Refactor Docker Swarm stack configurations for local deployment

Updated multiple stack files to use local hostnames instead of external domains, simplified Traefik configuration, and reorganized Authentik service location. Changes improve local development setup and reduce complexity.

Key changes:
- Simplified .gitignore to exclude entire conf/ directory
- Updated Traefik labels across services to use .swarm.home domains
- Removed Cloudflare cert resolver references for local TLS
- Moved Authentik from apps/ to core/ directory structure
- Removed Traefik labels from n8n and paperless services
- Updated Traefik stack to use simplified port bindings
- Added timezone environment variable to adminer and outline

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

stacks/core/authentik/stack.yml

@@ -0,0 +1,112 @@
+services:
+  redis:
+    image: redis:alpine
+    command: --save 60 1 --loglevel warning
+    volumes:
+    - /home/doc/projects/swarm-data/appdata/authentik/redis:/data
+    ports:
+    - 6379:6379
+    networks:
+    - homelab
+    healthcheck:
+      test: [ "CMD", "redis-cli", "ping" ]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+    deploy:
+      replicas: 1
+      resources:
+        limits:
+          memory: 512M
+        reservations:
+          memory: 128M
+
+  authentik_server:
+    image: ghcr.io/goauthentik/server:2025.10.0
+    command: server
+    environment:
+      AUTHENTIK_SECRET_KEY: "file:///run/secrets/auth-key"
+      AUTHENTIK_REDIS__HOST: "redis"
+      AUTHENTIK_POSTGRESQL__HOST: "10.0.4.10"
+      AUTHENTIK_POSTGRESQL__PORT: "5432"
+      AUTHENTIK_POSTGRESQL__USER: "admin"
+      AUTHENTIK_POSTGRESQL__NAME: "authentik"
+      AUTHENTIK_POSTGRESQL__PASSWORD: "file:///run/secrets/postgres-master"
+      # Optional: Set error reporting (set to false for privacy)
+      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
+    secrets:
+    - auth-key
+    - postgres-master
+    volumes:
+    - /home/doc/projects/swarm-data/appdata/authentik/media:/media
+    - /home/doc/projects/swarm-data/appdata/authentik/templates:/templates
+    - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+    - homelab
+    healthcheck:
+      test: [ "CMD-SHELL", "ak healthcheck" ]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 90s
+    deploy:
+      replicas: 1
+      resources:
+        limits:
+          memory: 1G
+          cpus: '1.0'
+        reservations:
+          memory: 512M
+      labels:
+      - "traefik.enable=true"
+      - "traefik.swarm.network=homelab"
+      - "traefik.http.routers.authentik.rule=Host(`auth.swam.home`)"
+      - "traefik.http.routers.authentik.entrypoints=web,websecure"
+      - "traefik.http.routers.authentik.tls=true"
+      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+
+    depends_on:
+    - redis
+
+  authentik_worker:
+    image: ghcr.io/goauthentik/server:2025.10.0
+    command: worker
+    environment:
+      AUTHENTIK_SECRET_KEY: "file:///run/secrets/auth-key"
+      AUTHENTIK_REDIS__HOST: "redis"
+      AUTHENTIK_POSTGRESQL__HOST: "10.0.4.10"
+      AUTHENTIK_POSTGRESQL__PORT: "5432"
+      AUTHENTIK_POSTGRESQL__USER: "admin"
+      AUTHENTIK_POSTGRESQL__NAME: "authentik"
+      AUTHENTIK_POSTGRESQL__PASSWORD: "file:///run/secrets/postgres-master"
+      # Optional: Set error reporting (set to false for privacy)
+      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
+    secrets:
+    - auth-key
+    - postgres-master
+    volumes:
+    - /home/doc/projects/swarm-data/appdata/authentik/media:/media
+    - /home/doc/projects/swarm-data/appdata/authentik/templates:/templates
+    - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+    - homelab
+    deploy:
+      replicas: 1
+      resources:
+        limits:
+          memory: 1G
+          cpus: '1.0'
+        reservations:
+          memory: 512M
+    depends_on:
+    - redis
+
+networks:
+  homelab:
+    external: true
+secrets:
+  postgres-master:
+    external: true
+  auth-key:
+    external: true

stacks/core/portainer/stack.yml

@@ -17,10 +17,9 @@ services:
       labels:
       - "traefik.enable=true"
       - "traefik.swarm.network=homelab"
-      - "traefik.http.routers.portainer.rule=Host(`portainer.frostlabs.me`)"
-      - "traefik.http.routers.portainer.entrypoints=websecure"
-      - "traefik.http.routers.portainer.tls.certresolver=cloudflare"
-      - "traefik.http.routers.portainer.service=portainer"
+      - "traefik.http.routers.portainer.rule=Host(`portainer.swarm.home`)"
+      - "traefik.http.routers.portainer.entrypoints=web,websecure"
+      - "traefik.http.routers.portainer.tls=true"
       - "traefik.http.services.portainer.loadbalancer.server.port=9000"
 
   agent:

stacks/core/traefik/stack.yml

@@ -1,27 +1,18 @@
 services:
   traefik:
-    image: traefik:v3.5
+    image: traefik:v3.5.4
     # Remove all command arguments - using static config file instead
     ports:
-    - target: 80
-      published: 80
-      mode: host
-    - target: 443
-      published: 443
-      mode: host
-    - target: 8443
-      published: 8443
-      mode: host
-    - target: 8080
-      published: 8082
-      mode: host
+    - 80:80
+    - 443:443
+    - 8080:8080
     environment:
     - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
     volumes:
     - /var/run/docker.sock:/var/run/docker.sock:ro
-    - /home/doc/projects/swarm-data/appdata/traefik/certificates:/certificates
+    #
     - /home/doc/projects/swarm/conf/traefik-conf/static.yml:/etc/traefik/traefik.yml:ro
-    - /home/doc/projects/swarm/conf/traefik-conf/dynamic.yml:/etc/traefik/dynamic/dynamic.yml:ro
+    - /home/doc/projects/swarm/conf/traefik-conf/dynamic.yml:/etc/traefik/dynamic/dynamic.yml:rw
     secrets:
     - cloudflare_api_token
     networks:
@@ -37,20 +28,7 @@ services:
       replicas: 1
       placement:
         constraints:
-        - node.hostname == p0
-      resources:
-        limits:
-          memory: 512M
-          cpus: '0.5'
-        reservations:
-          memory: 256M
-      labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.traefik.rule=Host(`proxy.frostlabs.me`)"
-      - "traefik.http.routers.traefik.entrypoints=websecure"
-      - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
-      - "traefik.http.routers.traefik.service=api@internal"
-      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
+          - node.hostname == p0
 
 networks:
   homelab: