Stable.

.gitignore

@@ -0,0 +1,25 @@
+*
+
+!.gitignore
+!ddns.sh
+
+!nginx-proxy/
+!nginx-proxy/docker-compose.yml
+!nginx-proxy/conf.d
+!nginx-proxy/conf.d/*
+
+!mqtt-broker/
+!mqtt-broker/mosquitto/
+!mqtt-broker/mosquitto/config
+!mqtt-broker/mosquitto/config/mosquitto.conf
+!mqtt-broker/mosquitto/config/password.txt
+!mqtt-broker/docker-compose.yml
+
+!homeassistant/
+!homeassistant/docker-compose.yml
+
+!zwavejs/
+!zwavejs/docker-compose.yml
+
+!beszel/
+!beszel/docker-compose.yml

beszel/docker-compose.yml

@@ -0,0 +1,25 @@
+services:
+  beszel:
+    image: henrygd/beszel
+    container_name: beszel
+    restart: unless-stopped
+    ports:
+      - 8090:8090
+    volumes:
+      - ./beszel_data:/beszel_data
+
+  beszel-agent:
+    image: henrygd/beszel-agent
+    container_name: beszel-agent
+    restart: unless-stopped
+    network_mode: host
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./beszel_agent_data:/var/lib/beszel-agent
+      # monitor other disks / partitions by mounting a folder in /extra-filesystems
+      # - /mnt/disk/.beszel:/extra-filesystems/sda1:ro
+    environment:
+      LISTEN: 45876
+      KEY: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+dzh2ruWrqxVsXXWKYM7FcajNV7+3cz/6V+Hkfzwvr'
+      TOKEN: 3ca1b-5cc7a7a4e-39f3e-f1dbbd32a
+      HUB_URL: http://192.168.1.98:8090

ddns.sh

@@ -0,0 +1,98 @@
+#!/bin/bash
+
+# ============================================================================
+# DYNAMIC DNS UPDATER FOR NAMECHEAP (MULTI-DOMAIN)
+# ============================================================================
+# Configuration - Edit these values
+# ============================================================================
+
+# Define your domains/hosts as an array of space-separated strings
+# Format: "HOSTNAME:DOMAIN:PASSWORD"
+# Use '@' for root domain, 'sub' for subdomain (e.g., 'home', 'video')
+DOMAINS=(
+  "home:seanowiecki.com:d7b38fc4de474e81a79a309824aa8e2a"
+  "video:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "frigate:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "survey:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "memos:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "openwebui:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "immich:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "matrix:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "minecraft:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "chat:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "bentopdf:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "home:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "nextcloud:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "obico:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "obsidian:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "qr:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "cachet:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "grafana:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "valheim:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "satisfactory:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "vpn:atomic6.net:2a687057401f4401b4248d1d31b2ba81"
+  "salt:nase.dev:1fa7b1a67d404b339e38107db98c87f0"
+  "gitea:nase.dev:1fa7b1a67d404b339e38107db98c87f0"
+)
+
+# IP checking service (choose one that works reliably for you)
+IP_SERVICE="https://api.ipify.org"  # Alternatives: "https://ifconfig.io/ip", "https://icanhazip.com"
+
+# ============================================================================
+# Script Core - Do not edit below unless you know what you're doing
+# ============================================================================
+
+# Get current public IP
+echo "[$(date)] Checking public IP..."
+CURRENT_IP=$(curl -s "$IP_SERVICE")
+
+if [ -z "$CURRENT_IP" ]; then
+  echo "[$(date)] ERROR: Could not fetch public IP. Check network or IP service."
+  exit 1
+fi
+
+echo "[$(date)] Current public IP: $CURRENT_IP"
+
+# Process each domain entry
+for ENTRY in "${DOMAINS[@]}"; do
+  # Split the entry into components
+  IFS=":" read -r HOSTNAME DOMAIN PASSWORD <<< "$ENTRY"
+
+  # Create a unique identifier for this host/domain combination
+  RECORD_ID="${HOSTNAME}.${DOMAIN}"
+
+  # File to store last IP for this specific record
+  IP_FILE="/tmp/last_ip_${RECORD_ID//[^a-zA-Z0-9]/_}.txt"
+
+  # Read last recorded IP if file exists
+  if [ -f "$IP_FILE" ]; then
+    LAST_IP=$(cat "$IP_FILE")
+  else
+    LAST_IP=""
+  fi
+
+  # Update only if IP has changed
+  if [ "$CURRENT_IP" != "$LAST_IP" ]; then
+    echo "[$(date)] IP changed for $RECORD_ID ($LAST_IP → $CURRENT_IP). Updating..."
+
+    # Call Namecheap's API
+    RESPONSE=$(curl -s "https://dynamicdns.park-your-domain.com/update?host=$HOSTNAME&domain=$DOMAIN&password=$PASSWORD&ip=$CURRENT_IP")
+
+    # Check response for success
+    if echo "$RESPONSE" | grep -q "<ErrCount>0</ErrCount>"; then
+      echo "[$(date)] ✓ Successfully updated $RECORD_ID"
+      echo "$CURRENT_IP" > "$IP_FILE"
+    else
+      # Extract error message from response
+      ERROR=$(echo "$RESPONSE" | grep -o "<Err1>.*</Err1>" | sed 's/<Err1>\(.*\)<\/Err1>/\1/')
+      echo "[$(date)] ✗ Failed to update $RECORD_ID: $ERROR"
+    fi
+
+    # Optional: Log full response for debugging
+    # echo "API Response: $RESPONSE"
+  else
+    echo "[$(date)] IP unchanged for $RECORD_ID ($CURRENT_IP). Skipping."
+  fi
+done
+
+echo "[$(date)] DDNS update cycle completed."

