Skip to content

Working Services Documentation

Status: Live snapshot (July 2, 2026) — 39 containers running. Core app services are bound to 127.0.0.1 behind Authelia forward-auth (security port-rebind 20cf19e). Exceptions: Samba/NFS remain 0.0.0.0 for LAN file-sharing.

Current automation caveats: Gachiakuta is blocked on SAB category/final-path remediation, not service reachability; Mylar weekly has current 2026 rows while futureupcoming/upcoming are empty, so pull health is table-specific.

Core Working Services

Search & Automation

Libraries

Media Servers

Processing & Management

Auth & Networking

Dashboards

Analytics

File Services

  • Bazarrhttp://127.0.0.1:6767 (subtitles)
  • Samba — ports 0.0.0.0:139/445 (LAN file sharing)
  • NFS — ports 0.0.0.0:2049 and 0.0.0.0:111/tcp+udp (LAN file sharing)

Disabled / Not Running

  • Traefik (routes not wired)

Fleet Docs (VitePress)

  • Built from docs/ via VitePress; served via GitHub Pages at docs.beppesarrstack.net (auth hardening tracked by TP-404: side-port Authelia proof shipped; production rollout decision pending)
  • Sidebar: fleet overview, active tasks, orchestration plan, brand system, substrate audit, TP triage inventory, ADR index

Quick Start

Key URLs

bash
Plex:         http://localhost:32400   # Media streaming
Prowlarr:     http://localhost:9696    # Indexer management
Portainer:    http://localhost:9000    # Container management
Uptime Kuma:  http://localhost:3031    # Service health dashboard
Tdarr:        http://localhost:8265    # Transcoding dashboard

CLI Management

bash
# Service status (requires sudo for docker)
sudo docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"

# Individual service logs
sudo docker logs kavita --tail 50
sudo docker logs prowlarr --tail 50

# Restart a service
sudo docker restart kavita

Tautulli reverse-proxy configuration

Tautulli writes its in-memory configuration back to config.ini when it receives SIGTERM. Therefore, applying http_proxy = 1 while Tautulli is running and then invoking docker restart tautulli reverts the edit during shutdown. A live-process edit followed by restart is not a supported sequence.

Use only stop -> apply -> start. The reconciler independently refuses an apply while 127.0.0.1:8181 is listening and probes again immediately before the backup/write boundary. The shell trap prevents an apply failure from leaving the service stopped:

bash
set -euo pipefail

scripts/reconcile_tautulli_proxy.py --check

docker stop tautulli
trap 'docker start tautulli >/dev/null' EXIT

scripts/reconcile_tautulli_proxy.py \
  --apply \
  --execution-gate ENABLE-TAUTULLI-REVERSE-PROXY-20260711

docker start tautulli
trap - EXIT

# Acceptance: redirect location must remain HTTPS after the process starts.
curl -ksS -o /dev/null \
  -w 'code=%{http_code} redirect=%{redirect_url}\n' \
  https://joe-steambox.alai-opaleye.ts.net:8181/

Never use docker restart tautulli for this configuration mutation. Inspect the protected receipt emitted by the reconciler before starting the service.

Technical Notes

Container Runtime

  • Docker is the primary runtime (requires sudo)
  • Do NOT use podman (creates separate instances, causes conflicts)
  • Socket: /var/run/docker.sock
  • All 24 containers managed via docker compose

GPU Acceleration (Tdarr)

  • GPU: AMD Radeon 780M (integrated, RDNA 3)
  • Video Engine: VCN 4.0 (Video Core Next)
  • Acceleration: VA-API hardware encoding/decoding
  • Device Passthrough: /dev/dri mounted in container
  • Init System: s6-supervise inside Tdarr container

Tdarr GPU Configuration

The Tdarr container has GPU passthrough configured:

yaml
devices:
  - /dev/dri:/dev/dri

VA-API is available inside the container for hardware-accelerated transcoding:

  • H.264/AVC encoding and decoding
  • HEVC/H.265 encoding and decoding
  • VP9 decoding
  • AV1 decoding (VCN 4.0)

Validation Method (Dec 27, 2025)

  • HTTP health checks on all web endpoints
  • Docker container status inspection
  • GPU passthrough verified via VA-API inside Tdarr container
  • All services responding with 200/301/302/307 (auth redirects normal)

Known Issues

  • Mylar returns 401 (requires auth - normal)
  • Overseerr/Portainer return 307 (auth redirect - normal)

Last validated: 29Dec25 via automated HTTP probe and GPU verification

Built with ❤️ following Bell Labs standards. Dedicated to Stan Eisenstat.