Working Services Documentation
Status: Live snapshot (July 2, 2026) — 39 containers running. Core app services are bound to 127.0.0.1 behind Authelia forward-auth (security port-rebind 20cf19e). Exceptions: Samba/NFS remain 0.0.0.0 for LAN file-sharing.
Current automation caveats: Gachiakuta is blocked on SAB category/final-path remediation, not service reachability; Mylar weekly has current 2026 rows while futureupcoming/upcoming are empty, so pull health is table-specific.
Core Working Services
Search & Automation
- Prowlarr — http://127.0.0.1:9696 (indexer management)
- Sonarr — http://127.0.0.1:8989 (TV shows)
- Radarr — http://127.0.0.1:7878 (movies)
- Lidarr — http://127.0.0.1:8686 (music)
- Readarr — http://127.0.0.1:8787 (books)
- SABnzbd — http://127.0.0.1:8180 (usenet downloads)
- Transmission — via Gluetun VPN (port 9092→9091)
- Aria2 — http://127.0.0.1:6800/jsonrpc (RPC downloads)
- Overseerr — http://127.0.0.1:5055 (requests)
- Recyclarr — (no web UI, runs scheduled sync)
Libraries
- Komga — http://127.0.0.1:8081 (comics/manga reader, internal port 25600)
- Komf — http://127.0.0.1:8085 (metadata enrichment)
- Kavita — http://127.0.0.1:5000 (manga/ebook reader)
- Mylar — http://127.0.0.1:8090 (comics automation)
- Whisparr — http://127.0.0.1:6969 (adult content)
- Suwayomi — http://127.0.0.1:4567 (manga sources)
- Audiobookshelf — http://127.0.0.1:13378 (audiobooks/podcasts)
- Stash — http://127.0.0.1:9999 (media organizer)
Media Servers
- Plex — host network (port 32400)
- Tautulli — http://127.0.0.1:8181 (Plex analytics)
Processing & Management
- Tdarr — http://127.0.0.1:8265 (transcoding with GPU acceleration)
- Tdarr Node — (worker, no web UI)
- MakeMKV — http://127.0.0.1:5800 (ISO extraction, VNC: 5900)
- Portainer — http://127.0.0.1:9000 (container management)
- Netdata — http://127.0.0.1:19999 (system monitoring)
- Uptime Kuma — http://127.0.0.1:3031 (service monitoring)
- Dozzle — http://127.0.0.1:8890 (container log viewer)
- Scrutiny — http://127.0.0.1:8086 (disk health/SMART)
Auth & Networking
- Authelia — http://127.0.0.1:9091 (SSO/forward-auth portal)
- Redis — (Authelia session store, no exposed port)
- Caddy — http://127.0.0.1:8092 (public tier), http://127.0.0.1:8093 (adult tier)
- Gluetun — VPN container for Transmission
Dashboards
- Homepage (public) — http://127.0.0.1:3000 (service launcher)
- Homepage (adult) — http://127.0.0.1:3010 (adult-tier launcher)
- Mom Portal — http://127.0.0.1:8094 (family portal)
Analytics
- ClickHouse — http://127.0.0.1:8123 (analytics, also on Tailnet 100.115.21.9:8123)
File Services
- Bazarr — http://127.0.0.1:6767 (subtitles)
- Samba — ports 0.0.0.0:139/445 (LAN file sharing)
- NFS — ports 0.0.0.0:2049 and 0.0.0.0:111/tcp+udp (LAN file sharing)
Disabled / Not Running
- Traefik (routes not wired)
Fleet Docs (VitePress)
- Built from
docs/via VitePress; served via GitHub Pages atdocs.beppesarrstack.net(auth hardening tracked by TP-404: side-port Authelia proof shipped; production rollout decision pending) - Sidebar: fleet overview, active tasks, orchestration plan, brand system, substrate audit, TP triage inventory, ADR index
Quick Start
Key URLs
Plex: http://localhost:32400 # Media streaming
Prowlarr: http://localhost:9696 # Indexer management
Portainer: http://localhost:9000 # Container management
Uptime Kuma: http://localhost:3031 # Service health dashboard
Tdarr: http://localhost:8265 # Transcoding dashboardCLI Management
# Service status (requires sudo for docker)
sudo docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
# Individual service logs
sudo docker logs kavita --tail 50
sudo docker logs prowlarr --tail 50
# Restart a service
sudo docker restart kavitaTautulli reverse-proxy configuration
Tautulli writes its in-memory configuration back to config.ini when it receives SIGTERM. Therefore, applying http_proxy = 1 while Tautulli is running and then invoking docker restart tautulli reverts the edit during shutdown. A live-process edit followed by restart is not a supported sequence.
Use only stop -> apply -> start. The reconciler independently refuses an apply while 127.0.0.1:8181 is listening and probes again immediately before the backup/write boundary. The shell trap prevents an apply failure from leaving the service stopped:
set -euo pipefail
scripts/reconcile_tautulli_proxy.py --check
docker stop tautulli
trap 'docker start tautulli >/dev/null' EXIT
scripts/reconcile_tautulli_proxy.py \
--apply \
--execution-gate ENABLE-TAUTULLI-REVERSE-PROXY-20260711
docker start tautulli
trap - EXIT
# Acceptance: redirect location must remain HTTPS after the process starts.
curl -ksS -o /dev/null \
-w 'code=%{http_code} redirect=%{redirect_url}\n' \
https://joe-steambox.alai-opaleye.ts.net:8181/Never use docker restart tautulli for this configuration mutation. Inspect the protected receipt emitted by the reconciler before starting the service.
Technical Notes
Container Runtime
- Docker is the primary runtime (requires sudo)
- Do NOT use podman (creates separate instances, causes conflicts)
- Socket:
/var/run/docker.sock - All 24 containers managed via docker compose
GPU Acceleration (Tdarr)
- GPU: AMD Radeon 780M (integrated, RDNA 3)
- Video Engine: VCN 4.0 (Video Core Next)
- Acceleration: VA-API hardware encoding/decoding
- Device Passthrough:
/dev/drimounted in container - Init System: s6-supervise inside Tdarr container
Tdarr GPU Configuration
The Tdarr container has GPU passthrough configured:
devices:
- /dev/dri:/dev/driVA-API is available inside the container for hardware-accelerated transcoding:
- H.264/AVC encoding and decoding
- HEVC/H.265 encoding and decoding
- VP9 decoding
- AV1 decoding (VCN 4.0)
Validation Method (Dec 27, 2025)
- HTTP health checks on all web endpoints
- Docker container status inspection
- GPU passthrough verified via VA-API inside Tdarr container
- All services responding with 200/301/302/307 (auth redirects normal)
Known Issues
- Mylar returns 401 (requires auth - normal)
- Overseerr/Portainer return 307 (auth redirect - normal)
Last validated: 29Dec25 via automated HTTP probe and GPU verification