Skip to main content

Version 1.12.1

Bug fixes:

  • Order of Traefik middleware to ensure error-pages is applied
  • Add 4K instance subdomain to Traefik Hosts list to fix Traefik security hardening issue
  • Add Cleanuparr to download_net so it can communicate with download clients
  • Fix missing middleware if traefik security hardening not enabled

Version 1.12.0

Breaking Changes

Containers Moved to Container Map

The containers below had variables to control enabling them instead of being in the container map.

These have now been moved to the container map and will be controlled from there. The existing variables to control enablement will exist for the time being, but will be removed at some point in the future.

  • Cloudflare Tunnel (cloudflare-tunnel)
  • Cloudflare DDNS (cloudflare-ddns)
  • Watchtower (watchtower)
  • Tailscale (tailscale)

Authentik

You will need to do manual steps BEFORE running the playbook, otherwise Authentik will fail to start. These steps are available in these Authentik docs

Authentik has been updated to its current latest available version, but going from the previously supported version by this project to the most recent is not a straight path due to a change in the postgresql version

Follow the steps in these Authentik docs

Wizarr

Fixed permissions to use non-root user and changed volume mount path. These items were to align it with the official documentation for installation.

New Containers

Error pages, for some fancy error pages in Traefik

Removed Containers

For the first time, a container has been removed.

Readarr - Officially retired and the docker image has been deprecated and will fail to download new images with the error no matching manifest for linux/amd64 in the manifest list entries. See more on the Readarr homepage: https://readarr.com/

New Variables

  • inventory/group_vars/all/traefik.yml: hmsdocker_traefik_errorpages_enabled, this will enable the error-pages container for better HTML error pages from Traefik. Enabled by default if this does not exist for existing setups since Traefik will fail to start without it, and it's a great quality of life improvement

  • inventory/group_vars/all/authentik.yml: hmsdocker_authentik_enabled_through_cftunnel, this will forcefully enable Authentik for all containers (if Authentik is also enabled)

  • inventory/group_vars/all/homepage_api_keys.yml:

    # Additional Homepage integration configuration options
    hmsdocker_homepage_backrest_user: 
    hmsdocker_homepage_backrest_pass: 

    hmsdocker_homepage_cftunnel_key: 
    hmsdocker_homepage_cftunnel_accountid: 
    hmsdocker_homepage_cftunnel_tunnelid: 

    hmsdocker_homepage_tailscale_api_key: 
    hmsdocker_homepage_tailscale_device_id: 

    hmsdocker_homepage_speedtest_api_key:

    hmsdocker_homepage_tubearchivist_api_key: 

    hmsdocker_homepage_uptimekuma_statuspage_slug:

Deprecated Variables

Everything related to Readarr due to it being deprecated

  • inventory/group_vars/all/authentik.yml: authentik_enabled, this was not in use anywhere that I could find, Authentik enablement is only handled by the container map (whereas it was either before)

  • inventory/group_vars/all/container_settings.yml: container_enable_auto_updates

  • inventory/group_vars/all/cloudflare.yml: cloudflare_ddns_enabled, this container has moved to the container map with the key cloudflare-tunnel

  • inventory/group_vars/all/cloudflare.yml: cloudflare_tunnel_enabled, this container has moved to the container map with the key cloudflare-ddns

  • inventory/group_vars/all/container_settings.yml: container_enable_auto_updates, the Watchtower container has moved to the container map with the key watchtower

  • inventory/group_vars/all/tailscale.yml: tailscale_enabled, the tailscale container has moved to the container map with the key tailscale

Bug Fixes

  • Fix Traefik middleware declarations, now all middleware should correctly apply
  • Fix Sabnzbd host_whitelist appending
  • Ensure qBittorrent config directory exists in prereqs so config can be written
  • Remove duplicate Authentik task runs
  • Remove Authentik protection from Authentik

Other changes

  • Massive overhaul to variables computed at runtime
    • This should have no impact to existing setups and paves the path for more dynamic control
  • Fix semantic version checking during playbook run
  • Tune health checks
  • New logos and images
  • Homepage now had read-only access to docker socket
  • Added more containers to Homepage
  • Updated Authentik Application/Provider documentation
  • Documentation around the custom scripts
  • Improved Actions tests around container prereqs and postreqs
  • Organize Authentik templates
  • Organize Traefik templates
  • Remove ad from Traefik dashboard
  • Remove Traefik static config backup to prevent auto-load issues since it looks at all files
  • Add more security to Traefik
    • Additional hardening options
    • read-only docker socket by default
    • read-only config file access
    • no-new-privileges:true compose security option
    • Route to traefik dashboard/API via api@internal service
    • permanent HTTPS redirection
  • Add ability to skip TLS/SSL verification for Traefik external hosts
    • the opposite of adding security, but may be needed depending on self-signed certs or proxy configs
  • Remove unused files
  • Prevent GPU tasks from being shown as "changed" during every run