisted
+#    volumes:
+#      - "${DATADIR}/mysqldata:/var/lib/mysql"
diff --git a/overseerr/overseerr_jm.txt b/overseerr/overseerr_jm.txt
new file mode 100644
index 0000000..28a3be3
--- /dev/null
+++ b/overseerr/overseerr_jm.txt
@@ -0,0 +1,127 @@
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: overseerr
+Username: overseer
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+overseer UID: 3031
+overseer GID: 3030
+
+Create datasets
+---------------
+/mnt/SSD1/docker/data/overseerr
+/mnt/SSD1/docker/data/overseerr/config
+# Set Owner:Group to overseer:overseer
+
+Create folder
+-------------
+mkdir /opt/stacks/overseerr
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in overseerr folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/overseerr/
+# This should copy compose.yaml, .env and secrets to /mnt/SSD1/docker/stacks/overseerr
+
+Migrating data from old overseerr (source) to newly installed one (target)
+--------------------------------------------------------------------------
+# Stop old/source overseerr
+heavyscript app --stop overseerr
+# Stop new/target overseerr media server
+# On Dockge, select overseerr and click stop
+# Copy the source Library to target folder:
+cp -pr /mnt/stpool1/apps/overseerr/* /mnt/SSD1/docker/data/overseerr/config/
+chown -R overseer:overseer /mnt/SSD1/docker/data/overseerr/config/
+
+Obtaining radarr/sonarr hostname
+--------------------------------
+Use the following hostname in overseerr settings for sonarr/radarr depending on given scenario:
+Scenario                                                                            Hostname to use
+~~~~~~~~                                                                            ~~~~~~~~~~~~~~~
+Overseerr, radarr and sonarr are services in the same project                       localhost
+Overseerr in separate project; radarr and sonarr part of gluetun-arr project        alias of gluetun service
+
+How to get alias of alias of gluetun-arr service
+------------------------------------------------
+Assuming that gluetun service has an alias configured under the networks stanza
+In docker shell:
+cd /opt/stacks/gluetun-arr
+docker compose config | grep -A 1 "aliases"
+
+Overseerr settings
+------------------
+Open overseerr web app using browser
+Sign in
+Settings->Plex window, enter "plex.sthome.org" for Hostname or IP Address
+Click on Save Changes
+You should get a "Plex connection established successfully" in top right corner
+Leave "Use SSL" checked
+Click on Sync Libraries
+Select Libraries to sync and click on Scan Libraries
+After scan completes, click Continue
+Settings->Services
+Click on Edit Radarr Server
+Default Server: <checked>
+4K Server: <unchecked>
+Server Name: radarr
+Hostname or IP Address: <hostname as obtained above>
+Port: 7878
+Use SSL: <unchecked>
+API Key: <obtain from radarr->settings->general->API Key>
+URL Base: <leave blank>
+Click on Test
+You should get a "Radarr connection established successfully" in top right corner
+Quality Profile: <select>
+Root Folder: <select>
+Minimum Availability: <select>
+External URL: https://radarr.sthome.org
+Enable Scan: <checked>
+Enable Automatic Search: <checked>
+Tag Requests: <checked>
+Click Add Server
+Repeat for another radarr server, e.g. dedicated 4k server if required
+Click on Add Sonarr Server
+Default Server: <checked>
+4K Server: <unchecked>
+Server Name: sonarr
+Hostname or IP Address: <hostname as obtained above>
+Port: 8989
+Use SSL: <unchecked>
+API Key: <obtain from sonarr->settings->general->API Key>
+URL Base: <leave blank>
+Click on Test
+You should get a "Sonarr connection established successfully" in top right corner
+Quality Profile: <select>
+Root Folder: <select>
+Language Profile: Deprecated
+Tags: <Leave unselected>
+Repeat for Anime
+Season Folders: <checked>
+External URL: https://sonarr.sthome.org
+Enable Scan: <checked>
+Enable Automatic Search: <checked>
+Tag Requests: <checked>
+Click Add Server
+Repeat for another sonarr server, e.g. dedicated 4k server if required
+Click Finish Setup
+
+Troubleshooting
+---------------
+Android not connecting to server
+Open overseerr app
+Sign out from your account
+Sign in entering overseerr account credentials
+See if it works
+
+
+
diff --git a/overseerr/stacks/.env b/overseerr/stacks/.env
new file mode 100644
index 0000000..ab39e6e
--- /dev/null
+++ b/overseerr/stacks/.env
@@ -0,0 +1,22 @@
+
+APPLICATION_NAME=overseerr
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOWNLOADSDIR=/mnt/stpool1/Downloads
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+CT_DOWNLOADS=/Downloads
+CT_MEDIA=/Media
+DOMAINNAME=sthome.org
+WEBUI_PORT=5055
+
+PUID=3031
+PGID=3030 
+TZ=Africa/Johannesburg
+
+
diff --git a/overseerr/stacks/.overseerr.env b/overseerr/stacks/.overseerr.env
new file mode 100644
index 0000000..74db266
--- /dev/null
+++ b/overseerr/stacks/.overseerr.env
@@ -0,0 +1,7 @@
+
+# environment variables
+PUID=${PUID}
+PGID=${PGID} 
+TZ=${TZ}
+
+
diff --git a/overseerr/stacks/compose.yml b/overseerr/stacks/compose.yml
new file mode 100644
index 0000000..7eb4f2f
--- /dev/null
+++ b/overseerr/stacks/compose.yml
@@ -0,0 +1,38 @@
+# See .static-ips.yml for static ip addresses
+
+name: overseerr
+
+networks:
+  traefik-net:
+    external: true
+    
+services:
+  overseerr:
+    image: lscr.io/linuxserver/overseerr:latest
+    env_file: .overseerr.env
+    hostname: overseerr
+    networks:
+      - traefik-net
+    volumes:
+      - "${DATADIR}/config:/config"
+      - "${DOWNLOADSDIR}:${CT_DOWNLOADS}"
+      - "${MEDIADIR}:${CT_MEDIA}"
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-redirect@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
\ No newline at end of file
diff --git a/pgadmin/pgadmin_jm.txt b/pgadmin/pgadmin_jm.txt
new file mode 100644
index 0000000..b3680f0
--- /dev/null
+++ b/pgadmin/pgadmin_jm.txt
@@ -0,0 +1,62 @@
+Create user and group
+---------------------
+Credentials -> Local Groups -> Add
+GID: 5050
+Name: pgadmin
+Save
+Credentials -> Local Users -> Add
+Full Name: pgadmin
+Username: pgadmin
+Disable Password: <select>
+Email: <leave blank>
+UID: 5050
+Create New Primary Group: <unselect>
+Primary Group: pgadmin
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+pgadmin UID: 5050
+pgadmin GID: 5050
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*pgadmin"
+# create following datasets if not present
+zfs create SSD1/docker/data/pgadmin
+zfs create SSD1/docker/data/pgadmin/config
+chown -R pgadmin:pgadmin /mnt/SSD1/docker/data/pgadmin
+
+Create folders
+--------------
+# In Truenas shell:
+mkdir -p /mnt/SSD1/docker/stacks/pgadmin/secrets
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in pgadmin folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/pgadmin/
+# This should copy pgadmin stacks folder to /mnt/SSD1/docker/stacks/pgadmin
+
+Create secrets
+--------------
+# In Truenas shell:
+cd /mnt/SSD1/docker/stacks/pgadmin/secrets
+echo -n 'your_pgadmin_password' > /mnt/SSD1/docker/stacks/pgadmin/secrets/pgadmin_default_password
+# restrict access
+cd /mnt/SSD1/docker/stacks/pgadmin
+chown -R pgadmin:pgadmin secrets/
+chmod -R 400 secrets/
+
+Migrating config data
+---------------------
+# Stop pgadmin on truenas, in truenas shell
+heavyscript app --stop pgadmin
+# copy config storage to new install data folder
+cp -pr /mnt/stpool1/apps/pgadmin/. /mnt/SSD1/docker/data/pgadmin/config/
+chown -R pgadmin:pgadmin /mnt/SSD1/docker/data/pgadmin/
+
diff --git a/pgadmin/stacks/.env b/pgadmin/stacks/.env
new file mode 100644
index 0000000..bb75983
--- /dev/null
+++ b/pgadmin/stacks/.env
@@ -0,0 +1,20 @@
+
+APPLICATION_NAME=pgadmin
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+DOMAINNAME=sthome.org
+
+PUID=5050
+PGID=5050
+TZ=Africa/Johannesburg
+WEBUI_PORT=80
+
+PGADMIN_DEFAULT_EMAIL_FILE=/run/secrets/pgadmin_default_email
+PGADMIN_DEFAULT_PASSWORD_FILE=/run/secrets/pgadmin_default_password
\ No newline at end of file
diff --git a/pgadmin/stacks/.pgadmin.env b/pgadmin/stacks/.pgadmin.env
new file mode 100644
index 0000000..449fe8f
--- /dev/null
+++ b/pgadmin/stacks/.pgadmin.env
@@ -0,0 +1,25 @@
+# https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+
+PGADMIN_DEFAULT_EMAIL=${PGADMIN_DEFAULT_EMAIL_FILE}
+PGADMIN_DEFAULT_PASSWORD_FILE=${PGADMIN_DEFAULT_PASSWORD_FILE}
+
+# PGADMIN_DISABLE_POSTFIX=
+# PGADMIN_ENABLE_TLS=
+# PGADMIN_LISTEN_ADDRESS=
+# PGADMIN_LISTEN_PORT=
+# PGADMIN_SERVER_JSON_FILE=
+# GUNICORN_ACCESS_LOGFILE=
+# GUNICORN_LIMIT_REQUEST_LINE=
+# GUNICORN_THREADS=
+
+
+# PGADMIN_CONFIG_*
+# This is a variable prefix that can be used to override any of the configuration options in pgAdmin’s config.py file. Add the PGADMIN_CONFIG_ prefix to any variable name from config.py and give the value in the format ‘string value’ for strings, True/False for booleans or 123 for numbers
+# examples
+# PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION=True
+# PGADMIN_CONFIG_LOGIN_BANNER="Authorised users only!"
+# PGADMIN_CONFIG_CONSOLE_LOG_LEVEL=10
diff --git a/pgadmin/stacks/compose.yml b/pgadmin/stacks/compose.yml
new file mode 100644
index 0000000..7210f34
--- /dev/null
+++ b/pgadmin/stacks/compose.yml
@@ -0,0 +1,56 @@
+
+name: pgadmin
+
+secrets:
+  pgadmin_default_password:
+    file: ${SECRETSDIR}/pgadmin_default_password
+  pgadmin_default_email:
+    file: ${SECRETSDIR}/pgadmin_default_email
+    
+networks:
+  traefik-net:
+    external: true
+  postgres-net:
+    external: true
+  authentik-net:
+    external: true
+  fireflyiii-net:
+    external: true
+  vaultwarden-net:
+    external: true
+
+services:
+  pgadmin:
+    image: dpage/pgadmin4
+    env_file: .pgadmin.env
+    hostname: pgadmin
+    networks:
+      - traefik-net
+      - postgres-net
+      - authentik-net
+      - fireflyiii-net
+      - vaultwarden-net
+    restart: unless-stopped
+    volumes:
+      - "${DATADIR}/config:/var/lib/pgadmin"
+    secrets:
+      - pgadmin_default_password
+      - pgadmin_default_email
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"  
diff --git a/photoview/cp2nas.ps1 b/photoview/cp2nas.ps1
new file mode 100644
index 0000000..6778989
--- /dev/null
+++ b/photoview/cp2nas.ps1
@@ -0,0 +1,57 @@
+############### MAIN ###############
+$Main =
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        [Parameter(Mandatory=$false)]
+        [string[]] $apps
+    )
+    If($PSBoundParameters.ContainsKey("apps")) {
+        foreach ($appname in $apps)
+        {
+            copyfolder $destHost "$appname\stacks" $appname
+        }
+    }
+    else {
+        $appname="$pwd".Split("\\")[-1]
+        copyfolder $destHost "stacks" $appname
+    }
+}
+
+###################################
+Function copyfolder
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $srcdir,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $appname
+    )
+    if (-Not(Test-Path -Path $srcdir)) {
+        Write-Host "Source path doesn't exist: ""$PSScriptRoot\$srcdir\*.*"". No files copied!"  -ForegroundColor Red
+        Write-Host "Usage: in app folder       : ./cp2nas DEST|IP"
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP app1, app2, app3, ..."
+        return
+    }
+    $destStacks="/mnt/SSD1/docker/stacks/"
+    $destDir=$destStacks+$appname+"/"
+    Write-Host "pscp -P 22 -r ""$srcdir\*.*"" root@${destHost}:""${destDir}""" -ForegroundColor Green
+    Write-Host "Copying to ${destHost}:""${destStacks}" -NoNewline 
+    Write-Host "${appname}/" -ForegroundColor DarkYellow  -NoNewline 
+    Write-Host """:"
+    pscp -P 22 -r "$srcdir\*.*" root@${destHost}:""${destDir}""
+}
+
+###################################
+& $Main @Args
\ No newline at end of file
diff --git a/photoview/photoview_jm.txt b/photoview/photoview_jm.txt
new file mode 100644
index 0000000..565bd5b
--- /dev/null
+++ b/photoview/photoview_jm.txt
@@ -0,0 +1,132 @@
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: photoview
+Username: photovw
+Disable Password: <selected>
+Email: stuurmcp@telkomsa.net
+UID: 3018
+Create New Primary Group: <unselected>
+Create Home Directory: <unchecked>
+Samba Authentication: <unchecked>
+Save
+Credentials -> Local Groups -> Add
+Name: photovw
+GID: 3056
+
+photovw UID: 3018
+photovw GID: 3056
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*photoview"
+# create following datasets if not present
+zfs create SSD1/docker/data/photoview
+zfs create SSD1/docker/data/photoview/appdata
+zfs create SSD1/docker/data/photoview/config
+zfs create SSD1/docker/data/photoview/pgdata
+zfs create SSD1/docker/data/photoview/pgbackups
+chown -R photovw:photovw /mnt/SSD1/docker/data/photoview
+chown -R postgres:postgres /mnt/SSD1/docker/data/photoview/pgdata
+chown -R postgres:postgres /mnt/SSD1/docker/data/photoview/pgbackups
+
+Create folder
+-------------
+mkdir -p /opt/stacks/photoview/secrets
+
+Copy folder to docker stacks
+----------------------------
+In Windows cmd shell in photoview parent (apps) folder, enter:
+./cp2nas 10.0.0.20 photoview
+# or
+pscp -P 22 -r photoview/stacks/*.* root@10.0.0.20:/mnt/SSD1/docker/stacks/photoview/
+
+Create secrets
+--------------
+# NB! As of writing of this guide, I could not get photoview to work with docker secrets; steps are included to adopt docker secrets as soon as photoview supports it
+# In Truenas shell:
+cd /mnt/SSD1/docker/stacks/photoview/secrets
+# database secrets
+echo -n 'your_postgresql_database_name' > /mnt/SSD1/docker/stacks/photoview/secrets/photoview_postgresql_database
+echo -n 'your_postgresql_username' > /mnt/SSD1/docker/stacks/photoview/secrets/photoview_postgresql_username
+openssl rand 36 | base64 -w 0 > /mnt/SSD1/docker/stacks/photoview/secrets/photoview_postgresql_password
+# for future photoview's benefit
+cd /mnt/SSD1/docker/stacks/photoview/secrets/
+echo -n "postgres://$(cat photoview_postgresql_username):$(cat photoview_postgresql_password)@photoview_postgresql:5432/$(cat photoview_postgresql_database)" > photoview_database_url
+# restrict access
+chown -R photovw:photovw /mnt/SSD1/docker/stacks/photoview/secrets/
+chmod -R 400 /mnt/SSD1/docker/stacks/photoview/secrets/
+# read existing acl permissions, if any
+getfacl /mnt/SSD1/docker/stacks/photoview/secrets
+# set acl permissions
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/photoview/secrets
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/photoview/secrets/photoview_postgresql_password
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/photoview/secrets/photoview_postgresql_username
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/photoview/secrets/photoview_postgresql_database
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+# to list secrets in secrets dir
+cd /mnt/SSD1/docker/stacks/photoview/secrets
+for i in $(ls -1); do echo $i = `cat $i`; done | sort
+
+Backup photoview database
+---------------------  
+In truenas shell:
+mkdir /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+chown pgadmin:pgadmin /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+
+Using browser log in to pgAdmin on truenas
+Connect to servers; refer to "connecting to servers.txt", which also explains how to obtain db passwords
+To perform plain text backup:
+Navigate to Servers => photoview -> Databases -> photoview
+Right click on photoview database and select Backup...
+Enter the following on the different tabs of dialog box that opened:
+General:
+Replace ##### with today's date in YYYY-MM-DD format
+Filename: /#####/photoview-backup.sql (this maps to: /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/#####/photoview-backup.sql on truenas)
+Format: Plain
+Encoding: UTF8
+Role name: photoview
+Data Options:
+Sections:
+Pre-data: <select>
+Data: <select>
+Post-data: <select>
+Objects:
+Check public to select all objects
+Click Backup
+
+Migrating database
+------------------
+# Refresh Dockge window/tab and start photoview in Dockge
+# After successfull startup of photoview and postgress, stop photoview from cmd line
+docker stop photoview
+# copy back up file(s) to photoview backups folder
+cp -vr /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I) /mnt/SSD1/docker/data/photoview/pgbackups #replace $(date -I) with date when backup was made if not today
+jlmkr shell docker
+docker exec -it photoview_postgresql sh
+psql -U photoview -d photoview < /mnt/backups/photoview-backup.sql 
+docker start photoview
+exit
+
+Copying photoview media-cache (optional)
+----------------------------------------
+If you choose not to copy the cache, prepare for a long wait (depending on the number photos) for thumbnails to be regenerated
+In truenas shell:
+cp -rp /mnt/stpool1/apps/photoview/*  /mnt/SSD1/docker//data/photoview/appdata/media-cache/
+chown -R photovw:media /mnt/SSD1/docker//data/photoview/appdata/media-cache
+
+Starting up new photoview
+---------------------
+If photoview and postgresql containers are healthy in Dockge, browse to photoview.sthome.org
+
+Stopping old photoview
+----------------------
+# Use heavyscript (not the truenas gui) to stop the app:
+heavyscript app --stop photoview
+
+
+
+
+
diff --git a/photoview/stacks/.env b/photoview/stacks/.env
new file mode 100644
index 0000000..f5cf07c
--- /dev/null
+++ b/photoview/stacks/.env
@@ -0,0 +1,39 @@
+################################################################
+APPLICATION_NAME=photoview
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+PUID=3018
+PGID=3056
+MEDIA_PGID=3017
+
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+
+WEBUI_PORT=80
+
+################################################################
+# DB related
+# ----------
+PHOTOVIEW_DATABASE_DRIVER=postgres
+POSTGRES_DB_PORT=5432
+
+# can't get photoview to work with docker secrets; remove when photoview work with docker secrets
+POSTGRES_DB=photoview
+POSTGRES_USER=photoview
+POSTGRES_PASSWORD=NsGDEZl3vAgcZxdTa2xNLib99YY9DEkjOX4RzPgoxGih5rP6   
+
+# for current postgresql and future photoview that supports docker secrets
+POSTGRES_PASSWORD_FILE=/run/secrets/photoview_postgresql_password
+POSTGRES_USER_FILE=/run/secrets/photoview_postgresql_username
+POSTGRES_DB_FILE=/run/secrets/photoview_postgresql_database
+# OR future photoview that supports docker secrets but not env_var embedded in another env_var
+# DATABASE_URL_FILE=/run/secrets/photoview_database_url
+
+################################################################
diff --git a/photoview/stacks/.photoview.env b/photoview/stacks/.photoview.env
new file mode 100644
index 0000000..99253a9
--- /dev/null
+++ b/photoview/stacks/.photoview.env
@@ -0,0 +1,33 @@
+################################################################
+
+PUID=${PUID}
+PGID=${MEDIA_PGID}
+TZ=${TZ}
+
+################################################################
+# DB related
+# ----------
+PHOTOVIEW_DATABASE_DRIVER=${PHOTOVIEW_DATABASE_DRIVER}
+POSTGRES_DB_PORT=${POSTGRES_DB_PORT}
+#
+# can't get photoview to work with docker secrets; secrets added here for future compatibility only
+# POSTGRES_DB_FILE=${POSTGRES_DB_FILE}
+# POSTGRES_USER_FILE=${POSTGRES_USER_FILE}
+# POSTGRES_PASSWORD_FILE=${POSTGRES_PASSWORD_FILE}
+# OR
+# PHOTOVIEW_POSTGRES_URL_FILE=${DATABASE_URL_FILE}
+
+# Server related
+# --------------
+PHOTOVIEW_LISTEN_IP=localhost
+PHOTOVIEW_LISTEN_PORT=${WEBUI_PORT}
+
+# General
+# -------
+PHOTOVIEW_MEDIA_CACHE=/home/photoview/media-cache
+#MAPBOX_TOKEN=
+PHOTOVIEW_DISABLE_FACE_RECOGNITION=0
+PHOTOVIEW_DISABLE_VIDEO_ENCODING=0
+PHOTOVIEW_DISABLE_RAW_PROCESSING=0
+
+################################################################
diff --git a/photoview/stacks/.postgresql.env b/photoview/stacks/.postgresql.env
new file mode 100644
index 0000000..0d95871
--- /dev/null
+++ b/photoview/stacks/.postgresql.env
@@ -0,0 +1,11 @@
+
+PUID=70
+PGID=70
+TZ=${TZ}
+
+POSTGRES_DB_PORT=${POSTGRES_DB_PORT}
+POSTGRES_DB_FILE=${POSTGRES_DB_FILE}
+POSTGRES_USER_FILE=${POSTGRES_USER_FILE}
+POSTGRES_PASSWORD_FILE=${POSTGRES_PASSWORD_FILE}
+
+
diff --git a/photoview/stacks/compose.yml b/photoview/stacks/compose.yml
new file mode 100644
index 0000000..4051ea6
--- /dev/null
+++ b/photoview/stacks/compose.yml
@@ -0,0 +1,132 @@
+# https://github.com/photoview/photoview/blob/master/docker-compose%20example/docker-compose.example.yml
+#
+secrets:
+  photoview_postgresql_password:
+    file: "${SECRETSDIR}/photoview_postgresql_password"
+  photoview_postgresql_database:
+    file: "${SECRETSDIR}/photoview_postgresql_database"
+  photoview_postgresql_username:
+    file: "${SECRETSDIR}/photoview_postgresql_username"
+  photoview_database_url:
+    file: "${SECRETSDIR}/photoview_database_url"
+
+networks:
+  traefik-net:
+    external: true
+  postgres-net:
+    external: true
+ 
+services:
+  photoview:
+    image: photoview/photoview:latest
+    hostname: "${APPLICATION_NAME}"
+    env_file: .photoview.env
+    user: "${PUID}:${MEDIA_PGID}"
+    networks:
+      - postgres-net
+      - traefik-net
+    secrets:
+      - photoview_postgresql_database
+      - photoview_postgresql_password
+      - photoview_postgresql_username
+      - photoview_database_url
+    environment:
+    # can't get photoview to work with docker secrets; remove when photoview work with docker secrets
+      - PHOTOVIEW_POSTGRES_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@photoview_postgresql:${POSTGRES_DB_PORT}/${POSTGRES_DB}
+    #  
+    # for future photoview that supports docker secrets
+    #  - PHOTOVIEW_POSTGRES_URL=postgres://$${POSTGRES_USER}:$${POSTGRES_PASSWORD}@photoview_postgresql:${POSTGRES_DB_PORT}/$${POSTGRES_DB}
+    # OR as per single PHOTOVIEW_POSTGRES_URL_FILE entry in .photoview.env
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+      - "${DATADIR}/config:/etc/photoview"
+      - "${DATADIR}/appdata:/home/photoview"
+      - "${MEDIADIR}/Pictures/Photos:/photos:ro"
+#      - "${DATADIR}/backups:/mnt/backups"
+    restart: unless-stopped
+    stop_grace_period: 10s
+#    healthcheck:
+#      test: [ "CMD", "bash", "-c", "[ $(curl -s -o /dev/null -w '%{http_code}' http://localhost:80/login) == '200' ]" ]
+#      interval: 1m
+#      timeout: 2s
+#      retries: 5
+#      start_period: 30s
+    depends_on:
+      postgresql:
+        condition: service_healthy
+    ## Security options for some restricted systems
+    security_opt:
+      - seccomp:unconfined
+      - apparmor:unconfined
+    ## Share hardware devices with FFmpeg (optional):
+    devices:
+      ## Uncomment next devices mappings if they are available in your host system
+      ## Intel QSV
+      # - "/dev/dri:/dev/dri"
+      ## Nvidia CUDA
+      - "/dev/nvidia0:/dev/nvidia0"
+      - "/dev/nvidiactl:/dev/nvidiactl"
+      - "/dev/nvidia-modeset:/dev/nvidia-modeset"
+      # - "/dev/nvidia-nvswitchctl:/dev/nvidia-nvswitchctl"
+      - "/dev/nvidia-uvm:/dev/nvidia-uvm"
+      - "/dev/nvidia-uvm-tools:/dev/nvidia-uvm-tools"
+      ## Video4Linux Video Encode Device (h264_v4l2m2m)
+      # - "/dev/video11:/dev/video11"
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # http middlewares
+      # ----------------
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"  # we have global redirection, but added for good measure
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"  # we have global redirection, but added for good measure
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+
+  postgresql:
+    image: postgres:16-alpine
+    hostname: "${APPLICATION_NAME}_postgresql"
+    shm_size: 128mb # https://hub.docker.com/_/postgres
+    env_file: .postgresql.env
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    networks:
+      postgres-net:
+          aliases: ["${APPLICATION_NAME}_postgresql"]
+    secrets:
+      - ${APPLICATION_NAME}_postgresql_database
+      - ${APPLICATION_NAME}_postgresql_password
+      - ${APPLICATION_NAME}_postgresql_username
+    volumes:
+      - "${DATADIR}/pgdata:/var/lib/postgresql/data"
+      - "${DATADIR}/pgbackups:/mnt/backups"
\ No newline at end of file
diff --git a/photoview/traefik-users/photoview.txt b/photoview/traefik-users/photoview.txt
new file mode 100644
index 0000000..2084684
--- /dev/null
+++ b/photoview/traefik-users/photoview.txt
@@ -0,0 +1,5 @@
+admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
+chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
+Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
+home:$2y$05$VjkUjMGVdxMn3N/rMK8nBuh1jAUfezo8i4167enEg7i9Xl45cVQGi
+Home:$2y$05$JP8tB1nkPA8tbhEnhGV6teke.X87eFX4V9hi9qa2ArLISJ4Ksf2ca
\ No newline at end of file
diff --git a/pihole/pihole-dns.xlsx b/pihole/pihole-dns.xlsx
new file mode 100644
index 0000000..e52cb37
Binary files /dev/null and b/pihole/pihole-dns.xlsx differ
diff --git a/pihole/pihole_jm.txt b/pihole/pihole_jm.txt
new file mode 100644
index 0000000..b7c273a
--- /dev/null
+++ b/pihole/pihole_jm.txt
@@ -0,0 +1,60 @@
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: pihole
+Username: pihole
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+pihole UID: 3056
+pihole GID: 3057
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*pihole"
+# create following datasets if not present
+zfs create SSD1/docker/data/pihole
+zfs create SSD1/docker/data/pihole/appdata
+zfs create SSD1/docker/data/pihole/config
+chown -R pihole:pihole /mnt/SSD1/docker/data/pihole
+
+Create folders
+--------------
+# In Truenas shell:
+mkdir -p /mnt/SSD1/docker/stacks/pihole/secrets
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in pihole folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/pihole/
+# This should copy pihole stacks folder to /mnt/SSD1/docker/stacks/pihole
+
+Create secrets
+--------------
+# In Truenas shell:
+cd /mnt/SSD1/docker/stacks/pihole/secrets
+echo -n 'your_webpassword' > /mnt/SSD1/docker/stacks/pihole/secrets/pihole_webpassword
+# restrict access
+cd /mnt/SSD1/docker/stacks/pihole
+chown -R pihole:pihole secrets/
+chmod -R 400 secrets/
+# read existing acl permissions, if any
+
+Migrating config data
+---------------------
+# Stop pihole on truenas, in truenas shell
+heavyscript app --stop pihole
+# copy config storage to new install data folder
+cp -pr /mnt/stpool1/apps/pihole/* /mnt/SSD1/docker/data/pihole/config/
+cp -pr /mnt/stpool1/appdata/pihole/* /mnt/SSD1/docker/data/pihole/appdata/
+chown -R pihole:pihole /mnt/SSD1/docker/data/pihole/
+
diff --git a/pihole/stacks/.env b/pihole/stacks/.env
new file mode 100644
index 0000000..864d982
--- /dev/null
+++ b/pihole/stacks/.env
@@ -0,0 +1,22 @@
+#
+# values to be used for substitution by docker compose in compose.yml AND .*.env files
+#
+APPLICATION_NAME=pihole
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+DOMAINNAME=sthome.org
+TIMEZONE=Africa/Johannesburg
+WEBUI_PORT=80
+PUID=3035
+PGID=3034
+
+PH_HOSTIP=10.0.0.61
+
+
diff --git a/pihole/stacks/.pihole.env b/pihole/stacks/.pihole.env
new file mode 100644
index 0000000..1b09123
--- /dev/null
+++ b/pihole/stacks/.pihole.env
@@ -0,0 +1,54 @@
+# https://github.com/pi-hole/docker-pi-hole/?tab=readme-ov-file
+#
+# environment variables for pihole
+# 
+PUID=${PUID}
+PGID=${PGID}
+
+PORT=${WEBUI_PORT}
+
+# Recommended Variables
+# ---------------------
+TZ=${TIMEZONE}
+FTLCONF_LOCAL_IPV4=${PH_HOSTIP}
+WEBPASSWORD_FILE=/run/secrets/pihole_webpassword
+
+# Optional Variables
+# ------------------
+# PIHOLE_DNS_=8.8.8.8;8.8.4.4
+# DNSSEC=false
+# DNS_BOGUS_PRIV=true
+# DNS_FQDN_REQUIRED=true
+# REV_SERVER=false
+# REV_SERVER_DOMAIN=
+# REV_SERVER_TARGET=
+# REV_SERVER_CIDR=
+# DHCP_ACTIVE=false
+# DHCP_START=
+# DHCP_END=
+# DHCP_ROUTER=
+# DHCP_LEASETIME=24
+# PIHOLE_DOMAIN=lan
+# DHCP_IPv6=false
+# DHCP_rapid_commit=false
+# VIRTUAL_HOST=
+# IPv6=true
+# TEMPERATUREUNIT=c
+# WEBUIBOXEDLAYOUT=boxed
+# QUERY_LOGGING=true
+# WEBTHEME=dark
+
+# Advanced Variables
+# ------------------
+# INTERFACE=
+# DNSMASQ_LISTENING=local
+# WEB_PORT=
+# WEB_BIND_ADDR=
+# SKIPGRAVITYONBOOT=
+# CORS_HOSTS=
+# FTL_CMD=
+
+
+
+
+
diff --git a/pihole/stacks/compose.yml b/pihole/stacks/compose.yml
new file mode 100644
index 0000000..86e7de7
--- /dev/null
+++ b/pihole/stacks/compose.yml
@@ -0,0 +1,72 @@
+# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
+
+name: pihole
+
+networks:
+  traefik-net:
+    external: true
+    
+secrets:
+  pihole_webpassword:
+    file: ${SECRETSDIR}/pihole_webpassword
+    
+services:
+  pihole:
+    image: pihole/pihole:latest
+    hostname: pihole
+    env_file: .pihole.env
+    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
+#    ports:
+#      - "53:53/tcp"
+#      - "53:53/udp"
+#      - "67:67/udp" # Only required if you are using Pi-hole as your DHCP server
+#      - "80:80/tcp"
+    networks:
+      - traefik-net
+    # Volumes store your data between container upgrades
+    volumes:
+      - "${DATADIR}/config:/etc/pihole"
+      - "${DATADIR}/appdata:/etc/dnsmasq.d"
+    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
+#    cap_add:
+#      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
+    restart: unless-stopped
+    secrets:
+      - pihole_webpassword
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      # http middlewares
+      # ---------------------------
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+      # attach middlewares to routers
+      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
+      # assign svc target to routers
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
\ No newline at end of file
diff --git a/plex/cp2nas.ps1 b/plex/cp2nas.ps1
new file mode 100644
index 0000000..6778989
--- /dev/null
+++ b/plex/cp2nas.ps1
@@ -0,0 +1,57 @@
+############### MAIN ###############
+$Main =
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        [Parameter(Mandatory=$false)]
+        [string[]] $apps
+    )
+    If($PSBoundParameters.ContainsKey("apps")) {
+        foreach ($appname in $apps)
+        {
+            copyfolder $destHost "$appname\stacks" $appname
+        }
+    }
+    else {
+        $appname="$pwd".Split("\\")[-1]
+        copyfolder $destHost "stacks" $appname
+    }
+}
+
+###################################
+Function copyfolder
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $srcdir,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $appname
+    )
+    if (-Not(Test-Path -Path $srcdir)) {
+        Write-Host "Source path doesn't exist: ""$PSScriptRoot\$srcdir\*.*"". No files copied!"  -ForegroundColor Red
+        Write-Host "Usage: in app folder       : ./cp2nas DEST|IP"
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP app1, app2, app3, ..."