mqtt-broker/docker-compose.yml

@@ -0,0 +1,21 @@
+services:
+  mosquitto:
+    image: eclipse-mosquitto:latest
+    container_name: mosquitto
+    labels:
+      - "beszel.monitor=true"
+      - "beszel.service=mosquitto"
+    restart: unless-stopped
+    ports:
+      - "1883:1883"       # Main MQTT port for all devices
+      - "9001:9001"       # WebSocket port (optional)
+    volumes:
+      - ./mosquitto/config:/mosquitto/config
+      - ./mosquitto/data:/mosquitto/data
+      - ./mosquitto/log:/mosquitto/log
+    networks:
+      - mqtt-network
+
+networks:
+  mqtt-network:
+    driver: bridge

mqtt-broker/mosquitto/config/mosquitto.conf

@@ -0,0 +1,8 @@
+persistence true
+persistence_location /mosquitto/data/
+log_dest file /mosquitto/log/mosquitto.log
+listener 1883 0.0.0.0  # Listen on all network interfaces
+
+# Authentication - Start with this to test, then add passwords
+allow_anonymous true
+password_file /mosquitto/config/password.txt

mqtt-broker/mosquitto/config/password.txt

@@ -0,0 +1 @@
+nase:$7$101$6qku4pTCy9Z/iAYo$NNZNmy3ZSRj9FVZG6rkfMJu8Lk4eD3HUaR8oYtdNwm8NCF99VE6PR9PXoviw9DDsfh1DtHpUt34QdxjW7ZvPTQ==

nginx-proxy/conf.d/00-acme-challenge.conf

@@ -0,0 +1,15 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _; # Catch-all
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+        try_files $uri =404;
+    }
+
+    # Redirect ALL HTTP traffic to HTTPS (using the original host)
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}

nginx-proxy/conf.d/bentopdf.atomic6.net.conf

@@ -0,0 +1,27 @@
+server {
+    listen 80;
+    server_name bentopdf.atomic6.net;
+
+    # Let's Encrypt challenge path
+    location /.well-known/acme-challenge/ {
+        alias /var/www/html/.well-known/acme-challenge/;
+        try_files $uri =404;
+    }
+
+    # Redirect all other traffic to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name bentopdf.atomic6.net;
+
+    ssl_certificate /etc/letsencrypt/live/bentopdf.atomic6.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/bentopdf.atomic6.net/privkey.pem;
+    location / {
+        proxy_pass http://192.168.1.208:3000;
+        proxy_set_header Host $host;
+    }
+}

