Skip to content
HMS-Docker

Version 1.12

Changes:

  • Replace Watchtower image with different, more maintained version
  • Change Traefik default tag to latest with variable to control
  • Authentik update to 2025.10
  • No longer fails the app bootstrap tasks if a service is unavailable or API key fails

New variables:

inventory/group_vars/all/traefik.yml: hmsdocker_traefik_version, this will specify the Traefik version to use

Version 1.12.2

Section titled “Version 1.12.2”

Bug fixes:

  • Tautulli API key extraction
  • Sabnzbd host whitelist appending
  • Fix FlareSolverr configuration in Prowlarr
  • Multiple qBittorrent config dir creation events
  • Fix how list of Authentik proxy enabled containers is built
  • Validate that container is enabled before running prereq tasks
  • Fix permissions flapping on qbittorrent and deluge config dirs
  • Add sabnzbd to Sabnzbd’s host_whitelist so that other apps can use the docker container name for connections

Other changes:

  • Overhaul how API keys are retrieved
    • No more regex search that wouldn’t match certain items (such as a Tautulli key with a - or _ in it, it was a very simple regex before because who doesn’t hate writing regex)
  • Additional GitHub Actions debugging
  • Move Plex SSL script file to /opt/hms-docker/scripts/ by default
  • Also moved Plex SSL script task file from a postreq task to custom scripts task
  • Create new .env symlink to /opt/hms-docker/scripts/.env
  • Fix insecure XML parser
  • Fix typo in custom monitoring script
  • Update docusaurus version

Version 1.12.1

Section titled “Version 1.12.1”

Bug fixes:

  • Order of Traefik middleware to ensure error-pages is applied
  • Add 4K instance subdomain to Traefik Hosts list to fix Traefik security hardening issue
  • Add Cleanuparr to download_net so it can communicate with download clients
  • Fix missing middleware if traefik security hardening not enabled

Version 1.12.0

Section titled “Version 1.12.0”

Breaking Changes

Section titled “Breaking Changes”

Containers Moved to Container Map

Section titled “Containers Moved to Container Map”

The containers below had variables to control enabling them instead of being in the container map.

These have now been moved to the container map and will be controlled from there. The existing variables to control enablement will exist for the time being, but will be removed at some point in the future.

  • Cloudflare Tunnel (cloudflare-tunnel)
  • Cloudflare DDNS (cloudflare-ddns)
  • Watchtower (watchtower)
  • Tailscale (tailscale)

Authentik

Section titled “Authentik”

You will need to do manual steps BEFORE running the playbook, otherwise Authentik will fail to start. These steps are available in these Authentik docs

Authentik has been updated to its current latest available version, but going from the previously supported version by this project to the most recent is not a straight path due to a change in the postgresql version

Follow the steps in these Authentik docs

Wizarr

Section titled “Wizarr”

Fixed permissions to use non-root user and changed volume mount path. These items were to align it with the official documentation for installation.

New Containers

Section titled “New Containers”

Error pages, for some fancy error pages in Traefik

Removed Containers

Section titled “Removed Containers”

For the first time, a container has been removed.

Readarr - Officially retired and the docker image has been deprecated and will fail to download new images with the error no matching manifest for linux/amd64 in the manifest list entries. See more on the Readarr homepage: https://readarr.com/

New Variables

Section titled “New Variables”

  • inventory/group_vars/all/traefik.yml: hmsdocker_traefik_errorpages_enabled, this will enable the error-pages container for better HTML error pages from Traefik. Enabled by default if this does not exist for existing setups since Traefik will fail to start without it, and it’s a great quality of life improvement

  • inventory/group_vars/all/authentik.yml: hmsdocker_authentik_enabled_through_cftunnel, this will forcefully enable Authentik for all containers (if Authentik is also enabled)

  • inventory/group_vars/all/homepage_api_keys.yml:

    # Additional Homepage integration configuration options
    hmsdocker_homepage_backrest_user:
    hmsdocker_homepage_backrest_pass:
    

    hmsdocker_homepage_cftunnel_key:
    hmsdocker_homepage_cftunnel_accountid:
    hmsdocker_homepage_cftunnel_tunnelid:
    

    hmsdocker_homepage_tailscale_api_key:
    hmsdocker_homepage_tailscale_device_id:
    

    hmsdocker_homepage_speedtest_api_key:
    

    hmsdocker_homepage_tubearchivist_api_key:
    

    hmsdocker_homepage_uptimekuma_statuspage_slug:

Deprecated Variables

Section titled “Deprecated Variables”

Everything related to Readarr due to it being deprecated

  • inventory/group_vars/all/authentik.yml: authentik_enabled, this was not in use anywhere that I could find, Authentik enablement is only handled by the container map (whereas it was either before)

  • inventory/group_vars/all/container_settings.yml: container_enable_auto_updates

  • inventory/group_vars/all/cloudflare.yml: cloudflare_ddns_enabled, this container has moved to the container map with the key cloudflare-tunnel

  • inventory/group_vars/all/cloudflare.yml: cloudflare_tunnel_enabled, this container has moved to the container map with the key cloudflare-ddns

  • inventory/group_vars/all/container_settings.yml: container_enable_auto_updates, the Watchtower container has moved to the container map with the key watchtower

  • inventory/group_vars/all/tailscale.yml: tailscale_enabled, the tailscale container has moved to the container map with the key tailscale

Bug Fixes

Section titled “Bug Fixes”
  • Fix Traefik middleware declarations, now all middleware should correctly apply
  • Fix Sabnzbd host_whitelist appending
  • Ensure qBittorrent config directory exists in prereqs so config can be written
  • Remove duplicate Authentik task runs
  • Remove Authentik protection from Authentik

Other changes

Section titled “Other changes”
  • Massive overhaul to variables computed at runtime
    • This should have no impact to existing setups and paves the path for more dynamic control
  • Fix semantic version checking during playbook run
  • Tune health checks
  • New logos and images
  • Homepage now had read-only access to docker socket
  • Added more containers to Homepage
  • Updated Authentik Application/Provider documentation
  • Documentation around the custom scripts
  • Improved Actions tests around container prereqs and postreqs
  • Organize Authentik templates
  • Organize Traefik templates
  • Remove ad from Traefik dashboard
  • Remove Traefik static config backup to prevent auto-load issues since it looks at all files
  • Add more security to Traefik
    • Additional hardening options
    • read-only docker socket by default
    • read-only config file access
    • no-new-privileges:true compose security option
    • Route to traefik dashboard/API via api@internal service
    • permanent HTTPS redirection
  • Add ability to skip TLS/SSL verification for Traefik external hosts
    • the opposite of adding security, but may be needed depending on self-signed certs or proxy configs
  • Remove unused files
  • Prevent GPU tasks from being shown as “changed” during every run