+        return
+    }
+    $destStacks="/mnt/SSD1/docker/stacks/"
+    $destDir=$destStacks+$appname+"/"
+    Write-Host "pscp -P 22 -r ""$srcdir\*.*"" root@${destHost}:""${destDir}""" -ForegroundColor Green
+    Write-Host "Copying to ${destHost}:""${destStacks}" -NoNewline 
+    Write-Host "${appname}/" -ForegroundColor DarkYellow  -NoNewline 
+    Write-Host """:"
+    pscp -P 22 -r "$srcdir\*.*" root@${destHost}:""${destDir}""
+}
+
+###################################
+& $Main @Args
\ No newline at end of file
diff --git a/plex/createp12.sh b/plex/createp12.sh
new file mode 100644
index 0000000..305be27
--- /dev/null
+++ b/plex/createp12.sh
@@ -0,0 +1,64 @@
+#!/bin/zsh
+
+# if this script fails, execute "sed -i -e 's/\r$//' ./createp12.sh" to replace CRLF with LF, then try again
+
+# Copy this script file to /mnt/SSD1/docker/data/traefik/certs folder an run from there
+
+ud_shell="$(readlink /proc/$$/exe)"
+UD_SHELL=${ud_shell##*/}
+if [[ "$UD_SHELL" != "zsh" ]]; then
+        echo "Please run script in zsh shell!"
+        exit 1
+fi
+_get_password() {
+        success=0
+        prompt=$1
+        unset pass
+        while IFS= read -s -k 1 "char?$prompt"
+        do
+                if [[ $char == $'\n' ]]; then
+                        success=1
+                        break
+                else
+                        prompt='*'
+                        pass+="$char"
+                fi
+        done
+        echo "$pass"
+        return $success
+}
+unset password
+echo "The .p12 file must be protected with a password. Please enter password to encrypt .p12 file"
+confirm=0
+while [[ $confirm -eq 0 ]]
+do
+        password=`_get_password "password:"`; retval=$?
+        if [[ $retval -eq 0 ]]; then
+                break
+        fi
+        echo
+        passlen=${#password}
+        if [[ $passlen -lt 8 ]]; then
+                echo "password must be 8 characters or longer!"
+                continue
+        fi
+        password2=`_get_password "confirm :"`; retval=$?
+        if [[ $retval -eq 0 ]]; then
+                break
+        fi
+        echo
+        if [[ "$password" == "$password2" ]]; then
+                confirm=1
+                break;
+        fi
+        echo "Confirmation differs from password entered. Please re-enter password"
+done
+echo
+if [[ $confirm -eq 1 ]]; then
+        #echo "pass2: $password2"
+        echo "$password" | openssl pkcs12 -export -out plex_cert.p12 -in plex.pem -inkey plex-key.pem -certfile plex.pem -passout stdin -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256
+        #openssl pkcs12 -export -out plex_cert.p12 -in plex.pem -inkey plex-key.pem -certfile plex.pem -passout pass: "password" -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256
+        echo "Created plex_cert.p12"
+else
+        echo "Aborted!"
+fi
\ No newline at end of file
diff --git a/plex/extras.txt b/plex/extras.txt
new file mode 100644
index 0000000..c4f1686
--- /dev/null
+++ b/plex/extras.txt
@@ -0,0 +1,21 @@
+https://support.plex.tv/articles/local-files-for-trailers-and-extras/
+
+Movies/MovieName (Release Date)/Extra_Directory_Type/Descriptive_name.ext
+    Behind The Scenes
+    Deleted Scenes
+    Featurettes
+    Interviews
+    Scenes
+    Shorts
+    Trailers
+    Other
+
+Movies/MovieName (Release Date)/Descriptive_Name-Extra_Type.ext
+    -behindthescenes
+    -deleted
+    -featurette
+    -interview
+    -scene
+    -short
+    -trailer
+    -other
diff --git a/plex/plex labels.yml b/plex/plex labels.yml
new file mode 100644
index 0000000..50e78e5
--- /dev/null
+++ b/plex/plex labels.yml	
@@ -0,0 +1,527 @@
+# Plex labels
+# ===========  
+
+# CONFIG 1: traefik tcp entrypoint 32400 named plex; plex entrypoint redirected to https; web entrypoint redirected to https
+# --------------------------------------------------------------------------------------------------------------------------
+#   Local plex app works, but "plex-sthome" every so often shows rotating cursor; probably loosing connection; movies play without interruption
+#   Plex web UI works ok
+#   No remote access from outside; tested with phone with WiFi disabled
+#
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      #
+      # http routers
+      # ------------
+      # http://appname.domainname:32400
+      - "traefik.http.routers.${APP_NAME}-rem.entrypoints=plex"
+      - "traefik.http.routers.${APP_NAME}-rem.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      # http://appname.domainname:80/
+      - "traefik.http.routers.${APP_NAME}.entrypoints=web"
+      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # https://appname.domainname:443/
+      - "traefik.http.routers.${APP_NAME}-secure.entrypoints=websecure"
+      - "traefik.http.routers.${APP_NAME}-secure.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APP_NAME}-secure.tls=true"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.options=tls-opts@file"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].main=${DOMAINNAME}"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].sans=${APP_NAME}.${DOMAINNAME}"
+      #
+      # http middlewares
+      # ----------------
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # assign middlewares to routers
+      # -----------------------------
+      - "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-https-redirect"
+      - "traefik.http.routers.${APP_NAME}-rem.middlewares=${APP_NAME}-https-redirect"
+      #
+      # http services
+      # -------------
+      - "traefik.http.routers.${APP_NAME}-secure.service=${APP_NAME}-svc"
+      - "traefik.http.services.${APP_NAME}-svc.loadbalancer.server.port=${PORT}"
+
+# ===============================================================================================================================
+# CONFIG 2: still have traefik tcp entrypoint 32400 named plex, however, no router configured; web entrypoint redirected to https
+# -------------------------------------------------------------------------------------------------------------------------------
+#   Local plex app works, but no movies play; 
+#   Plex web UI works ok
+#   No remote access from outside; tested with phone with WiFi disabled
+#
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      #
+      # http routers
+      # ------------
+      # http://appname.domainname:80/
+      - "traefik.http.routers.${APP_NAME}.entrypoints=web"
+      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      # https://appname.domainname:443/
+      - "traefik.http.routers.${APP_NAME}-secure.entrypoints=websecure"
+      - "traefik.http.routers.${APP_NAME}-secure.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      - "traefik.http.routers.${APP_NAME}-secure.tls=true"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.options=tls-opts@file"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].main=${DOMAINNAME}"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].sans=${APP_NAME}.${DOMAINNAME}"
+      #
+      # http middlewares
+      # ----------------
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # assign middlewares to routers
+      # -----------------------------
+      - "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-https-redirect"
+      #
+      # http services
+      # -------------
+      - "traefik.http.routers.${APP_NAME}-secure.service=${APP_NAME}-svc"
+      - "traefik.http.services.${APP_NAME}-svc.loadbalancer.server.port=${PORT}"
+
+# ===============================================================================================
+# CONFIG 3: removed tcp entrypoint 32400, but kept 32400 port on traefik; same labels as CONFIG 2
+# -----------------------------------------------------------------------------------------------
+#   Local plex app works, but no movies play; 
+#   Plex web UI works ok
+#   No remote access from outside; tested with phone with WiFi disabled
+#
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      #
+      # http routers
+      # ------------
+      # http://appname.domainname:80/
+      - "traefik.http.routers.${APP_NAME}.entrypoints=web"
+      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      # https://appname.domainname:443/
+      - "traefik.http.routers.${APP_NAME}-secure.entrypoints=websecure"
+      - "traefik.http.routers.${APP_NAME}-secure.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      - "traefik.http.routers.${APP_NAME}-secure.tls=true"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.options=tls-opts@file"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].main=${DOMAINNAME}"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].sans=${APP_NAME}.${DOMAINNAME}"
+      #
+      # http middlewares
+      # ----------------
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # assign middlewares to routers
+      # -----------------------------
+      - "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-https-redirect"
+      #
+      # http services
+      # -------------
+      - "traefik.http.routers.${APP_NAME}-secure.service=${APP_NAME}-svc"
+      - "traefik.http.services.${APP_NAME}-svc.loadbalancer.server.port=${PORT}"
+
+# =============================================================================================
+# CONFIG 4: removed tcp entrypoint 32400 and 32400 port on traefik; same labels as CONFIG 2 & 3
+# ---------------------------------------------------------------------------------------------
+#   Local plex app works, but no movies play; no posters showing; no playback
+#   Plex web UI works ok
+#   No remote access from outside; tested with phone with WiFi disabled
+#
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      #
+      # http routers
+      # ------------
+      # http://appname.domainname:80/
+      - "traefik.http.routers.${APP_NAME}.entrypoints=web"
+      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      # https://appname.domainname:443/
+      - "traefik.http.routers.${APP_NAME}-secure.entrypoints=websecure"
+      - "traefik.http.routers.${APP_NAME}-secure.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      - "traefik.http.routers.${APP_NAME}-secure.tls=true"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.options=tls-opts@file"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].main=${DOMAINNAME}"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].sans=${APP_NAME}.${DOMAINNAME}"
+      #
+      # http middlewares
+      # ----------------
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # assign middlewares to routers
+      # -----------------------------
+      - "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-https-redirect"
+      #
+      # http services
+      # -------------
+      - "traefik.http.routers.${APP_NAME}-secure.service=${APP_NAME}-svc"
+      - "traefik.http.services.${APP_NAME}-svc.loadbalancer.server.port=${PORT}"
+
+# ===============================================================================
+# CONFIG 5: Same as CONFIG 1, but with IP address added to http and https filters
+# -------------------------------------------------------------------------------
+#   Local plex app works, but "plex-sthome" every so often shows rotating cursor = didn't receive any data from traefik in time, dropping connection; no drop when movies play, movies play without interruption
+#   Plex web UI works ok
+#   No remote access from outside; tested with phone with WiFi disabled
+#
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      #
+      # http routers
+      # ------------
+      # http://appname.domainname:32400
+      - "traefik.http.routers.${APP_NAME}-rem.entrypoints=plex"
+      - "traefik.http.routers.${APP_NAME}-rem.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      # http://appname.domainname:80/
+      - "traefik.http.routers.${APP_NAME}.entrypoints=web"
+      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      # https://appname.domainname:443/
+      - "traefik.http.routers.${APP_NAME}-secure.entrypoints=websecure"
+      - "traefik.http.routers.${APP_NAME}-secure.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      - "traefik.http.routers.${APP_NAME}-secure.tls=true"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.options=tls-opts@file"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].main=${DOMAINNAME}"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].sans=${APP_NAME}.${DOMAINNAME}"
+      #
+      # http middlewares
+      # ----------------
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # assign middlewares to routers
+      # -----------------------------
+      - "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-https-redirect"
+      - "traefik.http.routers.${APP_NAME}-rem.middlewares=${APP_NAME}-https-redirect"
+      #
+      # http services
+      # -------------
+      - "traefik.http.routers.${APP_NAME}-secure.service=${APP_NAME}-svc"
+      - "traefik.http.services.${APP_NAME}-svc.loadbalancer.server.port=${PORT}"
+
+# ===========================================================
+# CONFIG 6: Same as CONFIG 5, but with tls-opts@file removed
+# -----------------------------------------------------------
+# MUST BE RECHECKED
+#   Local plex app works, "plex-sthome" stable; No movie interruption; dashboard displays the movies being currently streamed
+#   Plex web UI works ok; dashboard displays the movies being currently streamed
+#   No remote access from outside; tested with phone with WiFi disabled
+# 
+#
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      #
+      # http routers
+      # ------------
+      # http://appname.domainname:32400
+      - "traefik.http.routers.${APP_NAME}-rem.entrypoints=plex"
+      - "traefik.http.routers.${APP_NAME}-rem.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      # http://appname.domainname:80/
+      - "traefik.http.routers.${APP_NAME}.entrypoints=web"
+      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      # https://appname.domainname:443/
+      - "traefik.http.routers.${APP_NAME}-secure.entrypoints=websecure"
+      - "traefik.http.routers.${APP_NAME}-secure.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      - "traefik.http.routers.${APP_NAME}-secure.tls=true"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].main=${DOMAINNAME}"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].sans=${APP_NAME}.${DOMAINNAME}"
+      #
+      # http middlewares
+      # ----------------
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # assign middlewares to routers
+      # -----------------------------
+      - "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-https-redirect"
+      - "traefik.http.routers.${APP_NAME}-rem.middlewares=${APP_NAME}-https-redirect"
+      #
+      # http services
+      # -------------
+      - "traefik.http.routers.${APP_NAME}-secure.service=${APP_NAME}-svc"
+      - "traefik.http.services.${APP_NAME}-svc.loadbalancer.server.port=${PORT}"      
+
+# ====================================================================================================
+# CONFIG 7: Same as CONFIG 6, but with 32400 entrypoint removed in traefik.yml and traefik compose.yml
+# ----------------------------------------------------------------------------------------------------
+#   Local plex app not working; no movie posters displayed
+#   Plex web UI works ok; dashboard displays the movies being currently streamed
+#   No remote access from outside; tested with phone with WiFi disabled
+# 
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      #
+      # http routers
+      # ------------
+      # http://appname.domainname:80/
+      - "traefik.http.routers.${APP_NAME}.entrypoints=web"
+      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      # https://appname.domainname:443/
+      - "traefik.http.routers.${APP_NAME}-secure.entrypoints=websecure"
+      - "traefik.http.routers.${APP_NAME}-secure.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      - "traefik.http.routers.${APP_NAME}-secure.tls=true"
+      #- "traefik.http.routers.${APP_NAME}-secure.tls.options=tls-opts@file"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].main=${DOMAINNAME}"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].sans=${APP_NAME}.${DOMAINNAME}"
+      #
+      # http middlewares
+      # ----------------
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # assign middlewares to routers
+      # -----------------------------
+      - "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-https-redirect"
+      #
+      # http services
+      # -------------
+      - "traefik.http.routers.${APP_NAME}-secure.service=${APP_NAME}-svc"
+      - "traefik.http.services.${APP_NAME}-svc.loadbalancer.server.port=${PORT}"
+
+# ===========================================================
+# CONFIG 8: No traefik labels. Port 32400 opened on container
+# -----------------------------------------------------------
+#   Local plex app not working; no movie posters displayed
+#   Plex web UI works ok; dashboard displays the movies being currently streamed
+#   Remote access from outside ok, movies play; tested with phone with WiFi disabled; not working with WiFi enabled
+#  
+    ports:
+      - 32400:32400
+
+# =========================================================================
+# CONFIG 9: Same as CONFIG 5 but with no path prefixes and no tls-opts@file
+# -------------------------------------------------------------------------
+#   Local plex app working; movies playing; dashboard sometimes display the movies being currently streamed
+#   Plex web UI works ok; dashboard displays the movies being currently streamed
+#   No remote access from outside
+#   Custom server access URLs: https://plex.sthome.org, http://plex.sthome.org, http://plex.sthome.org:32400
+
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      #
+      # http routers
+      # ------------
+      # http://appname.domainname:32400
+      - "traefik.http.routers.${APP_NAME}-rem.entrypoints=plex"
+      - "traefik.http.routers.${APP_NAME}-rem.rule=Host(`${APP_NAME}.${DOMAINNAME}`) || Host(`10.0.0.61`)"
+      # http://appname.domainname:80/
+      - "traefik.http.routers.${APP_NAME}.entrypoints=web"
+      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_NAME}.${DOMAINNAME}`) || Host(`10.0.0.61`)"
+      # https://appname.domainname:443/
+      - "traefik.http.routers.${APP_NAME}-secure.entrypoints=websecure"
+      - "traefik.http.routers.${APP_NAME}-secure.rule=Host(`${APP_NAME}.${DOMAINNAME}`) || Host(`10.0.0.61`)"
+      - "traefik.http.routers.${APP_NAME}-secure.tls=true"
+      #- "traefik.http.routers.${APP_NAME}-secure.tls.options=tls-opts@file"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].main=${DOMAINNAME}"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].sans=${APP_NAME}.${DOMAINNAME}"
+      #
+      # http middlewares
+      # ----------------
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # assign middlewares to routers
+      # -----------------------------
+      - "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-https-redirect"
+      - "traefik.http.routers.${APP_NAME}-rem.middlewares=${APP_NAME}-https-redirect"
+      #
+      # http services
+      # -------------
+      - "traefik.http.routers.${APP_NAME}-secure.service=${APP_NAME}-svc"
+      - "traefik.http.services.${APP_NAME}-svc.loadbalancer.server.port=${PORT}" 
+
+# ===========================================================================
+# CONFIG 10: Added tcp router for port 32400; no tls-opts@file
+# ---------------------------------------------------------------------------
+#   Local plex app not working; movies posters not showing - the only access not working
+#   Plex web UI works ok; dashboard displays the movies being currently streamed
+#   Remote access from outside ok, movies play; tested with phone with WiFi disabled, working; not working with WiFi enabled
+#   Custom server access URLs: https://plex.sthome.org, http://plex.sthome.org, http://plex.sthome.org:32400
+
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      #
+      # tcp routers
+      # ------------
+      # tcp: port 32400
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.entrypoints=plex"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.rule=HostSNI(`${APP_NAME}.${DOMAINNAME}`) || HostSNI(`10.0.0.61`)"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.tls=true"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.tls.passthrough=true"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.tls.certresolver=sthomeresolver"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.tls.domains[0].main=${DOMAINNAME}"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.tls.domains[0].sans=${APP_NAME}.${DOMAINNAME}"
+      #
+      # http routers
+      # ------------
+      # http://appname.domainname:80
+      - "traefik.http.routers.${APP_NAME}.entrypoints=web"
+      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_NAME}.${DOMAINNAME}`) || Host(`10.0.0.61`)"
+      # https://appname.domainname:443
+      - "traefik.http.routers.${APP_NAME}-secure.entrypoints=websecure"
+      - "traefik.http.routers.${APP_NAME}-secure.rule=Host(`${APP_NAME}.${DOMAINNAME}`) || Host(`10.0.0.61`)"
+      - "traefik.http.routers.${APP_NAME}-secure.tls=true"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].main=${DOMAINNAME}"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].sans=${APP_NAME}.${DOMAINNAME}"
+      #
+      # http middlewares
+      # ----------------
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APP_NAME}-svc.loadbalancer.server.port=${PORT}"   
+      #
+      # tcp services
+      # -------------
+      - "traefik.tcp.services.${APP_NAME}-tcp-svc.loadbalancer.server.port=${PORT}"
+      #
+      # assign middlewares to routers
+      # -----------------------------
+      - "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-https-redirect"
+      #
+      # assign services to routers
+      # --------------------------
+      - "traefik.http.routers.${APP_NAME}-secure.service=${APP_NAME}-svc"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.service=${APP_NAME}-tcp-svc"  
+
+# ===========================================================================
+# CONFIG 11: Same as CONFIG 10 but also with http router for port 32400
+# ---------------------------------------------------------------------------
+#   Local plex app working; but dashboard not showing movies currently playing
+#   Plex web UI works ok; dashboard displays the movies being currently streamed
+#   Remote access from outside ok, movies play; tested with phone with WiFi disabled, working; not working with WiFi enabled
+#   Custom server access URLs: https://plex.sthome.org, http://plex.sthome.org, http://plex.sthome.org:32400
+#   The only access not working is phone with WiFi enabled
+
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      #
+      # tcp routers
+      # ------------
+      # tcp: port 32400
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.entrypoints=plex"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.rule=HostSNI(`${APP_NAME}.${DOMAINNAME}`) || HostSNI(`10.0.0.61`)"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.tls=true"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.tls.passthrough=true"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.tls.certresolver=sthomeresolver"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.tls.domains[0].main=${DOMAINNAME}"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.tls.domains[0].sans=${APP_NAME}.${DOMAINNAME}"
+      #
+      # http routers
+      # ------------
+      # http://appname.domainname:32400
+      - "traefik.http.routers.${APP_NAME}-rem.entrypoints=plex"
+      - "traefik.http.routers.${APP_NAME}-rem.rule=Host(`${APP_NAME}.${DOMAINNAME}`) || Host(`10.0.0.61`)"
+      # http://appname.domainname:80/
+      - "traefik.http.routers.${APP_NAME}.entrypoints=web"
+      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_NAME}.${DOMAINNAME}`) || Host(`10.0.0.61`)"
+      # https://appname.domainname:443/
+      - "traefik.http.routers.${APP_NAME}-secure.entrypoints=websecure"
+      - "traefik.http.routers.${APP_NAME}-secure.rule=Host(`${APP_NAME}.${DOMAINNAME}`) || Host(`10.0.0.61`)"
+      - "traefik.http.routers.${APP_NAME}-secure.tls=true"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].main=${DOMAINNAME}"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].sans=${APP_NAME}.${DOMAINNAME}"
+      #
+      # http middlewares
+      # ----------------
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APP_NAME}-svc.loadbalancer.server.port=${PORT}"   
+      #
+      # tcp services
+      # -------------
+      - "traefik.tcp.services.${APP_NAME}-tcp-svc.loadbalancer.server.port=${PORT}"
+      #
+      # assign middlewares to routers
+      # -----------------------------
+      - "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-https-redirect"
+      - "traefik.http.routers.${APP_NAME}-rem.middlewares=${APP_NAME}-https-redirect"
+      #
+      # assign svc to routers
+      # ---------------------
+      - "traefik.http.routers.${APP_NAME}-secure.service=${APP_NAME}-svc"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.service=${APP_NAME}-tcp-svc"  
+      
+# ===========================================================================
+# CONFIG 12: Same as CONFIG 11 but with prefixes added to http routers
+# ---------------------------------------------------------------------------
+#   Local plex app working; but dashboard not showing movies currently playing
+#   Plex web UI works ok; dashboard displays the movies being currently streamed
+#   Remote access from outside ok, movies play; tested with phone with WiFi disabled, working; not working with WiFi enabled
+#   Custom server access URLs: https://plex.sthome.org, http://plex.sthome.org, http://plex.sthome.org:32400
+#   The only access not working is phone with WiFi enabled. However, it works if hairpin / NAT Loopback is enabled on router.
+#   If WebUI does not work, try accessing plex with ipaddr:32400 (insecure) or ipconfig /flushdns and close / open browser
+#   Exact same performance as CONFIG 11 with just prefixes added. With hairpin  / NAT Loopback enabled, everything works, as explaind above, WebUI might give issues initially.
+#
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      #
+      # tcp routers
+      # ------------
+      # tcp: port 32400
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.entrypoints=plex"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.rule=HostSNI(`${APP_NAME}.${DOMAINNAME}`) || HostSNI(`10.0.0.61`)"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.tls=true"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.tls.passthrough=true"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.tls.certresolver=sthomeresolver"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.tls.domains[0].main=${DOMAINNAME}"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.tls.domains[0].sans=*.${DOMAINNAME}, ${APP_NAME}.${DOMAINNAME}"
+      #
+      # http routers
+      # ------------
+      # http://appname.domainname:32400
+      - "traefik.http.routers.${APP_NAME}-rem.entrypoints=plex"
+      - "traefik.http.routers.${APP_NAME}-rem.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      # http://appname.domainname:80/
+      - "traefik.http.routers.${APP_NAME}.entrypoints=web"
+      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      # https://appname.domainname:443/
+      - "traefik.http.routers.${APP_NAME}-secure.entrypoints=websecure"
+      - "traefik.http.routers.${APP_NAME}-secure.rule=Host(`${APP_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`10.0.0.61`)"
+      - "traefik.http.routers.${APP_NAME}-secure.tls=true"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.certresolver=sthomeresolver"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].main=${DOMAINNAME}"
+      - "traefik.http.routers.${APP_NAME}-secure.tls.domains[0].sans=${APP_NAME}.${DOMAINNAME}"
+      #
+      # http middlewares
+      # ----------------
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APP_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APP_NAME}-svc.loadbalancer.server.port=${PORT}"   
+      #
+      # tcp services
+      # -------------
+      - "traefik.tcp.services.${APP_NAME}-tcp-svc.loadbalancer.server.port=${PORT}"
+      #
+      # assign middlewares to routers
+      # -----------------------------
+      - "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-https-redirect"
+      - "traefik.http.routers.${APP_NAME}-rem.middlewares=${APP_NAME}-https-redirect"
+      #
+      # assign svc to routers
+      # ---------------------
+      - "traefik.http.routers.${APP_NAME}-secure.service=${APP_NAME}-svc"
+      - "traefik.tcp.routers.${APP_NAME}-tcp-secure.service=${APP_NAME}-tcp-svc"   
\ No newline at end of file
diff --git a/plex/plex_jm.txt b/plex/plex_jm.txt
new file mode 100644
index 0000000..c3176c2
--- /dev/null
+++ b/plex/plex_jm.txt
@@ -0,0 +1,155 @@
+https://github.com/plexinc/pms-docker
+https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html
+https://docs.docker.com/compose/how-tos/gpu-support/
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: plex
+Username: plex
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <unselect>
+Primary Group: media
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+plex UID: 3015
+media GID: 3017
+
+If not done already, add mapping for media on container config
+--------------------------------------------------------------
+In this example: the folder where media is stored is /mnt/stpool1/NData1/Media
+On Truenas shell:
+jlmkr edit docker
+Add the following args to "systemd_nspawn_user_args": 
+--bind='/mnt/stpool1/NData1/Media:/mnt/media'
+
+If not done already, set ACL permissions for media to be accessible by media group
+----------------------------------------------------------------------------------
+On Truenas shell:
+# read and note acl entries
+getfacl /mnt/stpool1/NData1
+getfacl /mnt/stpool1/NData1/Media
+# set read and execute permissions for media group on parent folder
+setfacl -m g:media:5 /mnt/stpool1/NData1
+# set full permissions for media group on Media folder recursively
+setfacl -R -m g:media:7 /mnt/stpool1/NData1/Media
+# modify defaults recursively
+setfacl -R -d -m g:media:7 /mnt/stpool1/NData1/Media
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+
+set ACL permissions for custom certificates
+--------------------------------------------
+# On Truenas shell:
+# read and note acl entries
+getfacl /mnt/SSD1/docker/data/traefik/certs
+# change owner and group if not traefik
+chown -R traefik:traefik /mnt/SSD1/docker/data/traefik/certs  
+# set access permissions to 750
+chmod -R 750 /mnt/SSD1/docker/data/traefik/certs
+# modify for media group recursively
+setfacl -R -m g:media:4 /mnt/SSD1/docker/data/traefik/certs  
+# modify defaults recursively
+setfacl -R -d -m g:media:4 /mnt/SSD1/docker/data/traefik/certs  
+
+Create datasets
+---------------
+/mnt/SSD1/docker/data/plex
+/mnt/SSD1/docker/data/plex/config
+Set Owner:Group to plex:plex
+
+Copy folder to docker stacks
+----------------------------
+In Windows cmd shell in plex folder, enter:
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/plex/
+This should copy compose.yaml, .env and secrets to /mnt/SSD1/docker/stacks/plex
+
+Create data folders
+-------------------
+mkdir /mnt/data/plex/config
+mkdir /mnt/data/plex/transcodes
+cd /mnt/data/plex
+
+Create secrets
+--------------
+Visit https://www.plex.tv/claim/ and get your plex claim which will expire in 4 minutes
+cd /opt/stacks/plex/secrets
+echo -n 'claim-b6UNdeGsjjMz4tRADKfB' > plex_claim  # this one is expired
+chown 3015:3014 plex_claim
+chmod 400 plex_claim
+Update and start your plex container within the 4 minutes
+
+Create plex custom cert
+-----------------------
+openssl pkcs12 -export -out plex_cert.p12 -in plex.pem -inkey plex-key.pem -certfile plex.pem -passout stdin -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256
+# enter the password directly after executing above
+# if secruity is not an issue, the password can be specified on the command line as follows:
+openssl pkcs12 -export -out plex_cert.p12 -in plex.pem -inkey plex-key.pem -certfile plex.pem -passout pass:'password' -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256
+
+Migrating data from old plex media server (source) to newly installed one (target)
+----------------------------------------------------------------------------------
+# Stop old/source plex media server
+heavyscript app --stop plex
+# Stop new/target plex media server
+# On Dockge, select plex and click stop
+# Copy the source Library to target folder:
+cp -r /mnt/stpool1/apps/plex/Library /mnt/SSD1/docker/data/plex/config/
+# Change ownership of copied folders
+chown -R plex:media /mnt/stpool1/apps/plex/Library /mnt/SSD1/docker/data/plex/config/
+
+Managing library files
+----------------------
+Try and keep the mount folders for the media the same as that of the old media server
+However, if you choose to have a different mount:
+For example,
+If the old media server mapped to /Media and the new one now maps to /data, then you will have to modify the media folders in plex settings to reflect the new mount.