nginx-proxy/conf.d/frigate.atomic6.net.conf

@@ -0,0 +1,27 @@
+server {
+    listen 80;
+    server_name frigate.atomic6.net;
+
+    # Let's Encrypt challenge path
+    location /.well-known/acme-challenge/ {
+        alias /var/www/html/.well-known/acme-challenge/;
+        try_files $uri =404;
+    }
+
+    # Redirect ALL other HTTP traffic to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+# HTTPS server block (can remain as is)
+server {
+    listen 443 ssl;
+    server_name frigate.atomic6.net;
+    ssl_certificate /etc/letsencrypt/live/frigate.atomic6.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/frigate.atomic6.net/privkey.pem;
+    location / {
+        proxy_pass http://192.168.1.131:8971;
+        proxy_set_header Host $host;
+    }
+}

nginx-proxy/conf.d/gitea.nase.dev.conf

@@ -0,0 +1,27 @@
+server {
+    listen 80;
+    server_name gitea.nase.dev;
+
+    location /.well-known/acme-challenge/ {
+        alias /var/www/html/.well-known/acme-challenge/;
+        try_files $uri =404;
+    }
+
+    # Redirect all other traffic to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name gitea.nase.dev;
+
+    ssl_certificate /etc/letsencrypt/live/gitea.nase.dev/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/gitea.nase.dev/privkey.pem;
+
+    location / {
+        proxy_pass http://192.168.1.208:3005;
+        proxy_set_header Host $host;
+    }
+}

nginx-proxy/conf.d/home-assistant.conf

@@ -0,0 +1,84 @@
+# HTTP Server Block - REQUIRED for Let's Encrypt and redirects
+server {
+    listen 80;
+    # listen [::]:80;
+    server_name home.seanowiecki.com;
+
+    # Location for Let's Encrypt HTTP-01 challenge renewal
+    # This path must match the webroot path used by the certbot command
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+        # Ensure this directory exists in your nginx container
+        try_files $uri =404;
+    }
+
+    # Redirect ALL other HTTP traffic to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+# HTTPS Server Block - Your existing config, corrected
+server {
+    listen 443 ssl;
+    http2 on;
+    server_name home.seanowiecki.com;
+
+    # SSL Configuration
+    ssl_certificate /etc/letsencrypt/live/home.seanowiecki.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/home.seanowiecki.com/privkey.pem;
+
+    # SSL Settings (your existing settings are good)
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 1d;
+
+    # Proxy configuration for Home Assistant
+    location / {
+        proxy_pass http://192.168.1.98:8123; # Use your Docker service name or IP
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # Essential WebSocket support headers[citation:2]
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # DISABLE buffering for the initial response
+        proxy_buffering off;
+
+        # CRITICAL: Increase timeouts for the initial data load[citation:3]
+        proxy_read_timeout 86400s;  # Keep connections alive for a long time
+        proxy_send_timeout 86400s;
+        proxy_connect_timeout 30s;
+
+        # Optimize buffers for data transfer
+#        proxy_buffering off;
+#        proxy_buffer_size 128k;
+#        proxy_buffers 4 256k;
+#        proxy_busy_buffers_size 256k;
+
+        # Ensure nginx doesn't buffer WebSocket frames
+        proxy_http_version 1.1;
+    }
+
+    location /api/websocket {
+        proxy_pass http://192.168.1.98:8123;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 86400s; # Keep WS connection alive
+    }
+
+    # Security headers
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+}

nginx-proxy/conf.d/immich.atomic6.net.conf

@@ -0,0 +1,28 @@
+server {
+    listen 80;
+    server_name immich.atomic6.net;
+
+    # Let's Encrypt challenge path
+    location /.well-known/acme-challenge/ {
+        alias /var/www/html/.well-known/acme-challenge/;
+        try_files $uri =404;
+    }
+
+    # Redirect all other traffic to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name immich.atomic6.net;
+    ssl_certificate /etc/letsencrypt/live/immich.atomic6.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/immich.atomic6.net/privkey.pem;
+    client_max_body_size 0;
+
+    location / {
+        proxy_pass http://192.168.1.208:2283;
+        proxy_set_header Host $host;
+    }
+}

