https://github.com/qdm12/gluetun-wiki
https://www.youtube.com/watch?v=0F6I03LQcI4

# all services in this project will make use of the gluetun VPN

Create user and group
---------------------
Credentials -> Local Users -> Add
Full Name: gluetun
Username: gluetun
Disable Password: <selected>
Email:
UID: 3029
Create New Primary Group: <selected>
Create Home Directory: <unchecked>
Samba Authentication: <unchecked>
Save
Check Credentials -> Local Groups for GID
Name: gluetun
GID: 3028

gluetun UID: 3029
gluetun GID: 3028

Create datasets
---------------
# In Truenas shell:
# list datasets
zfs list | grep -i "docker.*gluetun-arr"
# create following datasets if not present
zfs create SSD1/docker/data/gluetun-arr
zfs create SSD1/docker/data/gluetun-arr/appdata
chown -R gluetun:gluetun /mnt/SSD1/docker/data/gluetun-arr

Create folder
-------------
mkdir /mnt/SSD1/docker/stacks/gluetun-arr

Copy folder to docker stacks
----------------------------
# In Windows cmd shell in gluetun-arr folder, enter:
./cp2nas 10.0.0.20
# OR
pscp -P 22 -r stacks/*.* root@10.0.0.20:/mnt/SSD1/docker/stacks/gluetun-arr/
# The above should copy compose.yaml, .env and secrets folder to /mnt/SSD1/docker/stacks/gluetun-arr

Creating secrets
----------------
In Truenas shell:
cd /mnt/SSD1/docker/stacks/gluetun-arr/secrets
echo -n 'nordvpn private key' > wireguard_private_key
cd /mnt/SSD1/docker/stacks/gluetun-arr
chown -R gluetun:gluetun secrets/
chmod -R 400 secrets/

Creating user password hash strings for user authorisation using traefik basic-auth
-----------------------------------------------------------------------------------
# If not installed, install htpasswd:
jlmkr shell docker
apt update & apt install apache2-utils
# The user credentials can be applied as a label entry in the compose.yml file or as a line entry in a text file
# When used as a label entry, all '$' needs to be escaped with a second '$'; sed can be used for this purpose:
# To create user list textfile line item
echo $(htpasswd -nB admin)  > /opt/stacks/traefik/users/<appname>.txt
# To create string to be used in compose file label 
echo $(htpasswd -nB admin) | sed -e s/\\$/\\$\\$/g
# See traefik_jm.txt for more detailed instructions

gluetun folder mappings
----------------------
# To avoid problems setting up new app, it is recommended that the mount path for downloads inside the container be kept exactly the same as what the old app use to have
# As we did not migrate data from old app to new, on initial import, all tvshows will default to being monitored. Make changes accordingly.

Check gluetun ip
----------------
# Exec into any of the apps' container using gluetun
docker exec -it <app-container-name> sh
# Check remote ip
curl ifconfig.me # or curl http://whatismyip.akamai.com

Update .env and compose.yml for app
-----------------------------------
# The gluetun .env file requires the following entries for each app using the gluetun VPN, e.g. for radarr:
RADARR_APP=radarr
RADARR_PORT=7878

# The gluetun compose.yml file requires the following label entries for each app using the gluetun VPN, e.g. for radarr:
      #- "traefik.http.middlewares.${RADARR_APP}-auth.basicauth.users=${ADMIN_CREDENTIALS}, ${USER_CREDENTIALS}" # uncomment to use common credentials
      #- "traefik.http.middlewares.${RADARR_APP}-auth.basicauth.usersfile=/mnt/users/${RADARR_APP}.txt"          # uncomment to use credentials stored in /opt/stacks/traefik/users/<appname>.txt
      - "traefik.http.services.${RADARR_APP}-gt-svc.loadbalancer.server.port=${RADARR_PORT}"
      - "traefik.http.routers.${RADARR_APP}.entrypoints=web"
      - "traefik.http.routers.${RADARR_APP}.rule=Host(`${RADARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${RADARR_APP}-secure.entrypoints=websecure"
      - "traefik.http.routers.${RADARR_APP}-secure.rule=Host(`${RADARR_APP}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${RADARR_APP}-secure.tls=true"
      - "traefik.http.routers.${RADARR_APP}-secure.tls.certresolver=sthomeresolver"
      #- "traefik.http.routers.${RADARR_APP}-secure.middlewares=${RADARR_APP}-auth"          # uncomment to use basic-auth; requires one or both of above basicauth middlewares to be uncommented
      - "traefik.http.routers.${RADARR_APP}-secure.service=${RADARR_APP}-gt-svc"

Troubleshooting
---------------
If dockge / docker compose up complains about "parsing /opt/stacks/.../compose.yml: yaml: line ##: did not find expected '-' indicator", where ## is the "labels:" line number in compose.yml:
 - look for missing trailing '"' amongst the labels