+Open plex, click on the spanner/wrench and select Manage->Libraries
+Go through all the libraries items, adding new media folders and removing those that were replaced
+This may take some time (depends on library size)
+
+Check and update custom server access URLs in Plex
+--------------------------------------------------
+Open Plex web app using browser on plex server
+Click on wrench/spanner, navigate to your home server name -> Settings -> Network
+Scroll down to Enable Relay checkbox, and uncheck it (you can check it again after getting remote access to work)
+Check entries in Custom server access URLs textbox
+Update the settings to reflect new server ip address and URL; and ensure there is a URL for https://plex.sthome.org:443
+https://plex.sthome.org,http://plex.sthome.org,http://plex.sthome.org:32400
+Click on Save Changes
+Still under Settings, click on Remote Access
+Click on Enable Remote Access
+Put check mark in Manually specify public port and enter 443 (traefik will map this to 32400)
+Click on Retry
+Restart plex container for good measure
+Go previous Settings -> Remote Access screen
+Click on Retry
+The server should briefly be connected
+Open Plex Windows or Android App and check if it works
+
+Hardware accelleration (nVidia)
+-------------------------------
+# install nvidia-container-toolkit; in docker shell:
+curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | sudo gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg \
+  && curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
+    sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \
+    sudo tee /etc/apt/sources.list.d/nvidia-container-toolkit.list
+apt-get update
+apt-get install -y nvidia-container-toolkit
+nvidia-ctk runtime configure --runtime=docker
+systemctl restart docker
+
+Troubleshooting
+---------------
+Android not connecting to server
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Open plex app
+Sign out from your account
+Sign in entering plex account credentials
+See if it works
+
+Transcoding: plex client fails with "An unknown error occurred (4294967283)"
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
diff --git a/plex/stacks/.env b/plex/stacks/.env
new file mode 100644
index 0000000..28a4e50
--- /dev/null
+++ b/plex/stacks/.env
@@ -0,0 +1,19 @@
+##############################################################################################
+# Values to be used for substitution by docker compose in compose.yml AND .*.env files
+##############################################################################################
+
+APPLICATION_NAME=plex
+
+DOCKERDIR=/mnt/SSD1/docker
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CERTSDIR=${DATAROOT}/traefik/certs
+
+SERVICE_PORT=32400
+DOMAINNAME=sthome.org
+
+
diff --git a/plex/stacks/.plex.env b/plex/stacks/.plex.env
new file mode 100644
index 0000000..cf814a8
--- /dev/null
+++ b/plex/stacks/.plex.env
@@ -0,0 +1,33 @@
+
+##############################################################################################
+# Environment variables for plex
+##############################################################################################
+
+PUID=3015
+PGID=3017
+PLEX_UID=3015 
+PLEX_GID=3017
+TZ=Africa/Johannesburg
+
+ADVERTISE_IP=https://plex.sthome.org
+
+LOCAL_IPS=127.0.0.1/32,10.0.0.0/20,192.168.2.0/24,10.255.224.0/20
+
+# Valid settings for VERSION are:-
+# docker: Let Docker handle the Plex Version, we keep our Dockerhub Endpoint up to date with the latest public builds. This is the same as leaving this setting out of your create command.
+# latest: will update plex to the latest version available that you are entitled to.
+# public: will update plexpass users to the latest public version, useful for plexpass users that don't want to be on the bleeding edge but still want the latest public updates.
+# <specific-version>: will select a specific version (eg 0.9.12.4.1192-9a47d21) of plex to install, note you cannot use this to access plexpass versions if you do not have plexpass.
+VERSION=docker
+
+
+# set to: all or UUID / to get UUID use nvidia-smi --query-gpu=gpu_name,gpu_uuid --format=csv
+NVIDIA_VISIBLE_DEVICES=all # "GPU-b9bf37c1-f8c9-201c-3456-0aa35381be42"
+
+
+# Visit https://www.plex.tv/claim/ and get your plex claim which will expire in 4 minutes
+# save in plex_claim file in SECRETSDIR and start plex media server app before expiration period ends
+PLEX_CLAIM=file:///run/secrets/plex_claim
+
+
+
diff --git a/plex/stacks/compose.yml b/plex/stacks/compose.yml
new file mode 100644
index 0000000..51ac776
--- /dev/null
+++ b/plex/stacks/compose.yml
@@ -0,0 +1,99 @@
+# See .static-ips.yml for static ip addresses
+
+name: plex
+
+networks:
+  traefik-net:
+    external: true
+
+secrets:
+  plex_claim:
+    file: ${SECRETSDIR}/plex_claim
+
+services:
+  plex:
+    image: lscr.io/linuxserver/plex:latest
+    restart: unless-stopped
+    env_file: .plex.env
+    hostname: plex
+    secrets:
+      - plex_claim
+    # this deploy section requires the installation of the nvidia-container-toolkit; comment out if the toolkit is not installed
+    deploy:
+      resources:
+        reservations:
+          devices:
+            - driver: nvidia
+              #count: 1
+              device_ids:
+                - "GPU-b9bf37c1-f8c9-201c-3456-0aa35381be42"
+              capabilities: [gpu]
+    volumes:
+      - "${DATADIR}/config:/config"
+      - "${DATADIR}/transcodes:/transcode"
+      - "${CERTSDIR}:/certs"
+      - "${MEDIADIR}:/data"
+    networks:
+      - traefik-net
+#   Set plex network custom server access URLs setting to: https://plex.sthome.org,http://plex.sthome.org,http://plex.sthome.org:32400,http://10.0.0.61:32400
+#   Enable hairpin / NAT Loopback at NAT setting for plex on router
+#   Use ipaddr:32400 for WebUI access (insecure) / perform ipconfig /flushdns and restart browser 
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # tcp service
+      # -----------
+      - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc.loadbalancer.server.port=${SERVICE_PORT}"
+      #
+      # http service
+      # ------------
+      - "traefik.http.services.${APPLICATION_NAME}-http-svc.loadbalancer.server.port=${SERVICE_PORT}"
+      #
+      # tcp routers
+      # -----------
+      # limit router to plex ":32400" entrypoint
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr.entrypoints=plex"
+      # set match criteria for router, since this is not tls, header might not contain hostsni field; we're forced to use wildcard
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr.rule=HostSNI(`*`)"
+      # assign svc target to router
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr.service=${APPLICATION_NAME}-tcp-svc" 
+      #
+      # limit router to plex ":32400" entrypoint
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.entrypoints=plex"
+      # set match criteria for router
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.rule=HostSNI(`${APPLICATION_NAME}.${DOMAINNAME}`)"
+      # set router to be dedicated to secure requests only for the hosts specified in match criteria
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls=true"
+      # forward requests "as is" keeping all data encrypted.
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.passthrough=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.options=tls-options@file"
+      # generate certificates using following certresolver
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.certresolver=solver-dns"
+      # assign svc target to router
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.service=${APPLICATION_NAME}-tcp-svc" 
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" and plex ":32400" entrypoints
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=plex, web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach secure headers middlewares
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-redirect@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-http-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders@file"
+      # set router to be dedicated to secure requests only for the hosts specified in match criteria
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-http-svc"
diff --git a/prometheus/cp2nas.ps1 b/prometheus/cp2nas.ps1
new file mode 100644
index 0000000..6778989
--- /dev/null
+++ b/prometheus/cp2nas.ps1
@@ -0,0 +1,57 @@
+############### MAIN ###############
+$Main =
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        [Parameter(Mandatory=$false)]
+        [string[]] $apps
+    )
+    If($PSBoundParameters.ContainsKey("apps")) {
+        foreach ($appname in $apps)
+        {
+            copyfolder $destHost "$appname\stacks" $appname
+        }
+    }
+    else {
+        $appname="$pwd".Split("\\")[-1]
+        copyfolder $destHost "stacks" $appname
+    }
+}
+
+###################################
+Function copyfolder
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $srcdir,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $appname
+    )
+    if (-Not(Test-Path -Path $srcdir)) {
+        Write-Host "Source path doesn't exist: ""$PSScriptRoot\$srcdir\*.*"". No files copied!"  -ForegroundColor Red
+        Write-Host "Usage: in app folder       : ./cp2nas DEST|IP"
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP app1, app2, app3, ..."
+        return
+    }
+    $destStacks="/mnt/SSD1/docker/stacks/"
+    $destDir=$destStacks+$appname+"/"
+    Write-Host "pscp -P 22 -r ""$srcdir\*.*"" root@${destHost}:""${destDir}""" -ForegroundColor Green
+    Write-Host "Copying to ${destHost}:""${destStacks}" -NoNewline 
+    Write-Host "${appname}/" -ForegroundColor DarkYellow  -NoNewline 
+    Write-Host """:"
+    pscp -P 22 -r "$srcdir\*.*" root@${destHost}:""${destDir}""
+}
+
+###################################
+& $Main @Args
\ No newline at end of file
diff --git a/prometheus/data/config/prometheus.yml b/prometheus/data/config/prometheus.yml
new file mode 100644
index 0000000..0612bba
--- /dev/null
+++ b/prometheus/data/config/prometheus.yml
@@ -0,0 +1,65 @@
+global:
+  scrape_interval: 15s
+  scrape_timeout: 10s
+  evaluation_interval: 15s
+  
+alerting:
+  alertmanagers:
+    - static_configs:
+      - targets: 
+        - alert-manager:9093
+      scheme: http
+      timeout: 10s
+      api_version: v2
+      
+scrape_configs:
+
+# grafana dashboard id: 159
+  - job_name: prometheus
+    honor_timestamps: true
+    scrape_interval: 15s
+    scrape_timeout: 10s
+    metrics_path: /metrics
+    scheme: http
+    static_configs:
+      - targets:
+        - prometheus:9090
+
+# wg-easy current production version does not support metrics (2024/12)
+## grafana dashboard id: 21733
+#  - job_name: wg-easy 
+##    #basic_auth:
+###    #  username: wgpw
+###    #  password: 
+###    #  password_file:
+###    scheme: http
+###    static_configs:
+##      - targets:
+#        - wg-easy:51821
+
+# grafana dashboard id: 17346
+  - job_name: traefik 
+    #scheme: https
+    static_configs:
+      - targets:
+        - traefik:8082
+
+# grafana dashboard id: 14282
+  - job_name: cadvisor
+    scrape_interval: 300s
+    scrape_timeout: 55s
+    static_configs:
+      - targets:
+        - cadvisor:8080
+        
+# grafana dashboard id: 1860
+  - job_name: node
+    static_configs:
+      - targets:
+        - node-exporter:9100
+
+# grafana dashboard id: 18226
+  - job_name: frigate
+    static_configs:
+      - targets:
+        - frigate-exporter:9200
diff --git a/prometheus/data/config/rules.yml b/prometheus/data/config/rules.yml
new file mode 100644
index 0000000..81e4c0e
--- /dev/null
+++ b/prometheus/data/config/rules.yml
@@ -0,0 +1,6 @@
+groups:
+ - name: example
+   rules:
+   - alert: InstanceDown
+     expr: up == 0
+     for: 1m
\ No newline at end of file
diff --git a/prometheus/prometheus_jm.txt b/prometheus/prometheus_jm.txt
new file mode 100644
index 0000000..7e1b636
--- /dev/null
+++ b/prometheus/prometheus_jm.txt
@@ -0,0 +1,77 @@
+# https://mxulises.medium.com/simple-prometheus-setup-on-docker-compose-f702d5f98579
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: prometheus
+Username: prometh
+Disable Password: <selected>
+Email:
+UID: 3021
+Create New Primary Group: <selected>
+Create Home Directory: <unchecked>
+Samba Authentication: <unchecked>
+Save
+Check Credentials -> Local Groups for GID
+Name: prometh
+GID: 3020
+
+prometh UID: 3021
+prometh GID: 3020
+
+Create datasets
+---------------
+/mnt/SSD1/docker/data/prometheus  ; set Owner:Group to prometheus:prometheus
+/mnt/SSD1/docker/data/prometheus/config  ; set Owner:Group to prometheus:prometheus
+/mnt/SSD1/docker/data/prometheus/appdata  ; set Owner:Group to prometheus:prometheus
+/mnt/SSD1/docker/data/prometheus/alertmgr  ; set Owner:Group to prometheus:prometheus
+
+Create folder
+-------------
+mkdir /mnt/SSD1/docker/stacks/prometheus
+
+Create secrets
+--------------
+# In docker shell:
+cd /opt/stacks/prometheus/secrets
+# generate password hash and convert $ in hash to $$; password must be surrounded by single quotes
+echo $(htpasswd -nB admin) 
+# Remove the single quotes from the generated hash and copy the result to local stacks\.env file
+# Repeat the above for the prometheus metrics password
+
+Creating user password hash strings for user authorisation using traefik basic-auth
+-----------------------------------------------------------------------------------
+# If not installed, install htpasswd:
+jlmkr shell docker
+apt update & apt install apache2-utils
+# The user credentials can be applied as a label entry in the compose.yml file or as a line entry in a text file
+# When used as a label entry, all '$' needs to be escaped with a second '$'; sed can be used for this purpose:
+# To create user list textfile line item
+echo $(htpasswd -nB admin)
+# To create string to be used in compose file label 
+echo $(htpasswd -nB admin) | sed -e s/\\$/\\$\\$/g
+# See traefik_jm.txt for more detailed instructions
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in prometheus folder, enter:
+./cp2nas 10.0.0.20
+# OR
+pscp -P 22 -r stacks/*.* root@10.0.0.20:/mnt/SSD1/docker/stacks/prometheus/
+# The above should copy compose.yaml and .env to /mnt/SSD1/docker/stacks/prometheus
+
+Prometheus exporters
+--------------------
+https://github.com/bairhys/prometheus-frigate-exporter
+
+Troubleshooting
+---------------
+Config file
+~~~~~~~~~~~
+# Check for errors in config file with the following command:
+docker exec prometheus-prometheus-1 promtool check config /etc/prometheus/prometheus.yml
+# note that "prometheus-prometheus-1" is the prometheus container name
+
+Endpoints
+~~~~~~~~~
+# Open "https://prometheus.sthome.org/targets" in browser to check whether endpoints are up
diff --git a/prometheus/stacks/.env b/prometheus/stacks/.env
new file mode 100644
index 0000000..671e1af
--- /dev/null
+++ b/prometheus/stacks/.env
@@ -0,0 +1,20 @@
+################################################################
+APPLICATION_NAME=prometheus
+
+DOCKERDIR=/mnt/SSD1/docker/
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CERTSDIR=${DATAROOT}/traefik/certs
+
+PUID=3021
+PGID=3020
+DOMAINNAME=sthome.org
+
+################################################################
+
+WEBUI_PORT=9090
+
+
diff --git a/prometheus/stacks/alertmanager/alertmanager.yml b/prometheus/stacks/alertmanager/alertmanager.yml
new file mode 100644
index 0000000..d6ca599
--- /dev/null
+++ b/prometheus/stacks/alertmanager/alertmanager.yml
@@ -0,0 +1,19 @@
+global:
+  smtp_smarthost: 'smtp.telkomsa.net:25'
+  smtp_from: 'alertmanager@sthome.org'
+  smtp_auth_username: 'stuurman30@telkomsa.net'
+  smtp_auth_password: "UltraM3!2024#"
+  
+route:
+  receiver: 'mail'
+  repeat_interval: 4h
+  group_by: [alertname]
+  
+receivers:
+ - name: 'mail'
+   email_configs:
+     - smarthost: 'smtp.telkomsa.net:25'
+       auth_username: 'stuurman30@telkomsa.net'
+       auth_password: "UltraM3!2024#"
+       from: 'alertmanager@sthome.org'
+       to: 'stuurmcp@telkomsa.net'
\ No newline at end of file
diff --git a/prometheus/stacks/compose.yml b/prometheus/stacks/compose.yml
new file mode 100644
index 0000000..d29d80f
--- /dev/null
+++ b/prometheus/stacks/compose.yml
@@ -0,0 +1,134 @@
+
+name: prometheus
+
+secrets:
+  prometheus_metrics_password:
+    file: ${STACKSDIR}/secrets/prometheus_metrics_password
+
+networks:
+  backend:
+    name: prometheus-net
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 10.255.223.0/27 # Range: 10.255.223.1 - 10.255.223.30
+    driver_opts:
+      com.docker.network.bridge.name: "br-prometheus"
+    internal: true
+
+  traefik-net:
+    external: true
+
+services:
+  prometheus:
+    image: prom/prometheus:latest #v2.54.1
+    command:
+      - '--config.file=/etc/prometheus/prometheus.yml'
+    networks:
+      - traefik-net
+      - backend
+    restart: unless-stopped
+    user: "${PUID}:${PGID}"
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+      - "${DATADIR}/config:/etc/prometheus"
+      - "${DATADIR}/appdata:/prometheus"
+    secrets:
+      - prometheus_metrics_password
+    environment:
+      - PROMETHEUS_METRICS_PASSWORD
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # http service
+      # ------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http middlewares
+      # ----------------
+      - "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
+      #
+      # http routers
+      # ------------
+      # http://appname.domainname/
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      # https://appname.domainname/
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+      # https://appname.domainname/-/healthy  (for status check)
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-status-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-status-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/-/healthy`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-status-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-status-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-status-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-status-rtr.tls.certresolver=solver-dns"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-status-rtr.service=${APPLICATION_NAME}-svc"
+
+  node-exporter:
+    image: prom/node-exporter:v1.8.2
+    hostname: node-exporter
+    networks:
+      - backend
+    ports:
+      - 9100:9100
+    restart: unless-stopped
+
+  alert-manager:
+    image: prom/alertmanager:v0.27.0
+    command: --config.file=/config/alertmanager.yml # --log.level=debug
+    volumes:
+      - "${STACKSDIR}/alertmanager:/config"
+      - "${DATADIR}/alertmgr:/data"
+    networks:
+      - backend
+    ports:
+      - 9093:9093
+    restart: unless-stopped
+
+# to enable profiling of cadvisor
+# https://github.com/google/cadvisor/issues/2523
+# iwankgb
+# add argument -profiling to your cadvisor invocation and navigate to IP:PORT/debug/pprof/profile?seconds=300. It will generate profile for 300 seconds of cAdvisor execution. After 300 seconds a file will be sent to you - download it and then navigate to the directory where the file is saved and execute: go tool pprof profile (profile is default name for the downloaded file). It will open profiling console. Type web and hit enter. After some time a browser should be opened on your system and you should execution profile for your instance.
+# http://docker.sthome.org:8080/debug/pprof/profile?seconds=300 to get results   
+  cadvisor:
+    image: gcr.io/cadvisor/cadvisor:v0.49.1
+#    command: -profiling # setting for profiling cadvisor
+    volumes:
+      - /:/rootfs:ro
+      - /var/run:/var/run:ro
+      - /sys:/sys:ro
+      - /var/lib/docker/:/var/lib/docker:ro
+      - /dev/disk/:/dev/disk:ro
+    privileged: true
+    devices:
+      - /dev/kmsg
+    networks:
+      - backend
+#      - traefik-net # setting for profiling cadvisor
+    ports:
+      - 8080:8080
+    restart: unless-stopped
+
+  frigate-exporter: 
+    image: rhysbailey/prometheus-frigate-exporter
+    hostname: frigate-exporter
+    restart: unless-stopped
+    networks:
+      - traefik-net  # to reach frigate externally
+      - backend
+    ports:
+      - 10.255.223.1:9200:9200  # restrict the port to backend network
+    environment:
+      - PORT=9200
+      - FRIGATE_STATS_URL=http://10.0.0.51:5000/api/stats
diff --git a/prometheus/traefik-users/prometheus.txt b/prometheus/traefik-users/prometheus.txt
new file mode 100644
index 0000000..a5462c1
--- /dev/null
+++ b/prometheus/traefik-users/prometheus.txt
@@ -0,0 +1,4 @@
+grafana:$2y$05$r6bSihiBh.xKWV5FPP9yPunhIr0t.cavZqq2Ghsl6TEGKbXDXk6qy
+admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
+chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
+Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
\ No newline at end of file
diff --git a/root/root_jm.txt b/root/root_jm.txt
new file mode 100644
index 0000000..01ef803
--- /dev/null
+++ b/root/root_jm.txt
@@ -0,0 +1,133 @@
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: rootappapp
+Username: rootappapp
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <unselect>
+Primary Group: rootapp
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+rootapp UID: 3050
+rootapp GID: 3049
+
+If not done already, add mapping for media on container config
+--------------------------------------------------------------
+In this example: the folder where media is stored is /mnt/stpool1/NData1/Media
+On Truenas shell:
+jlmkr edit docker
+Add the following args to "systemd_nspawn_user_args": 
+--bind='/mnt/stpool1/NData1/Media:/mnt/media'
+
+If not done already, set ACL permissions for media to be accessible by media group
+----------------------------------------------------------------------------------
+On Truenas shell:
+# read and note acl entries
+getfacl /mnt/stpool1/NData1
+getfacl /mnt/stpool1/NData1/Media
+# set read and execute permissions for media group on parent folder
+setfacl -m g:media:5 /mnt/stpool1/NData1
+# set full permissions for media group on Media folder recursively
+setfacl -R -m g:media:7 /mnt/stpool1/NData1/Media
+# modify defaults recursively
+setfacl -R -d -m g:media:7 /mnt/stpool1/NData1/Media
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+
+set ACL permissions for custom certificcates
+--------------------------------------------
+# On Truenas shell:
+# read and note acl entries
+getfacl /mnt/SSD1/docker/data/traefik/certs
+# change owner and group if not traefik
+chown -R traefik:traefik /mnt/SSD1/docker/data/traefik/certs  
+# set access permissions to 750
+chmod -R 750 /mnt/SSD1/docker/data/traefik/certs
+# modify for media group recursively
+setfacl -R -m g:media:4 /mnt/SSD1/docker/data/traefik/certs  
+# modify defaults recursively
+setfacl -R -d -m g:media:4 /mnt/SSD1/docker/data/traefik/certs  
+
+Create datasets
+---------------
+/mnt/SSD1/docker/data/rootapp
+/mnt/SSD1/docker/data/rootapp/config
+Set Owner:Group to rootapp:rootapp
+
+Copy folder to docker stacks
+----------------------------
+In Windows cmd shell in rootapp folder, enter:
+pscp -P 22 -r stacks/*.* rootapp@192.168.2.2:/mnt/SSD1/docker/stacks/rootapp/
+This should copy compose.yaml, .env and secrets to /mnt/SSD1/docker/stacks/rootapp
+
+Create data folders
+-------------------
+mkdir /mnt/data/rootapp/config
+mkdir /mnt/data/rootapp/transcodes
+cd /mnt/data/rootapp
+
+Create secrets
+--------------
+Visit https://www.rootapp.tv/claim/ and get your rootapp claim which will expire in 4 minutes
+cd /opt/stacks/rootapp/secrets
+echo -n 'claim-b6UNdeGsjjMz4tRADKfB' > rootapp_claim  # this one is expired
+chown 3015:3014 rootapp_claim
+chmod 400 rootapp_claim
+Update and start your rootapp container within the 4 minutes
+
+Create rootapp custom cert
+-----------------------
+openssl pkcs12 -export -out rootapp_cert.p12 -in rootapp.pem -inkey rootapp-key.pem -certfile rootapp.pem -passout pass:'password' -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256
+
+Migrating data from old rootapp media server (source) to newly installed one (target)
+----------------------------------------------------------------------------------
+Stop old/source rootapp media server
+heavyscript app --stop rootapp
+
+Stop new/target rootapp media server
+On Dockge, select rootapp and click stop
+Copy the source Library to target folder:
+cp -r /mnt/stpool1/apps/rootapp/Library /mnt/SSD1/docker/data/rootapp/config/
+
+Managing library files
+----------------------
+Try and keep the mount folders for the media the same as that of the old media server
+However, if you choose to have a different mount:
+For example,
+If the old media server mapped to /Media and the new one now maps to /data, then you will have to modify the media folders in rootapp settings to reflect the new mount.
