mirror of https://github.com/funkypenguin/geek-cookbook/ synced 2025-12-13 01:36:23 +00:00

Update Traefik Forward Auth for v2 (#169)

This commit is contained in:
David Young
2021-01-29 23:09:22 +13:00
committed by GitHub
parent c72d3ae098
commit 892adb4704
75 changed files with 864 additions and 1198 deletions

_snippets/common-links.md Normal file
View File

@@ -0,0 +1,26 @@
[patreon]: https://www.patreon.com/bePatron?u=6982506
[github_sponsor]: https://github.com/sponsors/funkypenguin
[tfa]: /ha-docker-swarm/traefik-forward-auth/
[autopirate]: /recipes/autopirate/
[sabnzbd]: /recipes/autopirate/sabnzbd/
[nzbget]: /recipes/autopirate/nzbget/
[mylar]: /recipes/autopirate/mylar/
[sonarr]: /recipes/autopirate/sonarr/
[radarr]: /recipes/autopirate/radarr/
[lidarr]: /recipes/autopirate/lidarr/
[bazarr]: /recipes/autopirate/bazarr/
[ombi]: /recipes/autopirate/ombi/
[oscarr]: /recipes/autopirate/oscarr/
[rtorrent]: /recipes/autopirate/rtorrent/
[headphones]: /recipes/autopirate/headphones/
[nzbhydra]: /recipes/autopirate/nzbhydra/
[lazylibrarian]: /recipes/autopirate/lazylibrarian/
[jackett]: /recipes/autopirate/jackett/
[funkwhale]: /recipes/autopirate/funkwhale/
[keycloak]: /recipes/keycloak/
[openldap]: /recipes/openldap/
[autopirate]: /recipes/autopirate/
[tfa-google]: /ha-docker-swarm/traefik-forward-auth/google/
[tfa-dex-static]: /ha-docker-swarm/traefik-forward-auth/dex-static/
[tfa-keycloak]: /ha-docker-swarm/traefik-forward-auth/keycloak/
[tfa]: /ha-docker-swarm/traefik-forward-auth/
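Review bot: `[autopirate]` and `[tfa]` are each defined twice in this snippet (`[autopirate]: /recipes/autopirate/` at the top and again near the bottom, likewise `[tfa]`); reference definitions should be unique, so drop the second copies. More importantly, two references used elsewhere in this patch have no definition here: the index page links `[dex][tfa-dex]` (only `[tfa-dex-static]` is defined) and the Google page links `[Dex][dex]`, so both will render as literal bracketed text rather than links. Add `[tfa-dex]` and `[dex]` definitions, or change the call sites to `[tfa-dex-static]`.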

View File

@@ -0,0 +1,20 @@
## Assemble more tools..
Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section:
* [Headphones](/recipes/autopirate/headphones/)
* [Heimdall](/recipes/autopirate/heimdall/)
* [Jackett](/recipes/autopirate/jackett/)
* [Lazy Librarian](/recipes/autopirate/lazylibrarian/)
* [Lidarr](/recipes/autopirate/lidarr/)
* [Mylar](/recipes/autopirate/mylar/)
* [NZBGet](/recipes/autopirate/nzbget.md)
* [NZBHydra](/recipes/autopirate/nzbhydra/)
* [Ombi](/recipes/autopirate/ombi/)
* [Radarr](/recipes/autopirate/radarr/)
* [RTorrent](/recipes/autopirate/rtorrent/)
* [SABnzbd](/recipes/autopirate/sabnzbd.md)
* [Sonarr](/recipes/autopirate/sonarr/)
* [End](/recipes/autopirate/end/) (launch the stack)
[^1]: In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition.
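Review bot: the NZBGet and SABnzbd entries link to `/recipes/autopirate/nzbget.md` and `/recipes/autopirate/sabnzbd.md` while every other entry uses the `/recipes/autopirate/<tool>/` directory form; mkdocs will not rewrite a `.md` path in a site-absolute link, so use the same `/` form for all of them. Minor: "whichever tools your want" should be "you want", and the `[^1]` footnote is defined but nothing in the list references it, so it either dangles or is silently dropped depending on the footnote extension. Attach `[^1]` to the intro sentence, or move the note into body text.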

View File

@@ -27,7 +27,4 @@ Want to know now when this recipe gets updated, or when future recipes are added
})(); })();
</script> </script>
--8<-- "common-links.md"
[patreon]: https://www.patreon.com/bePatron?u=6982506
[github_sponsor]: https://github.com/sponsors/funkypenguin

View File

@@ -0,0 +1,11 @@
## Ingredients
!!! summary "Ingredients"
Already deployed:
* [X] [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md)
* [X] [Traefik](/ha-docker-swarm/traefik) configured per design
New:
* [ ] DNS entry for your auth host (*"auth.yourdomain.com" is a good choice*), pointed to your [keepalived](/ha-docker-swarm/keepalived/) IP
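Review bot: this shared ingredients snippet drops a prerequisite that the per-recipe lists it replaces carried. The old index listed "Client ID and secret from an OpenID-Connect provider", and the KeyCloak page listed a deployed KeyCloak with a local user and an OIDC client; neither survives here, so a reader of the Google or KeyCloak recipe is no longer told up front that they need provider credentials before the auth host is useful. Consider a second `New:` checkbox such as "OIDC client ID and secret from your chosen provider", or keep a one-line per-recipe addition after the include. Also the link styles are mixed: `shared-storage-ceph.md` ends in `.md` while `/ha-docker-swarm/traefik` has neither `.md` nor a trailing slash.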

View File

@@ -19,6 +19,8 @@ Recipe | Description
Recipe | Description | Date Recipe | Description | Date
---------------------------------------------------------------|---------------------------------------|-------------- ---------------------------------------------------------------|---------------------------------------|--------------
[Traefik Forward Auth][tfa] | Major update for Traefik v2, included instructions for Dex, Google, KeyCloak | _29 Jan 2021_
[Autopirate][autopirate] | Updated all components for Traefik v2 labels | _29 Jan 2021_
[Portainer](/recipes/portainer/) | Bump to version 2, bringing "expert simplicity" to your Docker stack management | _25 Jan 2021_ [Portainer](/recipes/portainer/) | Bump to version 2, bringing "expert simplicity" to your Docker stack management | _25 Jan 2021_
[Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/) | Now uses for latest @thomseddon image | _11 Jun 2020_ [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/) | Now uses for latest @thomseddon image | _11 Jun 2020_
@@ -32,3 +34,5 @@ Also available via:
* Mastodon: https://mastodon.social/@geekcookbook_changes * Mastodon: https://mastodon.social/@geekcookbook_changes
* RSS: https://mastodon.social/@geekcookbook_changes.rss * RSS: https://mastodon.social/@geekcookbook_changes.rss
* The #changelog channel in our [Discord server](http://chat.funkypenguin.co.nz) * The #changelog channel in our [Discord server](http://chat.funkypenguin.co.nz)
--8<-- "common-links.md"

View File

@@ -4,107 +4,50 @@ Now that we have Traefik deployed, automatically exposing SSL access to our Dock
..Wait, why not? Well, Traefik doesn't provide any form of authentication, it simply secures the **transmission** of the service between Docker Swarm and the end user. If you were to deploy a service with no native security (*[Radarr](/recipes/autopirate/radarr/) or [Sonarr](/recipes/autopirate/sonarr/) come to mind*), then anybody would be able to use it! Even services which _may_ have a layer of authentication **might** not be safe to expose publically - often open source projects may be maintained by enthusiasts who happily add extra features, but just pay lip service to security, on the basis that "*it's the user's problem to secure it in their own network*". ..Wait, why not? Well, Traefik doesn't provide any form of authentication, it simply secures the **transmission** of the service between Docker Swarm and the end user. If you were to deploy a service with no native security (*[Radarr](/recipes/autopirate/radarr/) or [Sonarr](/recipes/autopirate/sonarr/) come to mind*), then anybody would be able to use it! Even services which _may_ have a layer of authentication **might** not be safe to expose publically - often open source projects may be maintained by enthusiasts who happily add extra features, but just pay lip service to security, on the basis that "*it's the user's problem to secure it in their own network*".
To give us confidence that **we** can access our services, but BadGuys(tm) cannot, we'll deploy a layer of authentication **in front** of Traefik, using [Forward Authentication](https://docs.traefik.io/configuration/entrypoints/#forward-authentication). You can use your own [KeyCloak](/recipes/keycloak/) instance for authentication, but to lower the barrier to entry, this recipe will assume you're authenticating against your own Google account. Some of the platforms we use on our swarm may have strong, proven security to prevent abuse. Techniques such as rate-limiting (*to defeat brute force attacks*) or even support 2-factor authentication (*tiny-tiny-rss or Wallabag support this)*.
## Ingredients Other platforms may provide **no authentication** (Traefik's web UI for example), or minimal, un-proven UI authentication which may have been added as an afterthought.
!!! summary "Ingredients" Still other platforms may hold such sensitive data (*i.e., NextCloud*), that we'll feel more secure by putting an additional authentication layer in front of them.
Existing:
* [X] [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph) This is the role of Traefik Forward Auth.
* [X] [Traefik](/ha-docker-swarm/traefik/) configured per design
New: ## How does it work?
* [ ] Client ID and secret from an OpenID-Connect provider (Google, [KeyCloak](/recipes/keycloak/), Microsoft, etc..) **Normally**, Traefik proxies web requests directly to individual web apps running in containers. The user talks directly to the webapp, and the webapp is responsible for ensuring appropriate authentication.
## Preparation When employing Traefik Forward Auth as "[middleware](https://doc.traefik.io/traefik/middlewares/forwardauth/)", the forward-auth process sits in the middle of this transaction - traefik receives the incoming request, "checks in" with the auth server to determine whether or not further authentication is required. If the user is authenticated, the auth server returns a 200 response code, and Traefik is authorized to forward the request to the backend. If not, traefik passes the auth server response back to the user - this process will usually direct the user to an authentication provider (_GitHub, Google, etc_), so that they can perform a login.
### Obtain OAuth credentials Illustrated below:
![Traefik Forward Auth](../images/traefik-forward-auth.png)
!!! note The advantage under this design is additional security. If I'm deploying a web app which I expect only an authenticated user to require access to (*unlike something intended to be accessed publically, like [Linx](/recipes/linx/)*), I'll pass the request through Traefik Forward Auth. The overhead is negligible, and the additional layer of security is well-worth it.
This recipe will demonstrate using Google OAuth for traefik forward authentication, but it's also possible to use a self-hosted KeyCloak instance - see the [KeyCloak OIDC Provider](/recipes/keycloak/setup-oidc-provider/) recipe for more details!
Log into https://console.developers.google.com/, create a new project then search for and select "Credentials" in the search bar. ## What is AuthHost mode
Fill out the "OAuth Consent Screen" tab, and then click, "**Create Credentials**" > "**OAuth client ID**". Select "**Web Application**", fill in the name of your app, skip "**Authorized JavaScript origins**" and fill "**Authorized redirect URIs**" with either all the domains you will allow authentication from, appended with the url-path (*e.g. https://radarr.example.com/_oauth, https://radarr.example.com/_oauth, etc*), or if you don't like frustration, use a "auth host" URL instead, like "*https://auth.example.com/_oauth*" (*see below for details*) Under normal OIDC auth, you have to tell your auth provider which URLs it may redirect an authenticated user back to, post-authentication. This is a security feture of the OIDC spec, preventing a malicious landing page from capturing your session and using it to impersonate you. When you're securing many URLs though, explicitly listing them can be a PITA.
!!! tip [@thomaseddon's traefik-forward-auth](https://github.com/thomseddon/traefik-forward-auth) includes an ingenious mechanism to simulate an "_auth host_" in your OIDC authentication, so that you can protect an unlimited amount of DNS names (_with a common domain suffix_), without having to manually maintain a list.
Store your client ID and secret safely - you'll need them for the next step.
#### How does it work?
### Prepare environment Say you're protecting **radarr.example.com**. When you first browse to **https://radarr.example.com**, Traefik forwards your session to traefik-forward-auth, to be authenticated. Traefik-forward-auth redirects you to your OIDC provider's login (_KeyCloak, in this case_), but instructs the OIDC provider to redirect a successfully authenticated session **back** to **https://auth.example.com/_oauth**, rather than to **https://radarr.example.com/_oauth**.
Create `/var/data/config/traefik-forward-auth/traefik-forward-auth.env` as follows: When you successfully authenticate against the OIDC provider, you are redirected to the "_redirect_uri_" of https://auth.example.com. Again, your request hits Traefik, which forwards the session to traefik-forward-auth, which **knows** that you've just been authenticated (_cookies have a role to play here_). Traefik-forward-auth also knows the URL of your **original** request (_thanks to the X-Forwarded-Whatever header_). Traefik-forward-auth redirects you to your original destination, and everybody is happy.
``` This clever workaround only works under 2 conditions:
GOOGLE_CLIENT_ID=<your client id>
GOOGLE_CLIENT_SECRET=<your client secret>
OIDC_ISSUER=https://accounts.google.com
SECRET=<a random string, make it up>
# uncomment this to use a single auth host instead of individual redirect_uris (recommended but advanced)
#AUTH_HOST=auth.example.com
COOKIE_DOMAINS=example.com
```
### Prepare the docker service config 1. Your "auth host" has the same domain name as the hosts you're protecting (_i.e., auth.example.com protecting radarr.example.com_)
2. You explictly tell traefik-forward-auth to use a cookie authenticating your **whole** domain (_i.e. example.com_)
Create `/var/data/config/traefik-forward-auth/traefik-forward-auth.yml` as follows: ## Authentication Providers
``` Traefik Forward Auth needs to authenticate an incoming user against a provider. A provider can be something as simple as a self-hosted [dex][tfa-dex] instance with a single static username/password, or as complex as a [KeyCloak][keycloak] instance backed by [OpenLDAP][openldap]. Here are some options, in increasing order of complexity...
traefik-forward-auth:
image: thomseddon/traefik-forward-auth:2.1.0
env_file: /var/data/config/traefik-forward-auth/traefik-forward-auth.env
networks:
- traefik_public
# Uncomment these lines if you're using auth host mode
#deploy:
# labels:
# - traefik.port=4181
# - traefik.frontend.rule=Host:auth.example.com
# - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
# - traefik.frontend.auth.forward.trustForwardHeader=true
```
If you're not confident that forward authentication is working, add a simple "whoami" test container to the above .yml, to help debug traefik forward auth, before attempting to add it to a more complex container. * [Authenticate against a self-hosted Dex instance with static usernames and passwords][tfa-dex-static]
* [Authenticate against a whitelist of Google accounts][tfa-google]
* [Authenticate against a self-hosted KeyCloak instance][tfa-keycloak]
``` --8<-- "recipe-footer.md"
# This simply validates that traefik forward authentication is working
whoami:
image: containous/whoami
networks:
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:whoami.example.com
- traefik.port=80
- traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
- traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
- traefik.frontend.auth.forward.trustForwardHeader=true
```
--8<-- "premix-cta.md" [^1]: Authhost mode is specifically handy for Google authentication, since Google doesn't permit wildcard redirect_uris, like [KeyCloak][keycloak] does.
## Serving
### Launch
Redeploy traefik with ```docker stack deploy traefik-forward-auth -c /var/data/traefik-forward-auth/traefik-forward-auth.yml```, to launch the traefik-forward-auth stack.
### Test
Browse to https://whoami.example.com (*obviously, customized for your domain and having created a DNS record*), and all going according to plan, you should be redirected to a Google login. Once successfully logged in, you'll be directed to the basic whoami page.
## Summary
What have we achieved? By adding an additional three simple labels to any service, we can secure any service behind our choice of OAuth provider, with minimal processing / handling overhead.
!!! summary "Summary"
Created:
* [X] Traefik-forward-auth configured to authenticate against an OIDC provider
[^1]: Traefik forward auth replaces the use of [oauth_proxy containers](/reference/oauth_proxy/) found in some of the existing recipes
[^2]: I reviewed several implementations of forward authenticators for Traefik, but found most to be rather heavy-handed, or specific to a single auth provider. @thomaseddon's go-based docker image is 7MB in size, and can be extended to work with any OIDC provider.
--8<-- "recipe-footer.md"
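Review bot: the auth-host walkthrough moved here from the KeyCloak page still says "your OIDC provider's login (_KeyCloak, in this case_)", but on this provider-neutral index there is no "this case"; say "Dex, Google or KeyCloak" or drop the parenthetical. The same paragraph explains that traefik-forward-auth learns the original URL "thanks to the X-Forwarded-Whatever header"; it is worth naming them (X-Forwarded-Host, X-Forwarded-Proto, X-Forwarded-Uri) because that is exactly why every recipe in this patch sets `forwardauth.trustForwardHeader=true`, and trusting those headers is only safe while the container is reachable solely from Traefik on `traefik_public` and never published directly. Smaller points: `[tfa-dex]` has no definition in common-links.md (only `[tfa-dex-static]`), the `[^1]` footnote about Google and wildcard redirect_uris is defined but never referenced in the body, and "feture", "explictly" and "publically" are misspelt.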

View File

@@ -0,0 +1,200 @@
# Using Traefik Forward Auth with Dex (Static)
[Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/) is incredibly useful to secure services with an additional layer of authentication, provided by an OIDC-compatible provider. The simplest possible provider is a self-hosted instance of [CoreOS's Dex](https://github.com/dexidp/dex), configured with a static username and password. This recipe will "get you started" with Traefik Forward Auth, providing a basic authentication layer. In time, you might want to migrate to a "public" provider, like [Google][tfa-google], or GitHub, or to a [KeyCloak][keycloak] installation.
--8<-- "recipe-tfa-ingredients.md"
## Preparation
### Setup dex config
Create `/var/data/config/dex/config.yml` something like the following (*this is a bare-bones, [minimal example](https://github.com/dexidp/dex/blob/master/config.dev.yaml)*). At the very least, you want to replace all occurances of `example.com` with your own domain name. (*If you change nothing else, your ID is `foo`, your secret is `bar`, your username is `admin@yourdomain`, and your password is `password`*):
```yaml
# The base path of dex and the external name of the OpenID Connect service.
#
# This is the canonical URL that all clients MUST use to refer to dex. If a
# path is provided, dex's HTTP service will listen at a non-root URL.
issuer: https://dex.example.com
storage:
type: sqlite3
config:
file: var/sqlite/dex.db
web:
http: 0.0.0.0:5556
oauth2:
skipApprovalScreen: true
staticClients:
- id: foo
redirectURIs:
- 'https://auth.example.com/_oauth'
name: 'example.com'
secret: bar
staticPasswords:
- email: "admin@example.com"
# bcrypt hash of the string "password"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
username: "admin"
userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
```
### Prepare Traefik Forward Auth environment
Create `/var/data/config/traefik-forward-auth/traefik-forward-auth.env` as follows:
```
DEFAULT_PROVIDER: oidc
PROVIDERS_OIDC_CLIENT_ID: foo # This is the staticClients.id value in config.yml above
PROVIDERS_OIDC_CLIENT_SECRET: bar # This is the staticClients.secret value in config.yml above
PROVIDERS_OIDC_ISSUER_URL: https://dex.example.com # This is the issuer value in config.yml above, and it has to be reachable via a browser
SECRET: imtoosexyformyshorts # Make this up. It's not configured anywhere else
AUTH_HOST: auth.example.com # This should match the value of the traefik hosts labels in Traefik Forward Auth
COOKIE_DOMAIN: example.com # This should match your base domain
```
### Setup Docker Stack for Dex
Create a docker swarm config file in docker-compose syntax (v3), something like this:
--8<-- "premix-cta.md"
```yaml
version: '3'
services:
dex:
image: dexidp/dex
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/data/config/dex/config.yml:/config.yml:ro
networks:
- traefik_public
command: ['serve','/config.yml']
deploy:
labels:
# traefik
- traefik.enable=true
- traefik.docker.network=traefik_public
# traefikv1
- traefik.frontend.rule=Host:dex.example.com
- traefik.port=5556
- traefik.docker.network=traefik_public
# and for traefikv2:
- "traefik.http.routers.dex.rule=Host(`dex.example.com`)"
- "traefik.http.routers.dex.entrypoints=https"
- "traefik.http.services.dex.loadbalancer.server.port=5556"
networks:
traefik_public:
external: true
```
### Setup Docker Stack for Traefik Forward Auth
Now create a docker swarm config file in docker-compose syntax (v3), something like this:
```yaml
version: "3.2"
services:
traefik-forward-auth:
image: thomseddon/traefik-forward-auth:2.1.0
env_file: /var/data/config/traefik-forward-auth/traefik-forward-auth.env
volumes:
- /var/data/config/traefik-forward-auth/config.ini:/config.ini:ro
networks:
- traefik_public
deploy:
labels:
# traefikv1
- "traefik.port=4181"
- "traefik.frontend.rule=Host:auth.example.com"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# traefikv2
- "traefik.docker.network=traefik_public"
- "traefik.http.routers.auth.rule=Host(`auth.example.com`)"
- "traefik.http.routers.auth.entrypoints=https"
- "traefik.http.routers.auth.tls=true"
- "traefik.http.routers.auth.tls.domains[0].main=example.com"
- "traefik.http.routers.auth.tls.domains[0].sans=*.example.com"
- "traefik.http.routers.auth.tls.certresolver=main"
- "traefik.http.routers.auth.service=auth@docker"
- "traefik.http.services.auth.loadbalancer.server.port=4181"
- "traefik.http.middlewares.forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
- "traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
- "traefik.http.routers.auth.middlewares=forward-auth"
# This simply validates that traefik forward authentication is working
whoami:
image: containous/whoami
networks:
- traefik_public
deploy:
labels:
# traefik
- "traefik.enable=true"
- "traefik.docker.network=traefik_public"
# traefikv1
- "traefik.frontend.rule=Host:whoami.example.com"
- "traefik.http.services.whoami.loadbalancer.server.port=80"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# traefikv2
- "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
- "traefik.http.routers.whoami.entrypoints=https"
- "traefik.http.services.whoami.loadbalancer.server.port=80"
- "traefik.http.routers.whoami.middlewares=forward-auth"
networks:
traefik_public:
external: true
```
## Serving
### Launch
Deploy dex with `docker stack deploy dex -c /var/data/dex/dex.yml`, to launch dex, and then deploy Traefik Forward Auth with `docker stack deploy traefik-forward-auth -c /var/data/traefik-forward-auth/traefik-forward-auth.yml`
Once you redeploy traefik-forward-auth with the above, it **should** use dex as an OIDC provider, authenticating you against the `staticPasswords` username and hashed password described in `config.yml` above.
### Test
Browse to https://whoami.example.com (_obviously, customized for your domain and having created a DNS record_), and all going according to plan, you'll be redirected to a CoreOS Dex login. Once successfully logged in, you'll be directed to the basic whoami page :thumbsup:
### Protect services
To protect any other service, ensure the service itself is exposed by Traefik (_if you were previously using an oauth_proxy for this, you may have to migrate some labels from the oauth_proxy serivce to the service itself_). Add the following label:
```yaml
- "traefik.http.routers.radarr.middlewares=forward-auth"
```
And re-deploy your services :)
## Summary
What have we achieved? By adding an additional label to any service, we can secure any service behind our (static) OIDC provider, with minimal processing / handling overhead.
!!! summary "Summary"
Created:
* [X] Traefik-forward-auth configured to authenticate against Dex (static)
[^1]: You can remove the `whoami` container once you know Traefik Forward Auth is working properly
--8<-- "recipe-footer.md"
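Review bot: the `traefik-forward-auth.env` block is not valid `env_file` content. It uses YAML map syntax (`DEFAULT_PROVIDER: oidc`, `PROVIDERS_OIDC_CLIENT_ID: foo # This is ...`) where `env_file` expects `KEY=value`, and Compose does not strip trailing `# comments` from a value line, so even after changing `:` to `=` the comment text would become part of the value; move the comments to their own lines. The same block sets `COOKIE_DOMAIN` while the Google recipe in this patch sets `COOKIE_DOMAINS`; only one spelling can be the v2 image's variable, the other will be ignored, and with the cookie not scoped to `example.com` auth-host mode will loop back to login. Check the v2 README and use one name in both recipes. Further: the stack mounts `/var/data/config/traefik-forward-auth/config.ini`, which nothing in the recipe creates; the whoami service's `# traefikv1` block carries the v2 label `traefik.http.services.whoami.loadbalancer.server.port=80` (duplicated under `# traefikv2`) instead of `traefik.port=80`; the env file is created under `/var/data/config/...` but the stacks are deployed from `/var/data/dex/dex.yml` and `/var/data/traefik-forward-auth/...`, and the text never says where to save either compose file. Finally, since `staticClients.redirectURIs` lists only `https://auth.example.com/_oauth`, note that `AUTH_HOST` is mandatory with this Dex config, and remind readers that `secret: bar` and the bcrypt hash of "password" are the upstream dev example, not something to keep.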

View File

@@ -0,0 +1,130 @@
# Traefik Forward Auth using Google
[Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/) is incredibly useful to secure services with an additional layer of authentication, provided by an OIDC-compatible provider. The simplest possible provider is a self-hosted instance of [Dex][dex], configured with a static username and password. This is not much use if you want to provide "normies" access to your services though - a better solution would be to validate their credentials against an existing trusted public source.
This recipe will illustrate how to point Traefik Forward Auth to Google, confirming that the requestor has a valid Google account (*and that said account is permitted to access your services!*)
--8<-- "recipe-tfa-ingredients.md"
## Preparation
### Obtain OAuth credentials
#### TL;DR
Log into https://console.developers.google.com/, create a new project then search for and select "**Credentials**" in the search bar.
Fill out the "OAuth Consent Screen" tab, and then click, "**Create Credentials**" > "**OAuth client ID**". Select "**Web Application**", fill in the name of your app, skip "**Authorized JavaScript origins**" and fill "**Authorized redirect URIs**" with either all the domains you will allow authentication from, appended with the url-path (*e.g. https://radarr.example.com/_oauth, https://radarr.example.com/_oauth, etc*), or if you don't like frustration, use a "auth host" URL instead, like "*https://auth.example.com/_oauth*" (*see below for details*)
#### Monkey see, monkey do 🙈
Here's a [screencast I recorded](https://static.funkypenguin.co.nz/2021/screencast_2021-01-29_22-29-33.gif) of the OIDC credentias setup in Google Developer Console
!!! tip
Store your client ID and secret safely - you'll need them for the next step.
### Prepare environment
Create `/var/data/config/traefik-forward-auth/traefik-forward-auth.env` as follows:
```
PROVIDERS_GOOGLE_CLIENT_ID=<your client id>
PROVIDERS_GOOGLE_CLIENT_SECRET=<your client secret>
SECRET=<a random string, make it up>
# comment out AUTH_HOST if you'd rather use individual redirect_uris (slightly less complicated but more work)
AUTH_HOST=auth.example.com
COOKIE_DOMAINS=example.com
WHITELIST=you@yourdomain.com, me@mydomain.com
```
### Prepare the docker service config
Create `/var/data/config/traefik-forward-auth/traefik-forward-auth.yml` as follows:
```
traefik-forward-auth:
image: thomseddon/traefik-forward-auth:2.1.0
env_file: /var/data/config/traefik-forward-auth/traefik-forward-auth.env
networks:
- traefik_public
deploy:
labels # you only need these if you're using an auth host
# traefik
- traefik.enable=true
- traefik.docker.network=traefik_public
# traefikv1
- "traefik.port=4181"
- "traefik.frontend.rule=Host:auth.example.com"
- "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
- "traefik.frontend.auth.forward.trustForwardHeader=true"
# traefikv2
- "traefik.docker.network=traefik_public"
- "traefik.http.routers.auth.rule=Host(`auth.example.com`)"
- "traefik.http.routers.auth.entrypoints=https"
- "traefik.http.routers.auth.tls=true"
- "traefik.http.routers.auth.tls.domains[0].main=example.com"
- "traefik.http.routers.auth.tls.domains[0].sans=*.example.com"
- "traefik.http.routers.auth.tls.certresolver=main"
- "traefik.http.routers.auth.service=auth@docker"
- "traefik.http.services.auth.loadbalancer.server.port=4181"
- "traefik.http.middlewares.forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
- "traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
- "traefik.http.routers.auth.middlewares=forward-auth"
```
If you're not confident that forward authentication is working, add a simple "whoami" test container to the above .yml, to help debug traefik forward auth, before attempting to add it to a more complex container.
```
# This simply validates that traefik forward authentication is working
whoami:
image: containous/whoami
networks:
- traefik_public
deploy:
labels:
# traefik
- traefik.enable=true
- traefik.docker.network=traefik_public
# traefikv1
- traefik.frontend.rule=Host:whoami.example.com
- "traefik.http.services.linx.loadbalancer.server.port=80"
- traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
- traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
- traefik.frontend.auth.forward.trustForwardHeader=true
# traefikv2
- "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
- "traefik.http.routers.whoami.entrypoints=https"
- "traefik.http.services.whoami.loadbalancer.server.port=80"
- "traefik.http.routers.whoami.middlewares=forward-auth" # this line enforces traefik-forward-auth
```
--8<-- "premix-cta.md"
## Serving
### Launch
Deploy traefik-forward-auth with ```docker stack deploy traefik-forward-auth -c /var/data/traefik-forward-auth/traefik-forward-auth.yml```
### Test
Browse to https://whoami.example.com (*obviously, customized for your domain and having created a DNS record*), and all going according to plan, you should be redirected to a Google login. Once successfully logged in, you'll be directed to the basic whoami page.
## Summary
What have we achieved? By adding an additional three simple labels to any service, we can secure any service behind our choice of OAuth provider, with minimal processing / handling overhead.
!!! summary "Summary"
Created:
* [X] Traefik-forward-auth configured to authenticate against an OIDC provider
[^1]: Be sure to populate `WHITELIST` in `traefik-forward-auth.env`, else you'll happily be granting **any** authenticated Google account access to your services!
--8<-- "recipe-footer.md"
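Review bot: the main security caveat of this recipe is buried in an unreferenced footnote. `[^1]` warns that without `WHITELIST` any authenticated Google account is granted access, but no `[^1]` marker appears in the body, so it may not render at all; state it next to the `WHITELIST=` line in the env block, or as a `!!! warning`. Two lines in the stack file will not work as written: `labels # you only need these if you're using an auth host` is missing its colon and is invalid YAML, and the whoami service's `# traefikv1` block has `traefik.http.services.linx.loadbalancer.server.port=80` (a leftover from the Linx recipe, and a v2 label) where `traefik.port=80` belongs. Smaller points: the redirect URI example repeats `https://radarr.example.com/_oauth` twice, "credentias" is misspelt, `[Dex][dex]` has no definition in common-links.md, the env file is created under `/var/data/config/traefik-forward-auth/` but deployed from `/var/data/traefik-forward-auth/`, and the summary still says "three simple labels" although with v2 the Dex page correctly says a single `middlewares=forward-auth` label is all a protected service needs.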

View File

@@ -2,36 +2,10 @@
While the [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/) recipe demonstrated a quick way to protect a set of explicitly-specified URLs using OIDC credentials from a Google account, this recipe will illustrate how to use your own KeyCloak instance to secure **any** URLs within your DNS domain. While the [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/) recipe demonstrated a quick way to protect a set of explicitly-specified URLs using OIDC credentials from a Google account, this recipe will illustrate how to use your own KeyCloak instance to secure **any** URLs within your DNS domain.
## Ingredients --8<-- "recipe-tfa-ingredients.md"
!!! Summary
Existing:
* [X] [KeyCloak](/recipes/keycloak/) recipe deployed successfully, with a [local user](/recipes/keycloak/create-user/) and an [OIDC client](/recipes/keycloak/setup-oidc-provider/)
New:
* [ ] DNS entry for your auth host (*"auth.yourdomain.com" is a good choice*), pointed to your [keepalived](/ha-docker-swarm/keepalived/) IP
## Preparation ## Preparation
### What is AuthHost mode
Under normal OIDC auth, you have to tell your auth provider which URLs it may redirect an authenticated user back to, post-authentication. This is a security feture of the OIDC spec, preventing a malicious landing page from capturing your session and using it to impersonate you. When you're securing many URLs though, explicitly listing them can be a PITA.
[@thomaseddon's traefik-forward-auth](https://github.com/thomseddon/traefik-forward-auth) includes an ingenious mechanism to simulate an "_auth host_" in your OIDC authentication, so that you can protect an unlimited amount of DNS names (_with a common domain suffix_), without having to manually maintain a list.
#### How does it work?
Say you're protecting **radarr.example.com**. When you first browse to **https://radarr.example.com**, Traefik forwards your session to traefik-forward-auth, to be authenticated. Traefik-forward-auth redirects you to your OIDC provider's login (_KeyCloak, in this case_), but instructs the OIDC provider to redirect a successfully authenticated session **back** to **https://auth.example.com/_oauth**, rather than to **https://radarr.example.com/_oauth**.
When you successfully authenticate against the OIDC provider, you are redirected to the "_redirect_uri_" of https://auth.example.com. Again, your request hits Traefik, whichforwards the session to traefik-forward-auth, which **knows** that you've just been authenticated (_cookies have a role to play here_). Traefik-forward-auth also knows the URL of your **original** request (_thanks to the X-Forwarded-Whatever header_). Traefik-forward-auth redirects you to your original destination, and everybody is happy.
This clever workaround only works under 2 conditions:
1. Your "auth host" has the same domain name as the hosts you're protecting (_i.e., auth.example.com protecting radarr.example.com_)
2. You explictly tell traefik-forward-auth to use a cookie authenticating your **whole** domain (_i.e. example.com_)
### Setup environment ### Setup environment
Create `/var/data/config/traefik/traefik-forward-auth.env` as follows (_change "master" if you created a different realm_): Create `/var/data/config/traefik/traefik-forward-auth.env` as follows (_change "master" if you created a different realm_):
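Review bot: replacing the ingredients block with `--8<-- "recipe-tfa-ingredients.md"` removes the KeyCloak-specific prerequisite (a deployed KeyCloak with a local user and an OIDC client, with links to both sub-recipes) and the shared snippet does not carry it; keep that line after the include, since a reader who skips the KeyCloak setup has nothing to point the env file's realm at. The unchanged opening sentence is also now stale: it says the Traefik Forward Auth recipe "demonstrated a quick way to protect a set of explicitly-specified URLs using OIDC credentials from a Google account", but after this patch the index page is provider-neutral and auth-host mode is explained there rather than here. Lastly the env path in this file is `/var/data/config/traefik/traefik-forward-auth.env`, whereas the Dex and Google recipes use `/var/data/config/traefik-forward-auth/traefik-forward-auth.env`.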
@@ -109,7 +83,7 @@ And re-deploy your services :)
What have we achieved? By adding an additional three simple labels to any service, we can secure any service behind our KeyCloak OIDC provider, with minimal processing / handling overhead. What have we achieved? By adding an additional three simple labels to any service, we can secure any service behind our KeyCloak OIDC provider, with minimal processing / handling overhead.
!!! summary "Summary" !!! summary "Summary"
Created: Created:
* [X] Traefik-forward-auth configured to authenticate against KeyCloak * [X] Traefik-forward-auth configured to authenticate against KeyCloak
@@ -13,15 +13,20 @@ To deal with these gaps, we need a front-end load-balancer, and in this design,
![Traefik Screenshot](../images/traefik.png) ![Traefik Screenshot](../images/traefik.png)
!!! tip
In 2021, this recipe was updated for Traefik v2. There's really no reason to be using Traefikv1 anymore ;)
## Ingredients ## Ingredients
!!! summary "You'll need" !!! summary "Ingredients"
Existing Already deployed:
* [X] [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph) * [X] [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md)
* [X] [Traefik](/ha-docker-swarm/traefik) configured per design
New * [X] DNS entry for the hostname you intend to use (*or a wildcard*), pointed to your [keepalived](/ha-docker-swarm/keepalived/) IP
New:
* [ ] Access to update your DNS records for manual/automated [LetsEncrypt](https://letsencrypt.org/docs/challenge-types/) DNS-01 validation, or ingress HTTP/HTTPS for HTTP-01 validation * [ ] Access to update your DNS records for manual/automated [LetsEncrypt](https://letsencrypt.org/docs/challenge-types/) DNS-01 validation, or ingress HTTP/HTTPS for HTTP-01 validation
## Preparation ## Preparation
@@ -30,53 +35,58 @@ To deal with these gaps, we need a front-end load-balancer, and in this design,
While it's possible to configure traefik via docker command arguments, I prefer to create a config file (`traefik.toml`). This allows me to change traefik's behaviour by simply changing the file, and keeps my docker config simple. While it's possible to configure traefik via docker command arguments, I prefer to create a config file (`traefik.toml`). This allows me to change traefik's behaviour by simply changing the file, and keeps my docker config simple.
Create `/var/data/traefikv1/traefik.toml` as follows: Create `/var/data/traefikv2/traefik.toml` as follows:
``` ```
checkNewVersion = true [global]
defaultEntryPoints = ["http", "https"] checkNewVersion = true
# This section enable LetsEncrypt automatic certificate generation / renewal # Enable the Dashboard
[acme] [api]
email = "<your LetsEncrypt email address>" dashboard = true
storage = "acme.json" # or "traefik/acme/account" if using KV store
entryPoint = "https"
acmeLogging = true
onDemand = true
OnHostRule = true
# Request wildcard certificates per https://docs.traefik.io/configuration/acme/#wildcard-domains # Write out Traefik logs
[[acme.domains]] [log]
main = "*.example.com" level = "INFO"
sans = ["example.com"] filePath = "/traefik.log"
# Redirect all HTTP to HTTPS (why wouldn't you?) [entryPoints.http]
[entryPoints]
[entryPoints.http]
address = ":80" address = ":80"
[entryPoints.http.redirect] # Redirect to HTTPS (why wouldn't you?)
entryPoint = "https" [entryPoints.http.http.redirections.entryPoint]
[entryPoints.https] to = "https"
scheme = "https"
[entryPoints.https]
address = ":443" address = ":443"
[entryPoints.https.tls] [entryPoints.https.http.tls]
certResolver = "main"
[web] # Let's Encrypt
address = ":8080" [certificatesResolvers.main.acme]
watch = true email = "batman@example.com"
storage = "acme.json"
# uncomment to use staging CA for testing
# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
[certificatesResolvers.main.acme.dnsChallenge]
provider = "route53"
# Uncomment to use HTTP validation, like a caveman!
# [certificatesResolvers.main.acme.httpChallenge]
# entryPoint = "http"
[docker] # Docker Traefik provider
endpoint = "tcp://127.0.0.1:2375" [providers.docker]
domain = "example.com" endpoint = "unix:///var/run/docker.sock"
watch = true swarmMode = true
swarmmode = true watch = true
``` ```
### Prepare the docker service config ### Prepare the docker service config
!!! tip !!! tip
"We'll want an overlay network, independent of our traefik stack, so that we can attach/detach all our other stacks (including traefik) to the overlay network. This way, we can undeploy/redepoly the traefik stack without having to bring every other stack first!" - voice of experience "We'll want an overlay network, independent of our traefik stack, so that we can attach/detach all our other stacks (including traefik) to the overlay network. This way, we can undeploy/redepoly the traefik stack without having to bring down every other stack first!" - voice of hard-won experience
Create `/var/data/config/traefik/traefik.yml` as follows: Create `/var/data/config/traefikv2/traefikv2.yml` as follows:
``` ```
version: "3.2" version: "3.2"
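Review bot: `[providers.docker]` leaves `exposedByDefault` at its Traefik v2 default of true, so every swarm service attached to traefik_public is published whether or not it carries `traefik.enable=true`; since the per-service labels elsewhere in this commit add `traefik.enable=true` explicitly, the intent reads as opt-in exposure, which needs `exposedByDefault = false` under `[providers.docker]`. Without it, a service that is meant to be internal-only but happens to join the overlay network gets a router automatically. Also worth a sentence: `[api] dashboard = true` on its own is harmless, but it is paired later with an `api@internal` router whose auth middleware is commented out, so readers should know the dashboard is reachable without authentication until that line is enabled.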
@@ -105,18 +115,18 @@ networks:
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
Create `/var/data/config/traefik/traefik-app.yml` as follows: Create `/var/data/config/traefikv2/traefikv2.yml` as follows:
``` ```
version: "3.2" version: "3.2"
services: services:
traefik: app:
image: traefik:v1.7.16 image: traefik:v2.4
command: --web --docker --docker.swarmmode --docker.watch --docker.domain=example.com --logLevel=DEBUG env_file: /var/data/config/traefikv2/traefikv2.env
# Note below that we use host mode to avoid source nat being applied to our ingress HTTP/HTTPS sessions # Note below that we use host mode to avoid source nat being applied to our ingress HTTP/HTTPS sessions
# Without host mode, all inbound sessions would have the source IP of the swarm nodes, rather than the # Without host mode, all inbound sessions would have the source IP of the swarm nodes, rather than the
# original source IP, which would impact logging. If you don't care about this, you can expose ports the # original source IP, which would impact logging. If you don't care about this, you can expose ports the
# "minimal" way instead # "minimal" way instead
ports: ports:
- target: 80 - target: 80
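Review bot: the `Create ... as follows:` line now names `/var/data/config/traefikv2/traefikv2.yml`, the same path the previous hunk uses for the overlay-network stack file, so whichever file the reader writes second overwrites the first; the app stack needs a distinct filename (for example `traefikv2-app.yml`, a placeholder suggestion) and the `docker stack deploy` command further down should reference it. The new `env_file: /var/data/config/traefikv2/traefikv2.env` is also never created anywhere in the recipe; since the TOML's `dnsChallenge` uses `route53`, this is where the DNS provider credentials would go, so a step to create it (with the same `chmod 600` treatment given to acme.json) belongs before the deploy step.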
@@ -132,21 +142,30 @@ services:
protocol: tcp protocol: tcp
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
- /var/data/traefikv1:/etc/traefik - /var/data/config/traefikv2:/etc/traefik
- /var/data/traefikv1/traefik.log:/traefik.log - /var/data/traefikv2/traefik.log:/traefik.log
- /var/data/traefikv1/acme.json:/acme.json - /var/data/traefikv2/acme.json:/acme.json
networks: networks:
- traefik_public - traefik_public
# Global mode makes an instance of traefik listen on _every_ node, so that regardless of which # Global mode makes an instance of traefik listen on _every_ node, so that regardless of which
# node the request arrives on, it'll be forwarded to the correct backend service. # node the request arrives on, it'll be forwarded to the correct backend service.
deploy: deploy:
labels:
- "traefik.enable=false"
mode: global mode: global
labels:
- "traefik.docker.network=traefik_public"
- "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
- "traefik.http.routers.api.entrypoints=https"
- "traefik.http.routers.api.tls.domains[0].main=example.com"
- "traefik.http.routers.api.tls.domains[0].sans=*.example.com"
- "traefik.http.routers.api.tls=true"
- "traefik.http.routers.api.tls.certresolver=main"
- "traefik.http.routers.api.service=api@internal"
- "traefik.http.services.dummy.loadbalancer.server.port=9999"
# uncomment this to enable forward authentication on the traefik api/dashboard
#- "traefik.http.routers.api.middlewares=forward-auth"
placement: placement:
constraints: [node.role == manager] constraints: [node.role == manager]
restart_policy:
condition: on-failure
networks: networks:
traefik_public: traefik_public:
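Review bot: the config bind-mount `- /var/data/config/traefikv2:/etc/traefik` does not match where the TOML is created earlier (`/var/data/traefikv2/traefik.toml`), so Traefik will start without its static configuration unless the two paths are aligned; the log and acme mounts use `/var/data/traefikv2/`, so pick one directory and use it consistently. Second, with `#- "traefik.http.routers.api.middlewares=forward-auth"` commented out, the `api@internal` router publishes the dashboard on traefik.example.com with no authentication; the comment should say that plainly and tell the reader to uncomment it as soon as the forward-auth recipe is deployed. A short comment on the `dummy` service label (`loadbalancer.server.port=9999`) would also help: the docker provider refuses a router whose service has no port, and this label exists only to satisfy that check, not to route traffic anywhere.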
@@ -156,10 +175,10 @@ networks:
Docker won't start a service with a bind-mount to a non-existent file, so prepare an empty acme.json and traefik.log (_with the appropriate permissions_) by running: Docker won't start a service with a bind-mount to a non-existent file, so prepare an empty acme.json and traefik.log (_with the appropriate permissions_) by running:
``` ```
touch /var/data/traefikv1/acme.json touch /var/data/traefikv2/acme.json
touch /var/data/traefikv1/traefik.log touch /var/data/traefikv2/traefik.log
chmod 600 /var/data/traefikv1/acme.json chmod 600 /var/data/traefikv2/acme.json
chmod 600 /var/data/traefikv1/traefik.log chmod 600 /var/data/traefikv2/traefik.log
``` ```
!!! warning !!! warning
@@ -182,26 +201,26 @@ Creating service traefik_scratch
[root@kvm ~]# [root@kvm ~]#
``` ```
Now deploy the traefik appliation itself (*which will attach to the overlay network*) by running `docker stack deploy traefik-app -c /var/data/config/traefik/traefik-app.yml` Now deploy the traefik application itself (*which will attach to the overlay network*) by running `docker stack deploy traefikv2 -c /var/data/config/traefikv2/traefikv2.yml`
``` ```
[root@kvm ~]# docker stack deploy traefik-app -c traefik-app.yml [root@kvm ~]# docker stack deploy traefik-app -c traefikv2.yml
Creating service traefik-app_app Creating service traefikv2_app
[root@kvm ~]# [root@kvm ~]#
``` ```
Confirm traefik is running with `docker stack ps traefik-app`: Confirm traefik is running with `docker stack ps traefikv2`:
``` ```
[root@kvm ~]# docker stack ps traefik-app root@raphael:~# docker stack ps traefikv2
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
74uipz4sgasm traefik-app_app.t4vcm8siwc9s1xj4c2o4orhtx traefik:alpine kvm.funkypenguin.co.nz Running Running 33 seconds ago *:443->443/tcp,*:80->80/tcp lmvqcfhap08o traefikv2_app.dz178s1aahv16bapzqcnzc03p traefik:v2.4 donatello Running Running 2 minutes ago *:443->443/tcp,*:80->80/tcp
[root@kvm ~]# root@raphael:~#
``` ```
### Check Traefik Dashboard ### Check Traefik Dashboard
You should now be able to access[^1] your traefik instance on http://<node IP\>:8080 - It'll look a little lonely currently (*below*), but we'll populate it as we add recipes :) You should now be able to access[^1] your traefik instance on **https://traefik.<your domain\>** (*if your LetsEncrypt certificate is working*), or **http://<node IP\>:8080** (*if it's not*)- It'll look a little lonely currently (*below*), but we'll populate it as we add recipes :grin:
![Screenshot of Traefik, post-launch](/images/traefik-post-launch.png) ![Screenshot of Traefik, post-launch](/images/traefik-post-launch.png)
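Review bot: the `http://<node IP\>:8080` fallback on the `Check Traefik Dashboard` line no longer works with the v2 configuration in this commit. The TOML defines only the `http` (:80) and `https` (:443) entrypoints, and the dashboard is served solely through the `api@internal` router on https; port 8080 would only answer if `insecure = true` were set under `[api]`, which this recipe correctly does not do, so the sentence should drop the :8080 option rather than suggest enabling the insecure API. Also, the transcript `docker stack deploy traefik-app -c traefikv2.yml` still uses the old stack name while the surrounding text and the `Creating service traefikv2_app` output use `traefikv2`.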
@@ -14,18 +14,29 @@ This recipe presents a method to combine these tools into a single swarm deploym
Tools included in the AutoPirate stack are: Tools included in the AutoPirate stack are:
* **[SABnzbd](http://sabnzbd.org)** : downloads data from usenet servers based on .nzb definitions * [SABnzbd][sabnzbd] is the workhorse. It takes `.nzb` files as input (_manually or from [Sonarr](/recipes/autopirate/sonarr/), [Radarr](/recipes/autopirate/radarr/), etc_), then connects to your chosen Usenet provider, downloads all the individual binaries referenced by the .nzb, and then tests/repairs/combines/uncompresses them all into the final result - media files, to be consumed by [Plex](/recipes/plex), [Emby](/recipes/emby/), [Komga](/recipes/komga/), [Calibre-Web](/recipes/calibre-web/), etc.
* **[NZBGet](https://nzbget.net/)** : downloads data from usenet servers based on .nzb definitions, but written in C++ and designed with performance in mind to achieve maximum download speed by using very little system resources (_this is a popular alternative to SABnzbd_)
* **[RTorrent](https://github.com/rakshasa/rtorrent/wiki)** is a CLI-based torrent client, which when combined with **[ruTorrent](https://github.com/Novik/ruTorrent)** becomes a powerful and fully browser-managed torrent client. (_Yes, it's not Usenet, but Sonarr/Radarr will let fulfill your watchlist using either Usenet **or** torrents, so it's worth including_) * [NZBGet][nzbget] downloads data from usenet servers based on .nzb definitions. Like [SABnzbd][sabnzbd], but written in C++ and designed with performance in mind to achieve maximum download speed by using very little system resources (_this is a popular alternative to SABnzbd_)
* **[NZBHydra](https://github.com/theotherp/nzbhydra)** : acts as a "meta-indexer", so that your downloading tools (_radarr, sonarr, etc_) only need to be setup for a single indexes. Also produces interesting stats on indexers, which helps when evaluating which indexers are performing well.
* **[NZBHydra2](https://github.com/theotherp/nzbhydra2)** : is a high-performance rewrite of the original NZBHydra, with extra features. While still in beta, this NZBHydra2 will eventually supercede NZBHydra * [RTorrent][rtorrent] is a popular CLI-based bittorrent client, and [ruTorrent](https://github.com/Novik/ruTorrent) is a powerful web interface for rtorrent. (_Yes, it's not Usenet, but Sonarr/Radarr will let fulfill your watchlist using either Usenet **or** torrents, so it's worth including_)
* **[Sonarr](https://sonarr.tv)** : finds, downloads and manages TV shows
* **[Radarr](https://radarr.video)** : finds, downloads and manages movies * [NZBHydra][nzbhydra] is a meta search for NZB indexers. It provides easy access to a number of raw and newznab based indexers. You can search all your indexers from one place and use it as indexer source for tools like [Sonarr][sonarr] or [Radarr][radarr].
* **[Mylar](https://github.com/evilhero/mylar)** : finds, downloads and manages comic books
* **[Headphones](https://github.com/rembo10/headphones)** : finds, downloads and manages music * [Sonarr][sonarr] finds, downloads and manages TV shows
* **[Lazy Librarian](https://github.com/itsmegb/LazyLibrarian)** : finds, downloads and manages ebooks
* **[Ombi](https://github.com/tidusjar/Ombi)** : provides an interface to request additions to a [Plex](/recipes/plex/)/[Emby](/recipes/emby/)/[Jellyfin](/recipes/jellyfin/) library using the above tools * [Radarr][radarr] finds, downloads and manages movies
* **[Jackett](https://github.com/Jackett/Jackett)** : Provides an local, caching, API-based interface to torrent trackers, simplifying the way your tools search for torrents.
* [Lidarr][lidarr] is an automated music downloader for NZB and Torrent. It performs the same function as [Headphones][headphones], but is written using the same(ish) codebase as [Radarr][radarr] and [Sonarr](/recipes/autopirate/sonarr). It's blazingly fast, and includes beautiful album/artist art. Lidarr supports [SABnzbd](/recipes/autopirate/sabnzbd/), [NZBGet](/recipes/autopirate/nzbget/), Transmission, µTorrent, Deluge and Blackhole (_just like Sonarr / Radarr_)
* [Mylar][mylar] is a tool for downloading and managing digital comic books / "graphic novels"
* [Headphones][headphones] is an automated music downloader for NZB and Torrent, written in Python. It supports SABnzbd, NZBget, Transmission, µTorrent, Deluge and Blackhole.
* [Lazy Librarian][lazylibrarian] is a tool to follow authors and grab metadata for all your digital reading needs. It uses a combination of Goodreads Librarything and optionally GoogleBooks as sources for author info and book info.
* [Ombi][ombi] provides an interface to request additions to a [Plex][plex]/[Emby][emby]/[Jellyfin][jellyfin] library using the above tools
* [Jackett][jackett] works as a proxy server: it translates queries from apps (*[Sonarr][sonarr], [Radarr][radarr], [Mylar][mylar], etc*) into tracker-site-specific http queries, parses the html response, then sends results back to the requesting software.
Since this recipe is so long, and so many of the tools are optional to the final result (_i.e., if you're not interested in comics, you won't want Mylar_), I've described each individual tool on its own sub-recipe page (_below_), even though most of them are deployed very similarly. Since this recipe is so long, and so many of the tools are optional to the final result (_i.e., if you're not interested in comics, you won't want Mylar_), I've described each individual tool on its own sub-recipe page (_below_), even though most of them are deployed very similarly.
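Review bot: a couple of wording slips in the rewritten tool list: "Sonarr/Radarr will let fulfill your watchlist" is missing "you", and "Goodreads Librarything and optionally GoogleBooks" needs a comma after "Goodreads". The reference-style links (`[sonarr]`, `[radarr]`, `[plex]`, `[emby]`, `[jellyfin]`) only render if every label is defined in the shared links snippet, so please confirm `[plex]`, `[emby]` and `[jellyfin]` are defined there, since this hunk introduces them.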
@@ -105,21 +116,5 @@ networks:
```` ````
--8<-- "reference-networks.md" --8<-- "reference-networks.md"
--8<-- "recipe-autopirate-toc.md"
#### Assemble the tools.. --8<-- "recipe-footer.md"
Now work your way through the list of tools below, adding whichever tools your want to use, and finishing with the **end** section:
* [SABnzbd](/recipes/autopirate/sabnzbd/)
* [NZBGet](/recipes/autopirate/nzbget/)
* [RTorrent](/recipes/autopirate/rtorrent/)
* [Sonarr](/recipes/autopirate/sonarr/)
* [Radarr](/recipes/autopirate/radarr/)
* [Mylar](/recipes/autopirate/mylar/)
* [Lazy Librarian](/recipes/autopirate/lazylibrarian/)
* [Headphones](/recipes/autopirate/headphones/)
* [NZBHydra](/recipes/autopirate/nzbhydra/)
* [NZBHydra2](/recipes/autopirate/nzbhydra2/)
* [Ombi](/recipes/autopirate/ombi/)
* [Jackett](/recipes/autopirate/jackett/)
* [End](/recipes/autopirate/end/) (launch the stack)
@@ -9,9 +9,9 @@
## Inclusion into AutoPirate ## Inclusion into AutoPirate
To include Headphones in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: To include Headphones in your [AutoPirate][autopirate] stack, include the following in your autopirate.yml stack definition file:
```` ```yaml
headphones: headphones:
image: linuxserver/headphones:latest image: linuxserver/headphones:latest
env_file : /var/data/config/autopirate/headphones.env env_file : /var/data/config/autopirate/headphones.env
@@ -29,43 +29,24 @@ headphones_proxy:
- traefik_public - traefik_public
deploy: deploy:
labels: labels:
- traefik.frontend.rule=Host:headphones.example.com # traefik
- traefik.enable=true
- traefik.docker.network=traefik_public - traefik.docker.network=traefik_public
- traefik.port=4180
volumes: # traefikv1
- /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt - traefik.frontend.rule=Host:headphones.example.com
command: | - traefik.port=8181
-cookie-secure=false - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
-upstream=http://headphones:8181 - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-redirect-url=https://headphones.example.com - traefik.frontend.auth.forward.trustForwardHeader=true
-http-address=http://0.0.0.0:4180
-email-domain=example.com # traefikv2
-provider=github - "traefik.http.routers.headphones.rule=Host(`headphones.example.com`)"
-authenticated-emails-file=/authenticated-emails.txt - "traefik.http.routers.headphones.entrypoints=https"
```` - "traefik.http.services.headphones.loadbalancer.server.port=8181"
- "traefik.http.routers.headphones.middlewares=forward-auth"
```
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
--8<-- "recipe-autopirate-toc.md"
## Assemble more tools..
Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section:
* [SABnzbd](/recipes/autopirate/sabnzbd.md)
* [NZBGet](/recipes/autopirate/nzbget.md)
* [RTorrent](/recipes/autopirate/rtorrent/)
* [Sonarr](/recipes/autopirate/sonarr/)
* [Radarr](/recipes/autopirate/radarr/)
* [Mylar](https://github.com/evilhero/mylar)
* [Lazy Librarian](/recipes/autopirate/lazylibrarian/)
* Headphones (this page)
* [Lidarr](/recipes/autopirate/lidarr/)
* [NZBHydra](/recipes/autopirate/nzbhydra/)
* [NZBHydra2](/recipes/autopirate/nzbhydra2/)
* [Ombi](/recipes/autopirate/ombi/)
* [Jackett](/recipes/autopirate/jackett/)
* [Heimdall](/recipes/autopirate/heimdall/)
* [End](/recipes/autopirate/end/) (launch the stack)
[^1]: In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition.
--8<-- "recipe-footer.md" --8<-- "recipe-footer.md"
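Review bot: `- "traefik.http.routers.headphones.middlewares=forward-auth"` references a middleware by name that this file never defines; it comes from the traefik-forward-auth recipe. That is the safe failure mode (Traefik v2 refuses to load a router whose middleware does not exist, so Headphones is not published unauthenticated), but the sentence introducing the snippet should name the forward-auth stack as a prerequisite so the reader understands why the router shows an error until it is deployed. The same applies to the v1 label `traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181`, which resolves only if that service is on traefik_public.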
@@ -15,7 +15,7 @@ Heimdall provides a single URL to manage access to all of your autopirate tools,
To include Heimdall in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: To include Heimdall in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file:
``` ```yaml
heimdall: heimdall:
image: linuxserver/heimdall:latest image: linuxserver/heimdall:latest
env_file: /var/data/config/autopirate/heimdall.env env_file: /var/data/config/autopirate/heimdall.env
@@ -24,58 +24,28 @@ To include Heimdall in your [AutoPirate](/recipes/autopirate/) stack, include th
- /var/data/heimdall:/config - /var/data/heimdall:/config
networks: networks:
- internal - internal
heimdall_proxy:
image: funkypenguin/oauth2_proxy:latest
env_file : /var/data/config/autopirate/heimdall.env
networks:
- internal
- traefik_public
deploy: deploy:
labels: labels:
- traefik.frontend.rule=Host:heimdall.example.com # traefik
- traefik.enable=true
- traefik.docker.network=traefik_public - traefik.docker.network=traefik_public
- traefik.port=4180
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt
command: |
-cookie-secure=false
-upstream=http://heimdall:80
-redirect-url=https://heimdall.example.com
-http-address=http://0.0.0.0:4180
-email-domain=example.com
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
# traefikv1
- traefik.frontend.rule=Host:heimdall.example.com
- traefik.port=80
- traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
- traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
- traefik.frontend.auth.forward.trustForwardHeader=true
# traefikv2
- "traefik.http.routers.heimdall.rule=Host(`heimdall.example.com`)"
- "traefik.http.routers.heimdall.entrypoints=https"
- "traefik.http.services.heimdall.loadbalancer.server.port=80"
- "traefik.http.routers.heimdall.middlewares=forward-auth"
``` ```
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
--8<-- "recipe-autopirate-toc.md"
## Assemble more tools..
Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section:
- [SABnzbd](/recipes/autopirate/sabnzbd.md)
- [NZBGet](/recipes/autopirate/nzbget.md)
- [RTorrent](/recipes/autopirate/rtorrent/)
- [Sonarr](/recipes/autopirate/sonarr/)
- [Radarr](/recipes/autopirate/radarr/)
- [Mylar](/recipes/autopirate/mylar/)
- [Lazy Librarian](/recipes/autopirate/lazylibrarian/)
- [Headphones](/recipes/autopirate/headphones)
- [Lidarr](/recipes/autopirate/lidarr/)
- [NZBHydra](/recipes/autopirate/nzbhydra/)
- [NZBHydra2](/recipes/autopirate/nzbhydra2/)
- [Ombi](/recipes/autopirate/ombi/)
- [Jackett](/recipes/autopirate/jackett/)
- Heimdall (this page)[^2]
- [End](/recipes/autopirate/end/) (launch the stack)
[^1]: In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition.
[^2:] The inclusion of Heimdall was due to the efforts of @gkoerk in our [Discord server](http://chat.funkypenguin.co.nz). Thanks gkoerk!
--8<-- "recipe-footer.md" --8<-- "recipe-footer.md"
[^2:] The inclusion of Heimdall was due to the efforts of @gkoerk in our [Discord server](http://chat.funkypenguin.co.nz). Thanks gkoerk!
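Review bot: the footnote definition `[^2:]` is malformed (the colon belongs after the closing bracket: `[^2]:`), so the Heimdall credit will not render as a footnote; it also appears twice in this hunk, once before and once after the footer include, so keep a single copy. Note too that the removed list line `Heimdall (this page)[^2]` was the only reference to `[^2]` within this hunk, so unless the page body references it elsewhere the definition is now orphaned and should either be referenced from the intro or turned into a plain sentence.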
@@ -3,7 +3,7 @@ This is not a complete recipe - it's a component of the [autopirate](/recipes/au
# Jackett # Jackett
[Jackett](https://github.com/Jackett/Jackett) works as a proxy server: it translates queries from apps (Sonarr, Radarr, Mylar, etc) into tracker-site-specific http queries, parses the html response, then sends results back to the requesting software. [Jackett](https://github.com/Jackett/Jackett) works as a proxy server: it translates queries from apps (*[Sonarr][sonarr], [Radarr][radarr], [Mylar][mylarr], etc*) into tracker-site-specific http queries, parses the html response, then sends results back to the requesting software.
This allows for getting recent uploads (like RSS) and performing searches. Jackett is a single repository of maintained indexer scraping & translation logic - removing the burden from other apps. This allows for getting recent uploads (like RSS) and performing searches. Jackett is a single repository of maintained indexer scraping & translation logic - removing the burden from other apps.
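Review bot: `[Mylar][mylarr]` uses a reference label that does not match the `[mylar]` label used elsewhere in this commit (the autopirate index line reads `[Mylar][mylar]`), so this link will render as literal bracketed text; change it to `[Mylar][mylar]`.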
@@ -13,7 +13,7 @@ This allows for getting recent uploads (like RSS) and performing searches. Jacke
To include Jackett in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: To include Jackett in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file:
``` ```yaml
jackett: jackett:
image: linuxserver/jackett:latest image: linuxserver/jackett:latest
env_file : /var/data/config/autopirate/jackett.env env_file : /var/data/config/autopirate/jackett.env
@@ -21,53 +21,27 @@ jackett:
- /var/data/autopirate/jackett:/config - /var/data/autopirate/jackett:/config
networks: networks:
- internal - internal
jackett_proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/config/autopirate/jackett.env
networks:
- internal
- traefik_public
deploy: deploy:
labels: labels:
- traefik.frontend.rule=Host:jackett.example.com # traefik
- traefik.enable=true
- traefik.docker.network=traefik_public - traefik.docker.network=traefik_public
- traefik.port=4180
volumes: # traefikv1
- /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt - traefik.frontend.rule=Host:jackett.example.com
command: | - traefik.port=9117
-cookie-secure=false - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
-upstream=http://jackett:9117 - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-redirect-url=https://jackett.example.com - traefik.frontend.auth.forward.trustForwardHeader=true
-http-address=http://0.0.0.0:4180
-email-domain=example.com # traefikv2
-provider=github - "traefik.http.routers.jackett.rule=Host(`jackett.example.com`)"
-authenticated-emails-file=/authenticated-emails.txt - "traefik.http.routers.jackett.entrypoints=https"
- "traefik.http.services.jackett.loadbalancer.server.port=9117"
- "traefik.http.routers.jackett.middlewares=forward-auth"
``` ```
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
--8<-- "recipe-autopirate-toc.md"
## Assemble more tools..
Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section:
- [SABnzbd](/recipes/autopirate/sabnzbd.md)
- [NZBGet](/recipes/autopirate/nzbget.md)
- [RTorrent](/recipes/autopirate/rtorrent/)
- [Sonarr](/recipes/autopirate/sonarr/)
- [Radarr](/recipes/autopirate/radarr/)
- [Mylar](/recipes/autopirate/mylar/)
- [Lazy Librarian](/recipes/autopirate/lazylibrarian/)
- [Headphones](/recipes/autopirate/headphones)
- [Lidarr](/recipes/autopirate/lidarr/)
- [NZBHydra](/recipes/autopirate/nzbhydra/)
- [NZBHydra2](/recipes/autopirate/nzbhydra2/)
- [Ombi](/recipes/autopirate/ombi/)
- Jackett (this page)
- [Heimdall](/recipes/autopirate/heimdall/)
- [End](/recipes/autopirate/end/) (launch the stack)
[^1]: In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition.
--8<-- "recipe-footer.md" --8<-- "recipe-footer.md"
@@ -15,9 +15,9 @@
## Inclusion into AutoPirate ## Inclusion into AutoPirate
To include LazyLibrarian in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: To include LazyLibrarian in your [AutoPirate][autopirate] stack, include the following in your autopirate.yml stack definition file:
```` ```yaml
lazylibrarian: lazylibrarian:
image: linuxserver/lazylibrarian:latest image: linuxserver/lazylibrarian:latest
env_file : /var/data/config/autopirate/lazylibrarian.env env_file : /var/data/config/autopirate/lazylibrarian.env
@@ -26,28 +26,24 @@ lazylibrarian:
- /var/data/media:/media - /var/data/media:/media
networks: networks:
- internal - internal
lazylibrarian_proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/config/autopirate/lazylibrarian.env
networks:
- internal
- traefik_public
deploy: deploy:
labels: labels:
- traefik.frontend.rule=Host:lazylibrarian.example.com # traefik
- traefik.enable=true
- traefik.docker.network=traefik_public - traefik.docker.network=traefik_public
- traefik.port=4180
volumes: # traefikv1
- /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt - traefik.frontend.rule=Host:lazylibrarian.example.com
command: | - traefik.port=5299
-cookie-secure=false - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
-upstream=http://lazylibrarian:5299 - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-redirect-url=https://lazylibrarian.example.com - traefik.frontend.auth.forward.trustForwardHeader=true
-http-address=http://0.0.0.0:4180
-email-domain=example.com # traefikv2
-provider=github - "traefik.http.routers.lazylibrarian.rule=Host(`lazylibrarian.example.com`)"
-authenticated-emails-file=/authenticated-emails.txt - "traefik.http.routers.lazylibrarian.entrypoints=https"
- "traefik.http.services.lazylibrarian.loadbalancer.server.port=5299"
- "traefik.http.routers.lazylibrarian.middlewares=forward-auth"
calibre-server: calibre-server:
image: regueiro/calibre-server image: regueiro/calibre-server
@@ -56,31 +52,10 @@ calibre-server:
networks: networks:
- internal - internal
```` ```
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
--8<-- "recipe-autopirate-toc.md"
--8<-- "recipe-footer.md"
## Assemble more tools.. [^2]: The calibre-server container co-exists within the Lazy Librarian (LL) containers so that LL can automatically add a book to Calibre using the calibre-server interface. The calibre library can then be properly viewed using the [calibre-web](/recipes/calibre-web) recipe.
Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section:
* [SABnzbd](/recipes/autopirate/sabnzbd.md)
* [NZBGet](/recipes/autopirate/nzbget.md)
* [RTorrent](/recipes/autopirate/rtorrent/)
* [Sonarr](/recipes/autopirate/sonarr/)
* [Radarr](/recipes/autopirate/radarr/)
* [Mylar](https://github.com/evilhero/mylar)
* Lazy Librarian (this page)
* [Headphones](/recipes/autopirate/headphones)
* [Lidarr](/recipes/autopirate/lidarr/)
* [NZBHydra](/recipes/autopirate/nzbhydra/)
* [NZBHydra2](/recipes/autopirate/nzbhydra2/)
* [Ombi](/recipes/autopirate/ombi/)
* [Jackett](/recipes/autopirate/jackett/)
* [Heimdall](/recipes/autopirate/heimdall/)
* [End](/recipes/autopirate/end/) (launch the stack)
[^1]: In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition.
[^2]: The calibre-server container co-exists within the Lazy Librarian (LL) containers so that LL can automatically add a book to Calibre using the calibre-server interface. The calibre library can then be properly viewed using the [calibre-web](/recipes/calibre-web) recipe.
--8<-- "recipe-footer.md"
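Review bot: the `[^1]` footnote definition (the "tools will integrate with each other" note) is deleted here while `[^2]` is kept; if the page body above this hunk still carries a `[^1]` reference, mkdocs will render a dangling marker. Either keep the definition or move it into the new `recipe-autopirate-toc.md` snippet next to the list it explains. Centralising the list in a snippet is the right fix for the old `[Mylar](https://github.com/evilhero/mylar)` entry, which linked to GitHub instead of the recipe page.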

@@ -13,63 +13,35 @@ hero: AutoPirate - A fully-featured recipe to automate finding, downloading, and
To include Lidarr in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: To include Lidarr in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file:
```` ````yaml
lidarr: lidarr:
image: linuxserver/lidarr:latest image: linuxserver/lidarr:latest
env_file : /var/data/config/autopirate/lidarr.env env_file: /var/data/config/lidarr/lidarr.env
volumes: volumes:
- /var/data/autopirate/lidarr:/config - /etc/localtime:/etc/localtime:ro
- /var/data/media:/media - /var/data/media:/media
networks: - /var/data/lidarr:/config
- internal deploy:
replicas: 1
labels:
# traefik
- traefik.enable=true
- traefik.docker.network=traefik_public
lidarr_proxy: # traefikv1
image: a5huynh/oauth2_proxy - traefik.frontend.rule=Host:lidarr.example.com
env_file : /var/data/config/autopirate/lidarr.env - traefik.port=8686
networks: - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
- internal - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
- traefik_public - traefik.frontend.auth.forward.trustForwardHeader=true
deploy:
labels: # traefikv2
- traefik.frontend.rule=Host:lidarr.example.com - "traefik.http.routers.lidarr.rule=Host(`lidarr.example.com`)"
- traefik.docker.network=traefik_public - "traefik.http.routers.lidarr.entrypoints=https"
- traefik.port=4180 - "traefik.http.services.lidarr.loadbalancer.server.port=8686"
volumes: - "traefik.http.routers.lidarr.middlewares=forward-auth"
- /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt
command: |
-cookie-secure=false
-upstream=http://lidarr:8181
-redirect-url=https://lidarr.example.com
-http-address=http://0.0.0.0:4180
-email-domain=example.com
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
```` ````
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
--8<-- "recipe-autopirate-toc.md"
## Assemble more tools.. --8<-- "recipe-footer.md"
Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section:
* [SABnzbd](/recipes/autopirate/sabnzbd.md)
* [NZBGet](/recipes/autopirate/nzbget.md)
* [RTorrent](/recipes/autopirate/rtorrent/)
* [Sonarr](/recipes/autopirate/sonarr/)
* [Radarr](/recipes/autopirate/radarr/)
* [Mylar](https://github.com/evilhero/mylar)
* [Lazy Librarian](/recipes/autopirate/lazylibrarian/)
* [Headphones](/recipes/autopirate/headphones/)
* Lidarr (this page)
* [NZBHydra](/recipes/autopirate/nzbhydra/)
* [NZBHydra](/recipes/autopirate/nzbhydra/)
* [NZBHydra2](/recipes/autopirate/nzbhydra2/)
* [Ombi](/recipes/autopirate/ombi/)
* [Jackett](/recipes/autopirate/jackett/)
* [Heimdall](/recipes/autopirate/heimdall/)
* [End](/recipes/autopirate/end/) (launch the stack)
[^1]: In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition.
[^2]: The addition of the Lidarr recipe was contributed by our very own @gpulido in Discord (http://chat.funkypenguin.co.nz) - Thanks Gabriel!
--8<-- "recipe-footer.md"
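Review bot: the new `lidarr:` service has no `networks:` block at all; the old `lidarr` sat on `internal` and the removed `lidarr_proxy` was the member of `traefik_public`. Without `networks:` listing both `internal` and `traefik_public`, Traefik cannot reach `loadbalancer.server.port=8686` despite the `traefik.docker.network=traefik_public` label, and the other stack tools cannot resolve `lidarr`. Separately, the paths diverge from every other recipe in this change: `env_file: /var/data/config/lidarr/lidarr.env` and `/var/data/lidarr:/config` replace `/var/data/config/autopirate/lidarr.env` and `/var/data/autopirate/lidarr:/config`; unless the move is intentional it should keep the autopirate layout. The port correction from `-upstream=http://lidarr:8181` to 8686 is right.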

@@ -11,7 +11,7 @@
To include Mylar in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: To include Mylar in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file:
```` ```yaml
mylar: mylar:
image: linuxserver/mylar3:latest image: linuxserver/mylar3:latest
env_file : /var/data/config/autopirate/mylar.env env_file : /var/data/config/autopirate/mylar.env
@@ -20,56 +20,28 @@ mylar:
- /var/data/media:/media - /var/data/media:/media
networks: networks:
- internal - internal
mylar_proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/config/autopirate/mylar.env
networks:
- internal
- traefik_public
deploy: deploy:
labels: labels:
- traefik.frontend.rule=Host:mylar.example.com # traefik
- traefik.enable=true
- traefik.docker.network=traefik_public - traefik.docker.network=traefik_public
- traefik.port=4180
volumes: # traefikv1
- /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt - traefik.frontend.rule=Host:mylar.example.com
command: | - traefik.port=8090
-cookie-secure=false - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
-upstream=http://mylar:8090 - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-redirect-url=https://mylar.example.com - traefik.frontend.auth.forward.trustForwardHeader=true
-http-address=http://0.0.0.0:4180
-email-domain=example.com # traefikv2
-provider=github - "traefik.http.routers.mylar.rule=Host(`mylar.example.com`)"
-authenticated-emails-file=/authenticated-emails.txt - "traefik.http.routers.mylar.entrypoints=https"
```` - "traefik.http.services.mylar.loadbalancer.server.port=8090"
- "traefik.http.routers.mylar.middlewares=forward-auth"
```
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
--8<-- "recipe-autopirate-toc.md"
--8<-- "recipe-footer.md"
## Assemble more tools.. [^2]. If you intend to configure Mylar to perform its own NZB searches and push the hits to a downloader such as SABnzbd, then in addition to configuring the connection to SAB with host, port and api key, you will need to set the parameter `host_return` parameter to the fully qualified Mylar address (e.g. `http://mylar:8090`).
Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section:
* [SABnzbd](/recipes/autopirate/sabnzbd.md)
* [NZBGet](/recipes/autopirate/nzbget.md)
* [RTorrent](/recipes/autopirate/rtorrent/)
* [Sonarr](/recipes/autopirate/sonarr/)
* [Radarr](/recipes/autopirate/radarr/)
* Mylar (this page)
* [Lazy Librarian](/recipes/autopirate/lazylibrarian/)
* [Headphones](/recipes/autopirate/headphones)
* [Lidarr](/recipes/autopirate/lidarr/)
* [NZBHydra](/recipes/autopirate/nzbhydra/)
* [NZBHydra2](/recipes/autopirate/nzbhydra2/)
* [Ombi](/recipes/autopirate/ombi/)
* [Jackett](/recipes/autopirate/jackett/)
* [Heimdall](/recipes/autopirate/heimdall/)
* [End](/recipes/autopirate/end/) (launch the stack)
[^1]: In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition.
[^2]. If you intend to configure Mylar to perform its own NZB searches and push the hits to a downloader such as SABnzbd, then in addition to configuring the connection to SAB with host, port and api key, you will need to set the parameter `host_return` parameter to the fully qualified Mylar address (e.g. `http://mylar:8090`).
This will provide the link to the downloader necessary to initiate the download. This parameter is not presented in the user interface so the config file (`$MYLAR_HOME/config.ini`) will need to be manually updated. The parameter can be found under the [Interface] section of the file. ([Details](https://github.com/evilhero/mylar/issues/2242))
--8<-- "recipe-footer.md"
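Review bot: the removed `mylar_proxy` was the only service attached to `traefik_public`, and the surviving `mylar:` keeps `networks: - internal` alone, so Traefik has no route to port 8090 even though the labels now sit on `mylar`. Add `- traefik_public` under `mylar`'s `networks:`. Also the footnote on the new side still reads `[^2]. If you intend ...`; a footnote definition needs a colon (`[^2]:`), so this note will not render as a footnote.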

@@ -5,7 +5,7 @@
## Introduction ## Introduction
NZBGet performs the same function as [SABnzbd](/recipes/autopirate/sabnzbd.md) (_downloading content from Usenet servers_), but it's lightweight and fast(er), written in C++ (_as opposed to Python_). NZBGet performs the same function as [SABnzbd][sabnzbd] (_downloading content from Usenet servers_), but it's lightweight and fast(er), written in C++ (_as opposed to Python_).
![NZBGet Screenshot](../../images/nzbget.jpg) ![NZBGet Screenshot](../../images/nzbget.jpg)
@@ -14,9 +14,7 @@ NZBGet performs the same function as [SABnzbd](/recipes/autopirate/sabnzbd.md) (
To include NZBGet in your [AutoPirate](/recipes/autopirate/) stack To include NZBGet in your [AutoPirate](/recipes/autopirate/) stack
(_The only reason you **wouldn't** use NZBGet, would be if you were using [SABnzbd](/recipes/autopirate/sabnzbd/) instead_), include the following in your autopirate.yml stack definition file: (_The only reason you **wouldn't** use NZBGet, would be if you were using [SABnzbd](/recipes/autopirate/sabnzbd/) instead_), include the following in your autopirate.yml stack definition file:
--8<-- "premix-cta.md" ```yaml
````
nzbget: nzbget:
image: linuxserver/nzbget image: linuxserver/nzbget
env_file : /var/data/config/autopirate/nzbget.env env_file : /var/data/config/autopirate/nzbget.env
@@ -25,54 +23,29 @@ nzbget:
- /var/data/media:/data - /var/data/media:/data
networks: networks:
- internal - internal
nzbget_proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/config/autopirate/nzbget.env
networks:
- internal
- traefik_public
deploy: deploy:
labels: labels:
- traefik.frontend.rule=Host:nzbget.example.com # traefik
- traefik.enable=true
- traefik.docker.network=traefik_public - traefik.docker.network=traefik_public
- traefik.port=4180
volumes:
- /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt
command: |
-cookie-secure=false
-upstream=http://nzbget:6789
-redirect-url=https://nzbget.example.com
-http-address=http://0.0.0.0:4180
-email-domain=example.com
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
````
!!! note # traefikv1
NZBGet uses a 401 header to prompt for authentication. When you use OAuth2_proxy, this seems to break. Since we trust OAuth to authenticate us, we can just disable NZGet's own authentication, by changing ControlPassword to null in nzbget.conf (i.e. ```ControlPassword=```) - traefik.frontend.rule=Host:nzbget.example.com
- traefik.port=6789
- traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
- traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
- traefik.frontend.auth.forward.trustForwardHeader=true
# traefikv2
- "traefik.http.routers.nzbget.rule=Host(`nzbget.example.com`)"
- "traefik.http.routers.nzbget.entrypoints=https"
- "traefik.http.services.nzbget.loadbalancer.server.port=6789"
- "traefik.http.routers.nzbget.middlewares=forward-auth"
```
[^tfa]: Since we're relying on [Traefik Forward Auth][tfa] to protect us, we can just disable NZGet's own authentication, by changing ControlPassword to null in nzbget.conf (i.e. ```ControlPassword=```)
## Assemble more tools.. --8<-- "premix-cta.md"
--8<-- "recipe-autopirate-toc.md"
Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section:
* [SABnzbd](/recipes/autopirate/sabnzbd.md)
* NZBGet (this page)
* [RTorrent](/recipes/autopirate/rtorrent/)
* [Sonarr](/recipes/autopirate/sonarr/)
* [Radarr](/recipes/autopirate/radarr/)
* [Mylar](/recipes/autopirate/mylar/)
* [Lazy Librarian](/recipes/autopirate/lazylibrarian/)
* [Headphones](/recipes/autopirate/headphones/)
* [Lidarr](/recipes/autopirate/lidarr/)
* [NZBHydra](/recipes/autopirate/nzbhydra/)
* [NZBHydra2](/recipes/autopirate/nzbhydra2/)
* [Ombi](/recipes/autopirate/ombi/)
* [Jackett](/recipes/autopirate/jackett/)
* [Heimdall](/recipes/autopirate/heimdall/)
* [End](/recipes/autopirate/end/) (launch the stack)
[^1]: In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition.
--8<-- "recipe-footer.md" --8<-- "recipe-footer.md"
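Review bot: `[^tfa]:` is defined on the new side but no `[^tfa]` reference appears anywhere in the hunk, so the guidance that replaced the `!!! note` admonition (disable NZBGet's own login with `ControlPassword=`) will not be rendered; reference it from the prose or keep it as an admonition. That note should also spell out the consequence: once `ControlPassword` is empty, the API on 6789 is open to anything on the `internal` network, so the service must only ever be exposed through Traefik with the `forward-auth` middleware and never published directly. And as in the other recipes here, `nzbget:` is left with `networks: - internal` only after `nzbget_proxy` (the `traefik_public` member) is removed, so Traefik cannot reach the labelled port; add `- traefik_public`.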

@@ -1,77 +1,61 @@
!!! warning !!! warning
This is not a complete recipe - it's a component of the [AutoPirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. This is not a complete recipe - it's a component of the [AutoPirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
# NZBHydra 2
# NZBHydra [NZBHydra 2](https://github.com/theotherp/nzbhydra2) is a meta search for NZB indexers. It provides easy access to a number of raw and newznab based indexers. You can search all your indexers from one place and use it as an indexer source for tools like Sonarr, Radarr or CouchPotato.
[NZBHydra](https://github.com/theotherp/nzbhydra) is a meta search for NZB indexers. It provides easy access to a number of raw and newznab based indexers. You can search all your indexers from one place and use it as indexer source for tools like Sonarr or CouchPotato. Features include: ![NZBHydra Screenshot](../../images/nzbhydra2.png)
* Search by IMDB, TMDB, TVDB, TVRage and TVMaze ID (including season and episode) and filter by age and size. If an ID is not supported by an indexer it is attempted to be converted (e.g. TMDB to IMDB) Features include:
* Query generation, meaning when you search for a movie using e.g. an IMDB ID a query will be generated for raw indexers. Searching for a series season 1 episode 2 will also generate queries for raw indexers, like s01e02 and 1x02
* Grouping of results with the same title and of duplicate results, accounting for result posting time, size, group and poster. By default only one of the duplicates is shown. You can provide an indexer score to influence which one that might be
* Compatible with Sonarr, CP, NZB 360, SickBeard, Mylar and Lazy Librarian (and others)
* Statistics on indexers (average response time, share of results, access errors), searches and downloads per time of day and day of week, NZB download history and search history (both via internal GUI and API)
![NZBHydra Screenshot](../../images/nzbhydra.png) - Searches Anizb, BinSearch, NZBIndex and any newznab compatible indexers. Merges all results, filters them by a number of configurable restrictions, recognizes duplicates and returns them all in one place
- Add results to [NZBGet][nzbget] or [SABnzbd][sabnzbd]
- Support for all relevant media IDs (IMDB, TMDB, TVDB, TVRage, TVMaze) and conversion between them
- Query generation, meaning a query will be generated if only a media ID is provided in the search and the indexer doesn't support the ID or if no results were found
- Compatible with [Sonarr][sonarr], [Radarr][radarr], [NZBGet][nzbget], [SABnzbd][sabnzbd], nzb360, CouchPotato, [Mylar][mylar], [Lazy Librarian][lazylibrarian], Sick Beard, [Jackett][jackett], Watcher, etc.
- Search and download history and extensive stats. E.g. indexer response times, download shares, NZB age, etc.
- Authentication and multi-user support
- Automatic update of NZB download status by querying configured downloaders
- RSS support with configurable cache times
- Torrent support (_Although I prefer [Jackett][jackett] for this_):
- For GUI searches, allowing you to download torrents to a blackhole folder
- A separate Torznab compatible endpoint for API requests, allowing you to merge multiple trackers
- Extensive configurability
- Migration of database and settings from v1
## Inclusion into AutoPirate ## Inclusion into AutoPirate
To include NZBHydra in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: To include NZBHydra2 in your [AutoPirate][autopirate] stack, include the following in your autopirate.yml stack definition file:
```` ```yaml
nzbhydra: nzbhydra2:
image: linuxserver/hydra:latest image: linuxserver/hydra2:latest
env_file : /var/data/config/autopirate/nzbhydra.env env_file : /var/data/config/autopirate/nzbhydra2.env
volumes: volumes:
- /var/data/autopirate/nzbhydra:/config - /var/data/autopirate/nzbhydra2:/config
networks: networks:
- internal - internal
nzbhydra_proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/config/autopirate/nzbhydra.env
networks:
- internal
- traefik_public
deploy: deploy:
labels: labels:
- traefik.frontend.rule=Host:nzbhydra.example.com # traefik
- traefik.enable=true
- traefik.docker.network=traefik_public - traefik.docker.network=traefik_public
- traefik.port=4180
volumes: # traefikv1
- /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt - traefik.frontend.rule=Host:nzbhydra.example.com
command: | - traefik.port=5076
-cookie-secure=false - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
-upstream=http://nzbhydra:5075 - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-redirect-url=https://nzbhydra.example.com - traefik.frontend.auth.forward.trustForwardHeader=true
-http-address=http://0.0.0.0:4180
-email-domain=example.com # traefikv2
-provider=github - "traefik.http.routers.nzbhydra.rule=Host(`nzbhydra.example.com`)"
-authenticated-emails-file=/authenticated-emails.txt - "traefik.http.routers.nzbhydra.entrypoints=https"
```` - "traefik.http.services.nzbhydra.loadbalancer.server.port=5076"
- "traefik.http.routers.nzbhydra.middlewares=forward-auth"
```
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
--8<-- "recipe-autopirate-toc.md"
## Assemble more tools..
Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section:
* [SABnzbd](/recipes/autopirate/sabnzbd.md)
* [NZBGet](/recipes/autopirate/nzbget.md)
* [RTorrent](/recipes/autopirate/rtorrent/)
* [Sonarr](/recipes/autopirate/sonarr/)
* [Radarr](/recipes/autopirate/radarr/)
* [Mylar](/recipes/autopirate/mylar/)
* [Lazy Librarian](/recipes/autopirate/lazylibrarian/)
* [Headphones](/recipes/autopirate/headphones/)
* [Lidarr](/recipes/autopirate/lidarr/)
* NZBHydra (this page)
* [NZBHydra2](/recipes/autopirate/nzbhydra2/)
* [Ombi](/recipes/autopirate/ombi/)
* [Jackett](/recipes/autopirate/jackett/)
* [Heimdall](/recipes/autopirate/heimdall/)
* [End](/recipes/autopirate/end/) (launch the stack)
[^1]: In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition.
--8<-- "recipe-footer.md" --8<-- "recipe-footer.md"
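Review bot: the service is renamed from `nzbhydra` to `nzbhydra2` (image `linuxserver/hydra2:latest`, port 5076) while the old upstream `http://nzbhydra:5075` disappears, so any tool configured against `nzbhydra:5075` stops working; the page should state the new `nzbhydra2:5076` target explicitly (the deleted nzbhydra2 page carried exactly that note and it is not merged here). The router, Host rule and `nzbhydra.env` keep the old name, which is fine, but the config volume moves to `/var/data/autopirate/nzbhydra2`, so upgraders need the on-disk rename pointed out. Finally `nzbhydra2:` retains only `networks: - internal` once `nzbhydra_proxy` goes away; add `- traefik_public` or Traefik cannot reach port 5076.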

@@ -1,91 +0,0 @@
!!! warning
This is not a complete recipe - it's a component of the [AutoPirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
# NZBHydra 2
[NZBHydra 2](https://github.com/theotherp/nzbhydra2) is a meta search for NZB indexers. It provides easy access to a number of raw and newznab based indexers. You can search all your indexers from one place and use it as an indexer source for tools like Sonarr, Radarr or CouchPotato.
!!! note
NZBHydra 2 is a complete rewrite of [NZBHydra (1)](/recipes/autopirate/nzbhydra/). It's currently in Beta. It works mostly fine but some functions might not be completely done and incompatibilities with some tools might still exist. You might want to run both in parallel for migration / testing purposes, but ultimately you'll probably want to switch over to NZBHydra 2 exclusively.
![NZBHydra Screenshot](../../images/nzbhydra2.png)
Features include:
- Searches Anizb, BinSearch, NZBIndex and any newznab compatible indexers. Merges all results, filters them by a number of configurable restrictions, recognizes duplicates and returns them all in one place
- Add results to [NZBGet](/recipes/autopirate/nzbget/) or [SABnzbd](/recipes/autopirate/sabnzbd/)
- Support for all relevant media IDs (IMDB, TMDB, TVDB, TVRage, TVMaze) and conversion between them
- Query generation, meaning a query will be generated if only a media ID is provided in the search and the indexer doesn't support the ID or if no results were found
- Compatible with [Sonarr](/recipes/autopirate/sonarr/), [Radarr](/recipes/autopirate/radarr/), [NZBGet](/recipes/autopirate/nzbget.md), [SABnzbd](/recipes/autopirate/sabnzbd/), nzb360, CouchPotato, [Mylar](/recipes/autopirate/mylar/), [Lazy Librarian](/recipes/autopirate/lazylibrarian/), Sick Beard, [Jackett/Cardigann](/recipes/autopirate/jackett/), Watcher, etc.
- Search and download history and extensive stats. E.g. indexer response times, download shares, NZB age, etc.
- Authentication and multi-user support
- Automatic update of NZB download status by querying configured downloaders
- RSS support with configurable cache times
- Torrent support (_Although I prefer [Jackett](/recipes/autopirate/jackett/) for this_):
- For GUI searches, allowing you to download torrents to a blackhole folder
- A separate Torznab compatible endpoint for API requests, allowing you to merge multiple trackers
- Extensive configurability
- Migration of database and settings from v1
## Inclusion into AutoPirate
To include NZBHydra2 in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file:
```
nzbhydra2:
image: linuxserver/hydra2:latest
env_file : /var/data/config/autopirate/nzbhydra2.env
volumes:
- /var/data/autopirate/nzbhydra2:/config
networks:
- internal
nzbhydra2_proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/config/autopirate/nzbhydra2.env
networks:
- internal
- traefik_public
deploy:
labels:
- traefik.frontend.rule=Host:nzbhydra2.example.com
- traefik.docker.network=traefik_public
- traefik.port=4180
volumes:
- /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt
command: |
-cookie-secure=false
-upstream=http://nzbhydra2:5076
-redirect-url=https://nzbhydra2.example.com
-http-address=http://0.0.0.0:4180
-email-domain=example.com
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
```
--8<-- "premix-cta.md"
## Assemble more tools..
Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section:
- [SABnzbd](/recipes/autopirate/sabnzbd.md)
- [NZBGet](/recipes/autopirate/nzbget.md)
- [RTorrent](/recipes/autopirate/rtorrent/)
- [Sonarr](/recipes/autopirate/sonarr/)
- [Radarr](/recipes/autopirate/radarr/)
- [Mylar](/recipes/autopirate/mylar/)
- [Lazy Librarian](/recipes/autopirate/lazylibrarian/)
- [Headphones](/recipes/autopirate/headphones/)
- [Lidarr](/recipes/autopirate/lidarr/)
- [NZBHydra](/recipes/autopirate/nzbhydra/)
- NZBHydra2 (this page)
- [Ombi](/recipes/autopirate/ombi/)
- [Jackett](/recipes/autopirate/jackett/)
- [Heimdall](/recipes/autopirate/heimdall/)
- [End](/recipes/autopirate/end/) (launch the stack)
[^1]: In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition.
[^2]: Note that NZBHydra2 _can_ co-exist with NZBHydra (1), but if you want your tools (Sonarr, Radarr, etc) to use NZBHydra2, you'll need to change both the target hostname (_to "hydra2"_) and the target port (_to 5076_).
--8<-- "recipe-footer.md"
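Review bot: deleting this page drops two pieces of guidance that the merged NZBHydra page in this same change does not pick up: the `!!! note` explaining that v2 can run alongside v1 during migration, and footnote `[^2]` telling readers to re-point their tools to host `hydra2` and port 5076. Since the merged page now ships the v2 service, that migration text belongs there. The `/recipes/autopirate/nzbhydra2/` URL is also linked from the per-tool lists on the old side of the other hunks, so a redirect from the old path would avoid dead links for anyone with the URL bookmarked.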

@@ -3,7 +3,7 @@
# Ombi # Ombi
[Ombi](https://github.com/tidusjar/Ombi) is a useful addition to the [autopirate](/recipes/autopirate/) stack. Features include: [Ombi](https://github.com/tidusjar/Ombi) is a useful addition to the [autopirate][autopirate]stack. Features include:
* Lets users request Movies and TV Shows (_whether it being the entire series, an entire season, or even single episodes._) * Lets users request Movies and TV Shows (_whether it being the entire series, an entire season, or even single episodes._)
* Easily manage your requests * Easily manage your requests
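Review bot: `[autopirate][autopirate]stack` on the new side is missing the space before `stack`; it should read `[autopirate][autopirate] stack`.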
@@ -19,7 +19,7 @@ Automatically updates the status of requests when they are available on Plex/Emb
To include Ombi in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: To include Ombi in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file:
```` ```yaml
ombi: ombi:
image: linuxserver/ombi:latest image: linuxserver/ombi:latest
env_file : /var/data/config/autopirate/ombi.env env_file : /var/data/config/autopirate/ombi.env
@@ -36,43 +36,24 @@ ombi_proxy:
- traefik_public - traefik_public
deploy: deploy:
labels: labels:
- traefik.frontend.rule=Host:ombi.example.com # traefik
- traefik.enable=true
- traefik.docker.network=traefik_public - traefik.docker.network=traefik_public
- traefik.port=4180
volumes: # traefikv1
- /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt - traefik.frontend.rule=Host:ombi.example.com
command: | - traefik.port=3579
-cookie-secure=false - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
-upstream=http://ombi:3579 - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-redirect-url=https://ombi.example.com - traefik.frontend.auth.forward.trustForwardHeader=true
-http-address=http://0.0.0.0:4180
-email-domain=example.com # traefikv2
-provider=github - "traefik.http.routers.ombi.rule=Host(`ombi.example.com`)"
-authenticated-emails-file=/authenticated-emails.txt - "traefik.http.routers.ombi.entrypoints=https"
```` - "traefik.http.services.ombi.loadbalancer.server.port=3579"
- "traefik.http.routers.ombi.middlewares=forward-auth"
```
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
--8<-- "recipe-autopirate-toc.md"
## Assemble more tools.. --8<-- "recipe-footer.md"
Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section:
* [SABnzbd](/recipes/autopirate/sabnzbd.md)
* [NZBGet](/recipes/autopirate/nzbget.md)
* [RTorrent](/recipes/autopirate/rtorrent/)
* [Sonarr](/recipes/autopirate/sonarr/)
* [Radarr](/recipes/autopirate/radarr/)
* [Mylar](/recipes/autopirate/mylar/)
* [Lazy Librarian](/recipes/autopirate/lazylibrarian/)
* [Headphones](/recipes/autopirate/headphones/)
* [Lidarr](/recipes/autopirate/lidarr/)
* [NZBHydra](/recipes/autopirate/nzbhydra/)
* [NZBHydra2](/recipes/autopirate/nzbhydra2/)
* Ombi (this page)
* [Jackett](/recipes/autopirate/jackett/)
* [Heimdall](/recipes/autopirate/heimdall/)
* [End](/recipes/autopirate/end/) (launch the stack)
[^1]: In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition.
--8<-- "recipe-footer.md"
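Review bot: this hunk only strips `command:` and `volumes:` from `ombi_proxy` (the hunk header is `@@ -36,43 +36,24 @@ ombi_proxy:` and the context lines `- traefik_public` / `deploy:` / `labels:` are untouched), so the `oauth2_proxy` sidecar stays in the stack and now carries the forward-auth labels with `traefik.port=3579` and `loadbalancer.server.port=3579`. Traefik would send traffic to port 3579 on the proxy container, not to `ombi`. Remove `ombi_proxy` entirely and move the labels plus the `traefik_public` network onto the `ombi` service, as the Radarr and Mylar hunks do.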

@@ -24,9 +24,9 @@
## Inclusion into AutoPirate ## Inclusion into AutoPirate
To include Radarr in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: To include Radarr in your [AutoPirate][autopirate] stack, include the following in your autopirate.yml stack definition file:
```` ```yaml
radarr: radarr:
image: linuxserver/radarr:latest image: linuxserver/radarr:latest
env_file : /var/data/config/autopirate/radarr.env env_file : /var/data/config/autopirate/radarr.env
@@ -35,52 +35,26 @@ radarr:
- /var/data/media:/media - /var/data/media:/media
networks: networks:
- internal - internal
radarr_proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/config/autopirate/radarr.env
networks:
- internal
- traefik_public
deploy: deploy:
labels: labels:
- traefik.frontend.rule=Host:radarr.example.com # traefik
- traefik.enable=true
- traefik.docker.network=traefik_public - traefik.docker.network=traefik_public
- traefik.port=4180
volumes: # traefikv1
- /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt - traefik.frontend.rule=Host:radarr.example.com
command: | - traefik.port=7878
-cookie-secure=false - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
-upstream=http://radarr:7878 - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-redirect-url=https://radarr.example.com - traefik.frontend.auth.forward.trustForwardHeader=true
-http-address=http://0.0.0.0:4180
-email-domain=example.com # traefikv2
-provider=github - "traefik.http.routers.radarr.rule=Host(`radarr.example.com`)"
-authenticated-emails-file=/authenticated-emails.txt - "traefik.http.routers.radarr.entrypoints=https"
```` - "traefik.http.services.radarr.loadbalancer.server.port=7878"
- "traefik.http.routers.radarr.middlewares=forward-auth"
```
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
--8<-- "recipe-autopirate-toc.md"
## Assemble more tools..
Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section:
* [SABnzbd](/recipes/autopirate/sabnzbd.md)
* [NZBGet](/recipes/autopirate/nzbget.md)
* [RTorrent](/recipes/autopirate/rtorrent/)
* [Sonarr](/recipes/autopirate/sonarr/)
* Radarr (this page)
* [Mylar](/recipes/autopirate/mylar/)
* [Lazy Librarian](/recipes/autopirate/lazylibrarian/)
* [Headphones](/recipes/autopirate/headphones/)
* [Lidarr](/recipes/autopirate/lidarr/)
* [NZBHydra](/recipes/autopirate/nzbhydra/)
* [NZBHydra2](/recipes/autopirate/nzbhydra2/)
* [Ombi](/recipes/autopirate/ombi/)
* [Jackett](/recipes/autopirate/jackett/)
* [Heimdall](/recipes/autopirate/heimdall/)
* [End](/recipes/autopirate/end/) (launch the stack)
[^1]: In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition.
--8<-- "recipe-footer.md" --8<-- "recipe-footer.md"
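Review bot: same gap as in the Mylar hunk: `radarr_proxy` (the `traefik_public` member) is removed while `radarr:` keeps `networks: - internal` only, so Traefik cannot reach `loadbalancer.server.port=7878`; add `- traefik_public`. The deleted `[^1]` footnote also told readers that Radarr reaches SABnzbd and NZBHydra by service name; with the NZBHydra service renamed to `nzbhydra2` in this same change, that guidance needs updating rather than dropping.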

@@ -9,13 +9,13 @@
## Choose incoming port ## Choose incoming port
When using a torrent client from behind NAT (_which swarm, by nature, is_), you typically need to set a static port for inbound torrent communications. In the example below, I've set the port to 36258. You'll need to configure /var/data/autopirate/rtorrent/rtorrent/rtorrent.rc with the equivalent port. When using a torrent client from behind NAT (_which swarm, by nature, is_), you typically need to set a static port for inbound torrent communications. In the example below, I've set the port to 36258. You'll need to configure `/var/data/autopirate/rtorrent/rtorrent/rtorrent.rc` with the equivalent port.
## Inclusion into AutoPirate ## Inclusion into AutoPirate
To include ruTorrent in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: To include ruTorrent in your [AutoPirate][autopirate] stack, include the following in your autopirate.yml stack definition file:
``` ```yaml
rtorrent: rtorrent:
image: linuxserver/rutorrent image: linuxserver/rutorrent
env_file : /var/data/config/autopirate/rtorrent.env env_file : /var/data/config/autopirate/rtorrent.env
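Review bot: `[AutoPirate][autopirate]` is a reference-style link, and nothing in this hunk adds a definition for `[autopirate]` to the page; if the definition comes from a shared links snippet, confirm that snippet is actually included on this page, otherwise Markdown renders the link as literal bracketed text.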
@@ -26,52 +26,26 @@ rtorrent:
- /var/data/autopirate/rtorrent:/config - /var/data/autopirate/rtorrent:/config
networks: networks:
- internal - internal
rtorrent_proxy:
image: skippy/oauth2_proxy
env_file : /var/data/config/autopirate/rtorrent.env
networks:
- internal
- traefik_public
deploy: deploy:
labels: labels:
- traefik.frontend.rule=Host:rtorrent.example.com # traefik
- traefik.enable=true
- traefik.docker.network=traefik_public - traefik.docker.network=traefik_public
- traefik.port=4180
volumes: # traefikv1
- /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt - traefik.frontend.rule=Host:rtorrent.example.com
command: | - "traefik.http.services.linx.loadbalancer.server.port=80"
-cookie-secure=false - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
-upstream=http://rtorrent:80 - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-redirect-url=https://rtorrent.example.com - traefik.frontend.auth.forward.trustForwardHeader=true
-http-address=http://0.0.0.0:4180
-email-domain=example.com # traefikv2
-provider=github - "traefik.http.routers.rtorrent.rule=Host(`rtorrent.example.com`)"
-authenticated-emails-file=/authenticated-emails.txt - "traefik.http.routers.rtorrent.entrypoints=https"
- "traefik.http.services.rtorrent.loadbalancer.server.port=80"
- "traefik.http.routers.rtorrent.middlewares=forward-auth"
``` ```
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
--8<-- "recipe-autopirate-toc.md"
## Assemble more tools..
Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section:
* [SABnzbd](/recipes/autopirate/sabnzbd.md)
* [NZBGet](/recipes/autopirate/nzbget.md)
* RTorrent (this page)
* [Sonarr](/recipes/autopirate/sonarr/)
* [Radarr](/recipes/autopirate/radarr/)
* [Mylar](/recipes/autopirate/mylar/)
* [Lazy Librarian](/recipes/autopirate/lazylibrarian/)
* [Headphones](/recipes/autopirate/headphones/)
* [Lidarr](/recipes/autopirate/lidarr/)
* [NZBHydra](/recipes/autopirate/nzbhydra/)
* [NZBHydra2](/recipes/autopirate/nzbhydra2/)
* [Ombi](/recipes/autopirate/ombi/)
* [Jackett](/recipes/autopirate/jackett/)
* [Heimdall](/recipes/autopirate/heimdall/)
* [End](/recipes/autopirate/end/) (launch the stack)
[^1]: In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition.
--8<-- "recipe-footer.md" --8<-- "recipe-footer.md"
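Review bot: in the `# traefikv1` block, `- "traefik.http.services.linx.loadbalancer.server.port=80"` is a Traefik v2 label carrying the service name `linx` rather than `rtorrent`, so it neither sets the v1 backend port nor belongs to this service; the sabnzbd and sonarr hunks in this same commit use `- traefik.port=<port>` at that position, so this line should read `- traefik.port=80`. Also, `- traefik_public` appears only once in this hunk, among the removed `rtorrent_proxy` lines; with `traefik.docker.network=traefik_public` now set on the `rtorrent` service itself, its `networks:` list must include both `- internal` and `- traefik_public`, so confirm the new side keeps it.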

@@ -16,38 +16,34 @@ To include SABnzbd in your [AutoPirate](/recipes/autopirate/) stack
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
```` ```yaml
sabnzbd: sabnzbd:
image: linuxserver/sabnzbd:latest image: linuxserver/sabnzbd:latest
env_file : /var/data/config/autopirate/sabnzbd.env env_file : /var/data/config/autopirate/sabnzbd.env
volumes: volumes:
- /var/data/autopirate/sabnzbd:/config - /var/data/autopirate/sabnzbd:/config
- /var/data/media:/media - /var/data/media:/media
networks: networks:
- internal
sabnzbd_proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/config/autopirate/sabnzbd.env
networks:
- internal - internal
- traefik_public
deploy: deploy:
labels: labels:
- traefik.frontend.rule=Host:sabnzbd.example.com # traefik
- traefik.enable=true
- traefik.docker.network=traefik_public - traefik.docker.network=traefik_public
- traefik.port=4180
volumes: # traefikv1
- /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt - traefik.frontend.rule=Host:sabnzbd.example.com
command: | - traefik.port=8080
-cookie-secure=false - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
-upstream=http://sabnzbd:8080 - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-redirect-url=https://sabnzbd.example.com - traefik.frontend.auth.forward.trustForwardHeader=true
-http-address=http://0.0.0.0:4180
-email-domain=example.com # traefikv2
-provider=github - "traefik.http.routers.sabnzbd.rule=Host(`sabnzbd.example.com`)"
-authenticated-emails-file=/authenticated-emails.txt - "traefik.http.routers.sabnzbd.entrypoints=https"
```` - "traefik.http.services.sabnzbd.loadbalancer.server.port=8080"
- "traefik.http.routers.sabnzbd.middlewares=forward-auth"
```
!!! warning "Important Note re hostname validation" !!! warning "Important Note re hostname validation"
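Review bot: style: the hunk header shows this page's intro still using the inline `[AutoPirate](/recipes/autopirate/)` link, while the rtorrent and sonarr pages are switched to `[AutoPirate][autopirate]` in the same commit; update it for consistency. The new labels themselves are consistent: `traefik.port=8080` and `loadbalancer.server.port=8080` agree with the old `-upstream=http://sabnzbd:8080`.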
@@ -57,26 +53,5 @@ sabnzbd_proxy:
For example, mine simply reads ```host_whitelist = sabnzbd.funkypenguin.co.nz, sabnzbd``` For example, mine simply reads ```host_whitelist = sabnzbd.funkypenguin.co.nz, sabnzbd```
## Assemble more tools.. --8<-- "recipe-autopirate-toc.md"
Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section:
* SABnzbd (this page)
* [NZBGet](/recipes/autopirate/nzbget.md)
* [RTorrent](/recipes/autopirate/rtorrent/)
* [Sonarr](/recipes/autopirate/sonarr/)
* [Radarr](/recipes/autopirate/radarr/)
* [Mylar](/recipes/autopirate/mylar/)
* [Lazy Librarian](/recipes/autopirate/lazylibrarian/)
* [Headphones](/recipes/autopirate/headphones/)
* [Lidarr](/recipes/autopirate/lidarr/)
* [NZBHydra](/recipes/autopirate/nzbhydra/)
* [NZBHydra2](/recipes/autopirate/nzbhydra2/)
* [Ombi](/recipes/autopirate/ombi/)
* [Jackett](/recipes/autopirate/jackett/)
* [Heimdall](/recipes/autopirate/heimdall/)
* [End](/recipes/autopirate/end/) (launch the stack)
[^1]: In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition.
--8<-- "recipe-footer.md" --8<-- "recipe-footer.md"

@@ -10,9 +10,9 @@
## Inclusion into AutoPirate ## Inclusion into AutoPirate
To include Sonarr in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: To include Sonarr in your [AutoPirate][autopirate] stack, include the following in your autopirate.yml stack definition file:
```` ```yaml
sonarr: sonarr:
image: linuxserver/sonarr:latest image: linuxserver/sonarr:latest
env_file : /var/data/config/autopirate/sonarr.env env_file : /var/data/config/autopirate/sonarr.env
@@ -21,52 +21,26 @@ sonarr:
- /var/data/media:/media - /var/data/media:/media
networks: networks:
- internal - internal
sonarr_proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/config/autopirate/sonarr.env
networks:
- internal
- traefik_public
deploy: deploy:
labels: labels:
- traefik.frontend.rule=Host:sonarr.example.com # traefik
- traefik.enable=true
- traefik.docker.network=traefik_public - traefik.docker.network=traefik_public
- traefik.port=4180
volumes: # traefikv1
- /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt - traefik.frontend.rule=Host:sonarr.example.com
command: | - traefik.port=8989
-cookie-secure=false - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
-upstream=http://sonarr:8989 - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
-redirect-url=https://sonarr.example.com - traefik.frontend.auth.forward.trustForwardHeader=true
-http-address=http://0.0.0.0:4180
-email-domain=example.com # traefikv2
-provider=github - "traefik.http.routers.sonarr.rule=Host(`sonarr.example.com`)"
-authenticated-emails-file=/authenticated-emails.txt - "traefik.http.routers.sonarr.entrypoints=https"
```` - "traefik.http.services.sonarr.loadbalancer.server.port=8989"
- "traefik.http.routers.sonarr.middlewares=forward-auth"
```
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
--8<-- "recipe-autopirate-toc.md"
## Assemble more tools..
Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section:
* [SABnzbd](/recipes/autopirate/sabnzbd.md)
* [NZBGet](/recipes/autopirate/nzbget.md)
* [RTorrent](/recipes/autopirate/rtorrent/)
* Sonarr (this page)
* [Radarr](/recipes/autopirate/radarr/)
* [Mylar](/recipes/autopirate/mylar/)
* [Lazy Librarian](/recipes/autopirate/lazylibrarian/)
* [Headphones](/recipes/autopirate/headphones/)
* [Lidarr](/recipes/autopirate/lidarr/)
* [NZBHydra](/recipes/autopirate/nzbhydra/)
* [NZBHydra2](/recipes/autopirate/nzbhydra2/)
* [Ombi](/recipes/autopirate/ombi/)
* [Jackett](/recipes/autopirate/jackett/)
* [Heimdall](/recipes/autopirate/heimdall/)
* [End](/recipes/autopirate/end/) (launch the stack)
[^1]: In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition.
--8<-- "recipe-footer.md" --8<-- "recipe-footer.md"
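Review bot: `- traefik_public` appears only once in this hunk, alongside the removed `sonarr_proxy` lines; now that the routing labels (`traefik.docker.network=traefik_public`, the `forward-auth` middleware) sit on the `sonarr` service itself, that service must be attached to `traefik_public` or Traefik will never reach port 8989. Confirm the new `networks:` list is `- internal` plus `- traefik_public`.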

@@ -44,7 +44,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3" version: "3"
services: services:
bitwarden: bitwarden:

@@ -50,7 +50,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -57,7 +57,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -67,7 +67,7 @@ termination=true
Create ```/var/data/config/collabora/docker-compose.yml``` as follows: Create ```/var/data/config/collabora/docker-compose.yml``` as follows:
``` ```yaml
version: "3.0" version: "3.0"
services: services:

@@ -27,7 +27,7 @@ CyberChef doesn't require any persistent storage, or fancy configuration, so sim
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3.2" # https://docs.docker.com/compose/compose-file/compose-versioning/#version-3 version: "3.2" # https://docs.docker.com/compose/compose-file/compose-versioning/#version-3
services: services:

@@ -59,7 +59,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3" version: "3"
services: services:
duplicati: duplicati:

@@ -35,7 +35,7 @@ So what does this mean for our stack? It means we can leverage Duplicity to back
We'll need a folder to store a docker-compose .yml file, and an associated .env file. If you're following my filesystem layout, create `/var/data/config/duplicity` (_for the config_), and `/var/data/duplicity` (_for the metadata_) as follows: We'll need a folder to store a docker-compose .yml file, and an associated .env file. If you're following my filesystem layout, create `/var/data/config/duplicity` (_for the config_), and `/var/data/duplicity` (_for the metadata_) as follows:
``` ```bash
mkdir /var/data/config/duplicity mkdir /var/data/config/duplicity
mkdir /var/data/duplicity mkdir /var/data/duplicity
cd /var/data/config/duplicity cd /var/data/config/duplicity
@@ -90,7 +90,7 @@ Depending on what tier of storage you chose from your provider (_i.e., Google Co
Run a variation of the following to confirm a file you expect to be backed up, **is** backed up. (_I used traefik.yml from the [traefik recipie](/ha-docker-swarm/traefik/), since this is likely to exist for every reader_). Run a variation of the following to confirm a file you expect to be backed up, **is** backed up. (_I used traefik.yml from the [traefik recipie](/ha-docker-swarm/traefik/), since this is likely to exist for every reader_).
``` ```yaml
docker run --env-file duplicity.env -it --rm \ docker run --env-file duplicity.env -it --rm \
-v /var/data:/var/data:ro \ -v /var/data:/var/data:ro \
-v /var/data/duplicity/tmp:/tmp \ -v /var/data/duplicity/tmp:/tmp \
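Review bot: the fence around `docker run --env-file duplicity.env ...` is tagged `yaml`, but the block is a shell command; the earlier hunk in this file tags the `mkdir` block `bash`, so use `bash` as the fence language here too. While touching this file, "recipie" in the unchanged sentence above is a typo for "recipe".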

@@ -58,13 +58,13 @@ Create ```/var/data/config/elkarbackup/elkarbackup-db-backup.env```, and populat
No, me either :shrug: No, me either :shrug:
```` ```
# For database backup (keep 7 days daily backups) # For database backup (keep 7 days daily backups)
MYSQL_PWD=<same as SYMFONY__DATABASE__PASSWORD above> MYSQL_PWD=<same as SYMFONY__DATABASE__PASSWORD above>
MYSQL_USER=root MYSQL_USER=root
BACKUP_NUM_KEEP=7 BACKUP_NUM_KEEP=7
BACKUP_FREQUENCY=1d BACKUP_FREQUENCY=1d
```` ```
### Setup Docker Swarm ### Setup Docker Swarm
@@ -72,7 +72,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3" version: "3"
services: services:

@@ -33,7 +33,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3.0" version: "3.0"
services: services:

@@ -24,7 +24,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -33,7 +33,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -56,7 +56,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
```` ```yaml
version: '3' version: '3'
services: services:
@@ -105,7 +105,7 @@ networks:
ipam: ipam:
config: config:
- subnet: 172.16.2.0/24 - subnet: 172.16.2.0/24
```` ```
--8<-- "reference-networks.md" --8<-- "reference-networks.md"

@@ -61,7 +61,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -43,7 +43,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3" version: "3"
services: services:

@@ -67,7 +67,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -26,7 +26,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:
web: web:

@@ -43,7 +43,7 @@ IPFS_API=/ip4/172.17.0.1/tcp/5001
Yes, I know. It's not as snazzy as docker swarm. Maybe we'll get there. But this implementation uses docker-compose, so create the following (_identical_) docker-compose.yml on each node: Yes, I know. It's not as snazzy as docker swarm. Maybe we'll get there. But this implementation uses docker-compose, so create the following (_identical_) docker-compose.yml on each node:
``` ```yaml
version: "3" version: "3"
services: services:

@@ -39,7 +39,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3.0" version: "3.0"
services: services:

@@ -48,7 +48,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -58,7 +58,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -27,7 +27,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3.2" version: "3.2"
services: services:

@@ -44,7 +44,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3.2" # https://docs.docker.com/compose/compose-file/compose-versioning/#version-3 version: "3.2" # https://docs.docker.com/compose/compose-file/compose-versioning/#version-3
services: services:

@@ -95,7 +95,7 @@ Create a docker swarm config file in docker-compose syntax (_v3.2 - because we n
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3.2' version: '3.2'
services: services:

@@ -46,7 +46,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -66,7 +66,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -43,8 +43,8 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3.1' version: '3.2'
services: services:
app: app:
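Review bot: `version: '3.1'` to `'3.2'` is a functional compose-version bump mixed into an otherwise fence-tag-only commit; if this stack needs a 3.2-only feature (such as the long `ports:` syntax), say so in the commit message, otherwise leave the version untouched so the change stays reviewable.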

@@ -49,7 +49,7 @@ kubectl create -f /var/data/mqtt/namespace.yaml
Persistent volume claims are a streamlined way to create a persistent volume and assign it to a container in a pod. Create a claim for the certbot data: Persistent volume claims are a streamlined way to create a persistent volume and assign it to a container in a pod. Create a claim for the certbot data:
``` ```yaml
cat <<EOF > /var/data/mqtt/persistent-volumeclaim.yml cat <<EOF > /var/data/mqtt/persistent-volumeclaim.yml
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
apiVersion: v1 apiVersion: v1
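Review bot: this fence is tagged `yaml`, but the block opens with a shell redirect (`cat <<EOF > /var/data/mqtt/persistent-volumeclaim.yml`) and will close with `EOF`; tag it `bash`, or split the YAML body into its own `yaml` block and keep the `cat` line as shell.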

@@ -70,7 +70,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -63,7 +63,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3.0" version: "3.0"
services: services:

@@ -327,7 +327,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -41,7 +41,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3.0" version: "3.0"
services: services:

@@ -89,7 +89,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3.3' version: '3.3'
services: services:

@@ -105,7 +105,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -35,7 +35,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3.0" version: "3.0"
services: services:

@@ -29,7 +29,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3.2' version: '3.2'
services: services:

@@ -23,7 +23,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -45,7 +45,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3" version: "3"
services: services:

@@ -101,7 +101,7 @@ Create a docker swarm config file in docker-compose syntax (v3) in `/var/data/re
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3.2" version: "3.2"
services: services:

@@ -96,7 +96,7 @@ Create a docker swarm config file in docker-compose syntax (v3), based on the or
{% raw %} {% raw %}
???+ note "This example is 274 lines long. Click here to collapse it for better readability" ???+ note "This example is 274 lines long. Click here to collapse it for better readability"
``` ```yaml
version: "3.3" version: "3.3"
networks: networks:

@@ -44,7 +44,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3.2" # https://docs.docker.com/compose/compose-file/compose-versioning/#version-3 version: "3.2" # https://docs.docker.com/compose/compose-file/compose-versioning/#version-3
services: services:

@@ -58,7 +58,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -74,7 +74,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -52,7 +52,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: '3' version: '3'
services: services:

@@ -39,7 +39,7 @@ Create a docker swarm config file in docker-compose syntax (v3), something like
--8<-- "premix-cta.md" --8<-- "premix-cta.md"
``` ```yaml
version: "3" version: "3"
services: services:
wetty: wetty:

@@ -1,79 +1,3 @@
# OAuth proxy # Oauth2 proxy
Some of the platforms we use on our swarm may have strong, proven security to prevent abuse. Techniques such as rate-limiting (to defeat brute force attacks) or even support 2-factor authentication (tiny-tiny-rss or Wallabag support this). I've deprecated the oauth2-proxy recipe in favor of [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/). It's infinitely more scalable and easier to manage!
Other platforms may provide **no authentication** (Traefik's web UI for example), or minimal, un-proven UI authentication which may have been added as an afterthought.
Still platforms may hold such sensitive data (i.e., NextCloud), that we'll feel more secure by putting an additional authentication layer in front of them.
This is the role of the OAuth proxy.
## How does it work?
**Normally**, Traefik proxies web requests directly to individual web apps running in containers. The user talks directly to the webapp, and the webapp is responsible for ensuring appropriate authentication.
When employing the **OAuth proxy** , the proxy sits in the middle of this transaction - traefik sends the web client to the OAuth proxy, the proxy authenticates the user against a 3rd-party source (_GitHub, Google, etc_), and then passes authenticated requests on to the web app in the container.
Illustrated below:
![OAuth proxy](/images/oauth_proxy.png)
The advantage under this design is additional security. If I'm deploying a web app which I expect only myself to require access to, I'll put the oauth_proxy in front of it. The overhead is negligible, and the additional layer of security is well-worth it.
## Ingredients
## Preparation
### OAuth provider
OAuth Proxy currently supports the following OAuth providers:
* Google (default)
* Azure
* Facebook
* GitHub
* GitLab
* LinkedIn
* MyUSA
Follow the [instructions](https://github.com/bitly/oauth2_proxy) to setup your oauth provider. You need to setup a unique key/secret for **each** instance of the proxy you want to run, since in each case the callback URL will differ.
### Authorized emails file
There are a variety of options with oauth_proxy re which email addresses (authenticated against your oauth provider) should be permitted access. You can permit access based on email domain (*@gmail.com), individual email address (batman@gmail.com), or based on provider-specific groups (_i.e., a GitHub organization_)
The most restrictive configuration allows access on a per-email address basis, which is illustrated below:
I created **/var/data/oauth_proxy/authenticated-emails.txt**, and add my own email address to the first line.
### Configure stack
You'll need to define a service for the oauth_proxy in every stack which you want to protect. Here's an example from the [Wekan](/recipes/wekan/) recipe:
```
proxy:
image: a5huynh/oauth2_proxy
env_file : /var/data/wekan/wekan.env
networks:
- traefik
- internal
deploy:
labels:
- traefik.frontend.rule=Host:wekan.funkypenguin.co.nz
- traefik.docker.network=traefik
- traefik.port=4180
volumes:
- /var/data/oauth_proxy/authenticated-emails.txt:/authenticated-emails.txt
command: |
-cookie-secure=false
-upstream=http://wekan:80
-redirect-url=https://wekan.funkypenguin.co.nz
-http-address=http://0.0.0.0:4180
-email-domain=funkypenguin.co.nz
-provider=github
-authenticated-emails-file=/authenticated-emails.txt
```
Note above how:
* Labels are required to tell Traefik to forward the traffic to the proxy, rather than the backend container running the app
* An environment file is defined, but..
* The redirect URL must still be passed to the oauth_proxy in the command argument
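Review bot: the replacement text gives readers with an existing `oauth2_proxy` deployment no migration guidance; the removed lines explained the per-address allowlist (`-authenticated-emails-file=/authenticated-emails.txt`) and the per-stack `proxy:` service with its `-redirect-url`/`-cookie-secure` arguments, and the new page should at least say what replaces each of those under Traefik Forward Auth. Minor: the project spells its name `oauth2_proxy`, so the heading should read "OAuth2 proxy" rather than "Oauth2 proxy", and "infinitely more scalable" is a claim the page does not support; "simpler to manage" is enough.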

@@ -1,168 +0,0 @@
<h1 id="phpipam">phpIPAM</h1>
<p>phpIPAM is an open-source web IP address management application (<em>IPAM</em>). Its goal is to provide light, modern and useful IP address management. It is php-based application with MySQL database backend, using jQuery libraries, ajax and HTML5/CSS3 features.</p>
<figure>
<img src="../images/phpipam.png" alt="phpIPAM Screenshot" /><figcaption>phpIPAM Screenshot</figcaption>
</figure>
<p>phpIPAM fulfils a non-sexy, but important role - It helps you manage your IP address allocation.</p>
<h2 id="why-should-you-care-about-this">Why should you care about this?</h2>
<p>You probably have a home network, with 20-30 IP addresses, for your family devices, your <img src="/recipe/home-assistant" alt="IoT devices" />, your smart TV, etc. If you want to (a) monitor them, and (b) audit who does what, you care about what IPs theyre assigned by your DHCP server.</p>
<p>You could simple keep track of all devices with leases in your DHCP server, but what happens if your (<em>hypothetical?</em>) Ubiquity Edge Router X crashes and burns due to lack of disk space, and you loose track of all your leases? Well, you have to start from scratch, is what!</p>
<p>And that <a href="/recipes/homeassistant/">HomeAssistant</a> config, which you so carefully compiled, refers to each device by IP/DNS name, so youd better make sure you recreate it consistently!</p>
<p>Enter phpIPAM. A tool designed to help home keeps as well as large organisations keep track of their IP (<em>and VLAN, VRF, and AS number</em>) allocations.</p>
<h2 id="ingredients">Ingredients</h2>
<ol type="1">
<li><a href="/ha-docker-swarm/design/">Docker swarm cluster</a> with <a href="/ha-docker-swarm/shared-storage-ceph.md">persistent shared storage</a></li>
<li><a href="/ha-docker-swarm/traefik_public">Traefik</a> configured per design</li>
<li>DNS entry for the hostname (<em>i.e. “phpipam.your-domain.com”</em>) you intend to use for phpIPAM, pointed to your <a href="ha-docker-swarm/keepalived/">keepalived</a> IPIP</li>
</ol>
<h2 id="preparation">Preparation</h2>
<h3 id="setup-data-locations">Setup data locations</h3>
<p>Well need several directories to bind-mount into our container, so create them in /var/data/phpipam:</p>
<pre><code>mkdir /var/data/phpipam/databases-dump -p
mkdir /var/data/runtime/phpipam -p</code></pre>
<h3 id="prepare-environment">Prepare environment</h3>
<p>Create phpipam.env, and populate with the following variables</p>
<pre><code># Setup for github, phpipam application
OAUTH2_PROXY_CLIENT_ID=
OAUTH2_PROXY_CLIENT_SECRET=
OAUTH2_PROXY_COOKIE_SECRET=
# For MariaDB/MySQL database
MYSQL_ROOT_PASSWORD=imtoosecretformyshorts
MYSQL_DATABASE=phpipam
MYSQL_USER=phpipam
MYSQL_PASSWORD=secret
# phpIPAM-specific variables
MYSQL_ENV_MYSQL_USER=phpipam
MYSQL_ENV_MYSQL_PASSWORD=secret
MYSQL_ENV_MYSQL_DB=phpipam
MYSQL_ENV_MYSQL_HOST=db
# For backup
BACKUP_NUM_KEEP=7
BACKUP_FREQUENCY=1d</code></pre>
<p>Additionally, create phpipam-backup.env, and populate with the following variables:</p>
<pre><code># For MariaDB/MySQL database
MYSQL_ROOT_PASSWORD=imtoosecretformyshorts
MYSQL_DATABASE=phpipam
MYSQL_USER=phpipam
MYSQL_PASSWORD=secret
# For backup
BACKUP_NUM_KEEP=7
BACKUP_FREQUENCY=1d</code></pre>
<h3 id="create-nginx.conf">Create nginx.conf</h3>
<p>I usually protect my stacks using an <a href="/reference/oauth_proxy/">oauth proxy</a> container in front of the app. This protects me from either accidentally exposing a platform to the world, or having a insecure platform accessed and abused.</p>
<p>In the case of phpIPAM, the oauth_proxy creates an additional complexity, since it passes the “Authorization” HTTP header to the phpIPAM container. phpIPAH then examines the header, determines that the provided username (<em>my email address associated with my oauth provider</em>) doesnt match a local user account, and denies me access without the opportunity to retry.</p>
<p>The (<em>dirty</em>) solution Ive come up with is to insert an Nginx instance in the path between the oauth_proxy and the phpIPAM container itself. Nginx can remove the authorization header, so that phpIPAM can prompt me to login with a web-based form.</p>
<p>Create /var/data/phpipam/nginx.conf as follows:</p>
<pre><code>upstream app-upstream {
server app:80;
}
server {
listen 80;
server_name ~.;
# Just redirect everything to the upstream
# Yes, it&#39;s embarassing. We are just a mechanism to strip an AUTH header :(
location ^~ / {
proxy_pass http://app-upstream;
proxy_set_header Authorization &quot;&quot;;
}
}</code></pre>
<h3 id="setup-docker-swarm">Setup Docker Swarm</h3>
<p>Create a docker swarm config file in docker-compose syntax (v3), something like this:</p>
<p>!!! tip I share (<em>with my <a href="https://www.patreon.com/funkypenguin">patreon patrons</a></em>) a private “<em>premix</em>” git repository, which includes necessary docker-compose and env files for all published recipes. This means that sponsors can launch any recipe with just a <code>git pull</code> and a <code>docker stack deploy</code> 👍</p>
<pre><code>version: &#39;3&#39;

services:
  db:
    image: mariadb:10
    env_file: /var/data/config/phpipam/phpipam.env
    networks:
      - internal
    volumes:
      - /var/data/runtime/phpipam/db:/var/lib/mysql

  proxy:
    image: funkypenguin/oauth2_proxy
    env_file: /var/data/config/phpipam/phpipam.env
    networks:
      - internal
      - traefik_public
    deploy:
      labels:
        - traefik.frontend.rule=Host:phpipam.example.com
        - traefik.docker.network=traefik_public
        - traefik.port=4180
    volumes:
      - /var/data/config/phpipam/authenticated-emails.txt:/authenticated-emails.txt
    command: |
      -cookie-secure=false
      -upstream=http://nginx
      -redirect-url=https://phpipam.example.com
      -http-address=http://0.0.0.0:4180
      -email-domain=example.com
      -provider=github
      -authenticated-emails-file=/authenticated-emails.txt

  # Wait, what? Why do we have an oauth_proxy _and_ an nginx frontend for a simple webapp?
  # Well, it&#39;s a long story. Basically, the phpipam container sees the &quot;auth&quot; headers passed by the
  # oauth_proxy, and decides to use these exclusively to authenticate users. So no web-based login form, just &quot;access denied&quot;
  # To work around this, we add nginx reverse proxy to the mix. A PITA, but an easy way to solve without altering the PHPIPAM code
  nginx:
    image: nginx:latest
    networks:
      - internal
    volumes:
      - /var/data/phpipam/nginx.conf:/etc/nginx/conf.d/default.conf:ro

  app:
    image: pierrecdn/phpipam
    env_file: /var/data/config/phpipam/phpipam.env
    networks:
      - internal

  # Sidecar: dumps all databases every $BACKUP_FREQUENCY and keeps the newest $BACKUP_NUM_KEEP dumps
  db-backup:
    image: mariadb:10
    env_file: /var/data/config/phpipam/phpipam.env
    volumes:
      - /var/data/phpipam/database-dump:/dump
      - /etc/localtime:/etc/localtime:ro
    entrypoint: |
      bash -c &#39;bash -s &lt;&lt;EOF
      trap &quot;break;exit&quot; SIGHUP SIGINT SIGTERM
      sleep 2m
      while /bin/true; do
        mysqldump -h db --all-databases | gzip -c &gt; /dump/dump_\`date +%d-%m-%Y&quot;_&quot;%H_%M_%S\`.sql.gz
        (ls -t /dump/dump*.sql.gz|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.sql.gz)|sort|uniq -u|xargs -r rm --
        sleep $$BACKUP_FREQUENCY
      done
      EOF&#39;
    networks:
      - internal

networks:
  traefik_public:
    external: true
  internal:
    driver: overlay
    ipam:
      config:
        - subnet: 172.16.47.0/24</code></pre>
<p>!!! note Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See <a href="/reference/networks/">my list</a> here.</p>
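<p>The db-backup sidecar's retention step (<code>ls -t | head</code>, then <code>sort | uniq -u</code> to find the names that are <em>not</em> in the keep set) is easy to misread, so here it is exercised on a constructed set of dump files in a scratch directory. This is an added example, not part of the recipe; the function names and the fixture timestamps are mine.</p>

```shell
# prune_dumps DIR KEEP: delete every dump*.sql.gz in DIR except the KEEP newest.
# Same pipeline as the db-backup entrypoint in the recipe: the newest KEEP names
# are listed once more than the rest, so `uniq -u` yields only the doomed ones.
prune_dumps() {
    dir="$1"; keep="$2"
    (ls -t "$dir"/dump*.sql.gz | head -n "$keep"; ls "$dir"/dump*.sql.gz) \
        | sort | uniq -u | xargs -r rm --
}

# make_fixture DIR N: create N constructed dumps dump_1..dump_N with distinct,
# increasing mtimes (hour 01..0N on a fixed date), so dump_N is the newest.
make_fixture() {
    dir="$1"; n="$2"; i=1
    mkdir -p "$dir"
    while [ "$i" -le "$n" ]; do
        : > "$dir/dump_$i.sql.gz"
        touch -t "$(printf '20240101%02d00' "$i")" "$dir/dump_$i.sql.gz"
        i=$((i + 1))
    done
}

# count_dumps DIR: how many dumps remain (0 if none).
count_dumps() {
    ls "$1"/dump*.sql.gz 2>/dev/null | wc -l | tr -d ' '
}

# demo: five dumps in, keep three, show what survives (expect dump_3, dump_4, dump_5).
demo() {
    dir=$(mktemp -d)
    make_fixture "$dir" 5
    prune_dumps "$dir" 3
    ls "$dir"
    rm -rf "$dir"
}
```

<p>Running <code>demo</code> with KEEP larger than the number of dumps deletes nothing, which is the case the <code>-r</code> on <code>xargs</code> guards against (no <code>rm</code> is run on an empty list).</p>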
<h2 id="serving">Serving</h2>
<h3 id="launch-phpipam-stack">Launch phpIPAM stack</h3>
<p>Launch the phpIPAM stack by running <code>docker stack deploy phpipam -c &lt;path-to-docker-compose.yml&gt;</code></p>
<p>Log into your new instance at https://<strong>YOUR-FQDN</strong>, and follow the on-screen prompts to set your first user/password.</p>
<h2 id="chefs-notes">Chef's Notes</h2>
<ol type="1">
<li>If you wanted to expose the phpIPAM UI directly, you could remove the oauth2_proxy and the nginx services from the design, and move the traefik_public-related labels directly to the phpipam container. You'd also need to add the traefik_public network to the phpipam container.</li>
</ol>
<h3 id="tip-your-waiter-donate">Tip your waiter (support me) 👏</h3>
<p>Did you receive excellent service? Want to make your waiter happy? (<em>..and support development of current and future recipes!</em>) See the <a href="/support/">support</a> page for (<em>free or paid)</em> ways to say thank you! 👏</p>
<h3 id="your-comments">Your comments? 💬</h3>
@@ -46,6 +46,7 @@ nav:
- Traefik: ha-docker-swarm/traefik.md - Traefik: ha-docker-swarm/traefik.md
- Traefik Forward Auth: - Traefik Forward Auth:
- Start: ha-docker-swarm/traefik-forward-auth.md - Start: ha-docker-swarm/traefik-forward-auth.md
- Dex (static): ha-docker-swarm/traefik-forward-auth/dex-static.md
- Google: ha-docker-swarm/traefik-forward-auth/google.md - Google: ha-docker-swarm/traefik-forward-auth/google.md
- KeyCloak: ha-docker-swarm/traefik-forward-auth/keycloak.md - KeyCloak: ha-docker-swarm/traefik-forward-auth/keycloak.md
- Registry: ha-docker-swarm/registry.md - Registry: ha-docker-swarm/registry.md
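Review bot: the `Traefik Forward Auth` sub-nav being extended here is repeated further down the same file (the hunk at line 120), so the new `Dex (static)` entry has to be added in both places by hand; consider keeping a single copy of that subtree, since the two lists are already out of step (the later copy is also missing `Google`, which this hunk shows as unchanged context).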
@@ -120,7 +121,9 @@ nav:
- Tiny Tiny RSS: recipes/tiny-tiny-rss.md - Tiny Tiny RSS: recipes/tiny-tiny-rss.md
- Traefik: ha-docker-swarm/traefik.md - Traefik: ha-docker-swarm/traefik.md
- Traefik Forward Auth: - Traefik Forward Auth:
- Start: ha-docker-swarm/traefik-forward-auth.md - Start: ha-docker-swarm/traefik-forward-auth.md
- Dex (static): ha-docker-swarm/traefik-forward-auth/dex-static.md
- Google: ha-docker-swarm/traefik-forward-auth/google.md
- KeyCloak: ha-docker-swarm/traefik-forward-auth/keycloak.md - KeyCloak: ha-docker-swarm/traefik-forward-auth/keycloak.md
- Wallabag: recipes/wallabag.md - Wallabag: recipes/wallabag.md
- Wekan: recipes/wekan.md - Wekan: recipes/wekan.md
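Review bot: `Google` is added alongside `Dex (static)` in this hunk while it appears as unchanged context in the hunk at line 46, which confirms the two copies of the Forward Auth nav had drifted apart; after this change both should list Start, Dex (static), Google, KeyCloak in that order, which is worth checking in the rendered navigation before merging.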