Refactor services for dynamic ports and zero-downtime deployments#89
Open
ExtraToast wants to merge 7 commits into main from
Conversation
- Grafana: dynamic port with GF_SERVER_HTTP_PORT, remove static 3000
- N8N: dynamic port with N8N_PORT, remove static 5678
- Headscale: dynamic port, template listen_addr with NOMAD_PORT_http
- Uptime-Kuma: bridge mode with dynamic host port mapped to 3001, add missing update stanza

All services already route through Traefik via Consul catalog, which automatically discovers the new dynamic ports. Removing static ports allows Nomad to run old and new allocations simultaneously during rolling updates, eliminating downtime from port conflicts.
- Sonarr, Radarr, Bazarr, Jellyseerr: bridge networking with dynamic host ports mapped to fixed container ports
- Add API key bypass routers for Sonarr, Radarr, Bazarr so inter-service communication (Prowlarr, Bazarr, Jellyseerr) can reach them via Traefik without forward-auth when using X-Api-Key headers
- Browser access remains protected by forward-auth (MFA)
- Jellyfin unchanged: stays on host networking with static port for GPU access and direct LAN streaming
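As an added example (not a file from this PR), a Nomad job fragment that combines the two patterns the commits above describe: a bridge-mode group with a dynamic host port plus an update stanza so old and new allocations overlap during a rolling update, and Consul tags for Traefik (v2 rule syntax) that keep forward-auth on the browser router while a higher-priority router for requests carrying X-Api-Key skips it. The hostname, the forward-auth@file middleware name, the image, and the /ping check path are assumptions.

```hcl
job "sonarr" {
  datacenters = ["dc1"]
  type        = "service"
  # Rolling update: new alloc must be healthy before the old one stops.
  update {
    max_parallel     = 1
    min_healthy_time = "10s"
    healthy_deadline = "5m"
    auto_revert      = true
  }
  group "sonarr" {
    network {
      mode = "bridge"
      port "http" {
        to = 8989 # fixed container port; Nomad picks the host port
      }
    }
    service {
      name = "sonarr"
      port = "http" # Consul registers the dynamic host port for Traefik
      tags = [
        "traefik.enable=true",
        # Browser router: protected by the forward-auth (MFA) middleware.
        "traefik.http.routers.sonarr.rule=Host(`sonarr.example.internal`)",
        "traefik.http.routers.sonarr.entrypoints=websecure",
        "traefik.http.routers.sonarr.tls=true",
        "traefik.http.routers.sonarr.middlewares=forward-auth@file",
        # API router: matched only when X-Api-Key is present, higher priority,
        # no forward-auth: Sonarr's own API key check is the only gate here.
        "traefik.http.routers.sonarr-api.rule=Host(`sonarr.example.internal`) && HeadersRegexp(`X-Api-Key`, `.+`)",
        "traefik.http.routers.sonarr-api.entrypoints=websecure",
        "traefik.http.routers.sonarr-api.tls=true",
        "traefik.http.routers.sonarr-api.priority=100",
      ]
      check {
        type     = "http"
        path     = "/ping"
        interval = "10s"
        timeout  = "2s"
      }
    }
    task "sonarr" {
      driver = "docker"
      config {
        image = "lscr.io/linuxserver/sonarr:latest"
        ports = ["http"]
      }
    }
  }
}
```

Because the header match only checks that the header is present, any request with an X-Api-Key value reaches Sonarr directly, so Sonarr's key validation (and its failed-auth logging) is what protects that path.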
- Architecture diagram reflects bridge mode for media services
- Access patterns table: LAN URLs removed (except Jellyfin)
- App configuration instructions use Traefik HTTPS domain URLs for inter-service communication instead of localhost/static ports
- Document API key bypass for forward-auth on media services
- Add tailscaled systemd drop-in that waits for actual internet connectivity (ping 1.1.1.1) before starting, preventing the DNS deadlock where Tailscale can't resolve headscale and writes a broken MagicDNS resolv.conf
- Remove UFW rules for jellyseerr/bazarr/sonarr/radarr static ports — these services now use bridge mode with dynamic ports, accessed via VPS Traefik over Tailscale
- Remove AdGuard DNS rewrites for all media services except Jellyfin — only Jellyfin needs direct LAN access for streaming
- Skip mount unit creation if /etc/systemd/system/mnt-media.mount already exists (only written on first setup)
- Validate that MEDIA_DISK_UUID resolves to a USB-attached device before creating the mount unit, refusing system drives
Netplan auto-generates 90-NM-*.yaml profiles that duplicate NetworkManager's own connection profiles. On USB ethernet dongles this causes two profiles to race for the same interface, leading to IP flapping and failed Tailscale connections at boot.
This pull request makes significant changes to the home media server's networking, access, and deployment patterns. The main improvements are the migration of most media services (except Jellyfin) to Nomad bridge networking with dynamic ports, simplifying LAN access, tightening firewall rules, and improving deployment safety and documentation. Jellyfin remains directly accessible on the LAN for performance reasons, while all other services are now accessed via HTTPS through Traefik. Additional safety checks and systemd improvements are included for more robust setup and operation.
Networking and Access Pattern Changes:
- Tightened firewall (ufw) rules to only allow direct LAN access to Jellyfin and Samba, removing exceptions for other media services.

Service Discovery and API Security:
- Added routers that let requests carrying X-Api-Key headers bypass forward-auth for inter-service communication while maintaining security for user/admin access.

Deployment and Systemd Improvements:

Documentation Updates:
- Updated README.md to explain the new networking model, access patterns, and setup instructions for all services, emphasizing HTTPS access and dynamic port assignment.

These changes collectively improve security, reliability, and maintainability of the home media server setup.