+Open rootapp, click on the spanner/wrench and select Manage->Libraries
+Go through all the libraries items, adding new media folders and removing those that were replaced
+This may take some time (depends on library size)
+
+Check and update custom server access URLs in rootapp
+--------------------------------------------------
+Open rootapp web app using browser on rootapp server
+Click on wrench/spanner, navigate to your home server name -> Settings -> Network
+Scroll down to Enable Relay checkbox, and uncheck it (you can check it again after getting remote access to work)
+Check entries in Custom server access URLs textbox
+Update the settings to reflect new server ip address and URL; and ensure there is a URL for https://rootapp.sthome.org:443
+https://rootapp.sthome.org,http://rootapp.sthome.org,http://rootapp.sthome.org:32400
+Click on Save Changes
+Still under Settings, click on Remote Access
+Click on Enable Remote Access
+Put check mark in Manually specify public port and enter 443 (traefik will map this to 32400)
+Click on Retry
+Restart rootapp container for good measure
+Go previous Settings -> Remote Access screen
+Click on Retry
+The server should briefly be connected
+Open rootapp Windows or Android App and check if it works
+
+Troubleshooting
+---------------
+Android not connecting to server
+Open rootapp app
+Sign out from your account
+Sign in entering rootapp account credentials
+See if it works
+
+
+
diff --git a/root/stacks/.env b/root/stacks/.env
new file mode 100644
index 0000000..0018f41
--- /dev/null
+++ b/root/stacks/.env
@@ -0,0 +1,19 @@
+# https://hub.docker.com/r/rootproject/root
+
+APPLICATION_NAME=root
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOWNLOADSDIR=/mnt/stpool1/Downloads
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+PUID=3050
+PGID=3049 
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+WEBUI_PORT=80
+
diff --git a/root/stacks/.root.env b/root/stacks/.root.env
new file mode 100644
index 0000000..fc2ffbd
--- /dev/null
+++ b/root/stacks/.root.env
@@ -0,0 +1,6 @@
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+
+
diff --git a/root/stacks/compose.yml b/root/stacks/compose.yml
new file mode 100644
index 0000000..4938541
--- /dev/null
+++ b/root/stacks/compose.yml
@@ -0,0 +1,49 @@
+# https://hub.docker.com/r/rootproject/root
+
+name: root
+
+networks:
+  traefik-net:
+    external: true
+    
+services:
+  root:
+    image: lscr.io/linuxserver/root:latest
+    container_name: "${APPLICATION_NAME}"
+    networks:
+      - traefik-net
+    environment:
+      - PUID
+      - PGID
+      - TZ
+    volumes:
+      - "${DATADIR}/config:/config"
+
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # http service
+      # ------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/sftpgo/sftpgo-tcp-svc.yml b/sftpgo/sftpgo-tcp-svc.yml
new file mode 100644
index 0000000..4109b3f
--- /dev/null
+++ b/sftpgo/sftpgo-tcp-svc.yml
@@ -0,0 +1,45 @@
+# sftpgo - multiple ports per service
+
+tcp:
+  routers:
+    sftpgo-tcp-rtr:
+      entrypoints:
+        - "sftp1"
+      rule: "HostSNI(`*`)"
+      service: "sftpgo-tcp-svc"
+      
+  services:
+    sftpgo-tcp-svc:
+#      weighted:
+#        services:
+#        - name: sftpgo-tcp-svc1
+#          weight: 1
+#        - name: sftpgo-tcp-svc2
+#          weight: 2
+#          
+#    sftpgo-tcp-svc1:  
+#      loadBalancer:
+#        servers:
+#        - address: "sftpgo:2022"
+#        - address: "sftpgo:2023"
+#        - address: "sftpgo:2024"
+#        - address: "sftpgo:2025"
+#
+#    sftpgo-tcp-svc2:
+#      loadBalancer:
+#        servers:    
+#        - address: "sftpgo:2026"
+#        - address: "sftpgo:2027"
+#        - address: "sftpgo:2028"
+#        - address: "sftpgo:2029"
+      loadBalancer:
+        servers:
+         - address: "sftpgo:2022"
+         - address: "sftpgo:2023"
+         - address: "sftpgo:2024"
+         - address: "sftpgo:2025"
+         - address: "sftpgo:2026"
+         - address: "sftpgo:2027"
+         - address: "sftpgo:2028"
+         - address: "sftpgo:2029"
+        passHostHeader: true
\ No newline at end of file
diff --git a/sftpgo/sftpgo_jm.txt b/sftpgo/sftpgo_jm.txt
new file mode 100644
index 0000000..7e53cfc
--- /dev/null
+++ b/sftpgo/sftpgo_jm.txt
@@ -0,0 +1,93 @@
+# https://www.youtube.com/watch?v=Bql1JCVFw4k&t=194s
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: sftpgo
+Username: sftpgo
+Disable Password: <select>
+Email: <leave blank>
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+sftpgo UID: 3065
+sftpgo GID: 3066
+media GID:3017
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*sftpgo"
+# create following dataset if not present
+zfs create SSD1/docker/data/sftpgo
+zfs create SSD1/docker/data/sftpgo/config
+zfs create SSD1/docker/data/sftpgo/appdata
+zfs create SSD1/docker/data/sftpgo/logs
+zfs create SSD1/docker/data/sftpgo/certs
+zfs create SSD1/docker/data/sftpgo/credentials
+zfs create SSD1/docker/data/sftpgo/webroot
+zfs create SSD1/docker/data/sftpgo/pgdata
+zfs create SSD1/docker/data/sftpgo/pgbackups
+chmod -R 750 /mnt/SSD1/docker/data/sftpgo
+chmod -R 700 /mnt/SSD1/docker/data/sftpgo/config
+chmod -R 700 /mnt/SSD1/docker/data/sftpgo/certs
+chmod -R 700 /mnt/SSD1/docker/data/sftpgo/credentials
+chmod -R 700 /mnt/SSD1/docker/data/sftpgo/webroot
+chown -R sftpgo:sftpgo /mnt/SSD1/docker/data/sftpgo
+chown -R postgres:postgres /mnt/SSD1/docker/data/sftpgo/pgdata
+chown -R postgres:postgres /mnt/SSD1/docker/data/sftpgo/pgbackups
+
+
+Create folders
+--------------
+mkdir -p /mnt/SSD1/docker/stacks/sftpgo/secrets
+mkdir /mnt/stpool1/NData2/backups/sftpgo
+mkdir /mnt/stpool1/NData1/Media/uploads
+mkdir /mnt/SSD1/docker/data/sftpgo/webroot/sftpgo.com
+chown -R sftpgo:media /mnt/stpool1/NData1/Media/uploads
+chown -R sftpgo:sftpgo /mnt/stpool1/NData2/backups/sftpgo
+chown -R sftpgo:sftpgo /mnt/SSD1/docker/data/sftpgo/webroot
+chmod -R 700 /mnt/SSD1/docker/data/sftpgo/webroot
+chmod -R 775 /mnt/stpool1/NData1/Media/uploads
+
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in sftpgo folder, enter:
+./cp2nas 192.168.2.2
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/sftpgo/
+# This should copy stacks folder to /mnt/SSD1/docker/stacks/sftpgo
+
+Create secrets
+--------------
+In Truenas shell:
+cd /mnt/SSD1/docker/stacks/sftpgo/secrets/
+# database secrets
+echo -n 'sftpgo' > /mnt/SSD1/docker/stacks/sftpgo/secrets/sftpgo_postgresql_database
+echo -n 'sftpgo' > /mnt/SSD1/docker/stacks/sftpgo/secrets/sftpgo_postgresql_username
+openssl rand 48 | base64 -w 0 > /mnt/SSD1/docker/stacks/sftpgo/secrets/sftpgo_postgresql_password
+# smtp email secrets
+echo -n 'your_smtp_destination' > /mnt/SSD1/docker/stacks/sftpgo/secrets/smtp_destination
+echo -n 'your_smtp_from' > /mnt/SSD1/docker/stacks/sftpgo/secrets/smtp_from
+echo -n 'your_smtp_host' > /mnt/SSD1/docker/stacks/sftpgo/secrets/smtp_host
+echo -n 'your_smtp_username' > /mnt/SSD1/docker/stacks/sftpgo/secrets/smtp_username
+echo -n 'your_smtp_password' > /mnt/SSD1/docker/stacks/sftpgo/secrets/smtp_password
+# restrict access
+chown -R sftpgo:sftpgo /mnt/SSD1/docker/stacks/sftpgo/secrets/
+chmod -R 400 /mnt/SSD1/docker/stacks/sftpgo/secrets/
+# read existing acl permissions, if any
+getfacl /mnt/SSD1/docker/stacks/sftpgo/secrets
+# set acl permissions
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/sftpgo/secrets
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/sftpgo/secrets/sftpgo_postgresql_password
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/sftpgo/secrets/sftpgo_postgresql_username
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/sftpgo/secrets/sftpgo_postgresql_database
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+# to list secrets in secrets dir
+cd /mnt/SSD1/docker/stacks/sftpgo/secrets
+for i in $(ls -1); do echo $i = `cat $i`; done | sort
\ No newline at end of file
diff --git a/sftpgo/stacks/.env b/sftpgo/stacks/.env
new file mode 100644
index 0000000..c8c5e37
--- /dev/null
+++ b/sftpgo/stacks/.env
@@ -0,0 +1,61 @@
+##############################################################################################
+# Values to be used for substitution by docker compose in compose.yml AND .*.env files
+##############################################################################################
+
+APPLICATION_NAME=sftpgo
+
+DOCKERDIR=/mnt/SSD1/docker
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CERTSDIR=${DATADIR}/certs
+CREDENTIALSDIR=${DATADIR}/credentials
+# USERDATADIR=/mnt/stpool1/NData2/appdata/${APPLICATION_NAME}
+USERDATADIR=${MEDIADIR}/uploads
+USERTEMPDIR=${MEDIADIR}/uploads_temp
+USERSHAREDDIR=${MEDIADIR}/uploads_shared
+BACKUPDIR=${DATADIR}/appdata
+HOMEDIR=/mnt/stpool1/Users/${APPLICATION_NAME}
+
+PUID=3065
+PGID=3066 # using 'media' GID 3017 
+MEDIA_GID=3017
+TZ=Africa/Johannesburg
+
+SERVICE_PORT=8080
+TCP_PORT1=2022
+TCP_PORT2=2023
+TCP_PORT3=2024
+TCP_PORT4=2025
+TCP_PORT5=2026
+TCP_PORT6=2027
+TCP_PORT7=2028
+TCP_PORT8=2029
+DOMAINNAME=sthome.org
+SUBDOMAIN1=sftpgo
+
+DB_TYPE=postgresql
+POSTGRES_DB_PORT=5432
+POSTGRES_DB_HOST=${APPLICATION_NAME}_postgresql
+POSTGRES_DB_FILE=/run/secrets/sftpgo_postgresql_database
+POSTGRES_USER_FILE=/run/secrets/sftpgo_postgresql_username
+POSTGRES_PASSWORD_FILE=/run/secrets/sftpgo_postgresql_password
+
+SMTP_HOST_FILE=/run/secrets/smtp_host
+SMTP_FROM_FILE=/run/secrets/smtp_from
+SMTP_USERNAME_FILE=/run/secrets/smtp_username
+SMTP_PASSWORD_FILE=/run/secrets/smtp_password
+
+#####################################################################################
+# if /run/secrets works, remove the following lines from .env file and append _FILE to corresponding variables in .sftpgo.env file
+POSTGRES_DB=sftpgo
+POSTGRES_USER=sftpgo
+POSTGRES_PASSWORD=39rREgsGSAZDCiVUYDgC0tlT+fa/xziFWpe9sEPJiNlEt9qJe6pETxMkxVLaSZCu
+SMTP_HOST=smtp.telkomsa.net
+SMTP_FROM=stuurman30@telkomsa.net
+SMTP_USERNAME=stuurman30@telkomsa.net
+SMTP_PASSWORD=UltraM3!2024#
+#####################################################################################
\ No newline at end of file
diff --git a/sftpgo/stacks/.postgresql.env b/sftpgo/stacks/.postgresql.env
new file mode 100644
index 0000000..0d95871
--- /dev/null
+++ b/sftpgo/stacks/.postgresql.env
@@ -0,0 +1,11 @@
+
+PUID=70
+PGID=70
+TZ=${TZ}
+
+POSTGRES_DB_PORT=${POSTGRES_DB_PORT}
+POSTGRES_DB_FILE=${POSTGRES_DB_FILE}
+POSTGRES_USER_FILE=${POSTGRES_USER_FILE}
+POSTGRES_PASSWORD_FILE=${POSTGRES_PASSWORD_FILE}
+
+
diff --git a/sftpgo/stacks/.sftpgo.env b/sftpgo/stacks/.sftpgo.env
new file mode 100644
index 0000000..e45a027
--- /dev/null
+++ b/sftpgo/stacks/.sftpgo.env
@@ -0,0 +1,173 @@
+
+PUID=${PUID}
+PGID=${MEDIA_GID}
+TZ=${TZ}
+
+SFTPGO_GRACE_TIME=80   # must set docker grace time to be > 80
+
+# COMMON
+# ------
+SFTPGO_COMMON__IDLE_TIMEOUT=30
+SFTPGO_COMMON__UPLOAD_MODE=2
+# SFTPGO_COMMON__ACTIONS__EXECUTE_ON=upload,download
+SFTPGO_COMMON__TEMP_PATH=/srv/sftpgo/temp
+SFTPGO_COMMON__MAX_TOTAL_CONNECTIONS=0
+SFTPGO_COMMON__MAX_PER_HOST_CONNECTIONS=20
+SFTPGO_COMMON__UMASK=002
+
+SFTPGO_COMMON__DEFENDER__ENABLED=true
+SFTPGO_COMMON__DEFENDER__DRIVER=memory
+SFTPGO_COMMON__DEFENDER__BAN_TIME=30
+SFTPGO_COMMON__DEFENDER__BAN_TIME_INCREMENT=50
+SFTPGO_COMMON__DEFENDER__THRESHOLD=15
+SFTPGO_COMMON__DEFENDER__SCORE_INVALID=2
+SFTPGO_COMMON__DEFENDER__SCORE_VALID=1
+SFTPGO_COMMON__DEFENDER__SCORE_LIMIT_EXCEEDED=3
+SFTPGO_COMMON__DEFENDER__SCORE_NO_AUTH=0
+SFTPGO_COMMON__DEFENDER__OBSERVATION_TIME=30
+SFTPGO_COMMON__DEFENDER__ENTRIES_SOFT_LIMIT=100
+SFTPGO_COMMON__DEFENDER__ENTRIES_HARD_LIMIT=150
+SFTPGO_COMMON__DEFENDER__LOGIN_DELAY__SUCCESS=0
+SFTPGO_COMMON__DEFENDER__LOGIN_DELAY__PASSWORD_FAILED=1000
+
+SFTPGO_COMMON__RATE_LIMITERS__0__AVERAGE=100
+SFTPGO_COMMON__RATE_LIMITERS__0__PERIOD=1000
+SFTPGO_COMMON__RATE_LIMITERS__0__BURST=1
+SFTPGO_COMMON__RATE_LIMITERS__0__TYPE=1
+SFTPGO_COMMON__RATE_LIMITERS__0__PROTOCOLS=SSH,FTP,DAV,HTTP
+SFTPGO_COMMON__RATE_LIMITERS__0__GENERATE_DEFENDER_EVENTS=0
+SFTPGO_COMMON__RATE_LIMITERS__0__ENTRIES_SOFT_LIMIT=100
+SFTPGO_COMMON__RATE_LIMITERS__0__ENTRIES_HARD_LIMIT=150
+SFTPGO_COMMON__RATE_LIMITERS__1__AVERAGE=10
+SFTPGO_COMMON__RATE_LIMITERS__1__PERIOD=1000
+SFTPGO_COMMON__RATE_LIMITERS__1__BURST=1
+SFTPGO_COMMON__RATE_LIMITERS__1__TYPE=2
+SFTPGO_COMMON__RATE_LIMITERS__1__PROTOCOLS=SSH,FTP
+SFTPGO_COMMON__RATE_LIMITERS__1__GENERATE_DEFENDER_EVENTS=1
+SFTPGO_COMMON__RATE_LIMITERS__1__ENTRIES_SOFT_LIMIT=100
+SFTPGO_COMMON__RATE_LIMITERS__1__ENTRIES_HARD_LIMIT=150
+
+# ACME
+# ----
+# refer to https://docs.sftpgo.com/latest/config-file/#acme
+SFTPGO_ACME__DOMAINS="sthome.org, stokvis.co.za"
+SFTPGO_ACME__EMAIL="stuurmcp@telkomsa.net"
+SFTPGO_ACME__KEY_TYPE=4096
+SFTPGO_ACME__CERTS_PATH=/srv/sftpgo/certificates
+SFTPGO_ACME__CA_ENDPOINT=https://acme-staging-v02.api.letsencrypt.org/directory
+#SFTPGO_ACME__CA_ENDPOINT=https://acme-v02.api.letsencrypt.org/directory
+SFTPGO_ACME__RENEW_DAYS=30
+# cloudflare does not support TLS-ALPN-01 challenge, so we have to use HTTP-01
+SFTPGO_ACME__HTTP01_CHALLENGE__PORT=80 
+SFTPGO_ACME__HTTP01_CHALLENGE__PROXY_HEADER=Host
+SFTPGO_ACME__HTTP01_CHALLENGE__WEBROOT="/var/www/sftpgo.com"
+# SFTPGO_ACME__TLS_ALPN01_CHALLENGE=443
+
+# SSH/SFTP server
+# ---------------
+SFTPGO_SFTPD__BINDINGS__0__PORT=${TCP_PORT1}
+SFTPGO_SFTPD__BINDINGS__1__PORT=${TCP_PORT2}
+SFTPGO_SFTPD__BINDINGS__2__PORT=${TCP_PORT3}
+SFTPGO_SFTPD__BINDINGS__3__PORT=${TCP_PORT4}
+SFTPGO_SFTPD__BINDINGS__4__PORT=${TCP_PORT5}
+SFTPGO_SFTPD__BINDINGS__5__PORT=${TCP_PORT6}
+SFTPGO_SFTPD__BINDINGS__6__PORT=${TCP_PORT7}
+SFTPGO_SFTPD__BINDINGS__7__PORT=${TCP_PORT8}
+# SFTPGO_SFTPD__BINDINGS__0__ADDRESS=
+# SFTPGO_SFTPD__BINDINGS__1__ADDRESS=
+# SFTPGO_SFTPD__BINDINGS__2__ADDRESS=
+# SFTPGO_SFTPD__BINDINGS__3__ADDRESS=
+# SFTPGO_SFTPD__BINDINGS__4__ADDRESS=
+# SFTPGO_SFTPD__BINDINGS__5__ADDRESS=
+# SFTPGO_SFTPD__BINDINGS__6__ADDRESS=
+# SFTPGO_SFTPD__BINDINGS__7__ADDRESS=
+SFTPGO_SFTPD__BINDINGS__0__APPLY_PROXY_CONFIG=true
+SFTPGO_SFTPD__BINDINGS__1__APPLY_PROXY_CONFIG=true
+SFTPGO_SFTPD__BINDINGS__2__APPLY_PROXY_CONFIG=true
+SFTPGO_SFTPD__BINDINGS__3__APPLY_PROXY_CONFIG=true
+SFTPGO_SFTPD__BINDINGS__4__APPLY_PROXY_CONFIG=true
+SFTPGO_SFTPD__BINDINGS__5__APPLY_PROXY_CONFIG=true
+SFTPGO_SFTPD__BINDINGS__6__APPLY_PROXY_CONFIG=true
+SFTPGO_SFTPD__BINDINGS__7__APPLY_PROXY_CONFIG=true
+SFTPGO_SFTPD__MAX_AUTH_TRIES=6
+SFTPGO_SFTPD__HOST_KEYS=
+SFTPGO_SFTPD__HOST_CERTIFICATES=
+SFTPGO_SFTPD__HOST_KEY_ALGORITHMS=rsa-sha2-512, rsa-sha2-256, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519
+SFTPGO_SFTPD__KEX_ALGORITHMS=curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256
+SFTPGO_SFTPD__MIN_DH_GROUP_EXCHANGE_KEY_SIZE=2048
+SFTPGO_SFTPD__CIPHERS=aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr
+SFTPGO_SFTPD__MACS=hmac-sha2-256-etm@openssh.com, hmac-sha2-256
+SFTPGO_SFTPD__PUBLIC_KEY_ALGORITHMS=ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-ed25519, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com
+SFTPGO_SFTPD__TRUSTED_USER_CA_KEYS=
+SFTPGO_SFTPD__REVOKED_USER_CERTS_FILE=
+SFTPGO_SFTPD__LOGIN_BANNER_FILE=
+SFTPGO_SFTPD__ENABLED_SSH_COMMANDS=
+SFTPGO_SFTPD__KEYBOARD_INTERACTIVE_AUTHENTICATION=true
+SFTPGO_SFTPD__KEYBOARD_INTERACTIVE_AUTH_HOOK=
+SFTPGO_SFTPD__PASSWORD_AUTHENTICATION=true
+
+# Data provider
+# -------------
+SFTPGO_DATA_PROVIDER__DRIVER=${DB_TYPE}
+SFTPGO_DATA_PROVIDER__HOST=${POSTGRES_DB_HOST}
+SFTPGO_DATA_PROVIDER__PORT=${POSTGRES_DB_PORT}
+SFTPGO_DATA_PROVIDER__NAME=${POSTGRES_DB}
+SFTPGO_DATA_PROVIDER__USERNAME=${POSTGRES_USER}
+SFTPGO_DATA_PROVIDER__PASSWORD=${POSTGRES_PASSWORD}
+# SFTPGO_DATA_PROVIDER__NAME=${POSTGRES_DB_FILE}
+# SFTPGO_DATA_PROVIDER__USERNAME=${POSTGRES_USER_FILE}
+# SFTPGO_DATA_PROVIDER__PASSWORD=${POSTGRES_PASSWORD_FILE}
+SFTPGO_DATA_PROVIDER__SSLMODE=0
+# SFTPGO_DATA_PROVIDER__ROOT_CERT=
+SFTPGO_DATA_PROVIDER__DISABLE_SNI=false
+# SFTPGO_DATA_PROVIDER__TARGET_SESSION_ATTRS=
+# SFTPGO_DATA_PROVIDER__CLIENT_CERT=
+# SFTPGO_DATA_PROVIDER__CLIENT_KEY=
+# SFTPGO_DATA_PROVIDER__CONNECTION_STRING=postgres://$${POSTGRES_USER}:$${POSTGRES_PASSWORD}@$${POSTGRES_DB_HOST}:$${POSTGRES_DB_PORT}/$${POSTGRES_DB}
+SFTPGO_DATA_PROVIDER__TRACK_QUOTA=0
+SFTPGO_DATA_PROVIDER__DELAYED_QUOTA_UPDATE=10
+# SFTPGO_DATA_PROVIDER__USERS_BASE_DIR=
+SFTPGO_DATA_PROVIDER__EXTERNAL_AUTH_SCOPE=0
+SFTPGO_DATA_PROVIDER__CREDENTIALS_PATH=/credentials
+SFTPGO_DATA_PROVIDER__POST_LOGIN_SCOPE=0
+SFTPGO_DATA_PROVIDER__PASSWORD_HASHING__ALGO=argon2id
+SFTPGO_DATA_PROVIDER__PASSWORD_HASHING__ARGON2_OPTIONS__MEMORY=65536
+SFTPGO_DATA_PROVIDER__PASSWORD_HASHING__ARGON2_OPTIONS__PARALLELISM=8
+SFTPGO_DATA_PROVIDER__PASSWORD_HASHING__ARGON2_OPTIONS__ITERATIONS=2
+SFTPGO_DATA_PROVIDER__PASSWORD_HASHING__BCRYPT_OPTIONS__COST=20
+SFTPGO_DATA_PROVIDER__PASSWORD_VALIDATION__ADMINS=80
+SFTPGO_DATA_PROVIDER__PASSWORD_VALIDATION__USERS=70
+SFTPGO_DATA_PROVIDER__PASSWORD_CACHING=true
+SFTPGO_DATA_PROVIDER__UPDATE_MODE=0
+SFTPGO_DATA_PROVIDER__CREATE_DEFAULT_ADMIN=false
+SFTPGO_DATA_PROVIDER__NAMING_RULES=5
+
+# Multi-factor authentication
+# ---------------------------
+SFTPGO_MFA__TOTP__NAME=Default
+SFTPGO_MFA__TOTP__ISSUER=STHOME
+SFTPGO_MFA__TOTP__ALGO=sha1
+
+# SMTP
+# ----
+SFTPGO_SMTP__PORT=25
+SFTPGO_SMTP__HOST=${SMTP_HOST}
+SFTPGO_SMTP__FROM=${SMTP_FROM}
+SFTPGO_SMTP__USER=${SMTP_USERNAME}
+SFTPGO_SMTP__PASSWORD=${SMTP_PASSWORD}
+# SFTPGO_SMTP__HOST=${SMTP_HOST_FILE} 
+# SFTPGO_SMTP__FROM=${SMTP_FROM_FILE}
+# SFTPGO_SMTP__USER=${SMTP_USERNAME_FILE}
+# SFTPGO_SMTP__PASSWORD=${SMTP_PASSWORD_FILE}
+SFTPGO_SMTP__AUTH_TYPE=0
+SFTPGO_SMTP__ENCRYPTION=2
+# SFTPGO_SMTP__DOMAIN=
+# SFTPGO_SMTP__TEMPLATES_PATH=
+SFTPGO_SMTP__DEBUG=1
+SFTPGO_SMTP__OAUTH2__PROVIDER=0
+# SFTPGO_SMTP__OAUTH2__TENANT=
+# SFTPGO_SMTP__OAUTH2__CLIENT_ID=
+# SFTPGO_SMTP__OAUTH2__CLIENT_SECRET=
+# SFTPGO_SMTP__OAUTH2__REFRESH_TOKEN=
+
+
diff --git a/sftpgo/stacks/compose - multi-rtr.yml b/sftpgo/stacks/compose - multi-rtr.yml
new file mode 100644
index 0000000..a345228
--- /dev/null
+++ b/sftpgo/stacks/compose - multi-rtr.yml	
@@ -0,0 +1,199 @@
+# https://hub.docker.com/r/atmoz/sftp/
+#
+#sftp:
+#    image: atmoz/sftp
+#    volumes:
+#        - <host-dir>/upload:/home/foo/upload
+#    ports:
+#        - "2222:22"
+#    command: foo:pass:1001
+#
+#https://docs.sftpgo.com/latest/docker/#container-shell-access-and-viewing-sftpgo-logs
+
+name: sftpgo
+
+secrets:
+  sftpgo_postgresql_database:
+    file: "${SECRETSDIR}/sftpgo_postgresql_database"
+  sftpgo_postgresql_username:
+    file: "${SECRETSDIR}/sftpgo_postgresql_username"
+  sftpgo_postgresql_password:
+    file: "${SECRETSDIR}/sftpgo_postgresql_password"
+
+networks:
+  traefik-net:
+    external: true
+  postgres-net:
+    external: true
+    
+services:
+  sftpgo:
+    image: drakkan/sftpgo:latest
+    env_file: .sftpgo.env
+    hostname: sftpgo
+    user: ${PUID}:${MEDIA_GID}
+    networks:
+      - postgres-net
+      - traefik-net
+    volumes:
+      - ${DATADIR}/config:/etc/sftpgo
+      - ${CERTSDIR}:/srv/sftpgo/certificates
+      - ${CREDENTIALSDIR}:/srv/sftpgo/credentials
+      - ${USERDATADIR}:/srv/sftpgo/data
+      - ${USERTEMPDIR}:/srv/sftpgo/temp
+      - ${USERSHAREDDIR}:/srv/sftpgo/shared
+      - ${BACKUPDIR}:/srv/sftpgo/backups
+      - ${HOMEDIR}:/var/lib/sftpgo
+      - ${DATADIR}/webroot:/var/www
+    restart: unless-stopped
+    depends_on:
+      postgresql:
+        condition: service_healthy
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      # tcp service
+      # -----------
+#      - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc.loadbalancer.server.port=${TCP_PORT1}, ${TCP_PORT2}, ${TCP_PORT3}, ${TCP_PORT4}, ${TCP_PORT5}, ${TCP_PORT6}, ${TCP_PORT7}, ${TCP_PORT7}"
+#      - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc.loadbalancer.server.port=${TCP_PORT1}"
+      - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-1.loadbalancer.server.port=${TCP_PORT1}"
+      - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-2.loadbalancer.server.port=${TCP_PORT2}"
+      - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-3.loadbalancer.server.port=${TCP_PORT3}"
+      - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-4.loadbalancer.server.port=${TCP_PORT4}"
+      - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-5.loadbalancer.server.port=${TCP_PORT5}"
+      - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-6.loadbalancer.server.port=${TCP_PORT6}"
+      - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-7.loadbalancer.server.port=${TCP_PORT7}"
+      - "traefik.tcp.services.${APPLICATION_NAME}-tcp-svc-8.loadbalancer.server.port=${TCP_PORT8}"
+     # tcp routers
+      # -----------
+      # limit router to sftp ":2022 - 2029" entrypoints
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-1.entrypoints=sftp1"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-2.entrypoints=sftp2"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-3.entrypoints=sftp3"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-4.entrypoints=sftp4"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-5.entrypoints=sftp5"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-6.entrypoints=sftp6"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-7.entrypoints=sftp7"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-8.entrypoints=sftp8"
+      # set match criteria for router, since this is not tls, header might not contain hostsni field; we're forced to use wildcard
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-1.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-2.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-3.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-4.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-5.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-6.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-7.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-8.rule=HostSNI(`*`)"
+      # assign svc target to router
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-1.service=${APPLICATION_NAME}-tcp-svc-1" 
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-2.service=${APPLICATION_NAME}-tcp-svc-2" 
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-3.service=${APPLICATION_NAME}-tcp-svc-3" 
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-4.service=${APPLICATION_NAME}-tcp-svc-4" 
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-5.service=${APPLICATION_NAME}-tcp-svc-5" 
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-6.service=${APPLICATION_NAME}-tcp-svc-6" 
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-7.service=${APPLICATION_NAME}-tcp-svc-7" 
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-rtr-8.service=${APPLICATION_NAME}-tcp-svc-8" 
+      #
+      # limit router to sftp ":2022 - 2029" entrypoints
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-1.entrypoints=sftp1"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-2.entrypoints=sftp2"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-3.entrypoints=sftp3"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-4.entrypoints=sftp4"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-5.entrypoints=sftp5"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-6.entrypoints=sftp6"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-7.entrypoints=sftp7"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-8.entrypoints=sftp8"
+      # set match criteria for router
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-1.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-2.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-3.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-4.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-5.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-6.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-7.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-8.rule=HostSNI(`${SUBDOMAIN1}.${DOMAINNAME}`)"
+      # set router to be dedicated to secure requests only for the hosts specified in match criteria
+      #- "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-1.tls=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-2.tls=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-3.tls=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-4.tls=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-5.tls=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-6.tls=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-7.tls=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-8.tls=true"
+      # forward requests "as is" keeping all data encrypted.
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.passthrough=true"
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.options=tls-opts@file"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-1.tls.passthrough=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-2.tls.passthrough=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-3.tls.passthrough=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-4.tls.passthrough=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-5.tls.passthrough=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-6.tls.passthrough=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-7.tls.passthrough=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-8.tls.passthrough=true"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-1.tls.options=tls-opts@file"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-2.tls.options=tls-opts@file"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-3.tls.options=tls-opts@file"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-4.tls.options=tls-opts@file"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-5.tls.options=tls-opts@file"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-6.tls.options=tls-opts@file"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-7.tls.options=tls-opts@file"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-8.tls.options=tls-opts@file"
+      # generate certificates using following certresolver
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.tls.certresolver=solver-dns"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-1.tls.certresolver=solver-dns"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-2.tls.certresolver=solver-dns"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-3.tls.certresolver=solver-dns"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-4.tls.certresolver=solver-dns"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-5.tls.certresolver=solver-dns"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-6.tls.certresolver=solver-dns"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-7.tls.certresolver=solver-dns"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-8.tls.certresolver=solver-dns"
+      # assign svc target to router
+#      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr.service=${APPLICATION_NAME}-tcp-svc" 
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-1.service=${APPLICATION_NAME}-tcp-svc-1"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-2.service=${APPLICATION_NAME}-tcp-svc-2"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-3.service=${APPLICATION_NAME}-tcp-svc-3"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-4.service=${APPLICATION_NAME}-tcp-svc-4"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-5.service=${APPLICATION_NAME}-tcp-svc-5"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-6.service=${APPLICATION_NAME}-tcp-svc-6"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-7.service=${APPLICATION_NAME}-tcp-svc-7"
+      - "traefik.tcp.routers.${APPLICATION_NAME}-tcp-secure-rtr-8.service=${APPLICATION_NAME}-tcp-svc-8"
+      
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${SERVICE_PORT}"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${SUBDOMAIN1}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=middlewares-secure-headers@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${SUBDOMAIN1}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=middlewares-secure-headers@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+
+  postgresql:
+    image: postgres:16-alpine
+    hostname: ${POSTGRES_DB_HOST}
+    env_file: .postgresql.env
+    shm_size: 128mb # https://hub.docker.com/_/postgres
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    networks:
+      postgres-net:
+    secrets:
+      - ${APPLICATION_NAME}_postgresql_database
+      - ${APPLICATION_NAME}_postgresql_username
+      - ${APPLICATION_NAME}_postgresql_password
+    volumes:
+      - "${DATADIR}/pgdata:/var/lib/postgresql/data"
+      - "${DATADIR}/pgbackups:/mnt/backups"
\ No newline at end of file
diff --git a/sftpgo/stacks/compose.yml b/sftpgo/stacks/compose.yml
new file mode 100644
index 0000000..7af07a7
--- /dev/null
+++ b/sftpgo/stacks/compose.yml
@@ -0,0 +1,79 @@
+#https://docs.sftpgo.com/latest/docker/#container-shell-access-and-viewing-sftpgo-logs
+
+name: sftpgo
+
+secrets:
+  sftpgo_postgresql_database:
+    file: "${SECRETSDIR}/sftpgo_postgresql_database"
+  sftpgo_postgresql_username:
+    file: "${SECRETSDIR}/sftpgo_postgresql_username"
+  sftpgo_postgresql_password:
+    file: "${SECRETSDIR}/sftpgo_postgresql_password"
+
+networks:
+  traefik-net:
+    external: true
+  postgres-net:
+    external: true
+    
+services:
+  sftpgo:
+    image: drakkan/sftpgo:latest
+    env_file: .sftpgo.env
+    hostname: sftpgo
+    user: ${PUID}:${MEDIA_GID}
+    networks:
+      - postgres-net
+      - traefik-net
+    volumes:
+      - ${DATADIR}/config:/etc/sftpgo
+      - ${CERTSDIR}:/srv/sftpgo/certificates
+      - ${CREDENTIALSDIR}:/srv/sftpgo/credentials
+      - ${USERDATADIR}:/srv/sftpgo/data
+      - ${USERTEMPDIR}:/srv/sftpgo/temp
+      - ${USERSHAREDDIR}:/srv/sftpgo/shared
+      - ${BACKUPDIR}:/srv/sftpgo/backups
+      - ${HOMEDIR}:/var/lib/sftpgo
+      - ${DATADIR}/webroot:/var/www
+    restart: unless-stopped
+    depends_on:
+      postgresql:
+        condition: service_healthy
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      # tcp  - Refer to sftpgo-tcp-svc.yml in traefik-rules folder
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${SERVICE_PORT}"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${SUBDOMAIN1}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-redirect@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${SUBDOMAIN1}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+
+  postgresql:
+    image: postgres:16-alpine
+    hostname: ${POSTGRES_DB_HOST}
+    env_file: .postgresql.env
+    shm_size: 128mb # https://hub.docker.com/_/postgres
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    networks:
+      postgres-net:
+    secrets:
+      - ${APPLICATION_NAME}_postgresql_database
+      - ${APPLICATION_NAME}_postgresql_username
+      - ${APPLICATION_NAME}_postgresql_password
+    volumes:
+      - "${DATADIR}/pgdata:/var/lib/postgresql/data"
+      - "${DATADIR}/pgbackups:/mnt/backups"
\ No newline at end of file
diff --git a/sftpgo/traefik-rules/sftpgo-tcp-svc.yml b/sftpgo/traefik-rules/sftpgo-tcp-svc.yml
new file mode 100644
index 0000000..0458428
--- /dev/null
+++ b/sftpgo/traefik-rules/sftpgo-tcp-svc.yml
@@ -0,0 +1,29 @@
+# sftpgo - multiple ports per service
+#   and thus cannot configure as labels
+tcp:
+  routers:
+    sftpgo-tcp-rtr:
+      entrypoints: ["sftp1", "sftp2", "sftp3", "sftp4", "sftp5", "sftp6", "sftp7", "sftp8"] 
+      rule: "HostSNI(`*`)"
+      service: "sftpgo-tcp-svc"
+    sftpgo-tcp-secure-rtr:
+      entrypoints: ["sftp1", "sftp2", "sftp3", "sftp4", "sftp5", "sftp6", "sftp7", "sftp8"] 
+      rule: "HostSNI(`sftpgo.sthome.org`)"
+      tls:
+        options: "tls-options@file"
+        certresolver: "solver-dns"
+        passthrough: true
+      service: "sftpgo-tcp-svc" 
+
+  services:
+    sftpgo-tcp-svc:
+      loadBalancer:
+        servers:
+          - address: "sftpgo:2022"
+          - address: "sftpgo:2023"
+          - address: "sftpgo:2024"
+          - address: "sftpgo:2025"
+          - address: "sftpgo:2026"
+          - address: "sftpgo:2027"
+          - address: "sftpgo:2028"
+          - address: "sftpgo:2029"
\ No newline at end of file
diff --git a/sheetable/sheetable_jm.txt b/sheetable/sheetable_jm.txt
new file mode 100644
index 0000000..9942a34
--- /dev/null
+++ b/sheetable/sheetable_jm.txt
@@ -0,0 +1,163 @@
+# https://www.reddit.com/r/selfhosted/comments/vpotsn/sheetable_selfhosted_music_sheet_organizer_v10/
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: sheetable
+Username: sheetabl
+Disable Password: <select>
+Email: <leave blank>
+UID: (note)
+Create New Primary Group: <unselect>
+Primary Group: sheetabl
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+sheetabl UID: 3051
+sheetabl GID: 3050
+
+Create datasets
+---------------
+/mnt/SSD1/docker/data/sheetable          # set Owner:Group to sheetabl:sheetabl
+/mnt/SSD1/docker/data/sheetable/config   # set Owner:Group to sheetabl:sheetabl
+/mnt/SSD1/docker/data/sheetable/pgbackups # set Owner:Group to pguser:pguser
+/mnt/SSD1/docker/data/sheetable/pgdata    # set Owner:Group to pguser:pguser
+
+Create secrets folder
+---------------------
+mkdir -p /opt/stacks/sheetable/secrets
+
+Verifying truenas sheetable container sheets folder
+---------------------------------------------------
+# List sheetable pods to check if they are running and to get pod name. If not, wait for the container to start:
+k3s kubectl get pods -n ix-sheetable
+# If all are ok, the listed containers should resemble the following:
+#   NAME                         READY   STATUS    RESTARTS   AGE
+#   sheetable-cnpg-main-1        1/1     Running   0          5d23h
+#   sheetable-66df7b74c5-qr9jq   1/1     Running   0          12m
+# Verify that the /app/config folder has a sheets subfolder:
+k3s kubectl exec -n ix-sheetable sheetable-66df7b74c5-qr9jq -c sheetable -it -- ls -al /app/config
+# expected listing:
+#   total 2
+#   drwxr-xr-x    3 568      568              3 Jul 11 16:33 .
+#   drwxr-xr-x    1 root     root             3 Sep 21 11:58 ..
+#   drwxr-xr-x    4 568      568              4 Jul 11 16:33 sheets
+# If you don't see the sheets folder as per the above, shell into the container and check where the sheets folder is located.