nginx-proxy/conf.d/jellyfin.conf

@@ -0,0 +1,74 @@
+server {
+    listen 80;
+    server_name video.atomic6.net;
+
+    # Let's Encrypt challenge path
+    location /.well-known/acme-challenge/ {
+        alias /var/www/html/.well-known/acme-challenge/;
+        try_files $uri =404;
+    }
+
+    # Redirect all other traffic to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    http2 on;
+    server_name video.atomic6.net;
+
+    # SSL Configuration
+    ssl_certificate /etc/letsencrypt/live/home.seanowiecki.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/home.seanowiecki.com/privkey.pem;
+
+    # SSL Settings
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # Media server proxy configuration
+    location / {
+        proxy_pass http://192.168.1.131:8096;
+
+        # Essential headers
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port 443;
+
+        # Disable SSL verification for backend
+        proxy_ssl_verify off;
+        proxy_ssl_server_name on;
+
+        # WebSocket support
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts for media streaming
+        proxy_connect_timeout 30s;
+        proxy_send_timeout 30s;
+        proxy_read_timeout 30s;
+        proxy_buffering off;
+
+        # Allow large file uploads/downloads
+        client_max_body_size 0;
+    }
+
+    # Explicit WebSocket endpoint
+    location /ws {
+        proxy_pass http://192.168.1.131:8096/ws;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_read_timeout 86400s;
+    }
+
+    # Security headers
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header Referrer-Policy same-origin;
+}

nginx-proxy/conf.d/memos.atomic6.net.conf

@@ -0,0 +1,26 @@
+server {
+    listen 80;
+    server_name memos.atomic6.net;
+
+    # Let's Encrypt challenge path
+    location /.well-known/acme-challenge/ {
+        alias /var/www/html/.well-known/acme-challenge/;
+        try_files $uri =404;
+    }
+
+    # Redirect all other traffic to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name memos.atomic6.net;
+    ssl_certificate /etc/letsencrypt/live/memos.atomic6.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/memos.atomic6.net/privkey.pem;
+    location / {
+        proxy_pass http://192.168.1.208:5230;
+        proxy_set_header Host $host;
+    }
+}

nginx-proxy/conf.d/nextcloud.atomic6.net.conf

@@ -0,0 +1,26 @@
+server {
+    listen 80;
+    server_name nextcloud.atomic6.net;
+
+    # Let's Encrypt challenge path
+    location /.well-known/acme-challenge/ {
+        alias /var/www/html/.well-known/acme-challenge/;
+        try_files $uri =404;
+    }
+
+    # Redirect all other traffic to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name nextcloud.atomic6.net;
+    ssl_certificate /etc/letsencrypt/live/nextcloud.atomic6.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/nextcloud.atomic6.net/privkey.pem;
+    location / {
+        proxy_pass http://192.168.1.131:8081;
+        proxy_set_header Host $host;
+    }
+}

nginx-proxy/conf.d/openwebui.atomic6.net.conf

@@ -0,0 +1,29 @@
+server {
+    listen 80;
+    server_name openwebui.atomic6.net;
+
+    # Let's Encrypt challenge path
+    location /.well-known/acme-challenge/ {
+        alias /var/www/html/.well-known/acme-challenge/;
+        try_files $uri =404;
+    }
+
+    # Redirect all other traffic to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name openwebui.atomic6.net;
+    ssl_certificate /etc/letsencrypt/live/openwebui.atomic6.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/openwebui.atomic6.net/privkey.pem;
+    location / {
+        proxy_pass http://192.168.1.131:3000;
+        proxy_set_header Host $host;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}

nginx-proxy/conf.d/qr.atomic6.net.conf

@@ -0,0 +1,29 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name qr.atomic6.net;
+
+    ssl_certificate /etc/letsencrypt/live/qr.atomic6.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/qr.atomic6.net/privkey.pem;
+
+    location / {
+        proxy_pass http://192.168.1.208:3002;
+        
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # Standard headers for potential API/upgrade support
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+    }
+}
+
+# HTTP redirect (optional but recommended)
+server {
+    listen 80;
+    listen [::]:80;
+    server_name qr.atomic6.net;
+    return 301 https://$server_name$request_uri;
+}