+k3s kubectl exec -n ix-sheetable sheetable-66df7b74c5-qr9jq -c sheetable -it -- sh
+
+# Update the APPLICATION_CONFIG_PATH value in the .env file with the correct location if not /app/config
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in sheetable folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/sheetable/
+# This should copy sheetable stacks folder to /mnt/SSD1/docker/stacks/sheetable
+
+Create secrets
+--------------
+# In Truenas shell:
+cd /mnt/SSD1/docker/stacks/sheetable/secrets
+echo -n 'your_admin_email' > /mnt/SSD1/docker/stacks/sheetable/secrets/sheetable_admin_email
+echo -n 'your_admin_password' > /mnt/SSD1/docker/stacks/sheetable/secrets/sheetable_admin_password
+echo -n 'your_db_name' > /mnt/SSD1/docker/stacks/sheetable/secrets/sheetable_postgresql_database
+echo -n 'your_db_user' > /mnt/SSD1/docker/stacks/sheetable/secrets/sheetable_postgresql_username
+openssl rand 36 | base64 -w 0 > /mnt/SSD1/docker/stacks/sheetable/secrets/sheetable_postgresql_password
+openssl rand 26 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' > /mnt/SSD1/docker/stacks/sheetable/secrets/sheetable_api_secret
+# restrict access
+cd /mnt/SSD1/docker/stacks/sheetable
+chown -R sheetabl:sheetabl secrets/
+chmod -R 400 secrets/
+# read existing acl permissions, if any
+getfacl /mnt/SSD1/docker/stacks/sheetable/secrets
+# set acl permissions
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/sheetable/secrets
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/sheetable/secrets/sheetable_postgresql_password
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/sheetable/secrets/sheetable_postgresql_username
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/sheetable/secrets/sheetable_postgresql_database
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+# to list secrets in secrets dir
+cd /mnt/SSD1/docker/stacks/authentik/secrets
+for i in $(ls -1); do echo $i = `cat $i`; done | sort
+
+
+Backup sheetable database
+-------------------------- 
+# In truenas shell:
+mkdir /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+chown pgadmin:pgadmin /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+# Using browser, log in to pgAdmin on truenas
+# Connect to servers; refer to "connecting to servers.txt", which also explains how to obtain db passwords
+# To perform plain text backup:
+# Navigate to Servers => sheetable -> Databases -> sheetable
+# Right click on sheetable database and select Backup...
+# Enter the following on the different tabs of dialog box that opened:
+General:
+# Replace ##### with date in YYYY-MM-DD format when backup is being made
+Filename: /#####/sheetable-backup.sql (this maps to: /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/#####/sheetable-backup.sql on truenas)
+# Or click on folder icon and navigate to the folder that was created above. Enter sheetable-backup.sql in Save As field, then click on Create
+Format: Plain
+Encoding: UTF8
+Role name: sheetable
+Data Options:
+Sections:
+Pre-data: <select>
+Data: <select>
+Post-data: <select>
+Objects:
+Check public to select all objects
+Click Backup
+# After backup, verify presence of backup file:
+ls -al /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I)
+
+Migrating database
+------------------
+# In truenas shell
+# copy backup file(s) to sheetable backups folder, replacing $(date -I) with date when backup was made if not today
+cp -vr /mnt/stpool1/apps/pgadmin/storage/stuurmcp_telkomsa.net/$(date -I) /mnt/SSD1/docker/data/sheetable/pgbackups 
+jlmkr shell docker
+cd /opt/stacks/sheetable
+docker compose down
+# remove all files/folders from pgdata; if any are already in this folder with data to be retained, move it to another folder before executing next command
+rm -r /mnt/data/sheetable/pgdata/*
+docker compose up -d
+# After successfull startup of sheetable and postgres, stop sheetable from docker cmd line
+docker stop sheetable
+docker exec sheetable_postgresql psql -U sheetable -d postgres -c "DROP DATABASE \"sheetable\";"
+docker exec sheetable_postgresql psql -U sheetable -d postgres -c "CREATE DATABASE \"sheetable\";"
+docker exec sheetable_postgresql psql -U sheetable -d sheetable -f /mnt/backups/$(date -I)/sheetable-backup.sql   # replace $(date -I) with the appropriate date
+
+Migrating config storage
+------------------------
+# In truenas shell
+# copy config storage to new install data folder
+cp -pr /mnt/stpool1/apps/sheetable/* /mnt/SSD1/docker/data/sheetable/appdata/
+chown -R sheetabl:sheetabl /mnt/SSD1/docker/data/sheetable/appdata/
+docker start sheetable
+
+Default admin login
+-------------------
+Email: admin@admin.com
+Password: sheetable
+
+Stop truenas sheetable
+-----------------------
+# In truenas shell
+heavyscript app --stop sheetable
+# NB: Do NOT stop sheetable with truenas gui
+
+Troubleshooting
+---------------
+# If you get persistent db authentication errors:
+Ensure that the service name (name of the stanza), host name and container name of the postgresql container in the compose.yml file and the DB_HOST value in the .env file are all the same
+# If you cannot login to sheetable with the email and password used on the truenas version:
+Check the /mnt/data/sheetable/config folder to see if there is any *.db file created. If so, it means that sheetable created a default sqlite db instead of using postgres. Make sure that the .sheetable.env file has a DB_DRIVER=postgres line item.
+
+If you need to log into db
+--------------------------
+docker exec -it sheetable_postgresql bash
+psql -U sheetable -d sheetable
+
+
diff --git a/sheetable/stacks/.env b/sheetable/stacks/.env
new file mode 100644
index 0000000..2b54ed7
--- /dev/null
+++ b/sheetable/stacks/.env
@@ -0,0 +1,36 @@
+#
+# values to be used for substitution by docker compose in compose.yml AND .*.env files
+#
+APPLICATION_NAME=sheetable 
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+DOMAINNAME=sthome.org
+APPLICATION_CONFIG_PATH=/app/config
+WEBUI_PORT=8080
+
+PUID=3051
+PGID=3050
+TZ=Africa/Johannesburg
+
+# Generate API_SECRET with:
+# openssl rand 26 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' > /mnt/SSD1/docker/stacks/sheetable/secrets/sheetable_api_secret
+#
+# Generate DB_PASSWORD with:
+# openssl rand 36 | base64 -w 0 > /mnt/SSD1/docker/stacks/sheetable/secrets/sheetable_postgresql_password
+
+APPLICATION_API_SECRET=/run/secrets/sheetable_api_secret
+POSTGRES_DB_PORT=5432
+POSTGRES_DB_HOST=sheetable_postgresql
+# sheetable does not support docker secrets, so we have to store everthing secret in clear text
+POSTGRES_DB_NAME=sheetable                                             #/run/secrets/sheetable_postgresql_database
+POSTGRES_DB_USER=sheetable                                             #/run/secrets/sheetable_postgresql_username
+POSTGRES_DB_PASSWORD=4NXpEWK015kEhQSaj7A+MuAC+gTFUHa9Rb52JcmYv+VjO1vt  #/run/secrets/sheetable_postgresql_password
+APPLICATION_ADMIN_EMAIL=stuurmcp@telkomsa.net                          #/run/secrets/sheetable_admin_email
+APPLICATION_ADMIN_PASSWORD='Saterdag!32#'                              #/run/secrets/sheetable_admin_password
\ No newline at end of file
diff --git a/sheetable/stacks/.postgresql.env b/sheetable/stacks/.postgresql.env
new file mode 100644
index 0000000..7acf148
--- /dev/null
+++ b/sheetable/stacks/.postgresql.env
@@ -0,0 +1,11 @@
+PUID=70
+PGID=70
+TZ=Africa/Johannesburg
+
+API_SECRET=${APPLICATION_API_SECRET}
+DB_HOST=${POSTGRES_DB_HOST}
+DB_PORT=${POSTGRES_DB_PORT}
+POSTGRES_DB_FILE=/run/secrets/sheetable_postgresql_database
+POSTGRES_USER_FILE=/run/secrets/sheetable_postgresql_username
+POSTGRES_PASSWORD_FILE=/run/secrets/sheetable_postgresql_password
+
diff --git a/sheetable/stacks/.sheetable.env b/sheetable/stacks/.sheetable.env
new file mode 100644
index 0000000..4e412f1
--- /dev/null
+++ b/sheetable/stacks/.sheetable.env
@@ -0,0 +1,30 @@
+#
+# environment variables for sheetable
+# 
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+PORT=${WEBUI_PORT} 
+
+
+############
+# DATABASE #
+############
+API_SECRET=${APPLICATION_API_SECRET}
+DB_DRIVER=postgres
+DB_HOST=${POSTGRES_DB_HOST}
+DB_PORT=${POSTGRES_DB_PORT}
+# sheetable does not support docker secrets, so we have to set .env with clear text secrets
+DB_NAME=${POSTGRES_DB_NAME}
+DB_USER=${POSTGRES_DB_USER}
+DB_PASSWORD=${POSTGRES_DB_PASSWORD}
+
+#############
+# USER DATA #
+#############
+ADMIN_EMAIL=${APPLICATION_ADMIN_EMAIL}
+ADMIN_PASSWORD=${APPLICATION_ADMIN_PASSWORD}
+
+DEV=0
+
+CONFIG_PATH=${APPLICATION_CONFIG_PATH}
diff --git a/sheetable/stacks/compose.yml b/sheetable/stacks/compose.yml
new file mode 100644
index 0000000..9e51799
--- /dev/null
+++ b/sheetable/stacks/compose.yml
@@ -0,0 +1,105 @@
+# https://docs.sheetable-iii.org/how-to/sheetable-iii/installation/docker/
+
+name: sheetable
+
+secrets:
+  sheetable_api_secret:
+    file: ${SECRETSDIR}/sheetable_api_secret
+  sheetable_admin_email:
+    file: ${SECRETSDIR}/sheetable_admin_email
+  sheetable_admin_password:
+    file: ${SECRETSDIR}/sheetable_admin_password
+  sheetable_postgresql_database:
+    file: ${SECRETSDIR}/sheetable_postgresql_database
+  sheetable_postgresql_password:
+    file: ${SECRETSDIR}/sheetable_postgresql_password
+  sheetable_postgresql_username:
+    file: ${SECRETSDIR}/sheetable_postgresql_username
+
+networks:
+  traefik-net:
+    external: true
+  postgres-net:
+    external: true
+    
+services:
+  sheetable:
+    image: vallezw/sheetable
+    hostname: "sheetable"
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - "${DATADIR}/config:${APPLICATION_CONFIG_PATH}"
+    restart: unless-stopped
+    env_file: .sheetable.env
+    networks:
+      - traefik-net
+      - postgres-net
+    depends_on:
+      postgresql:
+        condition: service_healthy
+    secrets:
+      - sheetable_api_secret
+      - sheetable_admin_email
+      - sheetable_admin_password
+      - sheetable_postgresql_database
+      - sheetable_postgresql_password
+      - sheetable_postgresql_username
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # http middlewares
+      # ---------------------------
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true"
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+
+  postgresql:
+    image: postgres:16-alpine
+    hostname: "${APPLICATION_NAME}_postgresql"
+    shm_size: 128mb # https://hub.docker.com/_/postgres
+    restart: unless-stopped
+    env_file: .postgresql.env
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    networks:
+      postgres-net:
+        aliases: ["sheetable_postgresql"]
+    secrets:
+      - sheetable_postgresql_database
+      - sheetable_postgresql_password
+      - sheetable_postgresql_username
+    volumes:
+      - "${DATADIR}/pgdata:/var/lib/postgresql/data"
+      - "${DATADIR}/pgbackups:/mnt/backups"
+
+
diff --git a/songkong/songkong_jm.txt b/songkong/songkong_jm.txt
new file mode 100644
index 0000000..804b5d4
--- /dev/null
+++ b/songkong/songkong_jm.txt
@@ -0,0 +1,78 @@
+https://github.com/songkonginc/pms-docker
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: songkong
+Username: songkong
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+songkong UID: 3052
+songkong GID: 3051
+
+If not done already, add mapping for media on container config
+--------------------------------------------------------------
+In this example: the folder where media is stored is /mnt/stpool1/NData1/Media
+On Truenas shell:
+jlmkr edit docker
+Add the following args to "systemd_nspawn_user_args": 
+--bind='/mnt/stpool1/NData1/Media:/mnt/media'
+
+If not done already, set ACL permissions for media to be accessible by media group
+----------------------------------------------------------------------------------
+On Truenas shell:
+# read and note acl entries
+getfacl /mnt/stpool1/NData1
+getfacl /mnt/stpool1/NData1/Media
+# set read and execute permissions for media group on parent folder
+setfacl -m g:media:5 /mnt/stpool1/NData1
+# set full permissions for media group on Media folder recursively
+setfacl -R -m g:media:7 /mnt/stpool1/NData1/Media
+# modify defaults recursively
+setfacl -R -d -m g:media:7 /mnt/stpool1/NData1/Media
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*songkong"
+# create following dataset if not present
+zfs create SSD1/docker/data/songkong
+zfs create SSD1/docker/data/songkong/config
+chown -R songkong:songkong /mnt/SSD1/docker/data/songkong
+
+Create folder
+-------------
+mkdir /mnt/SSD1/docker/stacks/songkong
+
+Copy folder to docker stacks
+----------------------------
+In Windows cmd shell in songkong folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/songkong/
+
+
+Migrating data from old songkong (source) to newly installed one (target)
+-------------------------------------------------------------------------
+Stop old/source songkong
+heavyscript app --stop songkong
+
+Stop new/target songkong media server
+On Dockge, select songkong and click stop
+Copy the source Library to target folder:
+cp -rp /mnt/stpool1/apps/songkong/. /mnt/SSD1/docker/data/songkong/config/
+chown -R songkong:songkong /mnt/SSD1/docker/data/songkong
+chmod -R o-rw /mnt/SSD1/docker/data/songkong/config/ 
+
+
+
+
+
diff --git a/songkong/stacks/.env b/songkong/stacks/.env
new file mode 100644
index 0000000..0a2e100
--- /dev/null
+++ b/songkong/stacks/.env
@@ -0,0 +1,20 @@
+
+APPLICATION_NAME=songkong
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CERTSDIR=${DATAROOT}/traefik/certs
+
+PUID=3052
+PGID=3051
+MEDIA_PGID=3017
+
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+WEBUI_PORT=4567
+
diff --git a/songkong/stacks/.songkong.env b/songkong/stacks/.songkong.env
new file mode 100644
index 0000000..11bca50
--- /dev/null
+++ b/songkong/stacks/.songkong.env
@@ -0,0 +1,5 @@
+
+PUID=${PUID}
+PGID=${MEDIA_PGID}
+TZ=${TZ}
+
diff --git a/songkong/stacks/compose.yml b/songkong/stacks/compose.yml
new file mode 100644
index 0000000..fe56aa3
--- /dev/null
+++ b/songkong/stacks/compose.yml
@@ -0,0 +1,32 @@
+name: songkong
+
+networks:
+  traefik-net:
+    external: true
+
+services:
+  songkong:
+    image: songkong/songkong
+    env_file: .songkong.env
+    hostname: ${APPLICATION_NAME}
+    networks:
+      - traefik-net
+    volumes:
+      - "${DATADIR}/config:/songkong"
+      - "${MEDIADIR}/Music:/music"
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      - traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.scheme=https
+      - traefik.http.middlewares.${APPLICATION_NAME}-https-redirect.redirectscheme.permanent=true
+      - traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}
+      - traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web
+      - traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)
+      - traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-https-redirect
+      - traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc
+      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure
+      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)
+      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true
+      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=sthomeresolver
+      - traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc
diff --git a/static-web-server/stacks/.env b/static-web-server/stacks/.env
new file mode 100644
index 0000000..49ec3aa
--- /dev/null
+++ b/static-web-server/stacks/.env
@@ -0,0 +1,19 @@
+
+APPLICATION_NAME=static-web-server
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CERTSDIR=${DATAROOT}/traefik/certs
+
+DOMAINNAME=sthome.org
+SUBDOMAIN1=dev
+SUBDOMAIN2=acme-challenge
+SERVICE_PORT=80
+
+
+
diff --git a/static-web-server/stacks/.static-web-server.env b/static-web-server/stacks/.static-web-server.env
new file mode 100644
index 0000000..ced72ad
--- /dev/null
+++ b/static-web-server/stacks/.static-web-server.env
@@ -0,0 +1,16 @@
+# https://static-web-server.net/configuration/environment-variables/
+
+PUID=3053
+PGID=3052  
+TZ=Africa/Johannesburg
+
+# listing of directories
+SERVER_DIRECTORY_LISTING=true
+
+# log level: possible values are error, warn, info, debug or trace
+SERVER_LOG_LEVEL=info
+
+# location of website root
+SERVER_ROOT=/data/wwwroot
+
+SERVER_INDEX_FILES="index.html, index.htm, default.html"
\ No newline at end of file
diff --git a/static-web-server/stacks/compose.yml b/static-web-server/stacks/compose.yml
new file mode 100644
index 0000000..00b9fd8
--- /dev/null
+++ b/static-web-server/stacks/compose.yml
@@ -0,0 +1,56 @@
+
+name: static-web-server
+
+networks:
+  traefik-net:
+    external: true
+    
+services:
+  static-web-server:
+    image: ghcr.io/static-web-server/static-web-server:2-alpine
+    hostname: "${APPLICATION_NAME}"
+    env_file: .static-web-server.env
+#    stdin_open: true
+    networks:
+      traefik-net:
+        aliases: ["${SUBDOMAIN1}", "${SUBDOMAIN2}"]
+    volumes:
+      - ${DATADIR}/config:/config
+      - ${DATADIR}/appdata:/data
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      # http middlewares
+      # ---------------------------
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${SERVICE_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${SUBDOMAIN1}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${SUBDOMAIN2}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # no redirectscheme due to acme-challenge domain
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${SUBDOMAIN1}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${SUBDOMAIN2}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      # attach middlewares to router
+      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/static-web-server/static-web-server_jm.txt b/static-web-server/static-web-server_jm.txt
new file mode 100644
index 0000000..7afda52
--- /dev/null
+++ b/static-web-server/static-web-server_jm.txt
@@ -0,0 +1,54 @@
+https://github.com/static-web-serverinc/pms-docker
+https://static-web-server.net
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: static-web-server
+Username: swebsvr
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <unselect>
+Primary Group: swebsvr
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+swebsvr UID: 3053
+swebsvr GID: 3052
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*static-web-server"
+# create following datasets if not present
+zfs create SSD1/docker/data/static-web-server
+zfs create SSD1/docker/data/static-web-server/appdata
+zfs create SSD1/docker/data/static-web-server/config
+chown -R swebsvr:swebsvr /mnt/SSD1/docker/data/static-web-server
+
+Create folders
+--------------
+# In Truenas shell:
+mkdir -p /mnt/SSD1/docker/stacks/static-web-server
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in static-web-server folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/static-web-server/
+# This should copy static-web-server stacks folder to /mnt/SSD1/docker/stacks/static-web-server
+
+Migrating data
+--------------
+# Stop static-web-server on truenas, in truenas shell
+heavyscript app --stop static-web-server
+# copy config storage to new install data folder
+cp -pr /mnt/stpool1/apps/static-web-server/* /mnt/SSD1/docker/data/static-web-server/config/
+cp -pr /mnt/stpool1/appdata/static-web-server/* /mnt/SSD1/docker/data/static-web-server/appdata/
+chown -R swebsvr:swebsvr /mnt/SSD1/docker/data/static-web-server/
+
+
diff --git a/syncthing/stacks/.env b/syncthing/stacks/.env
new file mode 100644
index 0000000..833f695
--- /dev/null
+++ b/syncthing/stacks/.env
@@ -0,0 +1,29 @@
+
+APPLICATION_NAME=syncthing
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+DOWNLOADSDIR=/mnt/stpool1/Downloads
+
+STAGINGDIR=/mnt/stpool1/NData1/staging
+SHAREDDATADIR=/mnt/stpool1/Shared_Data
+BULKSTOREDIR=/mnt/stpool1/NData2/bulkstore
+SYNCHEDDIR=/mnt/stpool1/synched
+OBJECTSTOREDIR=/mnt/stpool1/objectstore
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CERTSDIR=${DATAROOT}/traefik/certs
+
+PUID=3054
+PGID=3053
+MEDIA_PGID=3017
+
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+WEBUI_PORT=8384
+
+# refer to .static-ips.yml for the IP address of the container
+SYNCTHING_IP=192.168.2.241
diff --git a/syncthing/stacks/.syncthing.env b/syncthing/stacks/.syncthing.env
new file mode 100644
index 0000000..f831b12
--- /dev/null
+++ b/syncthing/stacks/.syncthing.env
@@ -0,0 +1,6 @@
+
+PUID=${PUID}
+PGID=${MEDIA_PGID}
+TZ=${TZ}
+UMASK=0002
+
diff --git a/syncthing/stacks/compose.yml b/syncthing/stacks/compose.yml
new file mode 100644
index 0000000..56a3a93
--- /dev/null
+++ b/syncthing/stacks/compose.yml
@@ -0,0 +1,60 @@
+
+name: syncthing
+
+networks:
+  traefik-net:
+    external: true
+  macvlan0:
+    external: true  
+services:
+  syncthing:
+    image: lscr.io/linuxserver/syncthing:latest
+    hostname: "${APPLICATION_NAME}"
+    networks:
+      traefik-net: null
+      macvlan0:
+        ipv4_address: "${SYNCTHING_IP}"
+        
+    env_file: .syncthing.env
+    volumes:
+      - "${DATADIR}/config:/config"
+      - "${SYNCHEDDIR}:/synched"
+      - "${MEDIADIR}:/mnt/media"
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      # http middlewares
+      # ---------------------------
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}"
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
+      #
+      # http services
+      # -------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http routers
+      # ------------
+      # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      # limit router to websecure ":443" entrypoint
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      # set match criteria for router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # set router to be dedicated to secure requests only for the host specified in match criteria 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      # assign tls-options
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      # generate certificates using following certresolver
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      # attach middlewares to routers
+      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      # assign svc target to routers
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/syncthing/syncthing_jm.txt b/syncthing/syncthing_jm.txt
new file mode 100644
index 0000000..b69d78a
--- /dev/null
+++ b/syncthing/syncthing_jm.txt
@@ -0,0 +1,81 @@
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: syncthing
+Username: syncthin
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <unselect>
+Primary Group: syncthin
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+syncthin UID: 3054
+syncthin GID: 3053
+
+Add mapping for synched folder in docker config
+-----------------------------------------------
+In this example: the folder where synched data are stored is /mnt/stpool1/synched
+On Truenas shell:
+jlmkr edit docker
+Add the following args to "systemd_nspawn_user_args": 
+--bind='/mnt/stpool1/synched:/mnt/synched'
+
+set ACL permissions for media to be accessible by syncthing
+-----------------------------------------------------------
+As photos will be synched from home computer, we will provide permissions for synchting
+On Truenas shell:
+# read and note acl entries
+getfacl /mnt/stpool1/NData1/Media
+getfacl /mnt/stpool1/NData1/Media/Pictures
+# set read and execute permissions for syncthin user on parent folder
+setfacl -m u:syncthin:5 /mnt/stpool1/NData1/Media
+# set full permissions for syncthin user on Pictures folder recursively
+setfacl -R -m u:syncthin:7 /mnt/stpool1/NData1/Media/Pictures
+# modify defaults recursively
+setfacl -R -d -m u:syncthin:7 /mnt/stpool1/NData1/Media/Pictures
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+
+Change ownership of synched folder
+----------------------------------
+On Truenas shell:
+Stop old/source syncthing
+heavyscript app --stop syncthing
+chown -R syncthin:syncthin /mnt/stpool1/synched
+
+Create datasets
+---------------
+/mnt/SSD1/docker/data/syncthing
+/mnt/SSD1/docker/data/syncthing/config
+Set Owner:Group to syncthin:syncthin
+
+Copy folder to docker stacks
+----------------------------
+In Windows cmd shell in syncthing folder, enter:
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/syncthing/
+This should copy compose.yaml, .env and secrets to /mnt/SSD1/docker/stacks/syncthing
+
+Migrating data from old syncthing (source) to newly installed one (target)
+--------------------------------------------------------------------------
+It is recommedend to start the new synchting from scratch, however if you absolutely must migrate, only copying the config file should be sufficient.
+If still running, stop old/source syncthing
+heavyscript app --stop syncthing
+Stop new/target syncthing media server
+On Dockge, select syncthing and click stop
+Copy the source config to target folder:
+cp -vp /mnt/stpool1/apps/syncthing/config/config.xml /mnt/SSD1/docker/data/syncthing/config
+chown -R syncthin:syncthin /mnt/SSD1/docker/data/syncthing/config
+
+If the mounts for the synched folders are he same as that of the old media server then we're done, if not:
+Edit destination config.yml to update to the new paths of synched folders:
+nano /mnt/SSD1/docker/data/syncthing/config/config.yml
+Change the paths to folder mounts in new syncthing
+
+
+
+
+
+
+
diff --git a/syncthing/traefik-users/syncthing.txt b/syncthing/traefik-users/syncthing.txt
new file mode 100644
index 0000000..0b6a9a2
--- /dev/null
+++ b/syncthing/traefik-users/syncthing.txt
@@ -0,0 +1,3 @@
+admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
+chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
+Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
\ No newline at end of file
diff --git a/tautulli/stacks/.env b/tautulli/stacks/.env
new file mode 100644
index 0000000..909ad71
--- /dev/null
+++ b/tautulli/stacks/.env
@@ -0,0 +1,22 @@
+
+APPLICATION_NAME=tautulli
+
+DOCKERDIR=/mnt/SSD1/docker/
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+WEBUI_PORT=8181
+DOMAINNAME=sthome.org
+DNS_RESOLVER=sthomeresolver
+
+# environment variables
+PUID=3055
+PGID=3054
+TZ=Africa/Johannesburg
+
+
+
diff --git a/tautulli/stacks/.tautulli.env b/tautulli/stacks/.tautulli.env
new file mode 100644
index 0000000..79ba011
--- /dev/null
+++ b/tautulli/stacks/.tautulli.env
@@ -0,0 +1,4 @@
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
\ No newline at end of file
diff --git a/tautulli/stacks/compose.yml b/tautulli/stacks/compose.yml
new file mode 100644
index 0000000..4fca2cd
--- /dev/null
+++ b/tautulli/stacks/compose.yml
@@ -0,0 +1,35 @@
+
+name: tautulli
+
+networks:
+  traefik-net:
+    external: true
+    
+services:
+  tautulli:
+    image: lscr.io/linuxserver/tautulli:latest
+    env_file: .tautulli.env
+    hostname: tautulli
+    networks:
+      - traefik-net
+    volumes:
+      - "${DATADIR}/config:/config"
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      #
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
\ No newline at end of file
diff --git a/tautulli/tautulli_jm.txt b/tautulli/tautulli_jm.txt
new file mode 100644
index 0000000..dda2861
--- /dev/null
+++ b/tautulli/tautulli_jm.txt
@@ -0,0 +1,55 @@
+https://github.com/tautulliinc/pms-docker
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: tautulli
+Username: tautulli
+Disable Password: <select>
+Email: stuurmcp@telkomsa.net
+UID: (note)
+Create New Primary Group: <unselect>
+Primary Group: tautulli
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+tautulli UID: 3055
+tautulli GID: 3054
+
+Create datasets
+---------------
+/mnt/SSD1/docker/data/tautulli
+/mnt/SSD1/docker/data/tautulli/config
+# Set Owner:Group to tautulli:tautulli
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in tautulli folder, enter:
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/tautulli/
+# This should copy compose.yaml, .env and secrets to /mnt/SSD1/docker/stacks/tautulli
+
+Create folders
+--------------
+mkdir /opt/stacks/tautulli
+
+Migrating data from old tautulli to newly installed one (target)
+----------------------------------------------------------------
+# Stop old/source tautulli media server
+heavyscript app --stop tautulli
+
+# Stop new/target tautulli media server
+# On Dockge, select tautulli and click stop
+# Copy the source Library to target folder:
+cp -pr /mnt/stpool1/apps/tautulli/* /mnt/SSD1/docker/data/tautulli/config/
+
+Check and update custom server access URLs in tautulli
+------------------------------------------------------
+# Open tautulli web app using browser
+# Go to Setting -> Plex Media Server
+# Change Plex IP Address or Hostname field to "plex". This is assuming that tautulli and plex is on the same docker network.
+
+
+
+
+
diff --git a/traefik/app-wg-easy.yml b/traefik/app-wg-easy.yml
new file mode 100644
index 0000000..762e171
--- /dev/null
+++ b/traefik/app-wg-easy.yml
@@ -0,0 +1,14 @@
+entryPoints:
+  wgudpep:
+    address: ':51820/udp'
+udp:
+  routers:
+    wg-rtr:
+      entryPoints:
+        - wgudpep
+      service: wg-svc
+  services:
+    wg-svc:
+      loadBalancer:
+        servers:
+          - address: 'wg-easy:51820'
\ No newline at end of file
diff --git a/traefik/cp2nas.ps1 b/traefik/cp2nas.ps1
new file mode 100644
index 0000000..6778989
--- /dev/null
+++ b/traefik/cp2nas.ps1
@@ -0,0 +1,57 @@
+############### MAIN ###############
+$Main =
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        [Parameter(Mandatory=$false)]
+        [string[]] $apps
+    )
+    If($PSBoundParameters.ContainsKey("apps")) {
+        foreach ($appname in $apps)
+        {
+            copyfolder $destHost "$appname\stacks" $appname
+        }
+    }
+    else {
+        $appname="$pwd".Split("\\")[-1]
+        copyfolder $destHost "stacks" $appname
+    }
+}
+
+###################################
+Function copyfolder
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $srcdir,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $appname
+    )
+    if (-Not(Test-Path -Path $srcdir)) {
+        Write-Host "Source path doesn't exist: ""$PSScriptRoot\$srcdir\*.*"". No files copied!"  -ForegroundColor Red
+        Write-Host "Usage: in app folder       : ./cp2nas DEST|IP"
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP app1, app2, app3, ..."
+        return
+    }
+    $destStacks="/mnt/SSD1/docker/stacks/"
+    $destDir=$destStacks+$appname+"/"
+    Write-Host "pscp -P 22 -r ""$srcdir\*.*"" root@${destHost}:""${destDir}""" -ForegroundColor Green
+    Write-Host "Copying to ${destHost}:""${destStacks}" -NoNewline 
+    Write-Host "${appname}/" -ForegroundColor DarkYellow  -NoNewline 
+    Write-Host """:"
+    pscp -P 22 -r "$srcdir\*.*" root@${destHost}:""${destDir}""
+}
+
+###################################
+& $Main @Args
\ No newline at end of file
diff --git a/traefik/data/haproxy/haproxy.cfg.template b/traefik/data/haproxy/haproxy.cfg.template
new file mode 100644
index 0000000..f019ded
--- /dev/null
+++ b/traefik/data/haproxy/haproxy.cfg.template
@@ -0,0 +1,78 @@
+global
+    log stdout format raw daemon "${LOG_LEVEL}"
+
+    pidfile /run/haproxy.pid
+    maxconn 4000
+
+    # Turn on stats unix socket
+    server-state-file /var/lib/haproxy/server-state
+
+defaults
+    mode http
+    log global
+    option httplog
+    option dontlognull
+    option http-server-close
+    option redispatch
+    retries 3
+    timeout http-request 10s
+    timeout queue 1m
+    timeout connect 10s
+    timeout client 10m
+    timeout server 10m
+    timeout http-keep-alive 10s
+    timeout check 10s
+    maxconn 3000
+
+    # Allow seamless reloads
+    load-server-state-from-file global
+
+    # Use provided example error pages
+    errorfile 400 /usr/local/etc/haproxy/errors/400.http
+    errorfile 403 /usr/local/etc/haproxy/errors/403.http
+    errorfile 408 /usr/local/etc/haproxy/errors/408.http
+    errorfile 500 /usr/local/etc/haproxy/errors/500.http
+    errorfile 502 /usr/local/etc/haproxy/errors/502.http
+    errorfile 503 /usr/local/etc/haproxy/errors/503.http
+    errorfile 504 /usr/local/etc/haproxy/errors/504.http
+
+backend dockerbackend
+    server dockersocket $SOCKET_PATH
+
+backend docker-events
+    server dockersocket $SOCKET_PATH
+    timeout server 5m
+
+frontend dockerfrontend
+    bind ${BIND_CONFIG}
+    http-request deny unless METH_GET || { env(POST) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/start } { env(ALLOW_START) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/stop } { env(ALLOW_STOP) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } { env(AUTH) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } { env(BUILD) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } { env(COMMIT) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/configs } { env(CONFIGS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } { env(CONTAINERS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/distribution } { env(DISTRIBUTION) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events } { env(EVENTS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec } { env(EXEC) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/grpc } { env(GRPC) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } { env(IMAGES) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } { env(INFO) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks } { env(NETWORKS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/nodes } { env(NODES) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } { env(PING) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/plugins } { env(PLUGINS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/secrets } { env(SECRETS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/services } { env(SERVICES) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/session } { env(SESSION) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/swarm } { env(SWARM) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/system } { env(SYSTEM) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } { env(TASKS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } { env(VERSION) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } { env(VOLUMES) -m bool }
+    http-request deny
+    default_backend dockerbackend
+
+    use_backend docker-events if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events }
diff --git a/traefik/stacks/.env b/traefik/stacks/.env
new file mode 100644
index 0000000..d431bdf
--- /dev/null
+++ b/traefik/stacks/.env
@@ -0,0 +1,20 @@
+################################################################
+# .env
+# When both env_file and environment are set for a service, values set by environment have precedence.
+# https://docs.docker.com/compose/environment-variables/envvars-precedence/
+#
+#
+################################################################
+
+APPLICATION_NAME=traefik
+DOCKERDIR=/mnt/SSD1/docker/
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATADIR=${DOCKERDIR}/data/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+DOMAINNAME=sthome.org
+
+PUID=3012
+PGID=3011
+TZ=Africa/Johannesburg
+
diff --git a/traefik/stacks/.socket-proxy.env b/traefik/stacks/.socket-proxy.env
new file mode 100644
index 0000000..97691c1
--- /dev/null
+++ b/traefik/stacks/.socket-proxy.env
@@ -0,0 +1,36 @@
+#
+# environment variables for socket-proxy
+#
+
+LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
+
+## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
+### 0 to revoke access.
+### 1 to grant access.
+## Granted by Default
+EVENTS=1
+PING=1
+VERSION=1
+## Revoked by Default
+### Security critical
+AUTH=0
+SECRETS=0
+POST=1          # Watchtower
+### Not always needed
+BUILD=0
+COMMIT=0
+CONFIGS=0
+CONTAINERS=1    # Traefik, portainer, etc.
+DISTRIBUTION=0
+EXEC=0
+IMAGES=1        # Portainer
+INFO=1          # Portainer
+NETWORKS=1      # Portainer
+NODES=0
+PLUGINS=0
+SERVICES=1      # Portainer
+SESSION=0
+SWARM=0
+SYSTEM=0
+TASKS=1         # Portainer
+VOLUMES=1       # Portainer
\ No newline at end of file
diff --git a/traefik/stacks/.traefik.env b/traefik/stacks/.traefik.env
new file mode 100644
index 0000000..b6490a6
--- /dev/null
+++ b/traefik/stacks/.traefik.env
@@ -0,0 +1,15 @@
+#
+# environment variables for traefik
+# 
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+
+################################################################  
+#################### Traefik 3 - June 2024 #####################
+# Cloudflare IPs (IPv4 and/or IPv6): https://www.cloudflare.com/ips/
+################################################################  
+CLOUDFLARE_IPS=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22
+LOCAL_IPS=127.0.0.1/32,10.0.0.0/24,192.168.2.0/24,172.16.0.0/12,10.255.224.0/20
+CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token 
\ No newline at end of file
diff --git a/traefik/stacks/compose.yml b/traefik/stacks/compose.yml
new file mode 100644
index 0000000..941b50a
--- /dev/null
+++ b/traefik/stacks/compose.yml
@@ -0,0 +1,206 @@
+
+name: traefik
+
+###############################################################
+# Networks
+###############################################################
+networks:
+  socket_proxy:
+    driver: bridge
+    driver_opts:
+      com.docker.network.bridge.name: "br-traefik_sx"
+  traefik-net:
+    external: true
+  mariadb-net:
+    external: true
+    
+###############################################################
+# Docker Secrets
+# Owner (default): root:root
+# Recommend Set Owner to match container user Example: UID=1100, GID=1100
+# Permissions of files & directory on host to: 0400 (-r--)
+###############################################################
+secrets:
+  ## Cloudflare / Traefik
+  cf_dns_api_token:
+    file: ${SECRETSDIR}/cf_dns_api_token
+
+###############################################################
+
+services:
+  traefik:
+    image: traefik:v3.3.3  # v3.2.1  # v3.1.7   # 3.1.2   # v3.1.7-nanoserver-ltsc2022
+    hostname: traefik
+    restart: unless-stopped
+    env_file: .traefik.env
+    security_opt:
+      - no-new-privileges=true
+    depends_on:
+      - socket-proxy  # Comment out if not using socket-proxy
+    networks:
+      - traefik-net
+      - socket_proxy
+      - mariadb-net
+    command:
+      - "--configFile=/config/traefik.yml"
+    ports:
+      - target: 80          # Container Port
+        host_ip: 0.0.0.0    # All interfaces, not a specific one
+        published: "80"     # STRING
+        protocol: tcp       # tcp or udp
+        mode: host          # or Ingress for load balancing
+      - target: 443
+        host_ip: 0.0.0.0
+        published: "443"
+        protocol: tcp
+        mode: host
+      - target: 51820       # wg-easy udp port
+        published: "51820"
+        protocol: udp
+        mode: host
+      - target: 32400       # plex remote access tcp port
+        published: "32400"
+        protocol: tcp
+        mode: host
+      - target: 1883        # mosquitto port
+        published: "1883"
+        protocol: tcp
+        mode: host
+      - target: 8883        # mosquitto secure port
+        published: "8883"
+        protocol: tcp
+        mode: host
+      - target: 19132       # minecraft-bedrock port
+        published: "19132"
+        protocol: udp
+        mode: host
+      - target: 25565       # minecraft-java port
+        published: "25565"
+        protocol: udp
+        mode: host
+      - target: 25575       # minecraft-java rcon port
+        published: "25575"
+        protocol: tcp
+        mode: host
+      - target: 8083        # ping port
+        published: "8083"
+        protocol: tcp
+        mode: host
+      - target: 8306        # mariadb port
+        published: "8306"
+        protocol: tcp
+        mode: host
+      - target: 9306        # mysql port
+        published: "9306"
+        protocol: tcp
+        mode: host
+      - target: 2022        # sftp port1
+        published: "2022"
+        protocol: tcp
+        mode: host
+      - target: 2023        # sftp port2
+        published: "2023"
+        protocol: tcp
+        mode: host
+      - target: 2024        # sftp port3
+        published: "2024"
+        protocol: tcp
+        mode: host
+      - target: 2025        # sftp port4
+        published: "2025"
+        protocol: tcp
+        mode: host
+      - target: 2026        # sftp port5
+        published: "2026"
+        protocol: tcp
+        mode: host
+      - target: 2027        # sftp port6
+        published: "2027"
+        protocol: tcp
+        mode: host
+      - target: 2028        # sftp port7
+        published: "2028"
+        protocol: tcp
+        mode: host
+      - target: 2029        # sftp port8
+        published: "2029"
+        protocol: tcp
+        mode: host
+    secrets:
+      - cf_dns_api_token
+    volumes:
+      - "$STACKSDIR/config:/config" # traefik.yml
+      - "$STACKSDIR/rules:/rules"   # Dynamic File Provider directory
+      - "$STACKSDIR/users:/mnt/users"   # basic-auth username and password hashes
+      - "$DATADIR/appdata:/data"     # acme.json defined in traefik.yaml
+      - "$DATADIR/logs:/logs"
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # http basic-auth middlewares
+      # ---------------------------
+      - "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
+      #
+      # http routers
+      # ------------
+      # http
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`traefik.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=${APPLICATION_NAME}-auth, http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=api@internal"
+      
+      # https
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`traefik.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      # attach middlewares to routers
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth, http-mw-rateLimit-secureHeaders-compress@file"
+      # tls
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      # assign svc target to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=api@internal"
+      
+###############################################################
+  socket-proxy:
+    image: tecnativa/docker-socket-proxy:0.2.0 #0.1.2
+    hostname: traefik_socket-proxy
+    restart: unless-stopped
+    env_file: .socket-proxy.env
+    security_opt:
+      - no-new-privileges=true
+    networks:
+      - socket_proxy
+    privileged: true  # true for VM.  false for unprivileged LXC container.
+    #depends_on:
+    #  - traefik
+    ports:
+      - "127.0.0.1:2375:2375"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      # the following bind is to persist the non-zero setting of backend docker-events.timeout server
+      - type: bind
+        source: "${DATADIR}/haproxy/haproxy.cfg.template"
+        target: /usr/local/etc/haproxy/haproxy.cfg.template
+###############################################################
+  whoami:
+    image: traefik/whoami:latest
+    container_name: whoami
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges=true
+    depends_on:
+      - traefik
+    networks:
+      - traefik-net
+    environment:
+      - TZ
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.whoami-rtr.entrypoints=web"
+      - "traefik.http.routers.whoami-rtr.rule=Host(`whoami.${DOMAINNAME}`)"
+###############################################################
diff --git a/traefik/stacks/config/traefik.yml b/traefik/stacks/config/traefik.yml
new file mode 100644
index 0000000..5bf58d9
--- /dev/null
+++ b/traefik/stacks/config/traefik.yml
@@ -0,0 +1,256 @@
+################################################################
+# Global configuration - https://doc.traefik.io/traefik/reference/static-configuration/file/
+################################################################
+
+global:
+  checkNewVersion: false
+  sendAnonymousUsage: false
+
+
+################################################################
+# Entrypoints - https://doc.traefik.io/traefik/routing/entrypoints/
+################################################################
+entryPoints:
+  web:
+    address: ":80"
+    #reusePort: true
+    # Global HTTP to HTTPS redirection
+#    http:
+#      redirections:
+#        entrypoint:
+#          to: websecure
+#          scheme: https
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: sthomeresolver
+        #domains:
+        #  - main: "sthome.org"
+        #    sans:
+        #      - "*.sthome.org"
+    forwardedHeaders:
+      trustedIPs:
+        # Cloudflare (https://www.cloudflare.com/ips-v4)
+        - "173.245.48.0/20"
+        - "103.21.244.0/22"
+        - "103.22.200.0/22"
+        - "103.31.4.0/22"
+        - "141.101.64.0/18"
+        - "108.162.192.0/18"
+        - "190.93.240.0/20"
+        - "188.114.96.0/20"
+        - "197.234.240.0/22"
+        - "198.41.128.0/17"
+        - "162.158.0.0/15"
+        - "104.16.0.0/13"
+        - "104.24.0.0/14"
+        - "172.64.0.0/13"
+        - "131.0.72.0/22"
+        # Local IPs
+        - "127.0.0.1/32"
+        - "10.0.0.0/24"
+        - "192.168.2.0/24"
+        - "172.16.0.0/12"
+
+  wireguard:
+    address: ":51820/udp"
+
+  plex:
+    address: ":32400"
+    http:
+      redirections:
+        entrypoint:
+          to: websecure
+          scheme: https
+
+  metrics:
+    address: ":8082"
+
+  ping:
+    address: ":8083"
+
+  mariadb:
+    address: ":8306"
+
+  mysql:
+    address: ":9306"
+
+  mqtt:
+    address: ":1883"
+
+  mqttsecure:
+    address: ":8883"
+
+  mc-bedrock:
+    address: ":19132/udp"
+
+  mc-java:
+    address: ":25565/udp"
+
+  mc-java-rcon:
+    address: ":25575"
+
+  sftp1:
+    address: ":2022"
+  sftp2:
+    address: ":2023"
+  sftp3:
+    address: ":2024"    
+  sftp4:
+    address: ":2025"    
+  sftp5:
+    address: ":2026"    
+  sftp6:
+    address: ":2027"    
+  sftp7:
+    address: ":2028"    
+  sftp8:
+    address: ":2029"
+    
+ping:
+  entryPoint: "ping"
+################################################################
+# Logs - https://doc.traefik.io/traefik/observability/logs/
+################################################################
+log:
+  level: DEBUG # Options: DEBUG, PANIC, FATAL, ERROR (Default), WARN, and INFO
+  filePath: /logs/traefik-container.log # Default is to STDOUT
+  format: json # Uses text format (common) by default
+  noColor: false # Recommended to be true when using common
+  maxSize: 100 # In megabytes
+  compress: true # gzip compression when rotating
+
+################################################################
+# Access logs - https://doc.traefik.io/traefik/observability/access-logs/
+################################################################
+accessLog:
+  addInternals: true  # things like ping@internal
+  filePath: /logs/traefik-access.log # In the Common Log Format (CLF) by default
+  bufferingSize: 100 # Number of log lines
+  fields:
+    names:
+      StartUTC: drop  # Write logs in Container Local Time instead of UTC
+  filters:
+    statusCodes:
+      - "204-299"
+      - "400-499"
+      - "500-599"
+
+################################################################
+# Prometheus - https://doc.traefik.io/traefik/observability/metrics/prometheus/
+################################################################
+metrics:
+  prometheus:
+    entryPoint: metrics
+    buckets:
+      - 0.1
+      - 0.3
+      - 1.2
+      - 5.0
+    addEntryPointsLabels: true
+    addRoutersLabels: true
+    addServicesLabels: true
+
+################################################################
+# API and Dashboard
+################################################################
+api:
+  dashboard: true
+  # disableDashboardAd: true
+  # Rely on api@internal and Traefik with Middleware to control access
+  # insecure: true
+
+################################################################
+# Providers - https://doc.traefik.io/traefik/providers/docker/
+################################################################
+providers:
+  docker:
+    #endpoint: "unix:///var/run/docker.sock" # Comment if using socket-proxy
+    endpoint: "tcp://traefik_socket-proxy:2375" # Uncomment if using socket proxy
+    exposedByDefault: false
+    network: traefik-net  # network to use for connections to all containers
+    # defaultRule: TODO
+
+  # Enable auto loading of newly created rules by watching a directory
+  file:
+  # Apps, LoadBalancers, TLS Options, Middlewares, Middleware Chains
+    directory: /rules  # /etc/traefik
+    watch: true
+
+################################################################
+# tls
+################################################################
+tls:
+  stores:
+    default:
+#      defaultCertificate:
+#        certFile: /data/sthome-org.pem
+#        keyFile: /data/sthome-org-key.pem
+      defaultGeneratedCert:
+        resolver: solver-dns
+        domain:
+          main: sthome.org
+          sans:
+            - plex.sthome.org
+            - emby.sthome.org
+            - jellyfin.sthome.org
+            - traefik.sthome.org
+
+################################################################
+# ACME
+################################################################
+certificatesResolvers:
+#  sthomeresolver:
+#    acme:
+#      email: "stuurmcp@telkomsa.net"
+#      storage: "/data/acme.json" # "/etc/traefik/letsencrypt/acme.json"
+#      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
+#      caServer: "https://acme-v02.api.letsencrypt.org/directory" # production:
+#      dnsChallenge:
+#        provider: cloudflare
+#        #delayBeforeCheck: 30 # Default is 2m0s.  This changes the delay (in seconds)
+#        # Custom DNS server resolution
+#        resolvers:
+#          - "1.1.1.1:53"
+#          - "8.8.8.8:53"
+##
+#  sthome-org:
+#    acme:
+#      email: "stuurmcp@telkomsa.net"
+#      storage: "/data/acme.json" # "/etc/traefik/letsencrypt/acme.json"
+#      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
+#      caServer: "https://acme-v02.api.letsencrypt.org/directory" # production:
+#      dnsChallenge:
+#        provider: cloudflare
+#        #delayBeforeCheck: 30 # Default is 2m0s.  This changes the delay (in seconds)
+#        # Custom DNS server resolution
+#        resolvers:
+#          - "1.1.1.1:53"
+#          - "8.8.8.8:53"
+  solver-dns:
+    acme:
+      email: "stuurmcp@telkomsa.net"
+      storage: "/data/acme.json" # "/etc/traefik/letsencrypt/acme.json"
+      #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" # Comment out when going prod
+      caServer: "https://acme-v02.api.letsencrypt.org/directory" # production:
+      dnsChallenge:
+        provider: cloudflare
+        #delayBeforeCheck: 30 # Default is 2m0s.  This changes the delay (in seconds)
+        # Custom DNS server resolution
+        resolvers:
+          - "1.1.1.1:53"
+          - "8.8.8.8:53"
+  #sthome-net:
+  #  acme:
+  #    email: "stuurmcp@telkomsa.net"
+  #    storage: "/etc/traefik/local/acme.json"  # "/data/acme.json"
+  #    caServer: "https://upd.sthome.net/acme-v02.api" # production:
+  #    dnsChallenge:
+  #      provider: sthomelocal
+        #delayBeforeCheck: 30 # Default is 2m0s.  This changes the delay (in seconds)
+        # Custom DNS server resolution
+  #      resolvers:
+  #        - "10.0.0.15:53"
+  #        - "192.168.2.1:53"
+  
\ No newline at end of file
diff --git a/traefik/stacks/rules/http-middlewares-buffering.yml b/traefik/stacks/rules/http-middlewares-buffering.yml
new file mode 100644
index 0000000..8e492d9
--- /dev/null
+++ b/traefik/stacks/rules/http-middlewares-buffering.yml
@@ -0,0 +1,18 @@
+################################################################
+# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
+# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
+# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
+#
+# Dynamic configuration
+################################################################
+http:
+  middlewares:
+    # Prevent too large of a body
+    # https://stackoverflow.com/questions/49717670/how-to-config-upload-body-size-restriction-in-traefik
+    http-mw-buffering:
+      buffering:
+        maxRequestBodyBytes: 10485760
+        memRequestBodyBytes: 2097152
+        maxResponseBodyBytes: 10485760
+        memResponseBodyBytes: 2097152
+        retryExpression: "IsNetworkError() && Attempts() <= 2"
\ No newline at end of file
diff --git a/traefik/stacks/rules/http-middlewares-chain-ratelimit-secureheaders-compress-redirect.yml b/traefik/stacks/rules/http-middlewares-chain-ratelimit-secureheaders-compress-redirect.yml
new file mode 100644
index 0000000..a019c9e
--- /dev/null
+++ b/traefik/stacks/rules/http-middlewares-chain-ratelimit-secureheaders-compress-redirect.yml
@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    http-mw-rateLimit-secureHeaders-compress-redirect:
+      chain:
+        middlewares:
+          - http-mw-rateLimit
+          - http-mw-secureHeaders
+          - http-mw-compress
+          - http-mw-redirectScheme
\ No newline at end of file
diff --git a/traefik/stacks/rules/http-middlewares-chain-ratelimit-secureheaders-compress.yml b/traefik/stacks/rules/http-middlewares-chain-ratelimit-secureheaders-compress.yml
new file mode 100644
index 0000000..d29cf8b
--- /dev/null
+++ b/traefik/stacks/rules/http-middlewares-chain-ratelimit-secureheaders-compress.yml
@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    http-mw-rateLimit-secureHeaders-compress:
+      chain:
+        middlewares:
+          - http-mw-rateLimit
+          - http-mw-secureHeaders
+          - http-mw-compress
\ No newline at end of file
diff --git a/traefik/stacks/rules/http-middlewares-chain-ratelimit-secureheaders-redirect.yml b/traefik/stacks/rules/http-middlewares-chain-ratelimit-secureheaders-redirect.yml
new file mode 100644
index 0000000..5f4b2a3
--- /dev/null
+++ b/traefik/stacks/rules/http-middlewares-chain-ratelimit-secureheaders-redirect.yml
@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    http-mw-rateLimit-secureHeaders-redirect:
+      chain:
+        middlewares:
+          - http-mw-rateLimit
+          - http-mw-secureHeaders
+          - http-mw-redirectScheme
\ No newline at end of file
diff --git a/traefik/stacks/rules/http-middlewares-chain-ratelimit-secureheaders.yml b/traefik/stacks/rules/http-middlewares-chain-ratelimit-secureheaders.yml
new file mode 100644
index 0000000..e478cfb
--- /dev/null
+++ b/traefik/stacks/rules/http-middlewares-chain-ratelimit-secureheaders.yml
@@ -0,0 +1,7 @@
+http:
+  middlewares:
+    http-mw-rateLimit-secureHeaders:
+      chain:
+        middlewares:
+          - http-mw-rateLimit
+          - http-mw-secureHeaders
\ No newline at end of file
diff --git a/traefik/stacks/rules/http-middlewares-chain-secureheaders-redirect.yml b/traefik/stacks/rules/http-middlewares-chain-secureheaders-redirect.yml
new file mode 100644
index 0000000..dd3dcbb
--- /dev/null
+++ b/traefik/stacks/rules/http-middlewares-chain-secureheaders-redirect.yml
@@ -0,0 +1,7 @@
+http:
+  middlewares:
+    http-mw-secureHeaders-redirect:
+      chain:
+        middlewares:
+          - http-mw-secureHeaders
+          - http-mw-redirectScheme
\ No newline at end of file
diff --git a/traefik/stacks/rules/http-middlewares-compress.yml b/traefik/stacks/rules/http-middlewares-compress.yml
new file mode 100644
index 0000000..9bd8644
--- /dev/null
+++ b/traefik/stacks/rules/http-middlewares-compress.yml
@@ -0,0 +1,12 @@
+################################################################
+# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
+# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
+# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
+#
+# Dynamic configuration
+################################################################
+http:
+  middlewares:
+    # Compress to save bandwidth
+    http-mw-compress:
+      compress: {}
\ No newline at end of file
diff --git a/traefik/stacks/rules/http-middlewares-ratelimit.yml b/traefik/stacks/rules/http-middlewares-ratelimit.yml
new file mode 100644
index 0000000..94429d9
--- /dev/null
+++ b/traefik/stacks/rules/http-middlewares-ratelimit.yml
@@ -0,0 +1,14 @@
+################################################################
+# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
+# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
+# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
+#
+# Dynamic configuration
+################################################################
+http:
+  middlewares:
+    # DDoS Prevention
+    http-mw-rateLimit:
+      rateLimit:
+        average: 100
+        burst: 50
\ No newline at end of file
diff --git a/traefik/stacks/rules/http-middlewares-redirectscheme.yml b/traefik/stacks/rules/http-middlewares-redirectscheme.yml
new file mode 100644
index 0000000..897e753
--- /dev/null
+++ b/traefik/stacks/rules/http-middlewares-redirectscheme.yml
@@ -0,0 +1,15 @@
+################################################################
+# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
+# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
+# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
+#
+# Dynamic configuration
+################################################################
+http:
+  middlewares:
+    # Middleware for Redirection
+    # This can be used instead of global redirection
+    http-mw-redirectScheme:
+      redirectscheme:
+        scheme: https
+        permanent: true
\ No newline at end of file
diff --git a/traefik/stacks/rules/http-middlewares-secureheaders.yml b/traefik/stacks/rules/http-middlewares-secureheaders.yml
new file mode 100644
index 0000000..5dac440
--- /dev/null
+++ b/traefik/stacks/rules/http-middlewares-secureheaders.yml
@@ -0,0 +1,36 @@
+################################################################
+# Middlewares (https://github.com/htpcBeginner/docker-traefik/blob/master/appdata/traefik2/rules/cloudserver/middlewares.yml)
+# 2024 update: https://github.com/htpcBeginner/docker-traefik/tree/master/appdata/traefik3/rules/hs
+# https://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/
+#
+# Dynamic configuration
+################################################################
+http:
+  middlewares:
+    ################################################################
+    # Good Basic Security Practices
+    ################################################################
+    http-mw-secureHeaders:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+        accessControlMaxAge: 100
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        stsSeconds: 63072000  # 2 years
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        #customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME"}}" #CSP takes care of this but may be needed for organizr.
+        customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+        contentTypeNosniff: true
+        browserXssFilter: true
+        # sslForceHost: true # add sslHost to all of the services
+        # sslHost: "{{env "DOMAINNAME"}}"
+        referrerPolicy: "same-origin"
+        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
+          server: ""
\ No newline at end of file
diff --git a/traefik/stacks/rules/tls-options.yml b/traefik/stacks/rules/tls-options.yml
new file mode 100644
index 0000000..d3e2691
--- /dev/null
+++ b/traefik/stacks/rules/tls-options.yml
@@ -0,0 +1,37 @@
+################################################################
+# TLS Options (https://jellyfin.org/docs/general/networking/traefik2.html#traefik-providertoml)
+# toml -> yml
+# 2024 updates to cipherSuites from (https://www.smarthomebeginner.com/traefik-v3-docker-compose-guide-2024/)
+#
+# Set secure options by disabling insecure older TLS/SSL versions
+# and insecure ciphers. SNIStrict disabled leaves TLS1.0 open.