nginx-proxy/conf.d/salt.nase.dev.conf

@@ -0,0 +1,28 @@
+server {
+    listen 80;
+    server_name salt.nase.dev;
+
+    # Let's Encrypt challenge path
+    location /.well-known/acme-challenge/ {
+        alias /var/www/html/.well-known/acme-challenge/;
+        try_files $uri =404;
+    }
+
+    # Redirect all other traffic to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name salt.nase.dev;
+
+    ssl_certificate /etc/letsencrypt/live/salt.nase.dev/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/salt.nase.dev/privkey.pem;
+
+    location / {
+        proxy_pass http://192.168.1.6:3005;
+        proxy_set_header Host $host;
+    }
+}

nginx-proxy/conf.d/survey.atomic6.net.conf

@@ -0,0 +1,59 @@
+server {
+    listen 80;
+    server_name survey.atomic6.net;
+
+    # Let's Encrypt challenge path
+    location /.well-known/acme-challenge/ {
+        alias /var/www/html/.well-known/acme-challenge/;
+        try_files $uri =404;
+    }
+
+    # Redirect all other traffic to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    http2 on;
+    server_name survey.atomic6.net;
+    add_header X-Debug-Server "survey-config";
+
+    ssl_certificate /etc/letsencrypt/live/survey.atomic6.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/survey.atomic6.net/privkey.pem;
+
+    # LimeSurvey proxy
+    location / {
+        proxy_pass http://192.168.1.208:8080;
+
+        # CRITICAL HEADERS for LimeSurvey
+        proxy_set_header Host $host;
+        proxy_set_header Accept-Encoding "";
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port 443;
+
+        # LimeSurvey specific headers
+        proxy_set_header X-Url-Scheme $scheme;
+        proxy_set_header X-Forwarded-Ssl on;
+
+        # Timeouts
+        proxy_connect_timeout 300s;
+        proxy_send_timeout 300s;
+        proxy_read_timeout 300s;
+    }
+
+    # Cache static files
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+        proxy_pass http://192.168.1.208:8080;
+        proxy_set_header Host $host;
+        proxy_set_header Accept-Encoding "";
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+}

nginx-proxy/docker-compose.yml

@@ -0,0 +1,21 @@
+services:
+  nginx-proxy:
+    image: nginx:alpine
+    container_name: nginx-proxy
+    labels:
+      - "beszel.monitor=true"
+      - "beszel.service=nginx"
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /var/www/html/.well-known/acme-challenge:/var/www/html/.well-known/acme-challenge:ro
+      - /home/nase/nginx-proxy/conf.d:/etc/nginx/conf.d:ro
+      - /etc/letsencrypt:/etc/letsencrypt:ro  # Mount Let's Encrypt certificates
+    networks:
+      - proxy-network
+
+networks:
+  proxy-network:
+    driver: bridge

zwavejs/docker-compose.yml

@@ -0,0 +1,24 @@
+services:
+  zwave-js-ui:
+    container_name: zwave-js-ui
+    image: zwavejs/zwave-js-ui:latest
+    restart: unless-stopped
+    tty: true
+    stop_signal: SIGINT
+    environment:
+      - SESSION_SECRET=pacifier-cash-achiness5-reprise
+      - TZ=America/Chicago
+#    devices:
+      # 🔧 CRITICAL: Replace with your Z-Wave stick's path
+#      - '/dev/serial/by-id/usb-<YOUR_SPECIFIC_STICK_REFERENCE>:/dev/zwave'
+    volumes:
+      # 💾 Persists Z-Wave network data and configuration
+      - ./zwavejs-store:/usr/src/app/store
+    ports:
+      - "8091:8091"  # Web interface
+      - "3000:3000"  # Z-Wave JS WebSocket server (for HA)
+    networks:
+      - homeautomation_net
+networks:
+  homeautomation_net:
+    external: true