+# If you have problems with older clients, you can may need to relax
+# these minimums. This configuration will give you an A+ SSL security
+# score supporting TLS1.2 and TLS1.3
+#
+# Dynamic configuration
+# https://doc.traefik.io/traefik/https/tls/
+################################################################
+tls:
+  options:
+    tls-options:
+      sniStrict: true
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
+      curvePreferences:
+      # CurveP256, CurveP384, CurveP521, X25519
+      # secp256r1, secp384r1, secp521r1, x25519, x448
+        - secp521r1
+        - secp384r1
+    mintls13:
+      minVersion: VersionTLS13
\ No newline at end of file
diff --git a/traefik/stacks/users/common.txt b/traefik/stacks/users/common.txt
new file mode 100644
index 0000000..0b6a9a2
--- /dev/null
+++ b/traefik/stacks/users/common.txt
@@ -0,0 +1,3 @@
+admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
+chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
+Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
\ No newline at end of file
diff --git a/traefik/stacks/users/traefik.txt b/traefik/stacks/users/traefik.txt
new file mode 100644
index 0000000..0b6a9a2
--- /dev/null
+++ b/traefik/stacks/users/traefik.txt
@@ -0,0 +1,3 @@
+admin:$2y$05$djOyLnsk5p1.wcCLJCXpcehznR3cc04otaSlpED3fSRC9EpRGDkMC
+chris:$2y$05$FSl7QIqo.VMe69nm8K.Dv.O05Gi6oad.2qY7oKjgqbPa4eBPintbK
+Chris:$2y$05$8r6M8zr0MFIiDLUm1vP1Ee0AP8kMJtDsw4zezFeSDVlWeEOkwuBuC
\ No newline at end of file
diff --git a/traefik/to install htpasswd.txt b/traefik/to install htpasswd.txt
new file mode 100644
index 0000000..c81da8e
--- /dev/null
+++ b/traefik/to install htpasswd.txt	
@@ -0,0 +1,7 @@
+
+Install htpasswd:
+apt update & apt install apache2-utils
+
+Create password hash for user alice with traefik basicauth
+echo $(htpasswd -nB alice) | sed -e s/\\$/\\$\\$/g
+Enter and confirm password to hash
diff --git a/traefik/traefik.cer b/traefik/traefik.cer
new file mode 100644
index 0000000..84a77c2
--- /dev/null
+++ b/traefik/traefik.cer
@@ -0,0 +1,64 @@
+-----BEGIN CERTIFICATE-----
+MIIF9TCCBN2gAwIBAgISBNrV+ChCXbPXp2c5HpZP2fuUMA0GCSqGSIb3DQEBCwUA
+MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
+EwNSMTAwHhcNMjUwMTMwMDM1MzM3WhcNMjUwNDMwMDM1MzM2WjAdMRswGQYDVQQD
+ExJ0cmFlZmlrLnN0aG9tZS5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCdZeExuQpzaJUJmJUnZQMcGLXsAmKZUfT8ieTgcpeV/t/fSBI4thHu9V6H
+sB82tc0ZAyrR83Fu/YbbcBYnim5tPC5JkXS5j99dfT5l9zluQLQmLTpSjpY4Vg5W
+NhI0JrJOJG/wgLC5abFQuX+QzNfqCe/rkg94Jo6OynpwthsPDw4uMTh0e+2x6BWp
+Uq9WekuSk354gai4F/PtqHOFmS2hMRQm+ZJl0VTJrjgUwDANvd6YmLxL8Wpcv1Yl
+o9TDGv+hL6ocySY5ctsg+Gf1Xg9jb2XqBS4QDkqH+GRloPI1/2yKd2/b+BzMJEzE
+SnLDkAGN0Qzw+zf9vAiJn83NoiQ9VyzpPrgREEmQP1SBA7iQytJh6Og9cdjCMPKH
+IHoi0ZpArEDs3REyhA/JhEmH4OlOCrwxm1MJdSJO1gyXkieKJS9HlccPQnpCZlt/
+RQ+sxH11yv5m/A/ybdpRi3lqdWTqFNoVqwsmNUB/Lf9JS6WRaU/V08rB6QzcHjOV
+KWk2SpxFLFbczP5Ry4UIWfJEMLy5d5kmBV6hieQ1NSK6tbORSCUHOC9YegOq9k1M
+BVXNCX6/iCQLfqgbF0tp+p7/Rmf4RrZDxzN9TuG64hYLqFCDw4lei+PuWMlqEM6V
+H5kWP7txt0MeaX+lTzFI3Q3MjTC6ddfytIqYzrr7ByvEw0Sm3wIDAQABo4ICFzCC
+AhMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
+AjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBS164JDxEtFIY52qvRibxklzTGeCjAf
+BgNVHSMEGDAWgBS7vMNHpeS8qcbDpHIMEI2iNeHI6DBXBggrBgEFBQcBAQRLMEkw
+IgYIKwYBBQUHMAGGFmh0dHA6Ly9yMTAuby5sZW5jci5vcmcwIwYIKwYBBQUHMAKG
+F2h0dHA6Ly9yMTAuaS5sZW5jci5vcmcvMB0GA1UdEQQWMBSCEnRyYWVmaWsuc3Ro
+b21lLm9yZzATBgNVHSAEDDAKMAgGBmeBDAECATCCAQUGCisGAQQB1nkCBAIEgfYE
+gfMA8QB2AMz7D2qFcQll/pWbU87psnwi6YVcDZeNtql+VMD+TA2wAAABlLWNX4sA
+AAQDAEcwRQIhAOmeed1rXHwEpxHLT4BkVZoCgX8RQaG4CCML1GxAp/qXAiAtpaP4
+7DF54hCslIBk47y5KmQOeQJM4AQfJPU4TZ0BQAB3AN6FgddQJHxrzcuvVjfF54HG
+TORu1hdjn480pybJ4r03AAABlLWNX5kAAAQDAEgwRgIhAJgsdEmkuzw8dVKN4kgY
+k+/s9dWdDs/ZgH5+cA2jNWbSAiEA0yT8UAw6UZmnjS9TKP4RGow4IuxN2u92TsYq
+KtKEq8kwDQYJKoZIhvcNAQELBQADggEBAFVNBE2AGELcjDuhHNWihxdxcsS2lwv5
+ABLagtpOP4EXaJ352ro/6G4PALoci1QV89SDoMJDLaV0xA67XEezvr4cAHcuesXp
+B/+cO2IM70hpVYd+MUx1TSCT6AKCkHu6Pr0w7tWLZ615mXXIcEQLnIPZr+Hlkg0y
+oBeuhskkgzl98BKaAbi/vRntQnVe/WiEY2izFL1OXxJ0VQQAmMvSIKzzi6C9MX+n
+r6tQlN5LsP/+c5tjzZA5Ya7Byj23Z5pJsPExCpSBA3jjG6t1yX568erMhh2mT947
+BQ3omDw/X579lycDCmIWPHjoYwNg+ug49aU+GhX3ipNeZ5MLJMuc6zQ=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIFBTCCAu2gAwIBAgIQS6hSk/eaL6JzBkuoBI110DANBgkqhkiG9w0BAQsFADBP
+MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy
+Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yNDAzMTMwMDAwMDBa
+Fw0yNzAzMTIyMzU5NTlaMDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBF
+bmNyeXB0MQwwCgYDVQQDEwNSMTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDPV+XmxFQS7bRH/sknWHZGUCiMHT6I3wWd1bUYKb3dtVq/+vbOo76vACFL
+YlpaPAEvxVgD9on/jhFD68G14BQHlo9vH9fnuoE5CXVlt8KvGFs3Jijno/QHK20a
+/6tYvJWuQP/py1fEtVt/eA0YYbwX51TGu0mRzW4Y0YCF7qZlNrx06rxQTOr8IfM4
+FpOUurDTazgGzRYSespSdcitdrLCnF2YRVxvYXvGLe48E1KGAdlX5jgc3421H5KR
+mudKHMxFqHJV8LDmowfs/acbZp4/SItxhHFYyTr6717yW0QrPHTnj7JHwQdqzZq3
+DZb3EoEmUVQK7GH29/Xi8orIlQ2NAgMBAAGjgfgwgfUwDgYDVR0PAQH/BAQDAgGG
+MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHRMBAf8ECDAGAQH/
+AgEAMB0GA1UdDgQWBBS7vMNHpeS8qcbDpHIMEI2iNeHI6DAfBgNVHSMEGDAWgBR5
+tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKG
+Fmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0gBAwwCjAIBgZngQwBAgEwJwYD
+VR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVuY3Iub3JnLzANBgkqhkiG9w0B
+AQsFAAOCAgEAkrHnQTfreZ2B5s3iJeE6IOmQRJWjgVzPw139vaBw1bGWKCIL0vIo
+zwzn1OZDjCQiHcFCktEJr59L9MhwTyAWsVrdAfYf+B9haxQnsHKNY67u4s5Lzzfd
+u6PUzeetUK29v+PsPmI2cJkxp+iN3epi4hKu9ZzUPSwMqtCceb7qPVxEbpYxY1p9
+1n5PJKBLBX9eb9LU6l8zSxPWV7bK3lG4XaMJgnT9x3ies7msFtpKK5bDtotij/l0
+GaKeA97pb5uwD9KgWvaFXMIEt8jVTjLEvwRdvCn294GPDF08U8lAkIv7tghluaQh
+1QnlE4SEN4LOECj8dsIGJXpGUk3aU3KkJz9icKy+aUgA+2cP21uh6NcDIS3XyfaZ
+QjmDQ993ChII8SXWupQZVBiIpcWO4RqZk3lr7Bz5MUCwzDIA359e57SSq5CCkY0N
+4B6Vulk7LktfwrdGNVI5BsC9qqxSwSKgRJeZ9wygIaehbHFHFhcBaMDKpiZlBHyz
+rsnnlFXCb5s8HKn5LsUgGvB24L7sGNZP2CX7dhHov+YhD+jozLW2p9W4959Bz2Ei
+RmqDtmiXLnzqTpXbI+suyCsohKRg6Un0RC47+cpiVwHiXZAW+cn8eiNIjqbVgXLx
+KPpdzvvtTnOPlC7SQZSYmdunr3Bf9b77AiC/ZidstK36dRILKz7OA54=
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/traefik/traefik_jm.txt b/traefik/traefik_jm.txt
new file mode 100644
index 0000000..6553ccc
--- /dev/null
+++ b/traefik/traefik_jm.txt
@@ -0,0 +1,61 @@
+https://docs.techdox.nz/traefik/
+https://www.youtube.com/watch?v=wLrmmh1eI94
+
+traefik user: 3012
+traefik group: 3011
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*traefik"
+# create following datasets if not present
+zfs create SSD1/docker/data/traefik
+zfs create SSD1/docker/data/traefik/appdata
+zfs create SSD1/docker/data/traefik/logs
+chown -R traefik:traefik /mnt/SSD1/docker/data/traefik
+chmod 600 /mnt/SSD1/docker/data/traefik/appdata
+
+Create folders
+--------------
+# In Truenas shell:
+mkdir -p /mnt/SSD1/docker/stacks/traefik/secrets
+mkdir /mnt/SSD1/docker/stacks/traefik/config
+mkdir /mnt/SSD1/docker/stacks/traefik/rules
+mkdir /mnt/SSD1/docker/stacks/traefik/users
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in traefik folder, enter:
+./cp2nas
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/traefik/
+# This should copy traefik stacks folder to /mnt/SSD1/docker/stacks/traefik
+
+Creating secrets
+----------------
+# In Truenas shell:
+cd /mnt/SSD1/docker/stacks/traefik/secrets
+echo -n 'your_cf_dns_api_token' > /mnt/SSD1/docker/stacks/traefik/secrets/cf_dns_api_token
+chown -R traefik:traefik /mnt/SSD1/docker/stacks/traefik
+chmod -R 400 /mnt/SSD1/docker/stacks/traefik
+
+# Skip the next section if you do not need to use basic-auth middlewares
+Creating user password hash strings for user authorisation with basic-auth middlewares
+--------------------------------------------------------------------------------------
+# follow steps in "creating user password hash strings for user authorisation with traefik basic-auth middlewares.txt"
+
+Start traefik
+-------------
+# In docker shell:
+docker compose -f /opt/stacks/traefik/compose.yml up -d
+
+Certificates
+------------
+# The SSL certificates will be stored in /mnt/SSD1/docker/data/traefik/appdata folder in acme.json file
+# Keep this folder clean
+# If you want to save any certificates in this folder separately, make sure that you manage it, e.g. delete all certificates manually added to this folder when they expire
+
+
+
+
diff --git a/uptime-kuma/stacks/.env b/uptime-kuma/stacks/.env
new file mode 100644
index 0000000..84466ab
--- /dev/null
+++ b/uptime-kuma/stacks/.env
@@ -0,0 +1,19 @@
+################################################################
+APPLICATION_NAME=uptime-kuma
+
+DOCKERDIR=/mnt/SSD1/docker/
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CERTSDIR=${DATAROOT}/traefik/certs
+
+PUID=3058
+PGID=3059
+DOMAINNAME=sthome.org
+DNS_RESOLVER=sthomeresolver
+
+################################################################
+
+WEBUI_PORT=3001
\ No newline at end of file
diff --git a/uptime-kuma/stacks/.uptime-kuma.env b/uptime-kuma/stacks/.uptime-kuma.env
new file mode 100644
index 0000000..38a5465
--- /dev/null
+++ b/uptime-kuma/stacks/.uptime-kuma.env
@@ -0,0 +1,3 @@
+
+PUID=${PUID}
+PGID=${PGID}
\ No newline at end of file
diff --git a/uptime-kuma/stacks/compose.yml b/uptime-kuma/stacks/compose.yml
new file mode 100644
index 0000000..a0a629f
--- /dev/null
+++ b/uptime-kuma/stacks/compose.yml
@@ -0,0 +1,44 @@
+networks:
+  traefik-net:
+    external: true
+
+services:
+  uptime-kuma:
+    image: louislam/uptime-kuma:1
+    hostname: uptime-kuma
+    restart: always
+    env_file: .uptime-kuma.env
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+      - "${DATADIR}/appdata:/app/data"
+    networks:
+      - traefik-net
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # http service
+      # ------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+      #
+      # http middlewares
+      # ----------------
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
+      #
+      # http routers
+      # ------------
+      # http://appname.domainname/
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      # https://appname.domainname/
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+    # - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/users.txt b/users.txt
new file mode 100644
index 0000000..d5bb186
--- /dev/null
+++ b/users.txt
@@ -0,0 +1,117 @@
+root:x:0:0:root:/root:/usr/bin/zsh
+daemon:x:1:1:Owner of many system processes:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:Binaries Commands and Source:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:Games pseudo-user:/usr/games:/usr/sbin/nologin
+man:x:6:12:Mister Man Pages:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:News Subsystem:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:UUCP pseudo-user:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:Packet Filter pseudo-user:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+postgres:x:70:70:postgres:/var/empty:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:101:101:systemd Time Synchronization:/run/systemd:/usr/sbin/nologin
+systemd-network:x:102:103:systemd Network Management:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:103:104:systemd Resolver:/run/systemd:/usr/sbin/nologin
+messagebus:x:104:111:messagebus user:/nonexistent:/usr/sbin/nologin
+avahi:x:105:112:avahi user:/nonexistent:/usr/sbin/nologin
+_rpc:x:106:65534::/run/rpcbind:/usr/sbin/nologin
+statd:x:107:65534::/var/lib/nfs:/usr/sbin/nologin
+consul:x:108:113:Consul Daemon:/var/tmp/consul:/usr/sbin/nologin
+nvpd:x:109:114:NVIDIA Persistence Daemon:/var/run/nvpd/:/usr/sbin/nologin
+nslcd:x:110:115:Nslcd Daemon:/var/tmp/nslcd:/usr/sbin/nologin
+sshd:x:111:65534:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
+systemd-coredump:x:112:116:systemd Core Dumper:/run/systemd:/usr/sbin/nologin
+Debian-snmp:x:113:117::/var/lib/snmp:/bin/false
+ntp:x:114:119::/nonexistent:/usr/sbin/nologin
+Debian-exim:x:115:120::/var/spool/exim4:/usr/sbin/nologin
+tftp:x:116:121:tftp daemon:/srv/tftp:/usr/sbin/nologin
+sssd:x:117:122:SSSD system user:/var/lib/sss:/usr/sbin/nologin
+tcpdump:x:118:123::/nonexistent:/usr/sbin/nologin
+proftpd:x:120:65534::/run/proftpd:/usr/sbin/nologin
+ftp:x:121:65534::/nonexistent:/usr/sbin/nologin
+nut:x:122:126::/var/lib/nut:/usr/sbin/nologin
+dnsmasq:x:123:65534:dnsmasq:/var/lib/misc:/usr/sbin/nologin
+ladvd:x:124:127:ladvd user:/var/empty:/usr/sbin/nologin
+nova:x:125:129::/var/lib/nova:/bin/bash
+haproxy:x:126:130::/var/lib/haproxy:/usr/sbin/nologin
+uuidd:x:127:131::/run/uuidd:/usr/sbin/nologin
+ntpsec:x:128:135::/nonexistent:/usr/sbin/nologin
+tss:x:129:136:TPM software stack:/var/lib/tpm:/bin/false
+iperf3:x:130:137::/nonexistent:/usr/sbin/nologin
+_chrony:x:131:138:Chrony daemon:/var/lib/chrony:/usr/sbin/nologin
+apps:x:568:568:Unprivileged Apps User:/var/empty:/usr/sbin/nologin
+webdav:x:666:666:WebDAV Anonymous User:/var/empty:/usr/sbin/nologin
+admin:x:950:950:Local Administrator:/home/admin:/usr/bin/zsh
+polkitd:x:998:998:polkit:/nonexistent:/usr/sbin/nologin
+netdata:x:999:997::/var/lib/netdata:/bin/sh
+git:x:1000:1000:git:/mnt/stpool1/Users/git:/usr/bin/bash
+chris:x:3000:3000:Chris:/mnt/stpool1/Users/Chris:/usr/bin/zsh
+roderique:x:3001:3001:Roderique:/mnt/stpool1/Users/Roderique:/usr/sbin/nologin
+zelmique:x:3002:3002:Zelmique:/mnt/stpool1/Users/Zelmique:/usr/sbin/nologin
+carlton:x:3003:3003:Carlton:/mnt/stpool1/Users/Carlton:/usr/sbin/nologin
+zelna:x:3004:3004:Zelna:/mnt/stpool1/Users/Zelna:/usr/sbin/nologin
+lyrique:x:3005:3005:Lyrique:/mnt/stpool1/Users/Lyrique:/usr/sbin/nologin
+docker:x:3006:999:docker:/mnt/stpool1/Users/docker:/usr/sbin/nologin
+acme:x:3007:3006:acme:/mnt/stpool1/Users/acme:/usr/sbin/nologin
+pveuser:x:3008:3007:pveuser:/var/empty:/usr/sbin/nologin
+jellyfin:x:3009:3008:jellyfin:/var/empty:/usr/bin/zsh
+rename:x:3010:3009:rename:/var/empty:/usr/sbin/nologin
+mealie:x:3011:3010:mealie:/var/empty:/usr/sbin/nologin
+traefik:x:3012:3011:traefik:/var/empty:/usr/sbin/nologin
+vaultwdn:x:3013:3012:vaultwarden:/var/empty:/usr/sbin/nologin
+authentik:x:3014:3013:authentik:/var/empty:/usr/sbin/nologin
+plex:x:3015:3017:plex:/var/empty:/usr/sbin/nologin
+gitea:x:3016:3015:gitea:/var/empty:/usr/sbin/nologin
+emby:x:3017:3016:emby:/var/empty:/usr/sbin/nologin
+photovw:x:3018:3056:photovw:/var/empty:/usr/sbin/nologin
+wg-easy:x:3019:3018:wg-easy:/var/empty:/usr/sbin/nologin
+wguard:x:3020:3019:wguard:/var/empty:/usr/sbin/nologin
+prometh:x:3021:3020:prometheus:/var/empty:/usr/sbin/nologin
+grafana:x:3022:3021:grafana:/var/empty:/usr/sbin/nologin
+sonarr:x:3023:3017:sonarr:/var/empty:/usr/sbin/nologin
+prowlarr:x:3024:3023:prowlarr:/var/empty:/usr/sbin/nologin
+radarr:x:3025:3024:radarr:/var/empty:/usr/sbin/nologin
+lidarr:x:3026:3025:lidarr:/var/empty:/usr/sbin/nologin
+readarr:x:3027:3026:readarr:/var/empty:/usr/sbin/nologin
+qbittorr:x:3028:3027:qbittorrent:/var/empty:/usr/sbin/nologin
+gluetun:x:3029:3028:gluetun:/var/empty:/usr/sbin/nologin
+audbkshelf:x:3030:3029:audiobookshelf:/var/empty:/usr/sbin/nologin
+overseer:x:3031:3030:overseerr:/var/empty:/usr/sbin/nologin
+calibre:x:3032:3031:calibre:/var/empty:/usr/sbin/nologin
+cfddns:x:3033:3032:cloudflareddns:/var/empty:/usr/sbin/nologin
+collabor:x:3034:3033:collabora:/var/empty:/usr/sbin/nologin
+firefly3:x:3035:3034:fireflyiii:/var/empty:/usr/sbin/nologin
+firefox:x:3036:3035:firefox:/var/empty:/usr/sbin/nologin
+handbrk:x:3037:3036:handbrake:/var/empty:/usr/sbin/nologin
+hmeassist:x:3038:3037:home-assistant:/var/empty:/usr/sbin/nologin
+jdownldr2:x:3039:3038:jdownloader2:/var/empty:/usr/sbin/nologin
+kavita:x:3040:3039:kavita:/var/empty:/usr/sbin/nologin
+librespd:x:3041:3040:librespeed:/var/empty:/usr/sbin/nologin
+mediaelc:x:3042:3041:mediaelch:/var/empty:/usr/sbin/nologin
+minecraft:x:3043:3042:minecraft:/var/empty:/usr/sbin/nologin
+digikam:x:3044:3043:digikam:/var/empty:/usr/sbin/nologin
+minio:x:3045:3044:minio:/var/empty:/usr/sbin/nologin
+mkvtlnix:x:3046:3045:mkvtoolnix:/var/empty:/usr/sbin/nologin
+mosquitt:x:3047:3046:mosquitto:/var/empty:/usr/sbin/nologin
+nxtcloud:x:3048:3047:nextcloud:/var/empty:/usr/sbin/nologin
+onlyoff:x:3049:3048:onlyoffice-document-server:/var/empty:/usr/sbin/nologin
+rootapp:x:3050:3049:rootapp:/var/empty:/usr/sbin/nologin
+sheetabl:x:3051:3050:sheetable:/var/empty:/usr/sbin/nologin
+songkong:x:3052:3051:songkong:/var/empty:/usr/sbin/nologin
+swebsvr:x:3053:3052:static-web-server:/var/empty:/usr/sbin/nologin
+syncthin:x:3054:3053:syncthing:/var/empty:/usr/sbin/nologin
+tautulli:x:3055:3054:tautulli:/var/empty:/usr/sbin/nologin
+pihole:x:3056:3057:pihole:/var/empty:/usr/sbin/nologin
+dashy:x:3057:3058:dashy:/var/empty:/usr/sbin/nologin
+uptime-k:x:3058:3059:uptime-kuma:/var/empty:/usr/sbin/nologin
+pgadmin:x:5050:5050:pgadmin:/mnt/stpool1/Users/pgadmin:/usr/bin/zsh
+libvirt-qemu:x:64055:106:Libvirt Qemu:/var/lib/libvirt:/usr/sbin/nologin
+nobody:x:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
diff --git a/vaultwarden/stacks/.env b/vaultwarden/stacks/.env
new file mode 100644
index 0000000..5c52064
--- /dev/null
+++ b/vaultwarden/stacks/.env
@@ -0,0 +1,39 @@
+################################################################
+APPLICATION_NAME=vaultwarden
+
+DOCKERDIR=/mnt/SSD1/docker/
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CERTSDIR=${DATAROOT}/traefik/certs
+
+PUID=3013
+PGID=3012
+TZ=Africa/Johannesburg
+DOMAINNAME=sthome.org
+WEBUI_PORT=80
+DNS_RESOLVER=sthomeresolver
+
+################################################################
+
+#ADMIN_TOKEN=$$argon2id$$v=19$$m=65540,t=3,p=4$$/E2XDKhJuDLlUCO011cel6qqH5w0J9iA45pbgY7bpOM$$Ua9OC9+mEEUtZP7o+yU/aLq0WKqz1vfFU1lrDh6VC5Q
+#ADMIN_TOKEN=$$argon2id$$v=19$$m=65540,t=3,p=4$$TDdUbzgwZEtrek5YV1hRK1VIREEvbklPNHE4cHloa2wwU3MwRDd3RVNNdz0$$/Z1bmtI4TX45P+JZF3il9dLMKz0ju9hRUwftdRvf9vA
+#ADMIN_TOKEN=$$argon2id$$v=19$$m=65540,t=3,p=4$$U3QwellkcjFHUGkrK0lpbGZrM2wyNHlUb25xdU4vSlR4ME1yK09Wb2ZOYz0$$93CJiTWKnaPOP60CXm1guFFh5hlRObfjk5P3ZuXl+xU
+ADMIN_TOKEN=$$argon2id$$v=19$$m=65540,t=3,p=4$$DKzckzPLq9/KxC+MfjPKVY16hZFbXfj3V4g7Viu5A80$$pk2l06ibGTsJOhaI7DKvcycvjrFmretqWGCjnNjcLtg
+################################################################
+
+DB_TYPE=postgres
+POSTGRES_DB_PORT=5432
+
+# postgresql
+POSTGRES_DB_FILE=/run/secrets/vaultwarden_postgresql_database
+POSTGRES_USER_FILE=/run/secrets/vaultwarden_postgresql_username
+POSTGRES_PASSWORD_FILE=/run/secrets/vaultwarden_postgresql_password
+
+# vaultwarden doesn't parse ${env_var} within another env_var, so had to expand url and create composite secret
+DATABASE_URL_FILE=/run/secrets/vaultwarden_database_url
+ 
+
+
diff --git a/vaultwarden/stacks/.postgresql.env b/vaultwarden/stacks/.postgresql.env
new file mode 100644
index 0000000..0d95871
--- /dev/null
+++ b/vaultwarden/stacks/.postgresql.env
@@ -0,0 +1,11 @@
+
+PUID=70
+PGID=70
+TZ=${TZ}
+
+POSTGRES_DB_PORT=${POSTGRES_DB_PORT}
+POSTGRES_DB_FILE=${POSTGRES_DB_FILE}
+POSTGRES_USER_FILE=${POSTGRES_USER_FILE}
+POSTGRES_PASSWORD_FILE=${POSTGRES_PASSWORD_FILE}
+
+
diff --git a/vaultwarden/stacks/.vaultwarden.env b/vaultwarden/stacks/.vaultwarden.env
new file mode 100644
index 0000000..badc784
--- /dev/null
+++ b/vaultwarden/stacks/.vaultwarden.env
@@ -0,0 +1,27 @@
+################################################################
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+
+SIGNUPS_ALLOWED=false # Set to true for initialising, i.e. for first user signup. After first signup, set to false, then restart vaultwarden stack
+
+WEBSOCKET_ENABLED=false  
+
+#ROCKET_TLS={certs="/ssl/certs/certs.pem",key="/ssl/private/key.pem"}  # specific to the Rocket web server
+
+ADMIN_TOKEN=${ADMIN_TOKEN}
+
+DOMAIN=https://${APPLICATION_NAME}.${DOMAINNAME}
+
+# mailer
+SMTP_PORT=25
+SMTP_SECURITY=starttls
+SMTP_HOST_FILE=/run/secrets/smtp_host
+SMTP_FROM_FILE=/run/secrets/smtp_from
+SMTP_USERNAME_FILE=/run/secrets/smtp_username
+SMTP_PASSWORD_FILE=/run/secrets/smtp_password
+
+# database
+DB_TYPE=${DB_TYPE}
+DATABASE_URL_FILE=${DATABASE_URL_FILE}
diff --git a/vaultwarden/stacks/compose.yml b/vaultwarden/stacks/compose.yml
new file mode 100644
index 0000000..d22fe35
--- /dev/null
+++ b/vaultwarden/stacks/compose.yml
@@ -0,0 +1,84 @@
+name: vaultwarden
+
+secrets:
+  vaultwarden_postgresql_database:
+    file: "${SECRETSDIR}/vaultwarden_postgresql_database"
+  vaultwarden_postgresql_username:
+    file: "${SECRETSDIR}/vaultwarden_postgresql_username"
+  vaultwarden_postgresql_password:
+    file: "${SECRETSDIR}/vaultwarden_postgresql_password"
+  vaultwarden_database_url:
+    file: "${SECRETSDIR}/vaultwarden_database_url"
+  smtp_from:
+    file: "${SECRETSDIR}/smtp_from"
+  smtp_username:
+    file: "${SECRETSDIR}/smtp_username"
+  smtp_password:
+    file: "${SECRETSDIR}/smtp_password"
+  smtp_host:
+    file: "${SECRETSDIR}/smtp_host"
+
+networks:
+  traefik-net:
+    external: true
+  vaultwarden-net:
+    external: true
+    
+services:
+  vaultwarden:
+    image: vaultwarden/server:latest
+    hostname: "${APPLICATION_NAME}"
+    networks:
+      - traefik-net
+      - vaultwarden-net
+    env_file: .vaultwarden.env
+    secrets:
+      - vaultwarden_database_url
+      - smtp_from
+      - smtp_username
+      - smtp_password
+      - smtp_host
+    volumes:
+      - "${DATADIR}/appdata:/data:rw"
+    restart: unless-stopped
+    depends_on:
+      postgresql:
+        condition: service_healthy
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
+
+  postgresql:
+    image: postgres:16-alpine
+    hostname: "vaultwarden_postgresql"
+    env_file: .postgresql.env
+    shm_size: 128mb # https://hub.docker.com/_/postgres
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    networks:
+      vaultwarden-net:
+          aliases: ["vaultwarden_postgresql"]
+    secrets:
+      - ${APPLICATION_NAME}_postgresql_database
+      - ${APPLICATION_NAME}_postgresql_username
+      - ${APPLICATION_NAME}_postgresql_password
+    volumes:
+      - "${DATADIR}/pgdata:/var/lib/postgresql/data"
+      - "${DATADIR}/pgbackups:/mnt/backups"
\ No newline at end of file
diff --git a/vaultwarden/vaultwarden_jm.txt b/vaultwarden/vaultwarden_jm.txt
new file mode 100644
index 0000000..6b7ec20
--- /dev/null
+++ b/vaultwarden/vaultwarden_jm.txt
@@ -0,0 +1,105 @@
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: vaultwdn
+Username: vaultwdn
+Disable Password: <selected>
+Email: <leave blank>
+Create New Primary Group: <selected>
+Create Home Directory: <unchecked>
+Samba Authentication: <unchecked>
+Save
+
+PUID: 3013
+PGID: 3012
+Update .env file accordingly (PUID, PGID)
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*vaultwarden"
+# create following datasets if not present
+zfs create SSD1/docker/data/vaultwarden
+zfs create SSD1/docker/data/vaultwarden/appdata
+zfs create SSD1/docker/data/vaultwarden/config
+zfs create SSD1/docker/data/vaultwarden/pgdata
+zfs create SSD1/docker/data/vaultwarden/pgbackups
+chown -R vaultwdn:vaultwdn /mnt/SSD1/docker/data/vaultwarden
+chown -R postgres:postgres /mnt/SSD1/docker/data/vaultwarden/pgdata
+chown -R postgres:postgres /mnt/SSD1/docker/data/vaultwarden/pgbackups
+chmod 700 /mnt/SSD1/docker/data/vaultwarden/pgdata
+chmod 700 /mnt/SSD1/docker/data/vaultwarden/pgbackups
+
+Create folder
+-------------
+# In Truenas shell:
+mkdir -p /mnt/SSD1/docker/stacks/vaultwarden/secrets
+mkdir /mnt/SSD1/docker/stacks/vaultwarden/scripts
+chown -R vaultwdn:vaultwdn /mnt/SSD1/docker/stacks/vaultwarden/scripts/
+
+Create secrets
+--------------
+In Truenas shell:
+cd /mnt/SSD1/docker/stacks/vaultwarden/secrets/
+# database secrets
+echo -n 'vaultwarden' > /mnt/SSD1/docker/stacks/vaultwarden/secrets/vaultwarden_postgresql_database
+echo -n 'vaultwarden' > /mnt/SSD1/docker/stacks/vaultwarden/secrets/vaultwarden_postgresql_username
+openssl rand 64 | base64 -w 0 | sed 's/[\$,\#,/,+,=]//g' | cut -c -64  | tr -d '\n' > /mnt/SSD1/docker/stacks/vaultwarden/secrets/vaultwarden_postgresql_password
+# for vaultwarden's benefit
+cd /mnt/SSD1/docker/stacks/vaultwarden/secrets/
+echo -n "postgres://$(cat vaultwarden_postgresql_username):$(cat vaultwarden_postgresql_password)@vaultwarden_postgresql:5432/$(cat vaultwarden_postgresql_database)" > vaultwarden_database_url
+# smtp email secrets
+echo -n 'your_smtp_destination' > /mnt/SSD1/docker/stacks/vaultwarden/secrets/smtp_destination
+echo -n 'your_smtp_from' > /mnt/SSD1/docker/stacks/vaultwarden/secrets/smtp_from
+echo -n 'your_smtp_host' > /mnt/SSD1/docker/stacks/vaultwarden/secrets/smtp_host
+echo -n 'your_smtp_username' > /mnt/SSD1/docker/stacks/vaultwarden/secrets/smtp_username
+echo -n 'your_smtp_password' > /mnt/SSD1/docker/stacks/vaultwarden/secrets/smtp_password
+# restrict access
+chown -R vaultwdn:vaultwdn /mnt/SSD1/docker/stacks/vaultwarden/secrets/
+chmod -R 400 /mnt/SSD1/docker/stacks/vaultwarden/secrets/
+# read existing acl permissions, if any
+getfacl /mnt/SSD1/docker/stacks/vaultwarden/secrets
+# set acl permissions
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/vaultwarden/secrets
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/vaultwarden/secrets/vaultwarden_postgresql_password
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/vaultwarden/secrets/vaultwarden_postgresql_username
+setfacl -m u:postgres:4 /mnt/SSD1/docker/stacks/vaultwarden/secrets/vaultwarden_postgresql_database
+# NB! if you want to remove all acl entries from a folder recursively, use setfacl -b -R <foldername>
+# to list secrets in secrets dir
+cd /mnt/SSD1/docker/stacks/vaultwarden/secrets
+for i in $(ls -1); do echo $i = `cat $i`; done | sort
+
+Copy folder to docker stacks
+----------------------------
+In Windows cmd shell in vaultwarden parent (apps) folder, enter:
+./cp2nas 10.0.0.20 vaultwarden
+# or
+pscp -P 22 -r vaultwarden/stacks/*.* root@10.0.0.20:/mnt/SSD1/docker/stacks/vaultwarden/
+
+Generating admin token
+----------------------
+# Start vaultwarden using Dockge
+# In docker shell, enter:
+docker exec -it vaultwarden-vaultwarden-1 /vaultwarden hash
+# Enter strong but memorable password
+# Add the string starting with ADMIN_TOKEN to the .vaultwarden.env file
+# Edit the string replacing all $ with $$ and removing single quotes around the string value. After the edit, there should be 5 x $$ in the string and no single quotes.
+# For example (before and after edit):
+# before: ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$Dc3fvaWmkxiZ3PPeVxLNZkTwKghY31S+2bHjN0qZ8PQ$C7p/sWCzfa137Q2coqphcz3WSp2aw4v4TZ/JT9ascTY'
+# after : ADMIN_TOKEN=$$argon2id$$v=19$$m=65540,t=3,p=4$$Dc3fvaWmkxiZ3PPeVxLNZkTwKghY31S+2bHjN0qZ8PQ$$C7p/sWCzfa137Q2coqphcz3WSp2aw4v4TZ/JT9ascTY
+# Restart vaultwarden stack
+# You can login as admin using https://vaultwarden.sthome.org/admin and entering the password used to generate the ADMIN_TOKEN
+
+Changing URL on Opera browser Bitwarden extension
+-------------------------------------------------
+Left click on Bitwarden icon (left bottom corner)
+Click on Log out
+Underneath email address, left click down arrow next to self-hosted
+Click on self-hosted
+Change the Server URL
+Click on Save
+Click on Continue
+Enter master password of new vaultwarden URL
+Click Log in with master password
diff --git a/wg-easy/21733_rev1.json b/wg-easy/21733_rev1.json
new file mode 100644
index 0000000..6590d61
--- /dev/null
+++ b/wg-easy/21733_rev1.json
@@ -0,0 +1,860 @@
+{
+  "__inputs": [
+    {
+      "name": "DS_PROMETHEUS",
+      "label": "Prometheus",
+      "description": "",
+      "type": "datasource",
+      "pluginId": "prometheus",
+      "pluginName": "Prometheus"
+    }
+  ],
+  "__elements": {},
+  "__requires": [
+    {
+      "type": "grafana",
+      "id": "grafana",
+      "name": "Grafana",
+      "version": "11.1.3"
+    },
+    {
+      "type": "datasource",
+      "id": "prometheus",
+      "name": "Prometheus",
+      "version": "1.0.0"
+    },
+    {
+      "type": "panel",
+      "id": "stat",
+      "name": "Stat",
+      "version": ""
+    },
+    {
+      "type": "panel",
+      "id": "table",
+      "name": "Table",
+      "version": ""
+    },
+    {
+      "type": "panel",
+      "id": "timeseries",
+      "name": "Time series",
+      "version": ""
+    }
+  ],
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "description": "Dashboard for wg-easy exporter\r\nhttps://github.com/wg-easy/wg-easy",
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": null,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "description": "",
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 5,
+        "w": 8,
+        "x": 0,
+        "y": 0
+      },
+      "id": 9,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "none",
+        "justifyMode": "center",
+        "orientation": "auto",
+        "percentChangeColorMode": "standard",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "showPercentChange": false,
+        "textMode": "auto",
+        "wideLayout": true
+      },
+      "pluginVersion": "11.1.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "wireguard_configured_peers{job=\"$job\", instance=\"$node\"}",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "instant": false,
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Configured Peers",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "description": "",
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 5,
+        "w": 8,
+        "x": 8,
+        "y": 0
+      },
+      "id": 10,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "none",
+        "justifyMode": "center",
+        "orientation": "auto",
+        "percentChangeColorMode": "standard",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "showPercentChange": false,
+        "textMode": "auto",
+        "wideLayout": true
+      },
+      "pluginVersion": "11.1.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "wireguard_enabled_peers{job=\"$job\", instance=\"$node\"}",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "instant": false,
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Enabled Peers",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "description": "",
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 5,
+        "w": 8,
+        "x": 16,
+        "y": 0
+      },
+      "id": 11,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "none",
+        "justifyMode": "center",
+        "orientation": "auto",
+        "percentChangeColorMode": "standard",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "showPercentChange": false,
+        "textMode": "auto",
+        "wideLayout": true
+      },
+      "pluginVersion": "11.1.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "wireguard_connected_peers{job=\"$job\", instance=\"$node\"}",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "instant": false,
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Connected Peers",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "description": "",
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "continuous-GrYlRd"
+          },
+          "custom": {
+            "align": "auto",
+            "cellOptions": {
+              "type": "auto"
+            },
+            "inspect": false
+          },
+          "decimals": 0,
+          "fieldMinMax": false,
+          "mappings": [],
+          "min": 1,
+          "noValue": "0",
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "s"
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Last *"
+            },
+            "properties": [
+              {
+                "id": "displayName",
+                "value": "Online"
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Field"
+            },
+            "properties": [
+              {
+                "id": "displayName",
+                "value": "Client"
+              }
+            ]
+          }
+        ]
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 5
+      },
+      "id": 7,
+      "options": {
+        "cellHeight": "sm",
+        "footer": {
+          "countRows": false,
+          "fields": "",
+          "reducer": [
+            "sum"
+          ],
+          "show": false
+        },
+        "showHeader": true
+      },
+      "pluginVersion": "11.1.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "exemplar": false,
+          "expr": "wireguard_latest_handshake_seconds{job=\"$job\", instance=\"$node\"}",
+          "format": "time_series",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "instant": false,
+          "interval": "",
+          "intervalFactor": 1,
+          "legendFormat": "{{name}}",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Online Clients",
+      "transformations": [
+        {
+          "id": "reduce",
+          "options": {
+            "reducers": [
+              "lastNotNull"
+            ]
+          }
+        },
+        {
+          "id": "filterByValue",
+          "options": {
+            "filters": [
+              {
+                "config": {
+                  "id": "equal",
+                  "options": {
+                    "value": ""
+                  }
+                },
+                "fieldName": "Last *"
+              }
+            ],
+            "match": "any",
+            "type": "exclude"
+          }
+        }
+      ],
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "custom": {
+            "align": "auto",
+            "cellOptions": {
+              "type": "auto"
+            },
+            "inspect": false
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "bytes"
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Value #RX"
+            },
+            "properties": [
+              {
+                "id": "displayName",
+                "value": "Upload"
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Value #TX"
+            },
+            "properties": [
+              {
+                "id": "displayName",
+                "value": "Download"
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "Time"
+            },
+            "properties": [
+              {
+                "id": "custom.hidden",
+                "value": true
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "name"
+            },
+            "properties": [
+              {
+                "id": "displayName",
+                "value": "Client"
+              }
+            ]
+          }
+        ]
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 5
+      },
+      "id": 12,
+      "options": {
+        "cellHeight": "sm",
+        "footer": {
+          "countRows": false,
+          "fields": "",
+          "reducer": [
+            "sum"
+          ],
+          "show": false
+        },
+        "showHeader": true,
+        "sortBy": [
+          {
+            "desc": true,
+            "displayName": "Tx"
+          }
+        ]
+      },
+      "pluginVersion": "11.1.3",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "exemplar": false,
+          "expr": "sum by(name) (wireguard_received_bytes{job=\"$job\", instance=\"$node\"})",
+          "format": "table",
+          "fullMetaSearch": false,
+          "includeNullMetadata": false,
+          "instant": true,
+          "legendFormat": "{{name}}",
+          "range": false,
+          "refId": "RX",
+          "useBackend": false
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "exemplar": false,
+          "expr": "sum by(name) (wireguard_sent_bytes{job=\"$job\", instance=\"$node\"})",
+          "format": "table",
+          "fullMetaSearch": false,
+          "hide": false,
+          "includeNullMetadata": true,
+          "instant": true,
+          "interval": "",
+          "legendFormat": "{{name}}",
+          "range": false,
+          "refId": "TX",
+          "useBackend": false
+        }
+      ],
+      "title": "Panel Title",
+      "transformations": [
+        {
+          "id": "merge",
+          "options": {}
+        }
+      ],
+      "type": "table"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "never",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "Bps"
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byName",
+              "options": "sent 10.70.0.2"
+            },
+            "properties": [
+              {
+                "id": "color",
+                "value": {
+                  "fixedColor": "green",
+                  "mode": "fixed"
+                }
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byValue",
+              "options": {
+                "op": "gte",
+                "reducer": "allIsZero",
+                "value": 0
+              }
+            },
+            "properties": [
+              {
+                "id": "custom.hideFrom",
+                "value": {
+                  "legend": true,
+                  "tooltip": true,
+                  "viz": false
+                }
+              }
+            ]
+          },
+          {
+            "matcher": {
+              "id": "byValue",
+              "options": {
+                "op": "gte",
+                "reducer": "allIsNull",
+                "value": 0
+              }
+            },
+            "properties": [
+              {
+                "id": "custom.hideFrom",
+                "value": {
+                  "legend": true,
+                  "tooltip": true,
+                  "viz": false
+                }
+              }
+            ]
+          }
+        ]
+      },
+      "gridPos": {
+        "h": 13,
+        "w": 24,
+        "x": 0,
+        "y": 15
+      },
+      "id": 4,
+      "options": {
+        "legend": {
+          "calcs": [
+            "mean",
+            "max",
+            "min"
+          ],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "multi",
+          "sort": "none"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "irate(wireguard_received_bytes{job=\"$job\", instance=\"$node\"}[5m])",
+          "format": "time_series",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "instant": false,
+          "intervalFactor": 1,
+          "legendFormat": "received {{name}}",
+          "refId": "A",
+          "useBackend": false
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "irate(wireguard_sent_bytes{job=\"$job\", instance=\"$node\"}[5m])",
+          "format": "time_series",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "intervalFactor": 1,
+          "legendFormat": "sent {{name}}",
+          "range": true,
+          "refId": "B",
+          "useBackend": false
+        }
+      ],
+      "title": "Throughput",
+      "type": "timeseries"
+    }
+  ],
+  "refresh": "10s",
+  "schemaVersion": 39,
+  "tags": [
+    "prometheus",
+    "network",
+    "Wireguard",
+    "wg-easy"
+  ],
+  "templating": {
+    "list": [
+      {
+        "current": {},
+        "datasource": {
+          "type": "prometheus",
+          "uid": "${DS_PROMETHEUS}"
+        },
+        "definition": "label_values(wireguard_configured_peers,job)",
+        "hide": 0,
+        "includeAll": false,
+        "label": "Job",
+        "multi": false,
+        "name": "job",
+        "options": [],
+        "query": {
+          "qryType": 1,
+          "query": "label_values(wireguard_configured_peers,job)",
+          "refId": "PrometheusVariableQueryEditor-VariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "sort": 1,
+        "type": "query"
+      },
+      {
+        "current": {},
+        "datasource": {
+          "type": "prometheus",
+          "uid": "${DS_PROMETHEUS}"
+        },
+        "definition": "label_values(wireguard_configured_peers{job=\"$job\"},instance)",
+        "hide": 0,
+        "includeAll": false,
+        "label": "Node",
+        "multi": false,
+        "name": "node",
+        "options": [],
+        "query": {
+          "qryType": 1,
+          "query": "label_values(wireguard_configured_peers{job=\"$job\"},instance)",
+          "refId": "PrometheusVariableQueryEditor-VariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "sort": 0,
+        "type": "query"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-15m",
+    "to": "now"
+  },
+  "timepicker": {
+    "refresh_intervals": [
+      "10s",
+      "30s",
+      "1m",
+      "5m",
+      "15m",
+      "30m",
+      "1h",
+      "2h",
+      "1d"
+    ],
+    "time_options": [
+      "5m",
+      "15m",
+      "1h",
+      "6h",
+      "12h",
+      "24h",
+      "2d",
+      "7d",
+      "30d"
+    ]
+  },
+  "timezone": "Europe/Moscow",
+  "title": "WireGuard wg-easy",
+  "uid": "c0T_8RkZz",
+  "version": 15,
+  "weekStart": "monday",
+  "gnetId": 21733
+}
\ No newline at end of file
diff --git a/wg-easy/cp2nas.ps1 b/wg-easy/cp2nas.ps1
new file mode 100644
index 0000000..6778989
--- /dev/null
+++ b/wg-easy/cp2nas.ps1
@@ -0,0 +1,57 @@
+############### MAIN ###############
+$Main =
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        [Parameter(Mandatory=$false)]
+        [string[]] $apps
+    )
+    If($PSBoundParameters.ContainsKey("apps")) {
+        foreach ($appname in $apps)
+        {
+            copyfolder $destHost "$appname\stacks" $appname
+        }
+    }
+    else {
+        $appname="$pwd".Split("\\")[-1]
+        copyfolder $destHost "stacks" $appname
+    }
+}
+
+###################################
+Function copyfolder
+{
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $destHost,
+        
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $srcdir,
+
+        [Parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $appname
+    )
+    if (-Not(Test-Path -Path $srcdir)) {
+        Write-Host "Source path doesn't exist: ""$PSScriptRoot\$srcdir\*.*"". No files copied!"  -ForegroundColor Red
+        Write-Host "Usage: in app folder       : ./cp2nas DEST|IP"
+        Write-Host "       in app parent folder: ./cp2nas DEST|IP app1, app2, app3, ..."
+        return
+    }
+    $destStacks="/mnt/SSD1/docker/stacks/"
+    $destDir=$destStacks+$appname+"/"
+    Write-Host "pscp -P 22 -r ""$srcdir\*.*"" root@${destHost}:""${destDir}""" -ForegroundColor Green
+    Write-Host "Copying to ${destHost}:""${destStacks}" -NoNewline 
+    Write-Host "${appname}/" -ForegroundColor DarkYellow  -NoNewline 
+    Write-Host """:"
+    pscp -P 22 -r "$srcdir\*.*" root@${destHost}:""${destDir}""
+}
+
+###################################
+& $Main @Args
\ No newline at end of file
diff --git a/wg-easy/stacks/.env b/wg-easy/stacks/.env
new file mode 100644
index 0000000..8bb05f5
--- /dev/null
+++ b/wg-easy/stacks/.env
@@ -0,0 +1,40 @@
+################################################################
+APPLICATION_NAME=wg-easy
+
+DOCKERDIR=/mnt/SSD1/docker/
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+
+PUID=3019
+PGID=3018
+DOMAINNAME=sthome.org
+TZ=Africa/Johannesburg
+
+PORT=51821
+WG_PORT=51820
+WG_CONFIG_PORT=92820
+################################################################
+#PEERS=10
+
+# Change this to your host's public address
+WG_HOST=vpn.sthome.org
+
+# Optional:
+# generate PASSWORD_HASH with:
+#   docker run --rm -it ghcr.io/wg-easy/wg-easy wgpw 'YOUR_PASSWORD' | sed -e s/\\$/\\$\\$/g # NB: the single quotes around YOUR_PASSWORD
+PASSWORD_HASH=$$2a$$12$$S9vnQ5EtnaXhsjpMLUNR0eervb/Koooa26VrzAjjIGbWRpxuHUenS # NB: the single quotes around the hash should be removed, hint = a
+
+WG_DEFAULT_ADDRESS=10.8.0.x
+WG_DEFAULT_DNS=192.168.2.1, 10.0.0.1, 1.1.1.1
+WG_ALLOWED_IPS=0.0.0.0/0, ::/0 
+WG_PERSISTENT_KEEPALIVE=25
+
+# generate PROMETHEUS_METRICS_PASSWORD with:
+#   docker run --rm -it ghcr.io/wg-easy/wg-easy wgpw 'YOUR_PASSWORD' | sed -e s/\\$/\\$\\$/g # NB: the single quotes around YOUR_PASSWORD
+# PROMETHEUS_METRICS_PASSWORD=$$2a$$12$$h37gtaEp5GIHk7OooBb13O4LAiIefvcDIVUtMR62E1jgwMfGMM2oC  # NB: the single quotes around the hash should be removed
+
+
+
diff --git a/wg-easy/stacks/.wg-easy.env b/wg-easy/stacks/.wg-easy.env
new file mode 100644
index 0000000..5e94775
--- /dev/null
+++ b/wg-easy/stacks/.wg-easy.env
@@ -0,0 +1,41 @@
+################################################################
+
+PUID=${PUID}
+PGID=${PGID}
+TZ=${TZ}
+
+################################################################
+#PEERS=10
+LANG=en
+WG_HOST=${WG_HOST}
+
+# Optional:
+WG_MTU=1400
+WG_PERSISTENT_KEEPALIVE=25
+#
+# WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt
+# WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt
+# WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt
+# WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt
+#
+# UI_TRAFFIC_STATS=true
+# UI_CHART_TYPE=0 # (0 Charts disabled, 1 # Line chart, 2 # Area chart, 3 # Bar chart)
+# WG_ENABLE_ONE_TIME_LINKS=true
+UI_ENABLE_SORT_CLIENTS=true
+# WG_ENABLE_EXPIRES_TIME=true
+#
+
+ENABLE_PROMETHEUS_METRICS=false   # No point in enabling metrics, as currently (2024/12) this is not supported by the production version of wg-easy
+
+PORT=${PORT}
+WG_PORT=${WG_PORT}
+# WG_CONFIG_PORT=${WG_CONFIG_PORT}
+# PROMETHEUS_METRICS_PASSWORD=${PROMETHEUS_METRICS_PASSWORD}
+PASSWORD_HASH=${PASSWORD_HASH}
+WG_DEFAULT_ADDRESS=${WG_DEFAULT_ADDRESS}
+WG_DEFAULT_DNS=${WG_DEFAULT_DNS}
+WG_ALLOWED_IPS=${WG_ALLOWED_IPS}
+
+
+
+
diff --git a/wg-easy/stacks/compose.yml b/wg-easy/stacks/compose.yml
new file mode 100644
index 0000000..621eaaa
--- /dev/null
+++ b/wg-easy/stacks/compose.yml
@@ -0,0 +1,60 @@
+name: wg-easy
+
+networks:
+  traefik-net:
+    external: true
+
+services:
+  wg-easy:
+    image: ghcr.io/wg-easy/wg-easy:latest
+    hostname: wg-easy
+    restart: unless-stopped
+    env_file: .wg-easy.env
+    networks:
+      - traefik-net
+    cap_add:
+      - NET_ADMIN
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+      - "${DATADIR}/wireguard:/etc/wireguard"
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #
+      # udp service
+      # ------------
+      - "traefik.udp.services.wireguard-svc.loadbalancer.server.port=${WG_PORT}"
+      #
+      # udp router
+      # ----------
+      - "traefik.udp.routers.wireguard-rtr.entrypoints=wireguard"
+      # assign service to router
+      - "traefik.udp.routers.wireguard-rtr.service=wireguard-svc"
+      #
+      # http service
+      # ------------
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${PORT}"
+      #
+      # http routers
+      # ------------
+      # http://appname.domainname/
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web" 
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${WG_HOST}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      # assign service to router
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      # https://appname.domainname/
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${WG_HOST}`)&& PathPrefix(`/`)"
+      # attach middlewares to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file" # uncomment and test to see if VPN works correctly BEFORE making permanent
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      # assign service to router
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
diff --git a/wg-easy/wg-easy_jm.txt b/wg-easy/wg-easy_jm.txt
new file mode 100644
index 0000000..c572065
--- /dev/null
+++ b/wg-easy/wg-easy_jm.txt
@@ -0,0 +1,61 @@
+https://github.com/wg-easy/wg-easy/pkgs/container/wg-easy
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: wg-easy
+Username: wg-easy
+Disable Password: <selected>
+Email: stuurmcp@telkomsa.net
+UID: 3019
+Create New Primary Group: <unselected>
+Create Home Directory: <unchecked>
+Samba Authentication: <unchecked>
+Save
+Credentials -> Local Groups -> Add
+Name: wg-easy
+GID: 3018
+
+wg-easy UID: 3019
+wg-easy GID: 3018
+
+Create datasets
+---------------
+/mnt/SSD1/docker/data/wg-easy  ; set Owner:Group to wg-easy:wg-easy
+/mnt/SSD1/docker/data/wg-easy/wireguard  ; set Owner:Group to wg-easy:wg-easy
+
+Create secrets
+--------------
+# In docker shell:
+cd /opt/stacks/wg-easy/secrets
+# generate password hash and convert $ in hash to $$; password must be surrounded by single quotes
+docker run --rm -it ghcr.io/wg-easy/wg-easy wgpw 'YOUR_PASSWORD' | sed -e s/\\$/\\$\\$/g
+# Remove the single quotes from the generated hash and copy the result to local stacks\.env file
+# Repeat the above for the prometheus metrics password
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in wg-easy folder, enter:
+./cp2nas 10.0.0.20
+# OR
+pscp -P 22 -r stacks/*.* root@10.0.0.20:/mnt/SSD1/docker/stacks/wg-easy/
+# The above should copy compose.yaml and .env to /mnt/SSD1/docker/stacks/wg-easy
+
+Add traefik UDP entrypoint 
+--------------------------
+Assuming that WG_PORT=51820 in .env file:
+If not present, add the following under "entrypoints:" in /opt/stacks/config/traefik.yml 
+  wireguard:
+    address: ":51820/udp"
+
+If not present, add the following under "ports:" in /opt/stacks/compose.yml
+      - target: 51820
+        published: 51820
+        protocol: udp
+        mode: host
+Execute the above by editing traefik\stacks\compose.yml and traefik\stacks\config\traefik.yml on local computer and then copying to nas/server
+
+
+
+
+
diff --git a/www-sthome/data/appdata/www/.gitignore b/www-sthome/data/appdata/www/.gitignore
new file mode 100644
index 0000000..1408ff6
--- /dev/null
+++ b/www-sthome/data/appdata/www/.gitignore
@@ -0,0 +1,6 @@
+# https://git-scm.com/docs/gitignore
+# https://help.github.com/articles/ignoring-files
+# Example.gitignore files : https://github.com/github/gitignore
+_notes/
+/bower_components/
+/node_modules/
\ No newline at end of file
diff --git a/www-sthome/data/appdata/www/index.html b/www-sthome/data/appdata/www/index.html
new file mode 100644
index 0000000..6ae8cb5
--- /dev/null
+++ b/www-sthome/data/appdata/www/index.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+	<head>
+		<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+		<meta http-equiv="copyright" content="Copyright © 2022-2030. CZ All Rights Reserved ">
+		<title>STHOME Upload Server</title>
+		<link rel="stylesheet" type="text/css" href="./style.css">
+		<h1 class="heading1">Welcome to sthome site</h1>
+	</head>
+    <main>
+		<form action="./upload.php" method="post" enctype="multipart/form-data">
+			Select file to upload:
+			<input type="file" name="fileToUpload" id="fileToUpload">
+			<input type="submit" value="Upload" name="submit">
+		</form>
+	</main>
+
+</html>
\ No newline at end of file
diff --git a/www-sthome/data/appdata/www/style.css b/www-sthome/data/appdata/www/style.css
new file mode 100644
index 0000000..bb150b4
--- /dev/null
+++ b/www-sthome/data/appdata/www/style.css
@@ -0,0 +1,113 @@
+@charset "utf-8";
+/* CSS Document */
+
+body {
+	font-family: Roboto;
+	background-color: #CCCCFF;
+	padding: 0px;
+	margin: 0px;
+}
+body img {
+	border : 0px;
+ 	text-decoration: none;
+  }
+#container {
+	background-color: #FFFFFF;
+	width: 80%;
+	margin: 10px auto 10px auto;
+	padding: 10px;
+}
+#masthead {
+	background-color: #CC99FF;
+	background: url('images/top-bnr-8.jpg') center;
+	height: 170px;
+}
+#top-nav {
+	border-top: thin solid #1D01D3;
+	border-bottom: thin solid #1D01D3;
+	background-color: #FFFFFF;
+	padding-top: 10px;
+	padding-bottom: 10px;
+}
+#left-nav {
+	padding: 5px;
+	width: 180px;
+	float: left;
+	margin: 20px 0px 10px 0px;
+	border: thin dashed #EF769A;
+	font-size: .9em;
+}
+#main-content {
+	background-color: #e1e1F8;
+	margin: 20px 10px 10px 200px;
+}
+#footer {
+	clear: both;
+	text-align: center;
+	padding-top: 10px;
+	padding-bottom: 10px;
+}
+#footer p { margin-top: 0px; margin-bottom: 0px;}
+#top-nav ul {
+	text-align: center;
+	list-style-type: none;
+	margin: 0px;
+	padding: 0px;
+}
+#top-nav ul li {
+	display: inline;
+}
+#top-nav ul li a {
+	color: #FFFFFF;
+	background-color: #1D01D3;
+	border-color: #FFFFFF;
+	padding: .2em .75em .2em .75em;
+	border-right-width: 1px;
+	border-left-width: 1px;
+	border-right-style: solid;
+	border-left-style: solid;
+}
+#top-nav ul li a:hover {
+	color: #000000;
+	background-color: #FFFFCC;
+	border: 1px solid #99BF99;
+}
+#left-nav ul {
+	list-style-type: none;
+	padding: 0px;
+	margin: 0px;
+}
+#left-nav ul li {
+	padding-top: 0px;
+	padding-bottom: 0px;
+	color: #FFFFFF;
+}
+#left-nav ul li a {
+	color: #FFFFFF;
+	text-decoration: none;
+	background-color: #3717FD;
+	padding: 5px 0px 5px 8px;
+	display: block;
+}
+#left-nav ul li a:visited {
+	color: #FFFFbb;
+}
+#left-nav ul li a:hover {
+	color: #000000;
+	background-color: #FFFFCC;
+}
+#left-nav .headerbar {
+	color: #FFFFFF;
+	font-size: 1.1em;
+	text-transform: uppercase;
+	display: block;
+	background-color: #3717FD;
+	padding: 4px 2px 4px 2px;
+}
+.heading1 {
+	color: #00008B;
+}
+.heading2 {
+	color: #00008B;
+}
+
diff --git a/www-sthome/data/appdata/www/upload.php b/www-sthome/data/appdata/www/upload.php
new file mode 100644
index 0000000..5fa41a1
--- /dev/null
+++ b/www-sthome/data/appdata/www/upload.php
@@ -0,0 +1,51 @@
+    <?php
+    if ($_SERVER["REQUEST_METHOD"] == "POST") {
+        $target_dir = "/uploads/"; // Directory to store uploaded files
+        $target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
+        $uploadOk = 1;
+        $imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
+
+        // Check if image file is a actual image or fake image
+        if(isset($_POST["submit"])) {
+            $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
+            if($check !== false) {
+                echo "File is an image - " . $check["mime"] . ".";
+                $uploadOk = 1;
+            } else {
+                echo "File is not an image.";
+                $uploadOk = 0;
+            }
+        }
+
+        // Check if file already exists
+        if (file_exists($target_file)) {
+            echo "Sorry, file already exists.";
+            $uploadOk = 0;
+        }
+
+        // Check file size
+        if ($_FILES["fileToUpload"]["size"] > 500000) { // 500kb
+            echo "Sorry, your file is too large.";
+            $uploadOk = 0;
+        }
+
+        // Allow certain file formats
+        if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
+        && $imageFileType != "gif" ) {
+            echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
+            $uploadOk = 0;
+        }
+
+        // Check if $uploadOk is set to 0 by an error
+        if ($uploadOk == 0) {
+            echo "Sorry, your file was not uploaded.";
+        // if everything is ok, try to upload file
+        } else {
+            if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
+                echo "The file ". htmlspecialchars(basename( $_FILES["fileToUpload"]["name"])). " has been uploaded.";
+            } else {
+                echo "Sorry, there was an error uploading your file.";
+            }
+        }
+    }
+    ?>
\ No newline at end of file
diff --git a/www-sthome/data/config/nginx.conf b/www-sthome/data/config/nginx.conf
new file mode 100644
index 0000000..4c85b8f
--- /dev/null
+++ b/www-sthome/data/config/nginx.conf
@@ -0,0 +1,33 @@
+
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}
diff --git a/www-sthome/data/config/sites-enabled/sthome.conf b/www-sthome/data/config/sites-enabled/sthome.conf
new file mode 100644
index 0000000..5450eaa
--- /dev/null
+++ b/www-sthome/data/config/sites-enabled/sthome.conf
@@ -0,0 +1,11 @@
+
+server {
+    listen       80;
+    listen  [::]:80;
+    server_name  www.sthome.org;
+    root /var/sites/www/;
+    index index.html index/htm;
+    location / {
+        try_files $uri $uri/ =404 ;
+    }
+}
\ No newline at end of file
diff --git a/www-sthome/data/config/templates/default.conf.template b/www-sthome/data/config/templates/default.conf.template
new file mode 100644
index 0000000..2820d5e
--- /dev/null
+++ b/www-sthome/data/config/templates/default.conf.template
@@ -0,0 +1,45 @@
+server {
+#    listen       ${NGINX_PORT};
+#    listen  [::]:${NGINX_PORT};
+#    server_name  ${NGINX_HOST};
+
+    access_log  /var/log/nginx/host.access.log  main;
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+
+    #error_page  404              /404.html;
+
+    # redirect server error pages to the static page /50x.html
+    #
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+
+    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+    #
+    #location ~ \.php$ {
+    #    proxy_pass   http://127.0.0.1;
+    #}
+
+    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+    #
+    location ~ \.php$ {
+        root           html;
+        fastcgi_pass   127.0.0.1:9000;
+        fastcgi_index  index.php;
+    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
+        include        fastcgi_params;
+    }
+
+    # deny access to .htaccess files, if Apache's document root
+    # concurs with nginx's one
+    #
+    #location ~ /\.ht {
+    #    deny  all;
+    #}
+
+}
\ No newline at end of file
diff --git a/www-sthome/stacks/.env b/www-sthome/stacks/.env
new file mode 100644
index 0000000..1d6010a
--- /dev/null
+++ b/www-sthome/stacks/.env
@@ -0,0 +1,21 @@
+##############################################################################################
+# Values to be used for substitution by docker compose in compose.yml AND .*.env files
+##############################################################################################
+
+APPLICATION_NAME=www-sthome
+
+DOCKERDIR=/mnt/SSD1/docker
+MEDIADIR=/mnt/stpool1/NData1/Media
+
+STACKSDIR=${DOCKERDIR}/stacks/${APPLICATION_NAME}
+DATAROOT=${DOCKERDIR}/data
+DATADIR=${DATAROOT}/${APPLICATION_NAME}
+SECRETSDIR=${STACKSDIR}/secrets
+CERTSDIR=${DATAROOT}/traefik/certs
+
+SERVICE_PORT=80
+DOMAINNAME=sthome.org
+
+SUBDOMAIN1=www
+
+
diff --git a/www-sthome/stacks/.nginx.env b/www-sthome/stacks/.nginx.env
new file mode 100644
index 0000000..39aa757
--- /dev/null
+++ b/www-sthome/stacks/.nginx.env
@@ -0,0 +1,9 @@
+
+PUID=3064
+PGID=3065 
+TZ=Africa/Johannesburg
+
+NGINX_HOST=${SUBDOMAIN1}.${DOMAINNAME}
+NGINX_PORT=80
+
+NGINX_ENTRYPOINT_QUIET_LOGS=1
\ No newline at end of file
diff --git a/www-sthome/stacks/compose.yml b/www-sthome/stacks/compose.yml
new file mode 100644
index 0000000..edfb227
--- /dev/null
+++ b/www-sthome/stacks/compose.yml
@@ -0,0 +1,40 @@
+name: www-sthome
+
+networks:
+  traefik-net:
+    external: true
+
+services:    
+  nginx:
+    image: nginx:latest
+    env_file: .nginx.env
+   # command: [nginx-debug, '-g', 'daemon off;']
+    networks:
+      traefik-net:
+        aliases: ["${SUBDOMAIN1}"]
+    volumes:
+      - ${DATADIR}/appdata:/var/sites
+      - ${DATADIR}/config/sites-enabled:/etc/nginx/sites-enabled
+      - ${DATADIR}/config/templates:/etc/nginx/templates
+      - ${DATADIR}/config/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ${DATADIR}/logs:/var/log/nginx
+      - ${MEDIADIR}/uploads:/uploads
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-net
+      #- "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
+      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${SERVICE_PORT}"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${SUBDOMAIN1}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${SUBDOMAIN1}.${DOMAINNAME}`)&& PathPrefix(`/`)"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file" 
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
+      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=${APPLICATION_NAME}-auth"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
+      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
+
diff --git a/www-sthome/www-sthome_jm.txt b/www-sthome/www-sthome_jm.txt
new file mode 100644
index 0000000..7be18ce
--- /dev/null
+++ b/www-sthome/www-sthome_jm.txt
@@ -0,0 +1,40 @@
+
+Create user and group
+---------------------
+Credentials -> Local Users -> Add
+Full Name: www-sthome
+Username: www-sthome
+Disable Password: <select>
+Email: <leave blank>
+UID: (note)
+Create New Primary Group: <select>
+Create Home Directory: <uncheck>
+Samba Authentication: <uncheck>
+Save
+
+www-sthome UID: 3064
+www-sthome GID: 3065
+
+Create datasets
+---------------
+# In Truenas shell:
+# list datasets
+zfs list | grep -i "docker.*www-sthome"
+# create following dataset if not present
+zfs create SSD1/docker/data/www-sthome
+zfs create SSD1/docker/data/www-sthome/config
+zfs create SSD1/docker/data/www-sthome/appdata
+zfs create SSD1/docker/data/www-sthome/logs
+chown -R www-sthome:www-sthome /mnt/SSD1/docker/data/www-sthome
+
+Create stacks folder
+---------------------
+mkdir -p /mnt/SSD1/docker/stacks/www-sthome
+
+Copy folder to docker stacks
+----------------------------
+# In Windows cmd shell in www-sthome folder, enter:
+./cp2nas 192.168.2.2
+# or
+pscp -P 22 -r stacks/*.* root@192.168.2.2:/mnt/SSD1/docker/stacks/www-sthome/
+# This should copy stacks folder to /mnt/SSD1/docker/stacks/www-sthome
\ No newline at end of file