diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml index 875a58f63..a7e301b07 100644 --- a/.github/FUNDING.yml +++ b/.github/FUNDING.yml @@ -1,3 +1,4 @@ # These are supported funding model platforms github: [l4rm4nd] +buy_me_a_coffee: lrvt diff --git a/.github/ISSUE_TEMPLATE/compose-request.md b/.github/ISSUE_TEMPLATE/compose-request.md index 2a9bb0215..2a4a7f0c6 100644 --- a/.github/ISSUE_TEMPLATE/compose-request.md +++ b/.github/ISSUE_TEMPLATE/compose-request.md @@ -49,17 +49,11 @@ services: # - proxy #labels: # - traefik.enable=true + # - traefik.docker.network=proxy # - traefik.http.routers.CHANGEME.rule=Host(`service.example.com`) # - traefik.http.services.CHANGEME.loadbalancer.server.port=8080 - # - traefik.http.services.CHANGEME.loadbalancer.server.scheme=https # optional, but sometines necessary when proxying to https services - # - traefik.http.services.CHANGEME.loadbalancer.serverstransport=insecureTransport@file # optional, but sometines necessary when proxying to https services - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.docker.network=proxy # # Part for optional traefik middlewares - # - traefik.http.routers.CHANGEME.middlewares=local-ipwhitelist@file,basic-auth@file + # - traefik.http.routers.CHANGEME.middlewares=local-ipwhitelist@file #networks: # proxy: diff --git a/0_skeleton/docker-compose.yml b/0_skeleton/docker-compose.yml index ad867741a..94bea1b04 100644 --- a/0_skeleton/docker-compose.yml +++ b/0_skeleton/docker-compose.yml 
@@ -1,6 +1,5 @@ -version: '3.3' - services: + example: image: user/image:tag container_name: example @@ -21,7 +20,7 @@ services: environment: - PUID=1000 - PGID=1000 - - TZ=Europe/Berlin + - TZ=Europe/Berlin #networks: # - proxy #labels: @@ -29,16 +28,20 @@ services: # - traefik.docker.network=proxy # - traefik.http.routers.CHANGEME.rule=Host(`service.example.com`) # - traefik.http.services.CHANGEME.loadbalancer.server.port=8080 + # # Optional part for selecting certificate resolver + # - traefik.http.routers.CHANGEME.tls.certresolver=myresolver-http # # Optional part when proxying to services that already provide ssl/tls # - traefik.http.services.CHANGEME.loadbalancer.server.scheme=https # - traefik.http.services.CHANGEME.loadbalancer.serverstransport=insecureTransport@file # # Optional part for file upload max sizes - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 + # - traefik.http.middlewares.limit-CHANGEME.buffering.maxRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-CHANGEME.buffering.maxResponseBodyBytes=50000000 + # - traefik.http.middlewares.limit-CHANGEME.buffering.memRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-CHANGEME.buffering.memResponseBodyBytes=50000000 # # Optional part for traefik middlewares - # - traefik.http.routers.CHANGEME.middlewares=local-ipwhitelist@file,authelia@docker + # - traefik.http.routers.CHANGEME.middlewares=local-ipwhitelist@file,crowdsec@file,limit-CHANGEME + # # Optional part to disable watchtower + # - com.centurylinklabs.watchtower.enable=false #networks: # proxy: diff --git a/README.md b/README.md index 09ba2a2a6..5d5baf019 100644 --- a/README.md +++ b/README.md 
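Review bot: The new `traefik.http.routers.CHANGEME.tls.certresolver=myresolver-http` label hard-codes a resolver name while every other site-specific value in this skeleton is marked `CHANGEME`; if no `certificatesResolvers` entry of that name exists in Traefik's static configuration the router does not get an ACME certificate (Traefik logs an error and, as far as I recall, serves its default self-signed certificate instead), which is easy to miss when copying the template. Suggest `# - traefik.http.routers.CHANGEME.tls.certresolver=CHANGEME # must match a certificatesResolvers name in traefik's static config`. The `limit-CHANGEME` middleware in the new `middlewares=` line is referenced without a provider suffix and therefore resolves within the docker provider, which only works while the `buffering` labels stay on the same container; a one-line comment stating that dependency would prevent the two halves from drifting apart. The service block continues outside the hunk.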
@@ -19,7 +19,8 @@ ## ✨ Requirements -- Docker Compose +- [Docker Engine](https://docs.docker.com/engine/install/) +- [Docker Compose](https://docs.docker.com/compose/install/) ## 🎓 Usage - Volume bind mounts are assumed to be located at `/mnt/docker-volumes//`. You can adjust the path via the global env variable `DOCKER_VOLUME_STORAGE` to your liking though. The compose examples will fall back to `/mnt/docker-volumes//` if the env variable is not set on your Docker server. @@ -30,7 +31,7 @@ Otherwise, it should be a matter of: ```` -git clone https://github.com/Haxxnet/Compose-Examples && cd Compose-Examples +git clone https://github.com/Haxxnet/Compose-Examples && cd Compose-Examples/examples cd # read the notes, comments and adjust compose + volumes + configs @@ -53,7 +54,7 @@ docker compose up - [Automation and Monitoring](#automation-and-monitoring) - [Backups](#backups) - [Blogging Platforms and Homepages](#blogging-platforms-and-homepages) -- [Communication - Social Networks, Forums and Video Conferencing](#communication---social-networks-forums-and-video-conferencing) +- [Communication - Social Networks, Webclients, Forums and Video Conferencing](#communication---social-networks-webclients-forums-and-video-conferencing) - [Document Management](#document-management) - [Domain Name Service (DNS)](#domain-name-service-dns) - [E-commerce](#e-commerce) @@ -62,6 +63,7 @@ docker compose up - [Genealogy](#genealogy) - [Identity Management - Single Sign-On (SSO) & LDAP](#identity-management---single-sign-on-sso--ldap) - [LLM & AI](#large-language-models--ai) +- [Metrics & Metric Collection](#metrics--metric-collection) - [Miscellaneous](#miscellaneous) - [Money, Budgeting & Management](#money-budgeting--management) - [Note-taking & Editors](#note-taking--editors) 
@@ -120,7 +122,9 @@ A [proxy](https://en.wikipedia.org/wiki/Proxy_server) is a server application th - [Authelia](examples/authelia) - Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for reverse proxies by allowing, denying, or redirecting requests. Recommended to combine with [Traefik](examples/traefik). - [Authentik](examples/authentik) - Authentik is an open-source Identity Provider focused on flexibility and versatility. -- [Keycloak](https://github.com/keycloak/keycloak-containers/tree/main/docker-compose-examples) - Keycloak is an open-source Identity and Access Management (IAM) solution for modern applications and services. +- [Keycloak](examples/keycloak) - Keycloak is an open-source Identity and Access Management (IAM) solution for modern applications and services. +- [ZITADEL](examples/zitadel) - ZITADEL is an open-source identity and access management platform built for teams that need more than basic auth. +- [Casdoor](examples/casdoor) - An open-source AI-first Identity and Access Management (IAM) /AI MCP gateway and auth server with web UI. - [lldap](examples/lldap) - lldap is a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication. It integrates with many backends, from KeyCloak to Authelia to Nextcloud and more. ### Large Language Models & AI 
@@ -156,7 +160,7 @@ A [VPN](https://en.wikipedia.org/wiki/Virtual_private_network) is a mechanism fo - [AdGuard Home](examples/adguard-home) - AdGuard Home is a network-wide software for blocking ads and tracking. - [AdGuard Home Sync](examples/adguard-home-sync) - Synchronize AdGuardHome config to replica instances. - [Technitium DNS](examples/technitium-dns) - An open source authoritative as well as recursive DNS server that can be used for self hosting a DNS server for privacy & security. -- [Pihole](examples/pihole) - Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network. +- [Pi-hole](examples/pi-hole) - Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network. - [Cloudflare DDNS](examples/cloudflare-ddns) - Dynamic DNS (DDNS) is a service that keeps the DNS updated with a web property's correct IP address, even if that IP address is constantly being updated. ### Software Development - Project Management, DevOps 
@@ -168,10 +172,12 @@ Tools and software for [software project management](https://en.wikipedia.org/wi - [JetBrains YouTrack](examples/jetbrains-youtrack) - YouTrack is a proprietary, commercial browser-based bug tracker, issue tracking system and project management software developed by JetBrains. - [Leantime](examples/leantime) - Leantime is an open source project management system for small teams and startups written in PHP, Javascript using MySQL. - [Gitea](examples/gitea) - Community managed fork of Gogs, lightweight code hosting solution. +- [Forgejo](examples/forgejo) - Started as a soft-fork of Gitea and developed in the interest of the general public. - [Drone](examples/drone) - Drone is a continuous delivery system built on container technology. Drone uses a simple YAML build file, to define and execute build pipelines inside Docker containers. -- [Gitlab Community](examples/gitlab-ce) - Self Hosted Git repository management, code reviews, issue tracking, activity feeds and wikis. +- [Gitlab Community](examples/gitlab) - Self Hosted Git repository management, code reviews, issue tracking, activity feeds and wikis. - [Code-Server](examples/code-server) - VS Code in the browser, hosted on a remote server. - [Onedev](examples/onedev) - Self-hosted Git Server with CI/CD and Kanban. +- [Atlassian Jira Core](examples/atlassian-jira-confluence) - Jira Core is a project and task management solution built for business teams. ### Automation and Monitoring 
@@ -210,10 +216,12 @@ Software and tools for managing [recipes](https://en.wikipedia.org/wiki/Recipe). A [gallery](https://en.wikipedia.org/wiki/Gallery_Software) is software that helps the user publish or share photos, pictures, videos or other digital media. - [Immich](examples/immich) - Self-hosted photo and video backup solution directly from your mobile phone. Alternative to Google Photos. +- [MemeLord](examples/memelord) - A taggable image meme board written in Python Django with OIDC SSO support. - [Photoprism](examples/photoprism) - Personal photo management powered by Go and Google TensorFlow. Browse, organize, and share your personal photo collection, using the latest technologies to automatically tag and find pictures. - [Stash](examples/stash) - Stash is a self-hosted webapp written in Go which organizes and serves your porn. - [LibrePhotos](examples/librephotos) - A self-hosted open source photo management service, with face recognition, geolocation, and more. - [Chevereto](examples/chevereto) - Ultimate image sharing software. Create your very own personal image hosting website in just minutes. +- [WeddingShare](examples/weddingshare) - A place for guests to view and drop pictures of the big day. ### Audio and Video Management 
@@ -221,7 +229,7 @@ A [gallery](https://en.wikipedia.org/wiki/Gallery_Software) is software that hel Software to manage audio and video material. -- [Arr-Suite](examples/arr-suite) - Docker stack consisting of Prowlarr, Sonarr, Radarr, Lidarr, Readarr, Flaresolverr, Qbittorrent and Emby. +- [Arr-Suite](examples/arr-suite) - Docker stack consisting of Prowlarr, Sonarr, Radarr, Lidarr, Readarr, Bazarr, Flaresolverr, Qbittorrent and Emby/Jellyfin. - [Raveberry](examples/raveberry) - A multi-user music server with a focus on participation. - [Deemix](examples/deemix) - deemix is a barebone deezer downloader library built from the ashes of Deezloader Remix. - [Forte](examples/forte) - forte is a self-hosted music platform. You can either connect to a forte server or create your own server for your friends & family. However, it is also very convenient to use forte on your local machine as a stand-alone music player. Supports group streaming sessions. @@ -246,6 +254,7 @@ Digital [archiving](https://en.wikipedia.org/wiki/Archival_science) and [preserv - [Archivebox](examples/archivebox) - ArchiveBox is a powerful, self-hosted internet archiving solution to collect, save, and view websites offline. - [Shiori](examples/shiori) - Simple bookmark manager and website archiver built with Go. - [Readeck](examples/readeck) - Readeck is a simple web application that lets you save the precious readable content of web pages you like and want to keep forever. +- [Linkwarden](examples/linkwarden) - Self-hosted collaborative bookmark manager to collect, organize, and preserve webpages, articles, and documents. ### Document Management 
@@ -257,6 +266,7 @@ A [document management system](https://en.wikipedia.org/wiki/Document_management - [Papermerge](examples/papermerge) - Free and open source document management system with OCR designed for scanned documents, digital archives, pdf, tiff, jpeg. - [DocuSeal](examples/docuseal) - Create, fill, and sign digital documents (alternative to DocuSign). - [Koillection](examples/koillection) - Koillection is a self-hosted service allowing users to manage any kind of collections. +- [VoucherVault](examples/vouchervault) - Django web application to store and manage vouchers, coupons, loyalty and gift cards digitally. Supports PWA, offline caching, expiry notifications, transaction histories, file uploads and OIDC SSO. ### Pastebins @@ -266,6 +276,7 @@ A [pastebin](https://en.wikipedia.org/wiki/Pastebin) is a type of online content - [PrivateBin](examples/privatebin) - PrivateBin is a minimalist, opensource online pastebin/discussion board where the server has zero knowledge of hosted data. - [Hemmelig](examples/hemmelig) - Keep your sensitive information out of chat logs, emails, and more with encrypted secrets. Free encrypted secret sharing for everyone! +- [Opengist](examples/opengist) - Self-hosted pastebin powered by Git, open-source alternative to Github Gist. ### File Transfer & Synchronization 
@@ -281,7 +292,6 @@ A [pastebin](https://en.wikipedia.org/wiki/Pastebin) is a type of online content - [Gokapi](examples/gokapi) - Lightweight selfhosted Firefox Send alternative without public upload. AWS S3 supported. - [Projectsend](examples/projectsend) - ProjectSend is a free, open source software that lets you share files with your clients, focused on ease of use and privacy. It supports clients groups, system users roles, statistics, multiple languages, detailed logs and much more! - [Pwndrop](examples/pwndrop) - pwndrop is a self-deployable file hosting service for sending out red teaming payloads or securely sharing your private files over HTTP and WebDAV. -- [Droppy](examples/droppy) (deprecated) - droppy is a self-hosted file storage server with a web interface and capabilities to edit files and view media directly in the browser. It is particularly well-suited to be run on low-end hardware like the Raspberry Pi. - [PairDrop](examples/pairdrop) - PairDrop is a sublime alternative to AirDrop that works on all platforms. Send images, documents or text via peer to peer connection to devices in the same local network/Wi-Fi or to paired devices. - [MinIO](examples/minio) - MinIO is an object storage server, compatible with Amazon S3 cloud storage service, mainly used for storing unstructured data (such as photos, videos, log files, etc.). - [Transfer.sh](examples/transfer.sh) - Easy and fast file sharing from the command-line. 
@@ -327,17 +337,18 @@ A [blog](https://en.wikipedia.org/wiki/Blog) is a discussion or informational we - [WordPress](examples/wordpress) - WordPress is a free and open-source content management system written in hypertext preprocessor language and paired with a MySQL or MariaDB database with supported HTTPS. - [Nginx + PHP](examples/nginx-php) - Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. Combined with PHP, a general-purpose scripting language geared toward web development, server-side functions can be implemented for the webs. -### Communication - Social Networks, Forums and Video Conferencing +### Communication - Social Networks, Webclients, Forums and Video Conferencing **[`^ back to top ^`](#-project-list)** -[Social Networking](https://en.wikipedia.org/wiki/Social_networking_service) and [Forum](https://en.wikipedia.org/wiki/Internet_forum) software. +[Social Networking](https://en.wikipedia.org/wiki/Social_networking_service), [Webmail clients](https://en.wikipedia.org/wiki/Webmail), [Video Conferencing](https://en.wikipedia.org/wiki/Web_conferencing) and [Forum](https://en.wikipedia.org/wiki/Internet_forum) software. - [Rocket.Chat](examples/rocketchat) - Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript for organizations with high standards of data protection. - [Mattermost](examples/mattermost) - Mattermost is an open source platform for secure collaboration across the entire software development lifecycle. -- [Answer](examples/answer) - An open-source knowledge-based community software. You can use it quickly to build Q&A community for your products, customers, teams, and more. +- [Apache Answer](examples/apache-answer) - An open-source knowledge-based community software. You can use it quickly to build Q&A community for your products, customers, teams, and more. 
- [Mirotalk P2P](examples/mirotalk) - Simple, Secure, Fast Real-Time Video Conferences Up to 4k and 60fps, compatible with all browsers and platforms. - [Reactive-Resume](examples/rxresume) - A one-of-a-kind resume builder that keeps your privacy in mind. Completely secure, customizable, portable, open-source and free forever. +- [Roundcube](examples/roundcube) - Roundcube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an email client, including MIME support, address book, folder management, message searching and spell checking. ### E-commerce 
@@ -366,9 +377,9 @@ Software that helps to increase security and privacy. - [Greenbone](examples/greenbone) - Greenbone is the world's most trusted provider of open source vulnerability management. - [SonarQube](examples/sonarqube) - SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs and code smells on 29 programming languages. - [Fail2ban](examples/fail2ban) - Fail2ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent against brute-force attacks. +- [CrowdSec](examples/crowdsec) - The open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI. - [Tor-Browser](examples/tor-browser) - Running a Tor browser instance on any headless server. - [Firefox](examples/firefox) - Firefox by linuxserver.io allows you to run the popular Firefox web broser on a remote server. -- [Bibliogram](examples/bibliogram) (deprecated) - Bibliogram is a private front-end frontend to Instagram, similar to Invidous. - [Nitter](examples/nitter) - Nitter is an alternative front-end to Twitter, and was inspired by Invidious. - [Unify Network Application](examples/unify-network-application) - The Unifi-network-application software is a powerful, enterprise wireless software engine ideal for high-density client deployments requiring low latency and high uptime performance. 
@@ -380,12 +391,15 @@ A [wiki](https://en.wikipedia.org/wiki/Wiki) is a publication collaboratively ed - [Bookstack](examples/bookstack) - BookStack is a free and open-source wiki software aimed for a simple, self-hosted, and easy-to-use platform. - [Wiki.js](examples/wikijs) - Wiki.js is an open source project that has been made possible due to the generous contributions by community backers. -- [Answer](examples/answer) - An open-source knowledge-based community software. You can use it quickly to build Q&A community for your products, customers, teams, and more. +- [Apache Answer](examples/apache-answer) - An open-source knowledge-based community software. You can use it quickly to build Q&A community for your products, customers, teams, and more. - [Obsidian-Remote](examples/obsidian-remote) - This docker image allows you to run obsidian in docker as a container and access it via your web browser. - [Obsidian-Gitsync-Perlite](https://github.com/l4rm4nd/Obsidian-Gitsync-Perlite) - Continuously sync Obsidian markdown notes from GitHub and publish it for the webs. - [Memos](examples/memos) - An open-source, self-hosted memo hub with knowledge management and social networking. - [HedgeDoc](examples/hedgedoc) - HedgeDoc lets you create real-time collaborative markdown notes. - [Docmost](examples/docmost) - Docmost is an open source collaborative documentation and wiki software. It is an open-source alternative to the likes of Confluence and Notion. +- [Atlassian Confluence](examples/atlassian-jira-confluence) - Confluence is a wiki solution built for business teams. +- [Siyuan](examples/siyuan) - A privacy-first, self-hosted, fully open source personal knowledge management software, written in typescript and golang. +- [Kiwix Serve](examples/kiwix) - Offline reader for Wikipedia and other web content stored in ZIM files, served through a lightweight web interface. ### Money, Budgeting & Management 
@@ -395,8 +409,8 @@ A [wiki](https://en.wikipedia.org/wiki/Wiki) is a publication collaboratively ed - [TRSync](examples/trsync) - Django web frontend for pytr to download all Trade Republic depot data. - [Money-Balancer](examples/money-balancer) - A simple application for managing debt with your friends! -- [Firefly III](examples/firefly-iii) - A self-hosted manager for your personal finances. -- [VoucherVault](examples/vouchervault) - Django web application to store and manage vouchers, coupons and gift cards digitally. Supports expiry notifications and transaction histories. +- [Firefly III](examples/firefly) - A self-hosted manager for your personal finances. +- [VoucherVault](examples/vouchervault) - Django web application to store and manage vouchers, coupons, loyalty and gift cards digitally. Supports expiry notifications, transaction histories and file uploads. ### Genealogy @@ -416,7 +430,8 @@ A [wiki](https://en.wikipedia.org/wiki/Wiki) is a publication collaboratively ed - [Domainmod](examples/domainmod) - DomainMOD is an open source application used to manage your domains and other internet assets in a central location. - [Snipe-IT](examples/snipe-it) - Snipe-IT is a free, open source IT asset management system written in PHP. - [Koillection](examples/koillection) - Koillection is a self-hosted service allowing users to manage any kind of collections. -- [VoucherVault](examples/vouchervault) - Django web application to store and manage vouchers, coupons and gift cards digitally. Supports expiry notifications and transaction histories. +- [VoucherVault](examples/vouchervault) - Django web application to store and manage vouchers, coupons, loyalty and gift cards digitally. Supports expiry notifications, transaction histories and file uploads. +- [Atlas](examples/atlas) - Open-source tool for network discovery, visualization, and monitoring. Built with Go, FastAPI, and React, supports Docker host scanning. ### Request Bins 
@@ -438,6 +453,16 @@ Multiplayer game servers, browser games and utilities for managing game servers. - [cs2-dedicated-server](examples/cs2-dedicated-server) - CS2 Dedicated Server Docker Image with an RCON web-based control panel. - [posio](examples/posio) - A multiplayer geography game using Websockets. - [Monkeytype](examples/monkeytype) - The most customizable typing website with a minimalistic design and a ton of features. Test yourself in various modes, track your progress and improve your speed. +- [GZCTF](examples/gzctf) - The GZ::CTF project, an open source CTF platform. + +### Metrics & Metric Collection + +**[`^ back to top ^`](#-project-list)** + +Metric gathering and display software. + +- [Grafana](examples/grafana) - The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more. +- [Grafana-LRVT](examples/grafana-monitoring) - Grafana combined with other open-source tools like Loki, Promtail, InfluxDB and Telegraf. ### Miscellaneous @@ -447,6 +472,7 @@ Software that does not fit in another section. - [Network-Multitool](examples/network-multitool) - Multi-arch multitool for container network troubleshooting. - [IT-Tools](examples/it-tools) - Collection of handy online tools for developers, with great UX. +- [Scratch-Map](examples/scratch-map) - An open-source scratch-off style map to track your travels. ## 🌟 Star History [![Star History Chart](https://api.star-history.com/svg?repos=Haxxnet/Compose-Examples&type=Date)](https://star-history.com/#Haxxnet/Compose-Examples&Date) diff --git a/docs/index.html b/docs/index.html index ca41a1472..52e782a25 100644 --- a/docs/index.html +++ b/docs/index.html @@ -1,174 +1,461 @@ - Haxxnet Compose Viewer - - - - + - - +
- - Haxxnet Avatar -
-
-

Awesome Docker Compose Examples

-

Various Docker Compose examples of selfhosted FOSS and proprietary projects.

- | - | -

- -

+

+ + Haxxnet Avatar + +

🐳 Awesome Docker Compose

+

Discover and explore selfhosted FOSS projects

+
+
Loading... Projects
+
🔍 Smart Search
+
🎲 Random Discovery
+
-
- - + +
+ + +
- - - - - + diff --git a/examples/adguard-home-sync/docker-compose.yml b/examples/adguard-home-sync/docker-compose.yml index 14d592daf..26c7a44e3 100644 --- a/examples/adguard-home-sync/docker-compose.yml +++ b/examples/adguard-home-sync/docker-compose.yml @@ -1,5 +1,5 @@ -version: "2.1" services: + adguardhome-sync: image: linuxserver/adguardhome-sync container_name: adguardhome-sync @@ -18,4 +18,4 @@ services: - PGID=1000 restart: unless-stopped volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/adguard-home-sync:/config + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/adguard-home-sync:/config \ No newline at end of file diff --git a/examples/adguard-home/docker-compose.yml b/examples/adguard-home/docker-compose.yml index 193a761f6..95b0f5c2b 100644 --- a/examples/adguard-home/docker-compose.yml +++ b/examples/adguard-home/docker-compose.yml @@ -1,10 +1,9 @@ -version: "3" - services: + adguard: + image: adguard/adguardhome:latest container_name: adguard hostname: adguard - image: adguard/adguardhome:latest ports: - 3000:3000/tcp # only required during initial setup - 8080:80/tcp # web interface after setup diff --git a/examples/answer/README.md b/examples/apache-answer/README.md similarity index 100% rename from examples/answer/README.md rename to examples/apache-answer/README.md diff --git a/examples/answer/docker-compose.yml b/examples/apache-answer/docker-compose.yml similarity index 94% rename from examples/answer/docker-compose.yml rename to examples/apache-answer/docker-compose.yml index 3e70826b6..d36d71be6 100644 --- a/examples/answer/docker-compose.yml +++ b/examples/apache-answer/docker-compose.yml @@ -1,11 +1,10 @@ -version: "3" - services: + answer: + image: answerdev/answer:latest container_name: answer - image: answerdev/answer ports: - - '9080:80' + - 9080:80 expose: - 80 restart: unless-stopped diff --git a/examples/archivebox/docker-compose.yml b/examples/archivebox/docker-compose.yml index 740c49d0e..4cabd33d2 100644 
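Review bot: The port mapping in the apache-answer compose file lost its quotes (`'9080:80'` became `9080:80`); this particular value stays a string because `80` is above 59, but the Compose reference warns that `HOST:CONTAINER` values with a container port below 60 can be read as base-60 numbers by YAML 1.1 parsers, so the quoting was a safe pattern that the edit removes for no gain. Keep `- '9080:80'` so that the line survives being copied and edited to a low port. The newly explicit `image: answerdev/answer:latest` is unpinned, so `docker compose pull` can silently move the deployment to a different release; a version tag would make the example reproducible, though I note the rest of the repository uses `:latest` as well.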
--- a/examples/archivebox/docker-compose.yml +++ b/examples/archivebox/docker-compose.yml @@ -1,6 +1,5 @@ -version: "3.9" - services: + archivebox: image: archivebox/archivebox:dev container_name: archivebox diff --git a/examples/arr-suite/.env b/examples/arr-suite/.env new file mode 100644 index 000000000..35b242915 --- /dev/null +++ b/examples/arr-suite/.env @@ -0,0 +1,7 @@ +# see https://github.com/qdm12/gluetun-wiki for more details + +VPN_SERVICE_PROVIDER=mullvad +VPN_TYPE=wireguard +WIREGUARD_PRIVATE_KEY= +WIREGUARD_ADDRESSES= +SERVER_CITIES= diff --git a/examples/arr-suite/README.md b/examples/arr-suite/README.md index c782755bb..4656017cf 100644 --- a/examples/arr-suite/README.md +++ b/examples/arr-suite/README.md @@ -5,6 +5,7 @@ - https://docs.linuxserver.io/images/docker-radarr/ - https://docs.linuxserver.io/images/docker-lidarr/ - https://docs.linuxserver.io/images/docker-readarr/ +- https://docs.linuxserver.io/images/docker-bazarr/ - https://github.com/FlareSolverr/FlareSolverr - https://docs.linuxserver.io/images/docker-qbittorrent/ - https://hub.docker.com/r/qmcgaw/gluetun 
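Review bot: `WIREGUARD_PRIVATE_KEY=` in the new `examples/arr-suite/.env` is a secret slot inside a file that is itself committed, and because Compose loads `.env` automatically the natural workflow is to fill the key in place — at which point the private key sits in the working tree of a cloned public repository, one `git add .` away from being pushed. Add a comment above it, e.g. `# WIREGUARD_PRIVATE_KEY is a secret: fill it in locally and keep this file out of version control`, and consider shipping the placeholders as `.env.example` with `.env` ignored by git. The header comment pointing at the gluetun wiki is good; it could also say which of the empty values are required for the `wireguard`/`mullvad` combination and which (such as `SERVER_CITIES`) are optional filters, so users do not treat all five the same way — I have not verified gluetun's defaults for the empty values, so that wording should be checked against the wiki.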
@@ -33,47 +34,178 @@ Docker stack consisting of various arr-services like: - Used for music - Readarr - Used for books +- Bazarr + - Used for subtitles - Flaresolverr - - Used to bypass Cloudflare for prowlarr - - You must add it at prowlarr as indexer with the tag `flaresolverr` + - Used to bypass CloudFlare for indexers on Prowlarr - Qbittorrent - Used as download client; run behind gluetun vpn killswitch container - - A temporary password for the `admin` user will be printed to the container log on startup. Change it immediately to a static one that does not change again. - Gluetun - - Used for establishing an openvpn/wireguard killswitch vpn connection for qbittorrent - - Requires an active subscription for a vpn provider (e.g. Mullvad) -- Emby / Jellyfin - - Used to manage your media libraries and stream it from various devices + - Used to establish a VPN killswitch connection for Qbittorrent to a commercial VPN provider (e.g. Mullvad) +- Emby or Jellyfin + - Used to manage your media libraries and stream content from various devices The following bind mount volumes are defined: - `/arr-suite/configs/` - holds the config files of an arr container -- `/arr-suite/media/` +- `/arr-suite/media/` - will hold your media files such as movies, music, books, tv-shows, qbittorrent downloads etc. ## Setup -You can follow this Youtube tutorial on how to setup most of the arr applications: +You can follow parts of [this Youtube tutorial](https://youtu.be/LD8-Qr3B2-o?si=49RQxJ5KRcoETCiQ&t=740) on how to configure most of the arr applications. -https://www.youtube.com/watch?v=LD8-Qr3B2-o +> **Note**: As all arr containers live within the same Docker network, you can easily reference container names instead of IPs. Docker will resolve the container names automatically to the current docker containers' IP. No need for port mappings or defining your Docker server's IP address. Use Docker networks! 
The only exception is qbittorrent, which uses the vpn killswitch network of the gluetun container. Here, the gluetun container will expose qbittorrent's web ui on TCP/8080 and the IP address of your docker host server. Setup qbittorrent in all arr-applications using your server's local IP address, on which port 8080 is mapped to. -**Note**: As all arr containers live within the same Docker network, you can easily reference container names instead of IPs. Docker will resolve the container names automatically to the current docker containers' IP. No need for port mappings or defining your Docker server's IP address. Use Docker networks! The only exception is qbittorrent, which uses the vpn killswitch network of the gluetun container. Here, the gluetun container will expose qbittorrent's web ui on TCP/8080 and the IP address of your docker host server. Setup qbittorrent in all arr-applications using your server's local IP address, on which port 8080 is mapped to. +Please make sure to configure authentication for all arr containers. Authentication is often optional and not enabled per default. -> [!WARNING] -> We configured qbittorrent to use the non-default path `/media/downloads` for downloads. -> -> Please define this location path in the qbittorrent admin panel too! +### Gluetun -![image](https://github.com/Haxxnet/Compose-Examples/assets/21357789/278b800d-2b6b-45cb-a44c-7f56def7f9d3) +Please refer to the official wiki of Gluetun to configure it for your commercial VPN provider in use. + +This must be done before spawning up the Docker Compose stack. + +For this compose example, we used Mullvad VPN, which is a privacy-friendly VPN provider that does not log. If you use another VPN provider, you have to adjust the environment variables typically. 
+ +https://github.com/qdm12/gluetun-wiki + +### Volume Mappings + +The following bind mount volumes are defined within the Docker Compose stack: + +- `/arr-suite/configs/` + - holds the config files of an arr container; automatically created during during compose stack start +- `/arr-suite/media/` + - will hold your media files such as movies, music, books, tv-shows, qbittorrent downloads etc. + - only the downloads folder will be created automatically by Qbittorrent during compose stack start + +The media folders should be created before starting up the compose stack. To do so, issue these commands: + +````bash +# create subfolders for our media library +mkdir -p ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media/{downloads,movies,tv-shows,music,books} + +# adjust permissions +sudo chown -R 1000:1000 ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media/ +sudo chmod -R 775 ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media/ +```` + +Afterwards, we can spawn up the stack via: + +````bash +docker compose up -d +```` + +### Prowlarr + +#### API Connection to other Arrs + +After spawning up the compose stack, Prowlarr will be accessible on `http://:9696`. + +Within Prowlarr, we have to configure API connectivity to Sonarr, Lidarr, Readarr and any other arrs. To do so, just log into Prowlarr via the HTTP UI and access `Settings > Apps` under `/settings/applications`. Hit the plus button and add your arr application. + +To add an arr application, you typically have to create an API key first. To do so, log into the other arr applications via the UI and create an API key. You can find the application area for this typically at `Settings > General > API Key` under `/settings/general`. + +Just make sure that the URL is correct and paste the API key. 
Should look something like this: ![image](https://github.com/Haxxnet/Compose-Examples/assets/21357789/8915f9f3-081f-41d2-9c5e-bdf9553e09c2) ![image](https://github.com/Haxxnet/Compose-Examples/assets/21357789/94de5802-3b26-420b-bb1d-ac82cd5a5cfb) +> **Note**: As all arr containers live within the same Docker network, you can easily reference container names instead of IPs. Docker will resolve the container names automatically to the current docker containers' IP. No need for port mappings or defining your Docker server's IP address. + +#### FlareResolverr CloudFlare Bypass + +Moreover, we will add FlareResolverr to Prowlarr in order to bypass CloudFlare for some indexers. To do so, head over to `Settings > Indexer` under `/settings/indexers`. Hit the plus button and add FlareResolverr. + +Ensure to define the correct URL and also the tag `flaresolverr`. The tag must be defined again when adding indexers that are protected by CloudFlare (e.g. 1337x). + ![image](https://github.com/Haxxnet/Compose-Examples/assets/21357789/19a26a74-dae0-4381-9614-46d20f912542) -## Traefik + Emby + HTTP Headers +![image](https://github.com/user-attachments/assets/548c8e93-24da-41fb-8b4d-ba7d9061b51f) + +#### Qbittorrent Download Client + +Finally, add Qbittorrent as download client to Prowlarr. Head over to `Settings > Download Clients` and add a new one. + +Define your server's IP address at `Host` (or the container name `arr-suite-gluetun`) and `8080` at `Port`. + +![image](https://github.com/user-attachments/assets/a21d117c-7ebf-4e01-a14e-11b8e3e59600) + +### Qbittorrent + +> [!WARNING] +> Qbittorrent is run behind the Gluetun VPN killswitch container. Therefore, we have to port map the Qbittorrent port 8080 at the gluetun container. +> +> This is also the reason why we define `arr-suite-gluetun` as host when adding Qbittorent and its port 8080 as download client to other arr containers. + +Log into the Qbittorrent's web UI. The UI is typically accessible from `http://:8080`. 
+ +The default username is `admin`. Make sure to change the password immediately. The initial password is printed in the container logs. If you do not change the password immediately, a new password will be printed and set upon each container restart. + +Then head over to `Settings > Downloads` and configure the custom download path `/media/downloads` as follows: + +![image](https://github.com/Haxxnet/Compose-Examples/assets/21357789/278b800d-2b6b-45cb-a44c-7f56def7f9d3) + +> [!TIP] +> If you would like to ensure that Qbittorrent downloads stuff via the gluetun VPN killswitch and not your personal WAN IP, you may use [this GitHub project](https://github.com/AKK9/torrent-ip-checker). It is an example torrent file, which does not actually download something malicious but reports back your disclosed IP address. The reported IP address must be the one from your commercial VPN provider like Mullvad. +> +> Just [download the torrent file](https://vvdapo30eb.execute-api.eu-west-2.amazonaws.com/torrent) and upload it via Qbittorrent's web UI via `File > Add torrent file`. + +![image](https://github.com/user-attachments/assets/5c7531eb-2cd7-4b16-968d-32a00cc4020a) + +#### Indexers + +Add your preferred indexers such as 1337X and many others. Do not forget to add the `flaresolverr` tag to bypass CloudFlare. + +### Sonarr, Radarr, Lidarr, Readarr, Bazarr + +All other arr applications follow the same configuration steps. + +- Sonarr is accessible at `http://:8989/` +- Radarr is accessible at `http://:7878/` +- Lidarr is accessible at `http://:8686/` +- Readarr is accessible at `http://:8787/` +- Bazarr is accessible at `http://:6767/` + +Follow these steps for each individuall arr container: + +1. Configure authentication for the arr's HTTP UI. Can be done regularly via `Settings > General`. +2. Ensure to define your media location. Can be done regularly via `Settings > Media Management > Root Folders > Path`. 
Should point to `/media/music` for Lidarr, `/media/tv-shows` for Sonarr, `/media/movies` for Radarr and `/media/books` for Readarr and so on. If those subdirectories do not exist yet, go ahead and create them via the following command: + - `mkdir -p /mnt/docker-volumes/arr-suite/media/{downloads,movies,tv-shows,music,books}` +4. Configure Qbittorrent as download client. Can be done regularly via `Settings > Download Clients`. Define your server's IP address at `Host` (or the container name `arr-suite-gluetun`) and `8080` at `Port`. +5. Configure Bazarr for Radarr and Sonarr. See https://wiki.bazarr.media/Getting-Started/Setup-Guide/ +6. Fix all `System > Health` warnings and errors reported by each arr container. May refer to https://wiki.servarr.com/. + +### Emby / Jellyfin + +The Docker Compose stack makes use of Emby as default. + +You can switch to Jellyfin by removing the Emby container service and uncommenting the Jellyfin one though. + +- Emby or Jellyfin is accessible at `http://:8096/` + +Follow the below steps to configure one of these media streaming containers: + +1. Setup authentication for your media streaming app. Is done automatically during the HTTP setup wizard. +2. Ensure to define your media location for your library. Can be done natively via the HTTP UI settings. +3. Configure transcoding and passthrough your GPU into the container (optional) + +### Reverse Proxy + +It is recommended to run all containers with an HTTP UI behind a reverse proxy. The reverse proxy can enforce a TLS encrypted communication channel with valid SSL certificates. Also add access controls via IP whitelisting, IdP forward-auth and many more. + +This example Compose Stack includes labels for the Traefik reverse proxy. Uncomment those to make use of it. Otherwise, remove them. + +If you run a different reverse proxy, please refer to the official documentation on how to configure proxy hosts. 
The ports to proxy on are defined in the Docker Compose file using the `expose` directive. + +> [!TIP] +> Once a reverse proxy is in use, you can typically remove all port mappings from the Docker Compose file. The reverse proxy will do the proxying and must be placed in the same Docker bridge network as the arr media stack. +> +> Note that the Qbittorrent TCP/8080 port is mapped at the Gluetun VPN killswitch container. So your reverse proxy must proxy to the 8080 port mapped on your docker server's IP address in order to access the Qbittorrent admin UI. + +#### Traefik + Emby + HTTP Headers During the setup of Emby in a web browser (HTTPS via Traefik) you may notice errors in the developer console, which prevent the web page from loading properly. diff --git a/examples/arr-suite/docker-compose.yml b/examples/arr-suite/docker-compose.yml index 2f0cf44f4..20f1f9ace 100644 --- a/examples/arr-suite/docker-compose.yml +++ b/examples/arr-suite/docker-compose.yml @@ -1,5 +1,3 @@ -version: "3.6" - services: # image used to index torrent links from the internet @@ -11,7 +9,7 @@ services: - PGID=1000 - TZ=Europe/Berlin volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/prowlarr:/config # database and Prowlarr configs + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/prowlarr:/config # location of database and configs expose: - 9696/tcp # web ui ports: @@ -36,8 +34,8 @@ services: - PGID=1000 - TZ=Europe/Berlin volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/sonarr:/config # database and Radarr configs - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media:/media # location of media and qbittorrent download folder + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/sonarr:/config # location of database and configs + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media:/media # location of media library + qbittorrent download folder expose: - 8989/tcp # web ui ports: 
@@ -62,8 +60,8 @@ services: - PGID=1000 - TZ=Europe/Berlin volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/radarr:/config - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media:/media # location of media and qbittorrent download folder + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/radarr:/config # location of database and configs + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media:/media # location of media library + qbittorrent download folder expose: - 7878/tcp # web ui ports: @@ -88,8 +86,8 @@ services: - PGID=1000 - TZ=Europe/Berlin volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/lidarr:/config - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media:/media # location of media and qbittorrent download folder + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/lidarr:/config # location of database and configs + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media:/media # location of media library + qbittorrent download folder expose: - 8686/tcp # web ui ports: @@ -114,8 +112,8 @@ services: - PGID=1000 - TZ=Europe/Berlin volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/readarr:/config - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media:/media # location of media and qbittorrent download folder + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/readarr:/config # location of database and configs + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media:/media # location of media library + qbittorrent download folder expose: - 8787/tcp # web ui ports: 
@@ -131,6 +129,32 @@ services: # # Optional part for traefik middlewares # - traefik.http.routers.readarr.middlewares=local-ipwhitelist@file + # image used to manage subtitles + bazarr: + image: lscr.io/linuxserver/bazarr:latest + container_name: arr-suite-bazarr + environment: + - PUID=1000 + - PGID=1000 + - TZ=Europe/Berlin + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/bazarr:/config # location of database and configs + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media:/media # location of media library (optional) + expose: + - 6767/tcp # web ui + ports: + - 6767:6767/tcp # web ui + restart: unless-stopped + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.bazarr.rule=Host(`bazarr.example.com`) + # - traefik.http.services.bazarr.loadbalancer.server.port=6767 + # # Optional part for traefik middlewares + # - traefik.http.routers.bazarr.middlewares=local-ipwhitelist@file + # image used to bypass cloudflare for prowlarr flaresolverr: image: flaresolverr/flaresolverr:latest 
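Review bot: The new `bazarr` service pulls `lscr.io/linuxserver/bazarr:latest` while the same change pins `qbittorrent` to `5.1.4-libtorrentv1` a few hunks later, so the stack now mixes a pinned and a floating tag with no stated reason; pin it the same way (`image: lscr.io/linuxserver/bazarr:<version>`) or add a comment on why a floating tag is acceptable for this one. `6767:6767/tcp` also publishes the UI on every host interface, and the README text added in this commit notes that the arr UIs ship without authentication enabled; `127.0.0.1:6767:6767/tcp` keeps it host-local until the Traefik labels are enabled, which the existing `expose` entry already covers. The same pattern applies to the other arr services, so this is a style choice for the whole file rather than a bazarr-only fix.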
@@ -157,10 +181,11 @@ services: environment: # see https://github.com/qdm12/gluetun-wiki for more details # example envs based on https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/mullvad.md - - VPN_SERVICE_PROVIDER=mullvad # define the vpn provider - - VPN_TYPE=wireguard # define the vpn protocol to use - - WIREGUARD_PRIVATE_KEY=wOEI9rqqbDwnN8/Bpp22sVz48T71vJ4fYmFWujulwUU= # define your wireguard private key here - - WIREGUARD_ADDRESSES=10.64.222.21/32 # define the ipv4 vpn network subnet here + - VPN_SERVICE_PROVIDER=${VPN_SERVICE_PROVIDER:-mullvad} # define the vpn provider + - VPN_TYPE=${VPN_TYPE:-wireguard} # define the vpn protocol to use + - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY:?WIREGUARD_PRIVATE_KEY must be set} # define your wireguard private key here + - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES:?WIREGUARD_ADDRESSES must be set} # define the ipv4 vpn network subnet here + - SERVER_CITIES=${SERVER_CITIES:?SERVER_CITIES must be set} # define the server cities volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/gluetun:/gluetun restart: unless-stopped @@ -176,7 +201,7 @@ services: # image used to download stuff; run over gluetun network (vpn killswitch) qbittorrent: - image: linuxserver/qbittorrent:latest + image: linuxserver/qbittorrent:5.1.4-libtorrentv1 container_name: arr-suite-qbittorrent environment: - PUID=1000 
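Review bot: The removed `WIREGUARD_PRIVATE_KEY=wOEI9rqqbDwnN8/Bpp22sVz48T71vJ4fYmFWujulwUU=` and `WIREGUARD_ADDRESSES=10.64.222.21/32` remain in git history even though this hunk replaces them with `${...:?}` references, so if that key was ever issued by a real Mullvad account it should be revoked rather than treated as rotated. The `:?` guards on the key and address are the right call; note that `${SERVER_CITIES:?SERVER_CITIES must be set}` also rejects an empty value, so the empty `SERVER_CITIES=` in the shipped `.env` makes `docker compose up` fail until a city is chosen — if server selection is meant to be optional, `${SERVER_CITIES:-}` with a comment would match that intent. A comment on the key line such as `# keep the real key in .env, never in this file` would make the contract explicit for people copying the example.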
@@ -184,8 +209,8 @@ services: - TZ=Europe/Berlin - WEBUI_PORT=8080 volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/qbittorrent:/config - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media/downloads:/media/downloads + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/qbittorrent:/config # location of database and configs + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media/downloads:/media/downloads # location of qbittorrent downloads depends_on: - gluetun network_mode: container:arr-suite-gluetun # use the gluetun container network (vpn killswitch) @@ -200,9 +225,9 @@ services: - PGID=1000 - TZ=Europe/Berlin volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/emby:/config # emby data storage location; can grow very large - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media:/data # media goes here - #- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/emby/lib:/opt/vc/lib # optional; path for Raspberry Pi OpenMAX libs + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/emby:/config # location of database and configs; can grow very large + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media:/data # location of media library + #- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/emby/lib:/opt/vc/lib # location for Raspberry Pi OpenMAX libs (optional) expose: - 8096/tcp # http web ui - 8920/tcp # https web ui 
@@ -234,9 +259,9 @@ services: # - PGID=1000 # - TZ=Europe/Berlin # volumes: - # - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/jellyfin:/config # emby data storage location; can grow very large - # - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media:/data # media goes here - # #- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/jellyfin/lib:/opt/vc/lib # optional; path for Raspberry Pi OpenMAX libs + # - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/jellyfin:/config # location of database and configs; can grow very large + # - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/media:/data # location of media library + # #- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/arr-suite/configs/jellyfin/lib:/opt/vc/lib # location for Raspberry Pi OpenMAX libs (optional) # expose: # - 8096/tcp # http web ui # ports: diff --git a/examples/atlas/README.md b/examples/atlas/README.md new file mode 100644 index 000000000..592e3081d --- /dev/null +++ b/examples/atlas/README.md @@ -0,0 +1,3 @@ +# References + +- https://github.com/karam-ajaj/atlas diff --git a/examples/atlas/docker-compose.yml b/examples/atlas/docker-compose.yml new file mode 100644 index 000000000..66d8e9d5a --- /dev/null +++ b/examples/atlas/docker-compose.yml 
@@ -0,0 +1,52 @@
+services:
+
+ atlas:
+ image: keinstien/atlas:latest
+ container_name: atlas
+ cap_add:
+ - NET_RAW
+ - NET_ADMIN
+ ports:
+ - 8888:8888/tcp # ui
+ - 8889:8889/tcp # api
+ expose:
+ - 8888
+ - 8889
+ environment:
+ - ATLAS_UI_PORT=8888
+ - ATLAS_API_PORT=8889
+ - FASTSCAN_INTERVAL=3600
+ - DOCKERSCAN_INTERVAL=3600
+ - DEEPSCAN_INTERVAL=7200
+ - SCAN_SUBNETS=192.168.0.0/24
+ - DOCKER_HOST=tcp://socket-proxy:2375
+ #networks:
+ # - proxy
+ # - atlas-internal
+ #labels:
+ # - traefik.enable=true
+ # - traefik.docker.network=proxy
+ # - traefik.http.routers.atlas.rule=Host(`atlas.example.com`)
+ # - traefik.http.services.atlas.loadbalancer.server.port=8888
+ # # Optional part for traefik middlewares
+ # - traefik.http.routers.atlas.middlewares=local-ipwhitelist@file
+
+ socket-proxy:
+ image: lscr.io/linuxserver/socket-proxy:latest
+ container_name: socket-proxy-atlas
+ environment:
+ - CONTAINERS=1
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ #networks:
+ # - atlas-internal
+ restart: always
+ read_only: true
+ tmpfs:
+ - /run
+
+#networks:
+# proxy:
+# external: true
+# atlas-internal:
+# internal: true
diff --git a/examples/atlassian-jira-confluence/README.md b/examples/atlassian-jira-confluence/README.md
new file mode 100644
index 000000000..dd92863f9
--- /dev/null
+++ b/examples/atlassian-jira-confluence/README.md
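Review bot: `atlas-internal` is commented out on both services and in the top-level `networks:` map, so the Docker API proxy only stays isolated as long as nobody uncomments `proxy` on `atlas` alone (which then leaves `socket-proxy` unreachable on the project-default network) or adds the proxy to a shared network later. `CONTAINERS=1` is read-only, but container inspect responses include each container's environment, which elsewhere in this repository carries database passwords and VPN keys, so the 2375 listener deserves a network nobody else can join. I would make `atlas-internal` (`internal: true`) active by default on both services and in the top-level map, leaving only `proxy` commented for the optional Traefik setup. `atlas` also runs with `NET_RAW`/`NET_ADMIN` but has no `restart:` policy and no `security_opt: - no-new-privileges:true`; at minimum a comment should say the capabilities are required for the subnet scan.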
@@ -0,0 +1,17 @@ +# References + +- https://atlassian.github.io/data-center-helm-charts/containers/JIRA/ +- https://atlassian.github.io/data-center-helm-charts/containers/CONFLUENCE/ +- https://hub.docker.com/r/atlassian/jira-core +- https://hub.docker.com/r/atlassian/confluence + +# Notes + +> [!CAUTION] +> - **Jira Server** and **Confluence Server** support ended on **2024-02-15** (no security fixes). Check out the new Datacenter options. + +The Jira Core container requires a database. + +The compose stack will spawn up a postgresql database for this. You can configure the database connection from Jira's setup wizard via the HTTP UI. + +May use a dedicated `.env` file to provide your custom DB credentials. Ensure to use secure passwords! diff --git a/examples/atlassian-jira-confluence/docker-compose.yml b/examples/atlassian-jira-confluence/docker-compose.yml new file mode 100644 index 000000000..3f5801def --- /dev/null +++ b/examples/atlassian-jira-confluence/docker-compose.yml 
@@ -0,0 +1,126 @@ +services: + + confluence: + image: atlassian/confluence:9.0.3 + container_name: confluence + hostname: confluence + restart: unless-stopped + environment: + # detailed debug messages during the container initialization + - VERBOSE_LOGS=false + # maximum number of days for access logs to be retained before being deleted + - ATL_TOMCAT_ACCESS_LOGS_MAXDAYS=360 + # The maximum time a user can remain logged-in with remember me feature (in seconds; default 2 weeks). + - ATL_AUTOLOGIN_COOKIE_AGE=1209600 + # The minimum heap size of the JVM + - JVM_MINIMUM_MEMORY=1024m + # maximum heap size of the JVM + - JVM_MAXIMUM_MEMORY=1024m + # reserved code cache size of the JVM + - JVM_RESERVED_CODE_CACHE_SIZE=256m + # reverse proxy setup + - ATL_PROXY_NAME=confluence.example.com + - ATL_PROXY_PORT=443 + - ATL_TOMCAT_PORT=8090 + - ATL_TOMCAT_SCHEME=https + - ATL_TOMCAT_SECURE=false + # list of trusted reverse proxy ips separated by a pipe character + - ATL_TOMCAT_TRUSTEDPROXIES=192.168.0.0/24|10.0.0.0/8|172.16.0.0/16 + ports: + - 8090:8090/tcp + expose: + - 8090 # http web + - 8091 # synchrony api + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/confluence/data:/var/atlassian/application-data/confluence + networks: + - atlassian-network + #labels: + # - traefik.enable=true + # - traefik.docker.network=atlassian-network + # - traefik.http.routers.confluence.rule=Host(`confluence.example.com`) + # - traefik.http.services.confluence.loadbalancer.server.port=8090 + # # Optional part for file upload max sizes + # - traefik.http.middlewares.limit-confluence.buffering.maxRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-confluence.buffering.maxResponseBodyBytes=50000000 + # - traefik.http.middlewares.limit-confluence.buffering.memRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-confluence.buffering.memResponseBodyBytes=50000000 + # # Optional part for traefik middlewares + # - 
traefik.http.routers.confluence.middlewares=limit-confluence + + jira: + image: atlassian/jira-core:9.9.2 + container_name: jira + hostname: jira + restart: unless-stopped + environment: + # detailed debug messages during the container initialization + - VERBOSE_LOGS=false + # maximum number of days for access logs to be retained before being deleted + - ATL_TOMCAT_ACCESS_LOGS_MAXDAYS=360 + # The maximum time a user can remain logged-in with remember me feature (in seconds; default 2 weeks) + - ATL_AUTOLOGIN_COOKIE_AGE=1209600 + # The minimum heap size of the JVM + - JVM_MINIMUM_MEMORY=1024m + # maximum heap size of the JVM + - JVM_MAXIMUM_MEMORY=1024m + # reserved code cache size of the JVM + - JVM_RESERVED_CODE_CACHE_SIZE=256m + # reverse proxy setup + - ATL_PROXY_NAME=jira.example.com + - ATL_PROXY_PORT=443 + - ATL_TOMCAT_PORT=8090 + - ATL_TOMCAT_SCHEME=https + - ATL_TOMCAT_SECURE=false + # list of trusted reverse proxy ips separated by a pipe character + - ATL_TOMCAT_TRUSTEDPROXIES=192.168.0.0/24|10.0.0.0/8|172.16.0.0/16 + depends_on: + - postgresql + ports: + - 8080:8080/tcp + expose: + - 8080 # http web + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/jira/data:/var/atlassian/application-data/jira + networks: + - atlassian-network + - internal-db-network + #labels: + # - traefik.enable=true + # - traefik.docker.network=atlassian-network + # - traefik.http.routers.jira.rule=Host(`jira.example.com`) + # - traefik.http.services.jira.loadbalancer.server.port=8080 + # # Optional part for file upload max sizes + # - traefik.http.middlewares.limit-jira.buffering.maxRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-jira.buffering.maxResponseBodyBytes=50000000 + # - traefik.http.middlewares.limit-jira.buffering.memRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-jira.buffering.memResponseBodyBytes=50000000 + # # Optional part for traefik middlewares + # - traefik.http.routers.jira.middlewares=limit-jira + + postgresql: + image: 
docker.io/library/postgres:16-alpine + container_name: jira-psql + restart: unless-stopped + healthcheck: + test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"] + start_period: 20s + interval: 30s + retries: 5 + timeout: 5s + expose: + - 5432 + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/jira/psql:/var/lib/postgresql/data + environment: + POSTGRES_PASSWORD: ${PG_PASS:-jira} + POSTGRES_USER: ${PG_USER:-jira} + POSTGRES_DB: ${PG_DB:-jira} + networks: + - internal-db-network + +networks: + atlassian-network: + external: true + internal-db-network: + internal: true diff --git a/examples/authelia/config/configuration.yml b/examples/authelia/config/configuration.yml index bbea53990..1689aa69c 100644 --- a/examples/authelia/config/configuration.yml +++ b/examples/authelia/config/configuration.yml 
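Review bot: The `jira` service sets `ATL_TOMCAT_PORT=8090` but publishes, exposes and proxies port `8080`, which reads like a copy of the Confluence block; per the Atlassian image docs `ATL_TOMCAT_PORT` is the listener port, so Jira would come up on 8090 and nothing would reach it — use `ATL_TOMCAT_PORT=8080` or drop the line for the default. Both services pair `ATL_TOMCAT_SCHEME=https` with `ATL_TOMCAT_SECURE=false`; the Atlassian docs ask for `ATL_TOMCAT_SECURE=true` whenever the scheme is https, otherwise session cookies may be issued without the Secure flag behind the TLS proxy. `ATL_TOMCAT_TRUSTEDPROXIES` feeds Tomcat's RemoteIpValve, which as far as I recall matches entries as regular expressions rather than CIDRs, so `192.168.0.0/24|10.0.0.0/8|172.16.0.0/16` would only match those literal strings — confirm and, if so, use the regex form from the docs or the proxy's actual address. `POSTGRES_PASSWORD: ${PG_PASS:-jira}` silently falls back to a guessable password; `${PG_PASS:?PG_PASS must be set}` would enforce the `.env` the README asks for.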
@@ -103,4 +103,74 @@ notifier: # sender: "MySender " filesystem: filename: /config/notifications.txt + +#identity_providers: +# oidc: +# hmac_secret: 'a-very-secure-hmac-secret' +# jwks: +# - key_id: 'authelia' +# algorithm: 'RS256' +# use: 'sig' +# certificate_chain: | +# -----BEGIN CERTIFICATE----- +# +# -----END CERTIFICATE----- +# key: | +# -----BEGIN PRIVATE KEY----- +# +# -----END PRIVATE KEY----- +# enable_client_debug_messages: false +# minimum_parameter_entropy: 8 +# enforce_pkce: 'public_clients_only' +# enable_pkce_plain_challenge: false +# enable_jwt_access_token_stateless_introspection: false +# discovery_signed_response_alg: 'none' +# discovery_signed_response_key_id: '' +# require_pushed_authorization_requests: false +# lifespans: +# access_token: '1h' +# authorize_code: '1m' +# id_token: '1h' +# refresh_token: '90m' +# cors: +# endpoints: +# - 'authorization' +# - 'token' +# - 'revocation' +# - 'introspection' +# allowed_origins: +# - 'https://immich.example.com' +# allowed_origins_from_client_redirect_uris: false +# clients: +# - client_id: immich +# client_name: Immich OIDC +# client_secret: 'a-very-secure-client-secret' +# public: false +# authorization_policy: one_factor # may use two_factor to enforce 2FA +# consent_mode: explicit +# token_endpoint_auth_method: "client_secret_basic" +# pre_configured_consent_duration: 1w +# scopes: +# - openid +# - groups +# - email +# - profile +# redirect_uris: # adjust to your domains +# - https://authelia.example.com/ +# - https://authelia.example.com/oauth2/callback +# - https://immich.example.com/oauth2/callback +# - https://immich.example.com/auth/login +# - https://immich.example.com/user-settings +# - https://immich.example.com +# - app.immich:/ +# - https://immich.example.com/api/oauth/mobile-redirect +# grant_types: +# - refresh_token +# - authorization_code +# response_types: +# - code +# response_modes: +# - form_post +# - query +# - fragment ... 
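Review bot: The commented OIDC template stores `client_secret: 'a-very-secure-client-secret'` in plaintext; Authelia expects the client secret as a password hash (its docs generate one with `authelia crypto hash generate pbkdf2 --random`) and, as far as I recall, current releases only accept the plaintext form with a deprecation warning — a comment on that line such as `# store the hash from: authelia crypto hash generate pbkdf2 --random` would steer readers right. `hmac_secret` and the empty JWKS certificate/key blocks are placeholders too; a note that both must be random and kept out of the repository avoids deployments that keep the sample values. The `redirect_uris` list mixes Authelia's own portal URL and the Immich site root with the real callback paths; trimming it to the URIs Immich actually redirects to keeps the authorization code from being deliverable to pages that do not need it. Everything here is commented, so none of this takes effect until someone enables the block.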
diff --git a/examples/authelia/docker-compose.yml b/examples/authelia/docker-compose.yml index 191c343f7..79daf14ae 100644 --- a/examples/authelia/docker-compose.yml +++ b/examples/authelia/docker-compose.yml @@ -1,13 +1,10 @@ -version: '3.3' - services: + authelia: - image: authelia/authelia + image: authelia/authelia:latest container_name: authelia volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/authelia/config:/config - networks: - - proxy labels: - 'traefik.enable=true' - 'traefik.http.routers.authelia.rule=Host(`auth.example.com`)' # replace with your domain name @@ -15,26 +12,30 @@ services: - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.example.com' # replace with your domain name - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true' - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length + ports: + - 9091:9091/tcp expose: - 9091 restart: unless-stopped environment: - TZ=Europe/Berlin + #networks: + # - proxy redis: - image: redis:alpine + image: redis:8-alpine container_name: authelia-redis command: redis-server --requirepass SuperSecureRedisAuthPassword # also reflect this in the authelia config file volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/authelia/redis:/data - networks: - - proxy expose: - 6379 restart: unless-stopped environment: - TZ=Europe/Berlin + #networks: + # - proxy -networks: - proxy: - external: true +#networks: +# proxy: +# external: true \ No newline at end of file diff --git a/examples/authentik/.env b/examples/authentik/.env index 1b461d2c0..1e7ea4fd1 100644 --- a/examples/authentik/.env +++ b/examples/authentik/.env 
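Review bot: `9091:9091/tcp` publishes Authelia's plain-HTTP portal and its `/api/verify` forward-auth endpoint on every host interface, while the `networks: - proxy` entries that let Traefik reach `http://authelia:9091` by container name are commented out in the same hunk. Behind Traefik the port mapping is not needed at all (the existing `expose: - 9091` covers it); if it is kept for the no-proxy case, `127.0.0.1:9091:9091/tcp` limits it to the host so the session cookie and auth decisions only travel over the TLS route. The forwardauth labels stay active, so a comment like `# uncomment networks.proxy when using the Traefik labels above` would keep the two settings from drifting apart. `redis` still passes `--requirepass SuperSecureRedisAuthPassword` on the command line, visible via `docker inspect`; that predates this change, but the `.env` pattern used elsewhere in this commit would fit here too.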
@@ -1,8 +1,12 @@ +# define the version to use +AUTHENTIK_VERSION=2025.10 + +# database credentials PG_USER=authentik PG_DB=authentik -# generate via pwgen -s 40 1 +# generate via: pwgen -s 40 1 PG_PASS=7jFjT4pUyf0YOlQ84LrO6JdLVWpzKEGiEMtdVwBE -# generate via pwgen -s 50 1 +# generate via: pwgen -s 50 1 AUTHENTIK_SECRET_KEY=YZRzXecsKQVEJ3Lr5uoKRGXZkETsYjUDT1qtQ28JjzWzDYvcoG diff --git a/examples/authentik/README.md b/examples/authentik/README.md index cfcbeaed7..5d2535c1f 100644 --- a/examples/authentik/README.md +++ b/examples/authentik/README.md 
@@ -1,14 +1,83 @@ # References -- https://goauthentik.io/docs/installation/ +- https://github.com/goauthentik/authentik - https://blog.lrvt.de/authentik-traefik-azure-ad/ # Notes -After spawning up this Authentik stack, you will be greeted by Authentik's login dashboard. However, you have to onboard an admin user first. +Adjust the `.env` file with your private secrets and spawn up the stack: + +```` +docker compose up -d +```` + +After spawning up the Authentik stack, you will be greeted by Authentik's login dashboard. However, you have to onboard an admin user first. This is done by visiting the following URL: ```` -http(s):///if/flow/initial-setup +# with TLS reverse proxy +https:///if/flow/initial-setup/ + +# without TLS reverse proxy +https://:9000/if/flow/initial-setup/ +```` + +## Traefik Outpost on another server + +In case you want to protect containers with Authentik but your Authentik runs on another, totally different server, you can deploy an outpost container. This container will communicate with your offsite Authentik instance and provide a traefik forward-auth middleware. + +Follow these instructions: + +1. Create your to-be-protected application at your Authentik instance (provider + app) as usual. +2. Create a new outpost at your Authentik instance at `/if/admin/#/outpost/outposts`. + - Make note of the deployment token. This one will later be used as env in `AUTHENTIK_TOKEN` for the outpost container. + - Add your previously to-be-protected application to this outpost. +4. Spawn the outpost proxy container on your server, where Authentik is not running. 
+ +```` +services: + + authentik-outpost: + image: ghcr.io/goauthentik/proxy:2025.10 + container_name: authentik-outpost + restart: unless-stopped + expose: + - 9000 + environment: + AUTHENTIK_HOST: https://authentik.example.com # <-- adjust + AUTHENTIK_TOKEN: # <-- adjust + AUTHENTIK_INSECURE: "false" # set to "true" if your Authentik domain uses self-signed certs + labels: + - traefik.enable=true + - traefik.http.middlewares.authentik.forwardauth.address=http://authentik-outpost:9000/outpost.goauthentik.io/auth/traefik + - traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true + - traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-m> + networks: + - proxy + +networks: + proxy: + external: true +```` + +Afterwards, you can use the new middleware `authentik@docker` for your running containers. If enabled, you have to authenticate against the Authentik instance, which runs somewhere else. + +Here an example on how to enable the middleware on a simplistic whoami container: + +```` +services: + + whoami: + image: traefik/whoami + container_name: whoami + command: + - --name=whoami + labels: + - traefik.enable=true + - traefik.docker.network=dev + - traefik.http.routers.whoami.rule=Host(`whoami.example.com`) + - traefik.http.routers.whoami.service=whoami + - traefik.http.services.whoami.loadbalancer.server.port=80 + - traefik.http.routers.whoami.middlewares=authentik@docker # <--- this is the relevant part ```` diff --git a/examples/authentik/docker-compose.yml b/examples/authentik/docker-compose.yml index 7d67eb333..6fe8b5b1b 100644 --- a/examples/authentik/docker-compose.yml +++ b/examples/authentik/docker-compose.yml @@ -1,5 +1,3 @@ -version: "3.4" - services: postgresql: 
@@ -40,7 +38,7 @@ services: - authentik-internal authentik-proxy: - image: ghcr.io/goauthentik/server:2024.4 + image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION:-2025.10} container_name: authentik restart: unless-stopped command: server @@ -54,6 +52,9 @@ services: volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/authentik/media:/media - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/authentik/custom-templates:/templates + ports: + - 9000:9000/tcp # http + - 9443:9443/tcp # https expose: - 9000 - 9443 
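Review bot: The new `ports:` stanza publishes 9000 and 9443 on all host interfaces, while the Traefik labels for this service are commented out in the next hunk, so the instance becomes reachable directly and the `local-ipwhitelist`/`crowdsec` middlewares this commit recommends elsewhere would only ever cover the proxied path. If direct access is intended for initial setup only, `- 127.0.0.1:9000:9000/tcp # http` and `- 127.0.0.1:9443:9443/tcp # https` keep it off the LAN. The `# http` comment on 9000 also contradicts the README changed in this commit, which points non-proxied users at `https://:9000/if/flow/initial-setup/`; one of the two should change. The `${AUTHENTIK_VERSION:-2025.10}` image pin in the earlier hunk reads fine.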
@@ -65,17 +66,17 @@ services: networks: - proxy - authentik-internal - labels: - - traefik.enable=true - - traefik.http.routers.authentik.rule=Host(`authentik.example.com`) || HostRegexp(`{subdomain:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?}.example.com`) && PathPrefix(`/outpost.goauthentik.io/`) - - traefik.http.services.authentik.loadbalancer.server.port=9000 - - traefik.docker.network=proxy - - traefik.http.middlewares.authentik.forwardauth.address=http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik - - traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true - - traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version + #labels: + # - traefik.enable=true + # - traefik.http.routers.authentik.rule=Host(`authentik.example.com`) || HostRegexp(`{subdomain:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?}.example.com`) && PathPrefix(`/outpost.goauthentik.io/`) + # - traefik.http.services.authentik.loadbalancer.server.port=9000 + # - traefik.docker.network=proxy + # - traefik.http.middlewares.authentik.forwardauth.address=http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik + # - traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true + # - traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version worker: - image: ghcr.io/goauthentik/server:2024.4 + image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION:-2025.10} container_name: authentik-worker restart: unless-stopped command: worker 
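Review bot: Commenting out the whole `labels:` block removes the `traefik.http.middlewares.authentik.forwardauth.*` definition, yet the service stays attached to `proxy` and the README in this commit tells readers to reference `authentik@docker` from other containers; with the labels disabled that middleware does not exist and any router referencing it fails to load. Either keep the three `middlewares.authentik.forwardauth` lines active and comment only the router and service lines, or state in the README that this block must be uncommented first. Keeping `networks: - proxy` while `#labels:` is commented is also inconsistent with the other examples in this commit, which comment `#networks:` and `#labels:` together; a one-line comment explaining why the attachment stays would help.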
@@ -95,12 +96,13 @@ services: - .env depends_on: - postgresql - - redis + - redis networks: + - proxy - authentik-internal networks: proxy: external: true authentik-internal: - external: true + internal: true diff --git a/examples/bibliogram/README.md b/examples/bibliogram/README.md deleted file mode 100644 index 4c994689a..000000000 --- a/examples/bibliogram/README.md +++ /dev/null @@ -1,4 +0,0 @@ -# References - -- https://hub.docker.com/r/schklom/bibliogram -- https://git.sr.ht/~cadence/bibliogram-docs/tree/master/docs/Configuring.md#files \ No newline at end of file diff --git a/examples/bibliogram/config.js b/examples/bibliogram/config.js deleted file mode 100644 index 4e6754d89..000000000 --- a/examples/bibliogram/config.js +++ /dev/null @@ -1,3 +0,0 @@ -module.exports = { - website_origin: "https://mydomain.net" -} \ No newline at end of file diff --git a/examples/bibliogram/docker-compose.yml b/examples/bibliogram/docker-compose.yml deleted file mode 100644 index 94edacbd2..000000000 --- a/examples/bibliogram/docker-compose.yml +++ /dev/null @@ -1,23 +0,0 @@ -version: '3.4' -services: - bibliogram: - image: schklom/bibliogram - container_name: bibliogram - volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/bibliogram/config.js:/app/config.js:ro - ports: - - 10407:10407 - restart: unless-stopped - #networks: - # - proxy - #labels: - # - traefik.enable=true - # - traefik.docker.network=proxy - # - traefik.http.routers.bibliogram.rule=Host(`bibliogram.example.com`) - # - traefik.http.services.bibliogram.loadbalancer.server.port=10407 - # # Optional part for traefik middlewares - # - traefik.http.routers.bibliogram.middlewares=local-ipwhitelist@file,authelia@docker - -#networks: -# proxy: -# external: true diff --git a/examples/bitwarden/README.md b/examples/bitwarden/README.md index 0cabd266a..72773fa7a 100644 --- a/examples/bitwarden/README.md +++ b/examples/bitwarden/README.md 
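Review bot: The worker is now attached to the shared `proxy` network in addition to `authentik-internal`, which gives it a network path to every container Traefik fronts; presumably this restores egress after `authentik-internal` became `internal: true` (an internal network has no route off the host), but a dedicated non-internal network, or simply the default compose network, provides egress without that lateral reach. Switching `authentik-internal` from `external: true` to `internal: true` also means compose now creates the network itself, so existing deployments keep their hand-created one around unused; a README line about removing it would avoid confusion. The `- redis` change in `depends_on` is whitespace only.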
@@ -1,7 +1,3 @@ # References -- https://bitwarden.com/help/install-and-deploy-unified-beta/ - -# Note - -Does not work with MariaDB at the moment. See https://github.com/bitwarden/server/issues/2718 +- https://bitwarden.com/help/install-and-deploy-lite/#tab-docker-compose-5JDM3sqPaeOnRiPXhlVjSX diff --git a/examples/bitwarden/docker-compose.yml b/examples/bitwarden/docker-compose.yml index 309729bd0..8fa53fd41 100644 --- a/examples/bitwarden/docker-compose.yml +++ b/examples/bitwarden/docker-compose.yml 
@@ -1,26 +1,48 @@ -version: "3.8" - services: + bitwarden: - image: bitwarden/self-host:2023.10.1-beta - container_name: bitwarden_unified + image: ghcr.io/bitwarden/lite + container_name: bitwarden-lite restart: always depends_on: - - bitwarden-unified-db + - db env_file: - settings.env ports: - "8888:8080" + expose: + - 8080 volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/bitwarden-unified/data:/etc/bitwarden - - bitwarden-unified-db: - image: postgres:alpine3.18 - container_name: bitwarden_unified_db + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/bitwarden-lite/data:/etc/bitwarden + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/bitwarden-lite/data/logs:/var/log/bitwarden + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.bitwarden.rule=Host(`bitwarden.example.com`) + # - traefik.http.services.bitwarden.loadbalancer.server.port=8080 + # # Optional part for file upload max sizes + # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 + # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 + # # Optional part for traefik middlewares + # - traefik.http.routers.bitwarden.middlewares=local-ipwhitelist@file + + db: + image: postgres:18-alpine + container_name: bitwarden-lite-db restart: always environment: POSTGRES_USER: "bitwarden" - POSTGRES_PASSWORD: "Secure_MariaDB_Password1" + POSTGRES_PASSWORD: "super_strong_password" POSTGRES_DB: "bitwarden_vault" volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/bitwarden-unified/psql:/var/lib/postgresql/data + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/bitwarden-lite/psql:/var/lib/postgresql/data + #networks: + # - proxy + +#networks: +# proxy: +# external: true 
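Review bot: `db` moves to `postgres:18-alpine` but keeps its data mounted at `/var/lib/postgresql/data`, while the docuseal and casdoor services in this same commit mount the 18 image at `/var/lib/postgresql`; if the 18 image's default data directory is no longer under `/var/lib/postgresql/data`, which the other two changes suggest, this bind mount stays empty and the vault database lives in an anonymous volume that disappears on `docker compose down`. Aligning the mount, `- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/bitwarden-lite/psql:/var/lib/postgresql`, avoids that, and a comment on the line would make the layout change visible. The replacement `image: ghcr.io/bitwarden/lite` carries no tag where the old line pinned `2023.10.1-beta`, so upgrades now happen implicitly; and `POSTGRES_PASSWORD: "super_strong_password"` is duplicated as `BW_DB_PASSWORD` in `settings.env`, so `# must match BW_DB_PASSWORD in settings.env` would prevent the two drifting apart.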
diff --git a/examples/bitwarden/settings.env b/examples/bitwarden/settings.env index 811f93c84..6c2e31d6b 100644 --- a/examples/bitwarden/settings.env +++ b/examples/bitwarden/settings.env @@ -11,7 +11,7 @@ BW_DB_PROVIDER=postgresql BW_DB_SERVER=db BW_DB_DATABASE=bitwarden_vault BW_DB_USERNAME=bitwarden -BW_DB_PASSWORD=Secure_MariaDB_Password1 +BW_DB_PASSWORD=super_strong_password # Installation information # Get your ID and key from https://bitwarden.com/host/ diff --git a/examples/bookstack/docker-compose.yml b/examples/bookstack/docker-compose.yml index 43c5e8393..e28cb1cae 100644 --- a/examples/bookstack/docker-compose.yml +++ b/examples/bookstack/docker-compose.yml @@ -1,23 +1,27 @@ -version: "3" - services: + bookstack: - image: linuxserver/bookstack + image: linuxserver/bookstack:latest container_name: bookstack hostname: bookstack environment: - PUID=1000 - PGID=1000 - APP_URL=http://127.0.0.1:8099 # change this to your prod url with https + # you should generate a new app key using: + # docker run -it --rm --entrypoint /bin/bash lscr.io/linuxserver/bookstack:latest appkey + - APP_KEY=base64:Npczl7vKB0Y3AlNboNTD5f71bYVaAuVB8ay4UhZ3My0= - DB_HOST=bookstack_db - - DB_USER=bookstack - - DB_PASS=USERPW1 + - DB_USERNAME=bookstack + - DB_PASSWORD=USERPW1 - DB_DATABASE=bookstackapp volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/bookstack/config:/config restart: unless-stopped ports: - 8099:80 + expose: + - 80 depends_on: - bookstack_db #networks: 
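Review bot: The new `APP_KEY=base64:Npczl7vKB0Y3AlNboNTD5f71bYVaAuVB8ay4UhZ3My0=` is a syntactically valid application key committed to a public example, and in a Laravel-based app such as BookStack that key protects sessions and stored secrets, so every deployment that skips the `docker run ... appkey` step documented above it shares the same key. If the image refuses to start without a valid key, which may be why a real-looking value was chosen, the comment should say so, e.g. `# REQUIRED: replace this, the value below is public`; otherwise `APP_KEY=CHANGEME` makes the omission fail loudly. The `DB_USERNAME`/`DB_PASSWORD` rename presumably follows the image's own variable names, but `DB_PASSWORD=USERPW1` still has to match `MYSQL_PASSWORD=USERPW1` in the `bookstack_db` hunk below, so both lines need the same `# change this` marker.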
@@ -28,15 +32,15 @@ services: # - traefik.http.routers.bookstack.rule=Host(`bookstack.example.com`) # - traefik.http.services.bookstack.loadbalancer.server.port=80 # # Optional part for file upload max sizes - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 + # - traefik.http.middlewares.limit-bookstack.buffering.maxRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-bookstack.buffering.maxResponseBodyBytes=50000000 + # - traefik.http.middlewares.limit-bookstack.buffering.memRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-bookstack.buffering.memResponseBodyBytes=50000000 # # Optional part for traefik middlewares - # - traefik.http.routers.bookstack.middlewares=local-ipwhitelist@file,authelia@docker + # - traefik.http.routers.bookstack.middlewares=limit-bookstack bookstack_db: - image: linuxserver/mariadb + image: linuxserver/mariadb:latest container_name: bookstack_db hostname: bookstack_db environment: @@ -47,6 +51,8 @@ services: - MYSQL_DATABASE=bookstackapp - MYSQL_USER=bookstack - MYSQL_PASSWORD=USERPW1 + expose: + - 3306 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/bookstack/mariadb-config:/config restart: unless-stopped diff --git a/examples/caddy/docker-compose.yml b/examples/caddy/docker-compose.yml index 36a71799b..e6450aa31 100644 --- a/examples/caddy/docker-compose.yml +++ b/examples/caddy/docker-compose.yml @@ -1,5 +1,5 @@ -version: "3.7" services: + caddy: image: caddy:latest container_name: caddy @@ -9,6 +9,9 @@ services: ports: - "80:80" - "443:443" + expose: + - 80 # http + - 443 # https volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/caddy/CaddyFile:/etc/caddy/Caddyfile - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/caddy/data:/data 
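Review bot: The middleware reference on the last changed line drops `local-ipwhitelist@file,authelia@docker` and keeps only `limit-bookstack`, so the commented template no longer shows any access restriction for a service it then exposes through the proxy; the skeleton in this commit uses `local-ipwhitelist@file,crowdsec@file,limit-CHANGEME`, and `# - traefik.http.routers.bookstack.middlewares=local-ipwhitelist@file,crowdsec@file,limit-bookstack` would match it. The same reduction is made to the code-server example later in this commit (`limit-codeserver`). Renaming the buffering middleware from the shared `limit` to `limit-bookstack` is a good change, since a middleware name defined by several containers with different settings may conflict in Traefik's docker provider.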
diff --git a/examples/casdoor/README.md b/examples/casdoor/README.md
new file mode 100644
index 000000000..88772d0b5
--- /dev/null
+++ b/examples/casdoor/README.md
@@ -0,0 +1,12 @@
+# References
+
+- https://github.com/casdoor/casdoor
+- https://casdoor.org/pl/docs/basic/try-with-docker/
+
+# Notes
+
+You have to manually supply an `app.conf` configuration file.
+
+Within this file, you have to define your postgresql database connection string.
+
+An example `app.conf` is provided in this repository. Adjust it to your needs and place it at the bind mount volume `/mnt/docker-volumes/casdoor/conf/app.conf`.
diff --git a/examples/casdoor/app.conf b/examples/casdoor/app.conf
new file mode 100644
index 000000000..1c228a38d
--- /dev/null
+++ b/examples/casdoor/app.conf
@@ -0,0 +1,18 @@
+# general
+appname = casdoor
+httpport = 8000
+runmode = prod
+
+# database
+driverName = postgres
+dataSourceName = host=db port=5432 user=casdoor password=pls-changeme-to-strong-pw dbname=casdoor sslmode=disable
+
+# logging and debugging
+showSql = true
+logPostOnly = true
+
+# more settings
+verificationCodeTimeout = 10
+inactiveTimeoutMinutes = 10
+staticBaseUrl = "https://cdn.casbin.org"
+enableGzip = true
diff --git a/examples/casdoor/docker-compose.yml b/examples/casdoor/docker-compose.yml
new file mode 100644
index 000000000..16cbfeb00
--- /dev/null
+++ b/examples/casdoor/docker-compose.yml
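Review bot: `showSql = true` together with `runmode = prod` makes Casdoor log every SQL statement, and statements that store or check credentials, tokens and verification codes can then end up in clear text in the `/logs` bind mount; `showSql = false` is the safer default for an example marked prod, with a comment that it can be flipped for debugging. `sslmode=disable` in `dataSourceName` is acceptable while `db` is reachable only on the compose network, but deserves a `# db is only reachable on the internal compose network` comment so the assumption is visible. The embedded `password=pls-changeme-to-strong-pw` must be kept in sync with `POSTGRES_PASSWORD` in the compose file, which is worth stating next to it.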
@@ -0,0 +1,47 @@
+services:
+
+ casdoor:
+ image: casbin/casdoor:2.353.0
+ container_name: casdoor
+ restart: unless-stopped
+ depends_on:
+ - db
+ ports:
+ - 8000:8000
+ expose:
+ - 8000
+ environment:
+ - GIN_MODE=release
+ - RUNNING_IN_DOCKER=true
+ volumes:
+ - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/casdoor/conf:/conf # config file `app.conf` must be created manually with postgres connection
+ - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/casdoor/logs:/logs
+ #networks:
+ # - proxy
+ # - casdoor_net
+ #labels:
+ # - traefik.enable=true
+ # - traefik.docker.network=proxy
+ # - traefik.http.routers.casdoor.rule=Host(`casdoor.example.com`)
+ # - traefik.http.services.casdoor.loadbalancer.server.port=8000
+ # # Optional part for traefik middlewares
+ # - traefik.http.routers.casdoor.middlewares=local-ipwhitelist@file,crowdsec@file,limit-CHANGEME
+
+ db:
+ image: postgres:18-alpine
+ container_name: casdoor-db
+ restart: unless-stopped
+ environment:
+ - POSTGRES_USER=casdoor
+ - POSTGRES_PASSWORD=pls-changeme-to-strong-pw
+ - POSTGRES_DB=casdoor
+ volumes:
+ - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/casdoor/db:/var/lib/postgresql
+ #networks:
+ # - casdoor_net
+
+#networks:
+# proxy:
+# external: true
+# casdoor_net:
+# internal: true
diff --git a/examples/changedetection/README.md b/examples/changedetection/README.md
index 1ab800a14..fc2f07c96 100644
--- a/examples/changedetection/README.md
+++ b/examples/changedetection/README.md
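Review bot: `ports: - 8000:8000` publishes the Casdoor admin UI on all host interfaces while the Traefik labels and the `local-ipwhitelist@file,crowdsec@file` middlewares stay commented, so the default deployment is exposed without any of the protections the example recommends; `- 127.0.0.1:8000:8000` keeps it local until the proxy is enabled. The `db` service ends up on the default network because `#networks: # - casdoor_net` is commented, consistent with the commented `#networks` of `casdoor`, and the `casdoor_net: internal: true` definition at the bottom is the right target once both are uncommented. `POSTGRES_PASSWORD=pls-changeme-to-strong-pw` repeats the password embedded in `app.conf`; `# must match dataSourceName in app.conf` on that line avoids the two drifting apart.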
@@ -1,3 +1,20 @@ # References - https://github.com/linuxserver/docker-changedetection.io +- https://github.com/dgtlmoon/sockpuppetbrowser +- https://github.com/dockage/tor-privoxy + +# Notes + +You can optionally uncomment the tor socks proxy in the `docker-compose.yml`. + +If so, you can configure changedetection to support watching .onion darknet websites. + +>[!CAUTION] +> For this to work, you have to place the `proxies.json` file at the docker bind mount volume `/mnt/docker-volumes/changedetection/config/proxies.json`. +> +> Then restart the container. +> +> Within changedetection, you can now choose the proxy to use. + +image diff --git a/examples/changedetection/docker-compose.yml b/examples/changedetection/docker-compose.yml index 42cd54530..3f891cca1 100644 --- a/examples/changedetection/docker-compose.yml +++ b/examples/changedetection/docker-compose.yml @@ -1,5 +1,5 @@ -version: "2.1" services: + changedetection: image: lscr.io/linuxserver/changedetection.io:latest container_name: changedetection @@ -7,10 +7,14 @@ services: - PUID=1000 - PGID=1000 - TZ=Europe/Berlin + - HIDE_REFERER=true + - PLAYWRIGHT_DRIVER_URL=ws://playwright-chrome:3000 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/changedetection/config:/config ports: - 5000:5000 + expose: + - 5000 restart: unless-stopped #networks: # - proxy 
@@ -22,6 +26,35 @@ services: # # Part for local lan services only; disable to expose externally # - traefik.http.routers.changedetection.middlewares=local-ipwhitelist@file,basic-auth@file + playwright-chrome: + image: dgtlmoon/sockpuppetbrowser:latest + container_name: playwright-chrome + restart: unless-stopped + expose: + - 3000 + tmpfs: + - /tmp # This just keeps tmp data from being written to disk + environment: + - SCREEN_WIDTH=1920 + - SCREEN_HEIGHT=1024 + - SCREEN_DEPTH=16 + - MAX_CONCURRENT_CHROME_PROCESSES=10 + - STATS_REFRESH_SECONDS=120 # Default is 3 seconds which is way too much + #networks: + # - proxy + + #proxy: + #image: zhaowde/rotating-tor-http-proxy:latest + #container_name: torproxy + #environment: + #- TOR_INSTANCES=4 + #- TOR_REBUILD_INTERVAL=36000 + #expose: + #- 3128 # http proxy round-robin + #restart: unless-stopped + # #networks: + # # - proxy + #networks: # proxy: # external: true diff --git a/examples/changedetection/proxies.json b/examples/changedetection/proxies.json new file mode 100644 index 000000000..1a9c8538f --- /dev/null +++ b/examples/changedetection/proxies.json @@ -0,0 +1 @@ +{"tor":{"label":"Tor Network","url":"http://proxy:3128"},"none":{"label":"Direct - No proxy"}} diff --git a/examples/chevereto/README.md b/examples/chevereto/README.md index fd5d96705..cc576648b 100644 --- a/examples/chevereto/README.md +++ b/examples/chevereto/README.md @@ -24,7 +24,7 @@ docker exec -it chevereto bash # fixing permissions to www-data mkdir -p /var/www/html/images/_assets chown -R www-data:www-data /var/www/html/images/* -chmod -R 777 /var/www/html/images/* +chmod -R 775 /var/www/html/images/* ```` No container restart necessary. The web application should now work flawlessly. diff --git a/examples/chevereto/docker-compose.yml b/examples/chevereto/docker-compose.yml index 084ea8358..7f6f7363e 100644 --- a/examples/chevereto/docker-compose.yml +++ b/examples/chevereto/docker-compose.yml 
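Review bot: The `playwright-chrome` service exposes a browser-control websocket on 3000 with no authentication configured here (consumed via `PLAYWRIGHT_DRIVER_URL=ws://playwright-chrome:3000` in the previous hunk), and the commented `#networks: # - proxy` invites attaching it to the shared proxy network, where any other proxied container could drive the headless browser; it only needs to reach changedetection, so leave it on the default network or a dedicated internal one and drop that hint. The commented Tor proxy block is also not uncommentable as written: `#proxy:`, `#image:` and `#- TOR_INSTANCES=4` all sit at the same column, so removing the `#` produces sibling keys rather than a nested service; use a `# ` prefix with the indentation preserved, as the `#networks:` block at the bottom does. `MAX_CONCURRENT_CHROME_PROCESSES=10` with a `/tmp` tmpfs and no memory limit can exhaust RAM on small hosts; a commented `mem_limit` would make that tunable visible.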
@@ -1,8 +1,7 @@ -version: "3.7" - services: + chevereto: - image: ghcr.io/chevereto/chevereto:4.0 + image: ghcr.io/chevereto/chevereto:4.4 container_name: chevereto init: true restart: unless-stopped @@ -40,6 +39,8 @@ services: container_name: chevereto_mariadb restart: unless-stopped init: true + expose: + - 3306 environment: MYSQL_DATABASE: chevereto MYSQL_USER: chevereto diff --git a/examples/cloudflare-ddns/README.md b/examples/cloudflare-ddns/README.md index 62a820b56..24e86e3c7 100644 --- a/examples/cloudflare-ddns/README.md +++ b/examples/cloudflare-ddns/README.md @@ -1,4 +1,3 @@ # References -- https://github.com/favonia/cloudflare-ddns -- https://hub.docker.com/r/oznu/cloudflare-ddns/ (deprecated) +- https://github.com/favonia/cloudflare-ddns \ No newline at end of file diff --git a/examples/cloudflare-ddns/docker-compose-oznu-deprecated.yml b/examples/cloudflare-ddns/docker-compose-oznu-deprecated.yml deleted file mode 100644 index b8e3f0d6c..000000000 --- a/examples/cloudflare-ddns/docker-compose-oznu-deprecated.yml +++ /dev/null @@ -1,9 +0,0 @@ -version: '3.7' -services: - ddns: - image: oznu/cloudflare-ddns:latest - restart: unless-stopped - environment: - - API_KEY=MyCloudflareApiToken # change this - - ZONE=example.com - - SUBDOMAIN=* # either subdomain or wildcard * to update root domain diff --git a/examples/cloudflare-ddns/docker-compose.yml b/examples/cloudflare-ddns/docker-compose.yml index f237dc94e..1a4078032 100644 --- a/examples/cloudflare-ddns/docker-compose.yml +++ b/examples/cloudflare-ddns/docker-compose.yml 
@@ -1,20 +1,19 @@ -version: "3" services: + cloudflare-ddns: image: favonia/cloudflare-ddns:latest container_name: cloudflare-ddns #network_mode: host restart: always + user: "1000:1000" cap_drop: - all read_only: true security_opt: - no-new-privileges:true environment: - - PGID=1000 - - PUID=1000 - - CF_API_TOKEN=YOUR-CLOUDFLARE-API-TOKEN # pls adjust + - CLOUDFLARE_API_TOKEN=YOUR-CLOUDFLARE-API-TOKEN # pls adjust - DOMAINS=example.org,www.example.org,example.io # pls adjust; a list of fully qualified domain names separated by commas - - PROXIED=false # instructs Cloudflare to cache webpages on your machine and hide its actual IP addresses + - PROXIED=false # if true, instructs Cloudflare to cache webpages on your machine and hide its actual IP addresses - TZ=Europe/Berlin - IP6_PROVIDER=none # disbale IPv6 diff --git a/examples/code-server/docker-compose.yml b/examples/code-server/docker-compose.yml index 5551a30b1..60c7a3c87 100644 --- a/examples/code-server/docker-compose.yml +++ b/examples/code-server/docker-compose.yml @@ -1,5 +1,3 @@ -version: "2.1" - services: code-server: @@ -18,6 +16,8 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/vscode/config:/config ports: - 8443:8443 + expose: + - 8443 restart: unless-stopped #networks: # - proxy 
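Review bot: The hardening added here (`user: "1000:1000"` on top of the existing `cap_drop: - all`, `read_only: true` and `no-new-privileges:true`) is good, but `CLOUDFLARE_API_TOKEN=YOUR-CLOUDFLARE-API-TOKEN` still places a DNS-edit token in the compose file and in `docker inspect` output; favonia/cloudflare-ddns documents a file-based alternative (`CLOUDFLARE_API_TOKEN_FILE`, as far as I recall), and a pointer to it, or to a git-ignored `.env` file as the authentik example uses, would keep the credential out of the stack definition. The rename from `CF_API_TOKEN` presumably follows the image's own rename, but it silently breaks an existing `.env` that still sets the old name; a `# renamed from CF_API_TOKEN` comment on the line would save that debugging session.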
@@ -27,12 +27,12 @@ services: # - traefik.http.routers.codeserver.rule=Host(`code.example.com`) # - traefik.http.services.codeserver.loadbalancer.server.port=8443 # # Optional part for file upload max sizes - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 + # - traefik.http.middlewares.limit-codeserver.buffering.maxRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-codeserver.buffering.maxResponseBodyBytes=50000000 + # - traefik.http.middlewares.limit-codeserver.buffering.memRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-codeserver.buffering.memResponseBodyBytes=50000000 # # Optional part for traefik middlewares - # - traefik.http.routers.codeserver.middlewares=local-ipwhitelist@file,authelia@docker + # - traefik.http.routers.codeserver.middlewares=limit-codeserver #networks: # proxy: diff --git a/examples/crowdsec/README.md b/examples/crowdsec/README.md new file mode 100644 index 000000000..6a6a20595 --- /dev/null +++ b/examples/crowdsec/README.md @@ -0,0 +1,6 @@ +# References +- https://github.com/crowdsecurity/crowdsec +- https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin +- https://app.crowdsec.net/hub/collections +- https://blog.lrvt.de/configuring-crowdsec-with-traefik/ +- https://www.reddit.com/r/selfhosted/comments/1dcn19v/standing_up_the_crowdsec_bouncer_plugin_in_traefik/ diff --git a/examples/crowdsec/docker-compose.yml b/examples/crowdsec/docker-compose.yml new file mode 100644 index 000000000..696cb90f8 --- /dev/null +++ b/examples/crowdsec/docker-compose.yml 
@@ -0,0 +1,53 @@
+services:
+
+ crowdsec:
+ image: crowdsecurity/crowdsec:v1.7.6
+ container_name: crowdsec
+ restart: unless-stopped
+ ports:
+ - 127.0.0.1:9876:8080 # http api for local fw bouncers
+ - 127.0.0.1:6060:6060 # metrics endpoint for prometheus
+ expose:
+ - 8080 # http api for bouncers
+ - 6060 # metrics endpoint for prometheus
+ - 7422 # appsec waf endpoint
+ volumes:
+ # crowdsec container data
+ - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/crowdsec/data:/var/lib/crowdsec/data
+ - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/crowdsec/etc:/etc/crowdsec
+ # log bind mounts into crowdsec
+ - /var/log/auth.log:/var/log/auth.log:ro
+ - /var/log/syslog:/var/log/syslog:ro
+ - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik/logs:/var/log/traefik:ro
+ environment:
+ - GID=1000
+ - COLLECTIONS=crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/base-http-scenarios crowdsecurity/sshd crowdsecurity/linux crowdsecurity/appsec-crs crowdsecurity/appsec-generic-rules crowdsecurity/appsec-virtual-patching
+ #- BOUNCER_KEY_=${CROWDSEC-BOUNCER-API-TOKEN:-FIXME-LAPI-KEY} # pre-supply a bouncer with api key
+ #- CUSTOM_HOSTNAME=crowdsec-host123
+ #security_opt:
+ # - no-new-privileges=true
+ #networks:
+ # - proxy
+
+ # - You can enable the below service to enhance crowdsec's blocklist
+ # - More info here: https://github.com/wolffcatskyy/crowdsec-blocklist-import
+ # ----------------------------------------------------------------------------
+ #crowdsec-blocklist-import:
+ # image: ghcr.io/wolffcatskyy/crowdsec-blocklist-import:2.1.0
+ # container_name: crowdsec-blocklist-import
+ # restart: "no"
+ # environment:
+ # # setup:
+ # # docker exec -it crowdsec cscli machines add blocklist-importer --password secretpassphrase -f blocklist-importer
+ # - CROWDSEC_LAPI_URL=http://crowdsec:8080
+ # - CROWDSEC_MACHINE_ID=blocklist-importer
+ # - CROWDSEC_MACHINE_PASSWORD=secretpassphrase
+ # - DECISION_DURATION=24h
+ # - TZ=Europe/Berlin
+ # - 
TELEMETRY_ENABLED=false + # #networks: + # # - proxy + +#networks: +# proxy: +# external: true diff --git a/examples/cs2-dedicated-server/README.md b/examples/cs2-dedicated-server/README.md index 2eb3cbbc8..48e84ec15 100644 --- a/examples/cs2-dedicated-server/README.md +++ b/examples/cs2-dedicated-server/README.md @@ -2,6 +2,7 @@ - https://github.com/joedwards32/CS2 - https://github.com/shobhit-pathak/cs2-rcon-panel +- https://github.com/l4rm4nd/cs2-rcon-panel # Notes @@ -11,4 +12,7 @@ Minimum system requirements are: - 2 GiB RAM - 40 GB of disk space for the container or mounted as a persistent volume on /home/steam/cs2-dedicated/ -Default login for the rcon panel is `cspanel:v67ic55x4ghvjfj`. +Default login for the rcon panel is `cspanel:v67ic55x4ghvjfj`. You can change this via environment variables. + +> [!TIP] +> If you restart the container, the CS2 server will automatically pull and install updates. So may configure a cronjob to regularly restart the container to keep your CS2 dedicated server up-to-date. diff --git a/examples/cs2-dedicated-server/docker-compose.yml b/examples/cs2-dedicated-server/docker-compose.yml index e82bde16c..f58f982d5 100644 --- a/examples/cs2-dedicated-server/docker-compose.yml +++ b/examples/cs2-dedicated-server/docker-compose.yml @@ -1,5 +1,3 @@ -version: '3.7' - services: cs2-server: @@ -43,8 +41,11 @@ services: #- 27020:27020/udp # UDP cs2-rconpanel: - image: soren90/rcon-panel + image: ghcr.io/l4rm4nd/cs2-rcon-panel:latest container_name: cs2-rcon-panel + environment: + - USERNAME=cspanel # change this + - PASSWORD=v67ic55x4ghvjfj # change this ports: - 3000:3000 restart: unless-stopped diff --git a/examples/dashy/docker-compose.yml b/examples/dashy/docker-compose.yml index 410b3b262..6e2b235c0 100644 --- a/examples/dashy/docker-compose.yml +++ b/examples/dashy/docker-compose.yml 
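Review bot: The commented `#- BOUNCER_KEY_=${CROWDSEC-BOUNCER-API-TOKEN:-FIXME-LAPI-KEY}` line cannot be uncommented as is: `BOUNCER_KEY_` has an empty bouncer-name suffix, and hyphens are not valid in compose interpolation names, so `${CROWDSEC-BOUNCER-API-TOKEN:-…}` is most likely read as variable `CROWDSEC` with the default `BOUNCER-API-TOKEN:-FIXME-LAPI-KEY` rather than as one variable. `#- BOUNCER_KEY_traefik=${CROWDSEC_BOUNCER_API_TOKEN:-FIXME-LAPI-KEY}` is the shape that works. Binding 9876 and 6060 to `127.0.0.1` is the right call; the `#security_opt:` / `no-new-privileges` block could be enabled rather than commented, as the cloudflare-ddns example in this commit already does, and the blocklist-importer's `secretpassphrase` appears twice and should carry a `# change this` marker. This hunk starts on the previous line.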
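Review bot: `USERNAME=cspanel` / `PASSWORD=v67ic55x4ghvjfj` reproduce the panel's documented default login, and the context `ports: - 3000:3000` publishes the RCON panel on every host interface, so a stack started without editing the two `# change this` lines hands game-server RCON to anyone who reaches port 3000; `- 127.0.0.1:3000:3000` as the default, or a comment that the panel belongs behind the `local-ipwhitelist@file` middleware, would make an unedited copy safe. Moving to `ghcr.io/l4rm4nd/cs2-rcon-panel:latest` also drops version pinning; a tag keeps upgrades deliberate. The rest of the `cs2-rconpanel` service continues past the hunk.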
@@ -1,10 +1,9 @@ ---- -version: "3.8" services: + dashy: + image: lissy93/dashy:latest container_name: dashy hostname: dashy - image: lissy93/dashy volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/dashy/config/config.yml:/app/public/conf.yml - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/dashy/icons:/app/public/item-icons @@ -14,7 +13,9 @@ services: - GID=1000 restart: unless-stopped ports: - - 4000:80 + - 4000:80 + expose: + - 80 healthcheck: test: ['CMD', 'node', '/app/services/healthcheck'] interval: 1m30s diff --git a/examples/deemix/docker-compose.yml b/examples/deemix/docker-compose.yml index 9ea0b03be..7b15718a6 100644 --- a/examples/deemix/docker-compose.yml +++ b/examples/deemix/docker-compose.yml @@ -1,13 +1,12 @@ -version: "3" - services: + deemix: + image: registry.gitlab.com/bockiii/deemix-docker:latest container_name: deemix + hostname: deemix environment: - PUID=1000 - PGID=1000 - hostname: deemix - image: registry.gitlab.com/bockiii/deemix-docker:latest restart: unless-stopped ports: - 6595:6595 diff --git a/examples/docmost/docker-compose.yml b/examples/docmost/docker-compose.yml index 405e0bf28..115e185f6 100644 --- a/examples/docmost/docker-compose.yml +++ b/examples/docmost/docker-compose.yml @@ -1,16 +1,14 @@ -version: '3' - services: docmost: - image: docmost/docmost:0.2.3 + image: docmost/docmost:0.25 container_name: docmost depends_on: - db - redis environment: - APP_URL=http://127.0.0.1:3000 - - APP_SECRET=A_VERY_SECURE_STRING + - APP_SECRET=SecureSecretKeySecureSecretKey12 # <-- change - DATABASE_URL=postgresql://docmost:STRONG_DB_PASSWORD@db:5432/docmost?schema=public - REDIS_URL=redis://redis:6379 # --------- S3 Storage Configuration -------- 
@@ -53,15 +51,19 @@ services: - POSTGRES_USER=docmost - POSTGRES_PASSWORD=STRONG_DB_PASSWORD restart: unless-stopped + expose: + - 5432 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/docmost/database:/var/lib/postgresql/data #networks: # - proxy redis: - image: redis:7.2-alpine + image: redis:8.6-alpine container_name: docmost-redis restart: unless-stopped + expose: + - 6379 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/docmost/redis:/data #networks: diff --git a/examples/docuseal/docker-compose.yml b/examples/docuseal/docker-compose.yml index 46c61d600..4c66f2bb7 100644 --- a/examples/docuseal/docker-compose.yml +++ b/examples/docuseal/docker-compose.yml @@ -1,5 +1,3 @@ -version: '3' - services: app: @@ -28,7 +26,7 @@ services: # - traefik.http.routers.docuseal.middlewares=local-ipwhitelist@file,authelia@docker postgres: - image: postgres:15-alpine + image: postgres:18-alpine container_name: docuseal-db restart: unless-stopped environment: @@ -36,7 +34,7 @@ services: - POSTGRES_PASSWORD=postgres - POSTGRES_DB=docuseal volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/docuseal/pg_data:/var/lib/postgresql/data + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/docuseal/pg_data:/var/lib/postgresql healthcheck: test: ["CMD-SHELL", "pg_isready -U postgres"] interval: 5s diff --git a/examples/domainmod/docker-compose.yml b/examples/domainmod/docker-compose.yml index 3acedeef6..87ea8e214 100644 --- a/examples/domainmod/docker-compose.yml +++ b/examples/domainmod/docker-compose.yml @@ -1,6 +1,5 @@ ---- -version: '3.7' services: + app: image: domainmod/domainmod:latest container_name: domainmod_app @@ -20,6 +19,8 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/domainmod/app:/var/www/html ports: - 8080:80 + expose: + - 80 restart: unless-stopped db: diff --git a/examples/drone/docker-compose.yml b/examples/drone/docker-compose.yml index f251cc2c6..d20e6aa4c 100644 --- a/examples/drone/docker-compose.yml 
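Review bot: The docuseal postgres service jumps from `postgres:15-alpine` to `postgres:18-alpine` while the bind mount keeps pointing at the existing `pg_data` directory, and the container-side path moves from `/var/lib/postgresql/data` to `/var/lib/postgresql`. PostgreSQL does not upgrade a data directory across major versions in place, and as far as I recall the 18 image initializes its cluster in a version-specific subdirectory under `/var/lib/postgresql`, so an existing install would most likely come up with a fresh empty database rather than its data; a migration comment such as `# major upgrade from 15: dump/restore or pg_upgrade the existing pg_data before starting` should accompany the bump. The evershop hunk (`postgres:16` → `postgres:18-alpine`, same path change) and the firezone hunk (`postgres:15` → `postgres:18-alpine`, plus a new host directory `firezone/db`) have the same issue.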
+++ b/examples/drone/docker-compose.yml @@ -1,6 +1,5 @@ -version: "3.7" - services: + drone-server: image: drone/drone:latest container_name: drone-server @@ -26,18 +25,18 @@ services: - DRONE_AGENTS_ENABLED=true - DRONE_GITEA_CLIENT_ID=XXX-XXX # change this to your client ID from Gitea; see https://docs.drone.io/server/provider/gitea/ - DRONE_GITEA_CLIENT_SECRET=XXX-XXX # change this to your client secret from Gitea; see https://docs.drone.io/server/provider/gitea/ - networks: - - proxy - labels: - - traefik.enable=true - - traefik.http.routers.drone-server.rule=Host(`drone.domain.tld`) - - traefik.http.services.drone-server.loadbalancer.server.port=80 - - traefik.docker.network=proxy - # Part for local lan services only; disable to expose externally - - traefik.http.routers.drone-server.middlewares=local-ipwhitelist@file + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.http.routers.drone-server.rule=Host(`drone.domain.tld`) + # - traefik.http.services.drone-server.loadbalancer.server.port=80 + # - traefik.docker.network=proxy + # # Part for local lan services only; disable to expose externally + # - traefik.http.routers.drone-server.middlewares=local-ipwhitelist@file drone-agent: - image: drone/agent:1.2.1 + image: drone/agent:1.6 command: agent restart: unless-stopped container_name: drone-agent @@ -47,9 +46,9 @@ services: - DRONE_RPC_SERVER=http://drone-server:80 - DRONE_RPC_SECRET=8aff725d2e16ef31fbc42 - DRONE_RUNNER_CAPACITY=2 - networks: - - proxy + #networks: + # - proxy -networks: - proxy: - external: true +#networks: +# proxy: +# external: true diff --git a/examples/droppy/README.md b/examples/droppy/README.md deleted file mode 100644 index 66d64bc4a..000000000 --- a/examples/droppy/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# References - -- https://github.com/silverwind/droppy (deprecated) 
diff --git a/examples/droppy/docker-compose-deprecated.yml b/examples/droppy/docker-compose-deprecated.yml deleted file mode 100644 index 11701a0b3..000000000 --- a/examples/droppy/docker-compose-deprecated.yml +++ /dev/null @@ -1,16 +0,0 @@ -version: '2' - -services: - droppy: - container_name: droppy - image: silverwind/droppy - ports: - - 8989:8989 - volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/droppy/config:/config - - /path/to/my/data/for/sharing:/files # path to shared files - environment: - - UID=1000 - - GID=1000 - - TZ="Europe/Berlin" - restart: unless-stopped diff --git a/examples/duplicacy/docker-compose.yml b/examples/duplicacy/docker-compose.yml index be355b8d0..85754bfc3 100644 --- a/examples/duplicacy/docker-compose.yml +++ b/examples/duplicacy/docker-compose.yml @@ -1,11 +1,9 @@ ---- -version: '3.7' - services: + duplicacy-web: + image: saspus/duplicacy-web:mini container_name: duplicacy-web hostname: myhost # pls adjust - image: saspus/duplicacy-web:mini environment: - USR_ID=1000 # user account id on the system - GRP_ID=1000 # group id on the system 
@@ -13,9 +11,25 @@ services: - DUPLICACY_WEB_VERSION=latest ports: - "3875:3875/tcp" + expose: + - 3875 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/duplicacy-web/config:/config - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/duplicacy-web/logs:/logs - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/duplicacy-web/cache:/cache - /path/to/my/data/dir1:/data/dir1:ro # 1st path to your data for backup - /path/to/my/data/dir2:/data/dir2:ro # 2nd path to your data for backup + #networks: + # - proxy + #labels: + # - com.centurylinklabs.watchtower.enable=false + # - traefik.enable=true + # - traefik.http.routers.duplicacy.rule=Host(`duplicacy.example.com`) + # - traefik.http.services.duplicacy.loadbalancer.server.port=3875 + # - traefik.docker.network=proxy + # # Part for local lan services only + # - traefik.http.routers.duplicacy.middlewares=local-ipwhitelist@file + +#networks: +# proxy: +# external: true diff --git a/examples/duplicati/README.md b/examples/duplicati/README.md index f90c80ac7..ae6ea2859 100644 --- a/examples/duplicati/README.md +++ b/examples/duplicati/README.md @@ -1,3 +1,4 @@ # References -- https://github.com/duplicati/duplicati \ No newline at end of file +- https://github.com/duplicati/duplicati +- https://hub.docker.com/r/linuxserver/duplicati diff --git a/examples/duplicati/docker-compose.yml b/examples/duplicati/docker-compose.yml index 9440ebfd8..b37a69ea6 100644 --- a/examples/duplicati/docker-compose.yml +++ b/examples/duplicati/docker-compose.yml 
@@ -1,18 +1,28 @@ -version: "3" - services: + duplicati: + image: linuxserver/duplicati:latest container_name: duplicati + hostname: duplicati entrypoint: - /init ports: - 8200:8200 # MGMT UI + expose: + - 8200 environment: - PUID=0 - PGID=1000 - TZ=Europe/Berlin - hostname: duplicati - image: linuxserver/duplicati:latest + - SETTINGS_ENCRYPTION_KEY=PleaseChangeMeToSecureValue # <-- change this + - DUPLICATI__WEBSERVICE_PASSWORD=MySecureAdminPasswordForLogin # <-- change this + restart: unless-stopped + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/duplicati/backups:/backups + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/duplicati/config:/config + - /path/to/my/data/to/backup:/source # <-- change this + #networks: + # - proxy #labels: # - com.centurylinklabs.watchtower.enable=false # - traefik.enable=true @@ -21,8 +31,8 @@ services: # - traefik.docker.network=proxy # # Part for local lan services only # - traefik.http.routers.duplicati.middlewares=local-ipwhitelist@file - restart: unless-stopped - volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/duplicati/backups:/backups - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/duplicati/config:/config - - /path/to/my/data/to/backup:/source # change this + +#networks: +# proxy: +# external: true + diff --git a/examples/evershop/docker-compose.yml b/examples/evershop/docker-compose.yml index ca4eabe44..3ac1f25ea 100644 --- a/examples/evershop/docker-compose.yml +++ b/examples/evershop/docker-compose.yml @@ -1,5 +1,3 @@ -version: '3.8' - services: app: 
@@ -29,11 +27,11 @@ services: # - traefik.http.routers.evershop.middlewares=local-ipwhitelist@file,authelia@docker database: - image: postgres:16 + image: postgres:18-alpine container_name: evershop-db restart: unless-stopped volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/evershop/psqldata:/var/lib/postgresql/data + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/evershop/psqldata:/var/lib/postgresql environment: POSTGRES_PASSWORD: postgres POSTGRES_USER: postgres diff --git a/examples/excalidraw/README.md b/examples/excalidraw/README.md index e98533b2e..875403b58 100644 --- a/examples/excalidraw/README.md +++ b/examples/excalidraw/README.md @@ -1,10 +1,13 @@ # References - https://github.com/excalidraw/excalidraw - +- https://github.com/excalidraw/excalidraw-room + # Notes -Collaboration is not yet supported natively. You would have to also host an Excalidraw collaboration room: +If you selfhost your own excalidraw-room container, collaboration will be supported. -- https://github.com/excalidraw/excalidraw-room -- https://github.com/excalidraw/excalidraw/issues/4993#issuecomment-1783669768 \ No newline at end of file +Fully selfhosted by applying an entrypoint overwrite trick to support it: + +- https://github.com/excalidraw/excalidraw/issues/5188#issuecomment-3848252703 +- https://blog.lrvt.de/selfhosting-excalidraw-with-collaboration-support/ diff --git a/examples/excalidraw/docker-compose.yml b/examples/excalidraw/docker-compose.yml index f8ea5253c..c53f0b215 100644 --- a/examples/excalidraw/docker-compose.yml +++ b/examples/excalidraw/docker-compose.yml 
@@ -1,32 +1,75 @@ -version: "3.8" - services: + excalidraw: - container_name: excalidraw image: excalidraw/excalidraw:latest + container_name: excalidraw ports: - - "3000:80" + - 8888:80 # web-ui for drawing + expose: + - 80 restart: unless-stopped + entrypoint: /bin/sh + command: + - -c + - | + echo "Replacing WebSocket URL with: $$VITE_APP_WS_SERVER_URL" + find /usr/share/nginx/html/assets -type f -name "*.js" -exec sed -i 's|https://oss-collab\.excalidraw\.com|'$$VITE_APP_WS_SERVER_URL'|g' {} + + echo "Starting nginx..." + nginx -g 'daemon off;' stdin_open: true - healthcheck: - disable: true environment: - NODE_ENV=production + - VITE_APP_WS_SERVER_URL=https://draw2gether.example.com + healthcheck: + test: ["CMD-SHELL", "wget -qO- http://127.0.0.1:80/ >/dev/null 2>&1 || exit 1"] + interval: 30s + timeout: 5s + retries: 3 + start_period: 20s + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + cap_add: + - CHOWN + - SETGID + - SETUID + tmpfs: + - /tmp:rw,noexec,nosuid,size=64m + - /var/cache/nginx/client_temp:rw,noexec,nosuid,size=64m #networks: # - proxy - #volumes: - # - ./:/opt/node_app/app:delegated - # - ./package.json:/opt/node_app/package.json - # - ./yarn.lock:/opt/node_app/yarn.lock - # - notused:/opt/node_app/app/node_modules #labels: # - traefik.enable=true # - traefik.http.routers.excalidraw.rule=Host(`draw.example.com`) # - traefik.http.services.excalidraw.loadbalancer.server.port=80 # - traefik.docker.network=proxy - # # Part for local lan services only; disable to expose externally - # - traefik.http.routers.excalidraw.middlewares=local-ipwhitelist@file -#networks: -# proxy: -# external: true + excalidraw-room: + image: excalidraw/excalidraw-room:latest + container_name: excalidraw-room + ports: + - 8889:80 # web-socket for collaboration + expose: + - 80 + restart: unless-stopped + read_only: true + tmpfs: + - /tmp:rw,noexec,nosuid,size=64m + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + healthcheck: + test: 
["CMD-SHELL", "wget -qO- http://127.0.0.1:80/ >/dev/null 2>&1 || exit 1"] + interval: 30s + timeout: 5s + retries: 3 + start_period: 20s + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.http.routers.excalidraw-collab.rule=Host(`draw2gether.example.com`) + # - traefik.http.services.excalidraw-collab.loadbalancer.server.port=80 + # - traefik.docker.network=proxy \ No newline at end of file diff --git a/examples/fail2ban/docker-compose.yml b/examples/fail2ban/docker-compose.yml index cc0463541..56da88d1d 100644 --- a/examples/fail2ban/docker-compose.yml +++ b/examples/fail2ban/docker-compose.yml @@ -1,18 +1,17 @@ -version: "3" - services: + fail2ban: + image: crazymax/fail2ban:latest container_name: fail2ban + restart: unless-stopped + network_mode: host cap_add: - NET_ADMIN - NET_RAW environment: - TZ=Europe/Berlin - F2B_DB_PURGE_AGE=14d - image: crazymax/fail2ban:latest - network_mode: host - restart: unless-stopped volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/fail2Ban/data:/data - /path/to/my/logs/to/monitor:/var/log - #- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik/logs:/var/log/traefik + #- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik/logs:/var/log/traefik \ No newline at end of file diff --git a/examples/filebrowser/README.md b/examples/filebrowser/README.md index 9f186c8b9..314361513 100644 --- a/examples/filebrowser/README.md +++ b/examples/filebrowser/README.md @@ -1,8 +1,7 @@ # References -- https://github.com/hurlenko/filebrowser-docker - https://github.com/filebrowser/filebrowser # Notes -Default login is `admin:admin` as mentioned [here](https://filebrowser.org/installation#:~:text=You%20just%20need%20to%20go,Password%3A%20admin). +Default username is `admin`. Password is auto-generated and displayed in container logs. diff --git a/examples/filebrowser/docker-compose.yml b/examples/filebrowser/docker-compose.yml index 9a733db4f..d92e5df4a 100644 --- a/examples/filebrowser/docker-compose.yml 
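Review bot: The `find … -exec sed` in the excalidraw `command` interpolates `$$VITE_APP_WS_SERVER_URL` unquoted into the sed replacement, so an empty or unset variable silently rewrites every collaboration URL in the bundled JS to an empty string, and a value containing `&` or `|` would be mis-parsed by sed. A guard before the `find`, `: "$${VITE_APP_WS_SERVER_URL:?must be set}"`, makes the container fail fast instead of serving a broken bundle. Since the substitution edits files under `/usr/share/nginx/html/assets` at every start, this service cannot use `read_only: true` the way excalidraw-room does; a one-line comment above `entrypoint:` saying so would save the next reader from trying to harden it the same way.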
+++ b/examples/filebrowser/docker-compose.yml @@ -1,15 +1,30 @@ -version: "3" - services: + filebrowser: - image: hurlenko/filebrowser + image: filebrowser/filebrowser container_name: filebrowser + restart: unless-stopped user: 1000:1000 # adjust to your needs + environment: + - FB_BASEURL=/filebrowser ports: - - 8080:8080 + - 8080:80 + expose: + - 80 volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/filebrowser/data:/data + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/filebrowser/data:/srv - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/filebrowser/config:/config - environment: - - FB_BASEURL=/filebrowser - restart: unless-stopped + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/filebrowser/database:/database + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.filebrowser.rule=Host(`filebrowser.example.com`) + # - traefik.http.services.filebrowser.loadbalancer.server.port=80 + # # Optional part for traefik middlewares + # - traefik.http.routers.filebrowser.middlewares=local-ipwhitelist@file + +#networks: +# proxy: +# external: true diff --git a/examples/filerun/docker-compose.yml b/examples/filerun/docker-compose.yml index fefad3fda..36fbca589 100644 --- a/examples/filerun/docker-compose.yml +++ b/examples/filerun/docker-compose.yml @@ -1,19 +1,20 @@ -version: '2' - services: + db: - image: mariadb:10.1 + image: mariadb:11.8 container_name: filerun-db environment: - MYSQL_ROOT_PASSWORD=your_mysql_root_password - MYSQL_USER=your_filerun_username - MYSQL_PASSWORD=your_filerun_password - MYSQL_DATABASE=your_filerun_database + expose: + - 3306 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/filerun/db:/var/lib/mysql filerun: - image: filerun/filerun + image: filerun/filerun:8.4 container_name: filerun environment: - FR_DB_HOST=db 
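Review bot: `FB_BASEURL=/filebrowser` makes the new filebrowser image serve under a `/filebrowser` prefix, but the commented traefik router added in the same hunk matches on `Host` only (`traefik.http.routers.filebrowser.rule`), so either the base URL should be dropped for a dedicated hostname or the rule needs a matching `PathPrefix` matcher. The switch from `hurlenko/filebrowser` to `filebrowser/filebrowser` also changes the data mount from `/data` to `/srv` and adds `/database`; an existing `config` directory from the old image is unlikely to carry its settings or database over, which deserves a line in the README alongside the new auto-generated-password note.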
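Review bot: The filerun `db` service moves from `mariadb:10.1` to `mariadb:11.8` on the same persisted `/var/lib/mysql` directory, which is a multi-major jump; the official mariadb image only runs the system-table upgrade automatically when `MARIADB_AUTO_UPGRADE=1` is set, so either add that variable to the environment block or document a manual `mariadb-upgrade` step next to the image change. The `filerun/filerun:8.4` pin in the same hunk is a welcome change for reproducibility.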
@@ -26,7 +27,9 @@ services: links: - db:db ports: - - 8080:80 + - 8088:80 + expose: + - 80 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/filerun/html:/var/www/html - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/filerun/files:/user-files diff --git a/examples/firefly/docker-compose.yml b/examples/firefly/docker-compose.yml index 4b8567f4c..bb7f44511 100644 --- a/examples/firefly/docker-compose.yml +++ b/examples/firefly/docker-compose.yml @@ -1,6 +1,5 @@ -version: '3.3' - services: + app: image: fireflyiii/core:latest container_name: firefly @@ -10,11 +9,13 @@ services: env_file: .env ports: - 80:8080 + expose: + - 8080 depends_on: - db db: - image: mariadb + image: mariadb:lts container_name: firefly-db restart: unless-stopped environment: @@ -23,4 +24,4 @@ services: - MYSQL_PASSWORD=MySecretDatabasePassword # if changed --> also update in .env file - MYSQL_DATABASE=firefly volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/firefly/mysql:/var/lib/mysql + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/firefly/mysql:/var/lib/mysql \ No newline at end of file diff --git a/examples/firefox/docker-compose.yml b/examples/firefox/docker-compose.yml index bea9a2e52..bd323870c 100644 --- a/examples/firefox/docker-compose.yml +++ b/examples/firefox/docker-compose.yml @@ -1,6 +1,5 @@ -version: "3.3" - services: + firefox: image: lscr.io/linuxserver/firefox:latest container_name: firefox @@ -16,6 +15,8 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/firefox/config:/config ports: - 3210:3000 + expose: + - 3000 #networks: # - proxy #labels: diff --git a/examples/firezone/README.md b/examples/firezone/README.md index cfb3cc534..4b282fa9d 100644 --- a/examples/firezone/README.md +++ b/examples/firezone/README.md 
@@ -1,23 +1,44 @@ # Reference -- https://www.firezone.dev/docs/deploy/docker +- https://github.com/l4rm4nd/firezone (fork, maintained) +- https://github.com/firezone/firezone/tree/legacy (EoL) -# Notes +> [!WARNING] +> Firezone v0.7 has reached End-of-Life on 31st January 2024. +> +> It undergoes a complete redesign (zero-knowledge, cloud) for v1.0 and won't provide any updates for the v0.7 (legacy) branch anymore. More information can be found [here](https://www.firezone.dev/blog/firezone-1-0). -1. Download the `docker-compose.yml` file from this repository. -2. Create a firezone `.env` file via the command `docker run --rm firezone/firezone bin/gen-env > .env` -3. Adjust `docker-compose.yml` and created `.env` to your needs. Especially change the environment variables `DEFAULT_ADMIN_EMAIL`, `DEFAULT_ADMIN_PASSWORD` and `EXTERNAL_URL` to secure values! -4. Proceed by executing the below commands. +> [!TIP] +> A new fork (l4rm4nd/firezone) tries to fix outdated dependencies and keep the software alive. +> +> The fork starts with a new v7.0.0 release version and tag. + +# Notes ```` +# download compose file +wget https://raw.githubusercontent.com/Haxxnet/Compose-Examples/main/examples/firezone/docker-compose.yml + +# generate an .env file +docker run --rm ghcr.io/l4rm4nd/firezone:latest bin/gen-env > .env + +# adjust .env file to your needs +# define EXTERNAL_URL + DEFAULT_ADMIN_EMAIL + DEFAULT_ADMIN_PASSWORD + +# disable telemetry via .env +echo -e "\nTELEMETRY_ENABLED=false" >> .env + +# enable local auth +echo -e "\nLOCAL_AUTH_ENABLED=true" >> .env + +# migrate database and create admin user docker compose run --rm firezone bin/migrate docker compose run --rm firezone bin/create-or-reset-admin + +# spawn the container stack docker compose up -d ```` -Note: It is recommended to run the Firezone web panel behind a reverse proxy (e.g. Traefik) if you want to expose it. Alternatively, keep it running on http://127.0.0.1:13000. 
+Afterwards, the admin mgmt UI is accessible on http://127.0.0.1:13000. -> [!WARNING] -> Firezone v0.7 has reached End-of-Life on 31st January 2024. -> -> It undergoes a complete redesign (zero-knowledge, cloud) for v1.0 and won't provide any updates for the v0.7 (legacy) branch anymore. More information can be found [here](https://www.firezone.dev/blog/firezone-1-0). +It is recommended to combine Firezone with a TLS reverse proxy such as Traefik as well as with an Identity Provider (IdP) such as Keycloak or Authentik for Single-Sign-On (SSO). Once SSO is enabled, you should disable the possibility for local authentication via the .env file. diff --git a/examples/firezone/docker-compose.yml b/examples/firezone/docker-compose.yml index bc771fafe..093fda193 100644 --- a/examples/firezone/docker-compose.yml +++ b/examples/firezone/docker-compose.yml @@ -6,12 +6,10 @@ x-deploy: &default-deploy update_config: order: start-first -version: "3.7" - services: firezone: - image: firezone/firezone + image: l4rm4nd/firezone container_name: firezone-web ports: - 51820:51820/udp @@ -26,14 +24,7 @@ services: # IMPORTANT: Persists WireGuard private key and other data. If # /var/firezone/private_key exists when Firezone starts, it is # used as the WireGuard private. Otherwise, one is generated. - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/firezone:/var/firezone - #labels: - # - traefik.enable=true - # - traefik.docker.network=dev - # - traefik.http.routers.firezone_https.rule=Host(`firezone.example.com`) - # - traefik.http.routers.firezone_https.tls=true - # - traefik.http.services.firezone.loadbalancer.server.port=13000 - # #- traefik.http.routers.firezone.middlewares=local-ipwhitelist@file + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/firezone/data:/var/firezone cap_add: # Needed for WireGuard and firewall support. - NET_ADMIN 
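Review bot: The firezone volume moves from `${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/firezone` to `…/firezone/data` while the context comment directly above it states that the WireGuard private key is read from `/var/firezone/private_key` and generated when absent; on an existing deployment the new mount is empty, so the server silently generates a new key and every enrolled peer stops connecting. A migration note, e.g. `# existing installs: move the old firezone/ contents into firezone/data before upgrading`, belongs next to the path change. The new `image: l4rm4nd/firezone` is also untagged and pulls from Docker Hub, whereas the README in this same change runs `ghcr.io/l4rm4nd/firezone:latest` for `bin/gen-env`; the two should name the same image and, given the README's statement that the fork uses versioned tags, ideally a pinned one.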
@@ -45,28 +36,37 @@ services: - net.ipv6.conf.all.forwarding=1 depends_on: - postgres - networks: - - dev + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.firezone_https.rule=Host(`firezone.example.com`) + # - traefik.http.routers.firezone_https.tls=true + # - traefik.http.services.firezone.loadbalancer.server.port=13000 + # #- traefik.http.routers.firezone.middlewares=local-ipwhitelist@file deploy: <<: *default-deploy postgres: - image: postgres:15 + image: postgres:18-alpine container_name: firezone-db + expose: + - 5432 volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/postgres-data:/var/lib/postgresql/data + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/firezone/db:/var/lib/postgresql environment: POSTGRES_DB: ${DATABASE_NAME:-firezone} POSTGRES_USER: ${DATABASE_USER:-postgres} POSTGRES_PASSWORD: ${DATABASE_PASSWORD:?err} - networks: - - dev deploy: <<: *default-deploy update_config: order: stop-first + #networks: + # - proxy -networks: - dev: - external: true +#networks: +# proxy: +# external: true diff --git a/examples/flame/docker-compose.yml b/examples/flame/docker-compose.yml index debd47ecb..4b7843485 100644 --- a/examples/flame/docker-compose.yml +++ b/examples/flame/docker-compose.yml @@ -1,6 +1,5 @@ -version: '3.6' - services: + flame: image: pawelmalak/flame container_name: flame @@ -9,6 +8,8 @@ services: #- /var/run/docker.sock:/var/run/docker.sock # optional but required for Docker integration ports: - 5005:5005 + expose: + - 5005 environment: - PASSWORD=MyStrongLoginPassword restart: unless-stopped diff --git a/examples/flaresolverr/docker-compose.yml b/examples/flaresolverr/docker-compose.yml index c00de3235..02b0ddfe1 100644 --- a/examples/flaresolverr/docker-compose.yml +++ b/examples/flaresolverr/docker-compose.yml 
@@ -1,14 +1,15 @@ -version: '3.3' - services: - flaresolverr: - image: ghcr.io/flaresolverr/flaresolverr:latest - container_name: flaresolverr - ports: - - 8191:8191 - environment: - - LOG_LEVEL=${LOG_LEVEL:-info} - - LOG_HTML=${LOG_HTML:-false} - - CAPTCHA_SOLVER=${CAPTCHA_SOLVER:-none} - - TZ=Europe/Berlin - restart: unless-stopped + + flaresolverr: + image: ghcr.io/flaresolverr/flaresolverr:latest + container_name: flaresolverr + restart: unless-stopped + ports: + - 8191:8191/tcp + expose: + - 8191 + environment: + - LOG_LEVEL=${LOG_LEVEL:-info} + - LOG_HTML=${LOG_HTML:-false} + - CAPTCHA_SOLVER=${CAPTCHA_SOLVER:-none} + - TZ=Europe/Berlin \ No newline at end of file diff --git a/examples/forgejo b/examples/forgejo new file mode 100644 index 000000000..1b722344d --- /dev/null +++ b/examples/forgejo @@ -0,0 +1,3 @@ +# References + +- https://forgejo.org/docs/latest/admin/installation/docker/ diff --git a/examples/forte/docker-compose.yml b/examples/forte/docker-compose.yml index 13dc5e03f..b41c0ddec 100644 --- a/examples/forte/docker-compose.yml +++ b/examples/forte/docker-compose.yml @@ -1,12 +1,13 @@ -version: '3' - services: + app: image: kaangiray26/forte:4.3 container_name: forte restart: on-failure ports: - 3000:3000 + expose: + - 3000 depends_on: postgres: condition: service_healthy @@ -40,6 +41,8 @@ services: image: kaangiray26/postgres:2.0 container_name: forte-db restart: always + expose: + - 5432 environment: POSTGRES_DB: forte # Set Postgres Database Name POSTGRES_USER: forte # Set Postgres Username diff --git a/examples/ghost/docker-compose-rpi-arm.yml b/examples/ghost/docker-compose-rpi-arm.yml index 22b166a29..b2eb04ba2 100644 --- a/examples/ghost/docker-compose-rpi-arm.yml +++ b/examples/ghost/docker-compose-rpi-arm.yml 
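Review bot: The new file is created at `examples/forgejo` (a regular file, `new file mode 100644`) rather than `examples/forgejo/README.md`, which breaks the per-example directory layout every other entry in this change uses (e.g. `examples/grafana/README.md`) and blocks adding a `docker-compose.yml` next to it later. Move the three lines into `examples/forgejo/README.md`.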
@@ -1,12 +1,13 @@ -version: '3.3' - services: + blog: - image: ghost:5 + image: ghost:6 container_name: ghost restart: always ports: - 8080:2368 + expose: + - 2368 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/ghost/content:/var/lib/ghost/content environment: @@ -28,6 +29,7 @@ services: database: image: linuxserver/mariadb container_name: ghost-db + restart: unless-stopped environment: - PUID=1000 - PGID=1000 @@ -36,6 +38,7 @@ services: - MYSQL_DATABASE=${DB_NAME:-ghost} - MYSQL_USER=${DB_USER:-ghost} - MYSQL_PASSWORD=${DB_USER_PASS:-DatabasePassword1234} + expose: + - 3306 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/ghost/mariadb/config:/config - restart: unless-stopped diff --git a/examples/ghost/docker-compose.yml b/examples/ghost/docker-compose.yml index 7ea724d57..a7b49cc86 100644 --- a/examples/ghost/docker-compose.yml +++ b/examples/ghost/docker-compose.yml @@ -1,9 +1,7 @@ -version: '3.3' - services: blog: - image: ghost:5-alpine + image: ghost:6-alpine container_name: ghost restart: always depends_on: @@ -47,7 +45,7 @@ services: database: image: mysql:8 - container_name: ghost_db + container_name: ghost-db restart: always healthcheck: test: ["CMD", 'mysqladmin', 'ping', '-h', 'localhost', '-u', 'root', '-p$$DB_ROOT_PASS' ] diff --git a/examples/gitea/docker-compose.yml b/examples/gitea/docker-compose.yml index e71692e2e..3fea84147 100644 --- a/examples/gitea/docker-compose.yml +++ b/examples/gitea/docker-compose.yml @@ -1,8 +1,9 @@ -version: "3" - services: + gitea: + image: gitea/gitea:latest container_name: gitea + restart: unless-stopped environment: - USER_UID=1000 - USER_GID=1000 @@ -10,8 +11,9 @@ services: ports: - 3000:3000 #webgui - 2222:22 #ssh - image: gitea/gitea:latest - restart: unless-stopped + expose: + - 3000 + - 22 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/gitea/data:/data #networks: diff --git a/examples/gitlab/docker-compose.yml b/examples/gitlab/docker-compose.yml index 910d39751..efd8c672d 100644 
--- a/examples/gitlab/docker-compose.yml +++ b/examples/gitlab/docker-compose.yml @@ -1,9 +1,9 @@ -version: '3.7' services: + gitlab-ce: image: gitlab/gitlab-ce:latest + container_name: gitlab-ce restart: unless-stopped - container_name: gitlab-ce environment: GITLAB_OMNIBUS_CONFIG: | external_url 'http://gitlab.example.com' # please adjust @@ -11,6 +11,10 @@ services: - 8033:80 # HTTP - 8434:443 # HTTPS - 2222:22 # SSH + expose: + - 80 + - 443 + - 22 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/gitlab/config:/etc/gitlab - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/gitlab/logs:/var/log/gitlab diff --git a/examples/gokapi/docker-compose.yml b/examples/gokapi/docker-compose.yml index 15094b71a..1b31e3d5f 100644 --- a/examples/gokapi/docker-compose.yml +++ b/examples/gokapi/docker-compose.yml @@ -1,12 +1,13 @@ -version: "3.7" - services: + gokapi: image: f0rc3/gokapi:latest container_name: gokapi restart: unless-stopped ports: - 53842:53842 + expose: + - 53842 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/gokapi/data:/app/data - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/gokapi/config:/app/config diff --git a/examples/grafana-monitoring/docker-compose.yml b/examples/grafana-monitoring/docker-compose.yml index d4d78e64e..ad2d1ae77 100644 --- a/examples/grafana-monitoring/docker-compose.yml +++ b/examples/grafana-monitoring/docker-compose.yml 
@@ -1,27 +1,28 @@ -version: "2" - services: loki: - image: grafana/loki:2.9.9 - hostname: loki + image: grafana/loki:2.9.17 container_name: loki + hostname: loki volumes: - ./volume-data/loki:/etc/loki # place loki-config.yml + #- ./volume-data/loki/data:/tmp/loki # optional loki data storage ports: - "127.0.0.1:3100:3100" + expose: + - 3100 restart: unless-stopped user: 1000:1000 - command: -config.file=/etc/loki/loki-config.yml + command: -config.file=/etc/loki/loki-config.yml #networks: # - monitoring_default promtail: image: grafana/promtail:latest container_name: promtail + hostname: promtail depends_on: - loki - hostname: promtail volumes: - /var/log:/var/log:ro # let promtail access the docker host's log files - ./volume-data/promtail:/etc/promtail # place promtail-config.yml @@ -32,7 +33,7 @@ services: # - monitoring_default influxdb: - image: influxdb:1.8.10 + image: influxdb:1.12 container_name: influxdb hostname: influxdb restart: unless-stopped 
@@ -46,12 +47,32 @@ services: #networks: # - monitoring_default + #influxdb: + # image: influxdb:2.7 + # container_name: influxdb2 + # restart: unless-stopped + # expose: + # - 8086 + # environment: + # - DOCKER_INFLUXDB_INIT_USERNAME=admin + # - DOCKER_INFLUXDB_INIT_PASSWORD=change-me-1 # <-- change this pw + # - DOCKER_INFLUXDB_INIT_ORG=influx-org + # - DOCKER_INFLUXDB_INIT_BUCKET=influx-bucket + # - DOCKER_INFLUXDB_INIT_RETENTION=30d + # - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN=change-me-2 # <-- change this pw + # - DOCKER_INFLUXDB_INIT_MODE=setup + # volumes: + # - ./volume-data/influxdb2/data:/var/lib/influxdb2 + # - ./volume-data/influxdb2/conf:/etc/influxdb2 + # networks: + # - monitoring_default + telegraf: - image: telegraf:latest - restart: unless-stopped - user: telegraf:$(stat -c '%g' /var/run/docker.sock) # see: https://www.influxdata.com/blog/docker-run-telegraf-as-non-root/ + image: telegraf:1.37 container_name: telegraf hostname: telegraf + restart: unless-stopped + user: telegraf:$(stat -c '%g' /var/run/docker.sock) # see: https://www.influxdata.com/blog/docker-run-telegraf-as-non-root/ dns: - 1.1.1.1 - 8.8.8.8 @@ -74,21 +95,24 @@ services: # - monitoring_default grafana: + image: grafana/grafana:12.3.3 container_name: grafana hostname: grafana + restart: unless-stopped user: 1000:1000 depends_on: - influxdb - loki - promtail - image: grafana/grafana:latest - restart: unless-stopped - #environment: - # - GF_SERVER_ROOT_URL=https://grafana.example.com # optional + environment: + - GF_SERVER_ROOT_URL=https://grafana.example.com # pls change this volumes: - ./volume-data/grafana:/var/lib/grafana + #- ./volume-data/defaults.ini:/etc/grafana/grafana.ini ports: - 3000:3000 + expose: + - 3000 #networks: # - monitoring_default #labels: 
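Review bot: The commented-out InfluxDB 2 block introduced in this hunk reuses the service key `influxdb:` while the v1 `influxdb:` service (`image: influxdb:1.12`) remains defined above it, so uncommenting it as written produces a duplicate mapping key that most YAML loaders resolve silently by last-wins rather than failing; keying it `#influxdb2:` (matching its `container_name: influxdb2`) avoids the trap. The relocated telegraf line `user: telegraf:$(stat -c '%g' /var/run/docker.sock)` is shell command substitution, which compose's `${VAR}` interpolation does not evaluate, so unless the file is pre-processed the literal string reaches the engine; resolving the socket's gid into an `.env` variable (e.g. `user: telegraf:${DOCKER_SOCK_GID}`, name constructed) is the portable form. `DOCKER_INFLUXDB_INIT_ADMIN_TOKEN=change-me-2` in the same block is another placeholder that would be used verbatim if the block is uncommented without editing.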
@@ -99,6 +123,17 @@ services: # # Part for local lan services only # - traefik.http.routers.grafana.middlewares=local-ipwhitelist@file + #prometheus: + # image: prom/prometheus + # container_name: prometheus + # restart: unless-stopped + # expose: + # - 9090 + # volumes: + # - ./volume-data/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml + # #networks: + # # - monitoring_default + #networks: # monitoring_default: # external: true diff --git a/examples/grafana-monitoring/volume-data/loki/loki-config.yml b/examples/grafana-monitoring/volume-data/loki/loki-config.yml index 1179a8bf0..582f3fe2d 100644 --- a/examples/grafana-monitoring/volume-data/loki/loki-config.yml +++ b/examples/grafana-monitoring/volume-data/loki/loki-config.yml @@ -1,9 +1,17 @@ auth_enabled: false +analytics: + reporting_enabled: false + server: http_listen_port: 3100 grpc_listen_port: 9096 +compactor: + working_directory: /tmp/loki/compactor + retention_enabled: true + retention_delete_delay: 2h + common: path_prefix: /tmp/loki storage: @@ -26,10 +34,10 @@ limits_config: schema_config: configs: - - from: 2020-10-24 - store: boltdb-shipper + - from: 2023-07-01 + store: tsdb object_store: filesystem - schema: v11 + schema: v13 index: prefix: index_ period: 24h diff --git a/examples/grafana-monitoring/volume-data/prometheus/prometheus.yml b/examples/grafana-monitoring/volume-data/prometheus/prometheus.yml new file mode 100644 index 000000000..77da1f16b --- /dev/null +++ b/examples/grafana-monitoring/volume-data/prometheus/prometheus.yml @@ -0,0 +1,17 @@ + +# my global config +global: + scrape_interval: 15s + evaluation_interval: 30s + body_size_limit: 15MB + sample_limit: 1500 + target_limit: 30 + label_limit: 30 + label_name_length_limit: 200 + label_value_length_limit: 200 + # scrape_timeout is set to the global default (10s). + +scrape_configs: + - job_name: crowdsec_myMachine + static_configs: + - targets: ["crowdsec:6060"] 
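Review bot: `retention_enabled: true` on the compactor only deletes anything once `limits_config.retention_period` (or a `retention_stream` rule) is set, and the `limits_config` body is outside this hunk, so confirm a period is actually configured — otherwise the new `compactor:` section changes nothing about how long logs are kept. Loki 2.9 also expects `compactor.delete_request_store` (e.g. `filesystem`) when retention is enabled and, as far as I recall, refuses to start without it, so check the container log on first boot. A comment such as `# retention only applies once limits_config.retention_period is set` above `retention_enabled` would make the dependency explicit.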
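Review bot: Replacing the `from: 2020-10-24` boltdb-shipper/v11 period instead of appending a new one makes an existing deployment's index unreadable, because Loki only interprets stored data through the periods listed in `schema_config`. For a running instance keep the old entry and append the tsdb/v13 entry with a `from` date in the future (periods switch at 00:00 UTC of that day); only a fresh install should start with the v13 period alone. Add `# assumes a fresh data directory; existing installs must append a new period instead` above `configs:` so operators upgrading from the old file are not surprised.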
diff --git a/examples/grafana-monitoring/volume-data/telegraf/telegraf.conf b/examples/grafana-monitoring/volume-data/telegraf/telegraf.conf index 227ac9310..f5c61256d 100644 --- a/examples/grafana-monitoring/volume-data/telegraf/telegraf.conf +++ b/examples/grafana-monitoring/volume-data/telegraf/telegraf.conf @@ -51,8 +51,10 @@ timeout = "5s" docker_label_include = [] docker_label_exclude = [] - perdevice = true - total = false + #perdevice = true + perdevice_include = [] + #total = false + total_include = [] [[inputs.cpu]] percpu = true diff --git a/examples/grafana/README.md b/examples/grafana/README.md new file mode 100644 index 000000000..9452ff5ce --- /dev/null +++ b/examples/grafana/README.md @@ -0,0 +1,5 @@ +# References + +- https://github.com/grafana/grafana + +# Notes diff --git a/examples/grafana/docker-compose.yml b/examples/grafana/docker-compose.yml new file mode 100644 index 000000000..0defce82f --- /dev/null +++ b/examples/grafana/docker-compose.yml @@ -0,0 +1,28 @@ +services: + + grafana: + image: grafana/grafana:latest + container_name: grafana + user: 1000:1000 + restart: unless-stopped + environment: + - GF_SERVER_ROOT_URL=https://grafana.example.com # <-- adjust + expose: + - 3000 + ports: + - 3000:3000 + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/grafana:/var/lib/grafana + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.grafana.rule=Host(`grafana.example.com`) + # - traefik.http.services.grafana.loadbalancer.server.port=3000 + # # Optional part for traefik middlewares + # - traefik.http.routers.grafana.middlewares=local-ipwhitelist@file + +#networks: +# proxy: +# external: true diff --git a/examples/gramps/docker-compose.yml b/examples/gramps/docker-compose.yml index 55e644bb1..28ba2c974 100644 --- a/examples/gramps/docker-compose.yml +++ b/examples/gramps/docker-compose.yml @@ -1,5 +1,3 @@ -version: "3.7" - services: grampsweb: 
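Review bot: `image: grafana/grafana:latest` with `ports: - 3000:3000` publishes an unpinned Grafana on all host interfaces while the Traefik labels are commented out, and nothing sets `GF_SECURITY_ADMIN_PASSWORD`, so the default `admin` login is reachable from the network on first start. Pin the tag (the monitoring stack in this same commit pins `12.3.3`), bind to loopback `- "127.0.0.1:3000:3000"` or remove `ports:` when the proxy is used, and pass the admin password as `GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD}` from `.env`. `expose: - 3000` is descriptive metadata only and does not limit which containers can reach the service.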
diff --git a/examples/greenbone/docker-compose.yml b/examples/greenbone/docker-compose.yml index dc2efe912..0c1ae3632 100644 --- a/examples/greenbone/docker-compose.yml +++ b/examples/greenbone/docker-compose.yml @@ -1,7 +1,9 @@ -version: "3" services: + gvm: image: securecompliance/gvm + container_name: gvm + restart: unless-stopped volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/greenbone/database:/opt/database - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/greenbone/gvm:/var/lib/gvm @@ -20,4 +22,7 @@ services: - "9392:9392" # Web interface #- "5432:5432" # Access PostgreSQL database from external tools #- "2222:22" # SSH for remote sensors - restart: unless-stopped + expose: + - 9392 + - 5432 + - 22 \ No newline at end of file diff --git a/examples/guacamole/README.md b/examples/guacamole/README.md index 7ed035f7f..0e2e8991d 100644 --- a/examples/guacamole/README.md +++ b/examples/guacamole/README.md @@ -7,21 +7,13 @@ Before spawning up the Docker Compose stack you have to pre-supply an `initdb.sql` initialization file for the Postgresql database. -The file is provided in this repository but can also be created dynamically via: - -```` -docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgresql > initdb.sql -```` - -Please go ahead and place this init file in the corresponding Docker Volume Bind Mount. +Please go ahead and create this init file in the corresponding Docker Volume bind mount. ```` +# create volume dirs mkdir -p /mnt/docker-volumes/guacamole/psql/init -# Option 1: move init file from this repo to the new location -mv initdb.sql /mnt/docker-volumes/guacamole/psql/init/. - -# Option2: create it dynamically and place it to the new location +# create init file dynamically and place it to the new location docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgresql > /mnt/docker-volumes/guacamole/psql/init/initdb.sql ```` 
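Review bot: The new `expose:` block lists 5432 and 22 although the matching `ports:` entries stay commented; `expose` neither publishes nor restricts anything, so advertising the PostgreSQL and SSH ports here reads as if they were intended to be reachable. Keep `expose` aligned with what the stack actually publishes (`- 9392`) and leave the other two as comments beside the commented `ports` lines. `image: securecompliance/gvm` remains unpinned and the file now ends without a trailing newline (`\ No newline at end of file`); pin a tag as the other services in this commit do and add the newline.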
@@ -34,3 +26,9 @@ docker compose up -d The Guacamole login is available at `http://:8080/guacamole`. The default username is `guacadmin`. The default password is `guacadmin`. + + +> [!TIP] +> You can also access internal hosts somewhere else. Just use gluetun to force guacamole over vpn. +> +> See `docker-compose-gluetun-traefik-authentik-oidc.yml` for an example with wireguard and Authentik OIDC SSO. diff --git a/examples/guacamole/docker-compose-gluetun-traefik-authentik-oidc.yml b/examples/guacamole/docker-compose-gluetun-traefik-authentik-oidc.yml new file mode 100644 index 000000000..13b2e2884 --- /dev/null +++ b/examples/guacamole/docker-compose-gluetun-traefik-authentik-oidc.yml 
@@ -0,0 +1,87 @@ +services: + + guacd: + image: guacamole/guacd + container_name: guacamole-guacd + restart: always + depends_on: + - gluetun + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/guacamole/guacd/drive:/drive:rw + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/guacamole/guacd/record:/record:rw + network_mode: container:gluetun + + postgres: + image: postgres:16-alpine + container_name: guacamole-db + restart: always + depends_on: + - gluetun + environment: + - PGDATA=/var/lib/postgresql/data/guacamole + - POSTGRES_DB=guacamole_db + - POSTGRES_USER=guacamole_user + - POSTGRES_PASSWORD=ChooseYourOwnPasswordHere1234 + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/guacamole/psql/init:/docker-entrypoint-initdb.d:z + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/guacamole/psql/data:/var/lib/postgresql/data:Z + network_mode: container:gluetun + + guacamole: + image: guacamole/guacamole + container_name: guacamole-ui + restart: always + depends_on: + - guacd + - postgres + - gluetun + environment: + - GUACD_HOSTNAME=localhost + - POSTGRESQL_HOSTNAME=localhost + - POSTGRESQL_DATABASE=guacamole_db + - POSTGRESQL_USER=guacamole_user + - POSTGRESQL_PASSWORD=ChooseYourOwnPasswordHere1234 + - OPENID_ENABLED=true + - OPENID_AUTHORIZATION_ENDPOINT=https://authentik.example.com/application/o/authorize/ + - OPENID_JWKS_ENDPOINT=https://authentik.example.com/application/o/guacamole-oidc/jwks/ + - OPENID_ISSUER=https://authentik.example.com/application/o/guacamole-oidc/ + - OPENID_CLIENT_ID= + - OPENID_REDIRECT_URI=https://guacamole.example.com/guacamole + - OPENID_USERNAME_CLAIM_TYPE=preferred_username + - OPENID_SCOPE=openid email profile + network_mode: container:gluetun + + gluetun: + image: qmcgaw/gluetun:latest + container_name: gluetun + cap_add: + - NET_ADMIN + expose: + - 8080 # guacamole + - 5432 # psql guac + environment: + - VPN_SERVICE_PROVIDER=custom + - VPN_TYPE=wireguard + - DNS_ADDRESS=1.1.1.1,1.0.0.1 + - 
WIREGUARD_ENDPOINT_IP=127.0.0.1 # add your wan ipv4 here of wg server + - WIREGUARD_ENDPOINT_PORT=51820 + - WIREGUARD_PUBLIC_KEY='' # add your wg public key here + - WIREGUARD_PRIVATE_KEY='' # add your wg private key here + - WIREGUARD_PRESHARED_KEY='' # add your wg pre-shared key here + - WIREGUARD_ADDRESSES='0.0.0.0/32' # add your client ipv4/ipv6 here + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/gluetun/configs/gluetun:/gluetun + restart: always + networks: + - proxy + labels: + - traefik.enable=true + - traefik.docker.network=proxy + - traefik.http.routers.guacamole.rule=Host(`guacamole.example.com`) && PathPrefix(`/guacamole`) || Host(`guacamole.example.com`) && PathPrefix(`/outpost.goauthentik.io`) + - traefik.http.routers.guacamole.service=guacamole + - traefik.http.services.guacamole.loadbalancer.server.port=8080 + - traefik.http.routers.guacamole.middlewares=authentik@docker + +networks: + proxy: + external: true diff --git a/examples/guacamole/docker-compose.yml b/examples/guacamole/docker-compose.yml index e0c7f3bb8..3ef71ed5d 100644 --- a/examples/guacamole/docker-compose.yml +++ b/examples/guacamole/docker-compose.yml @@ -1,5 +1,3 @@ -version: '2.0' - services: guacd: @@ -13,21 +11,22 @@ services: # - proxy postgres: - image: postgres:15.2-alpine + image: postgres:16-alpine container_name: guacamole-db restart: always + expose: + - 5432 environment: - PGDATA=/var/lib/postgresql/data/guacamole - POSTGRES_DB=guacamole_db - - POSTGRES_PASSWORD=ChooseYourOwnPasswordHere1234 - POSTGRES_USER=guacamole_user + - POSTGRES_PASSWORD=ChooseYourOwnPasswordHere1234 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/guacamole/psql/init:/docker-entrypoint-initdb.d:z - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/guacamole/psql/data:/var/lib/postgresql/data:Z #networks: # - proxy - # guacamole guacamole: image: guacamole/guacamole container_name: guacamole-ui 
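Review bot: The quoted placeholders in gluetun's environment list are passed through literally — Compose does not strip quotes from `- KEY='value'` entries — so `WIREGUARD_ADDRESSES='0.0.0.0/32'` reaches gluetun as the string `'0.0.0.0/32'` including the apostrophes, and a key pasted into `WIREGUARD_PRIVATE_KEY='…'` is rejected for the same reason. Reference `.env` variables instead, which also keeps the WireGuard private/pre-shared keys and the twice-repeated `ChooseYourOwnPasswordHere1234` out of a file that is normally committed. Because postgres runs in gluetun's network namespace it listens on gluetun's interface on the external `proxy` network (the `expose: - 5432 # psql guac` line advertises this), so every container on that network can reach the database with the placeholder password; pinning postgres to `localhost` keeps it reachable for guacamole (`POSTGRESQL_HOSTNAME=localhost`) while hiding it from the proxy network. `OPENID_CLIENT_ID=` is left empty, which silently leaves the OIDC login unusable; a `${GUAC_OIDC_CLIENT_ID}` reference makes the omission visible at `compose config` time.
```yaml
  postgres:
    # … unchanged: image, container_name, restart, depends_on, environment, volumes …
    command: -c listen_addresses=localhost   # shares gluetun's netns: never listen on the proxy network
    network_mode: container:gluetun

  gluetun:
    # … unchanged: image, container_name, cap_add, expose …
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - DNS_ADDRESS=1.1.1.1,1.0.0.1
      - WIREGUARD_ENDPOINT_IP=${WG_ENDPOINT_IP}           # WAN IPv4 of the WireGuard server, from .env
      - WIREGUARD_ENDPOINT_PORT=${WG_ENDPOINT_PORT:-51820}
      - WIREGUARD_PUBLIC_KEY=${WG_PUBLIC_KEY}             # no quotes: Compose passes them through literally
      - WIREGUARD_PRIVATE_KEY=${WG_PRIVATE_KEY}
      - WIREGUARD_PRESHARED_KEY=${WG_PRESHARED_KEY}
      - WIREGUARD_ADDRESSES=${WG_ADDRESSES}               # client address, e.g. 10.8.0.2/32
    # … unchanged: volumes, restart, networks, labels …
```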
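Review bot: `- POSTGRES_PASSWORD=ChooseYourOwnPasswordHere1234` is re-added as a literal that must stay in sync with the copy in the guacamole service further down; a single `${GUAC_DB_PASSWORD}` reference used in both places prevents the two from drifting and moves the value into `.env`. The new `expose: - 5432` is informational only — with `proxy` still commented out the database sits on the default Compose network, reachable by anything else on it, which is acceptable for a single-stack file but worth `# metadata only; not published to the host`. The postgres service definition starts outside this hunk.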
@@ -37,16 +36,16 @@ services: - postgres environment: - GUACD_HOSTNAME=guacd - - POSTGRES_DATABASE=guacamole_db - - POSTGRES_HOSTNAME=postgres - - POSTGRES_PASSWORD=ChooseYourOwnPasswordHere1234 - - POSTGRES_USER=guacamole_user + - POSTGRESQL_HOSTNAME=postgres + - POSTGRESQL_DATABASE=guacamole_db + - POSTGRESQL_USER=guacamole_user + - POSTGRESQL_PASSWORD=ChooseYourOwnPasswordHere1234 links: - guacd ports: # Guacamole is on :8080/guacamole, not /. # Default login is guacadmin:guacadmin - - 8080:8080/tcp + - 8080:8080/tcp expose: - 8080 #networks: diff --git a/examples/guacamole/initdb.sql b/examples/guacamole/initdb.sql deleted file mode 100644 index d9e915983..000000000 --- a/examples/guacamole/initdb.sql +++ /dev/null 
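Review bot: `- 8080:8080/tcp` publishes the Guacamole UI on every host interface, and the comment two lines above states the default login is `guacadmin:guacadmin`, so a freshly started stack is open to the LAN with known credentials until that account is changed. Bind to loopback `- "127.0.0.1:8080:8080/tcp"` or remove `ports:` once the Traefik labels are enabled, and have the README say the default account must be rotated before exposure. `links: - guacd` is legacy Compose v1 syntax; service DNS on the default network already resolves `guacd`, so it can be dropped. The enclosing guacamole service definition starts outside this hunk.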
@@ -1,791 +0,0 @@ --- --- Licensed to the Apache Software Foundation (ASF) under one --- or more contributor license agreements. See the NOTICE file --- distributed with this work for additional information --- regarding copyright ownership. The ASF licenses this file --- to you under the Apache License, Version 2.0 (the --- "License"); you may not use this file except in compliance --- with the License. You may obtain a copy of the License at --- --- http://www.apache.org/licenses/LICENSE-2.0 --- --- Unless required by applicable law or agreed to in writing, --- software distributed under the License is distributed on an --- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY --- KIND, either express or implied. See the License for the --- specific language governing permissions and limitations --- under the License. --- - --- --- Connection group types --- - -CREATE TYPE guacamole_connection_group_type AS ENUM( - 'ORGANIZATIONAL', - 'BALANCING' -); - --- --- Entity types --- - -CREATE TYPE guacamole_entity_type AS ENUM( - 'USER', - 'USER_GROUP' -); - --- --- Object permission types --- - -CREATE TYPE guacamole_object_permission_type AS ENUM( - 'READ', - 'UPDATE', - 'DELETE', - 'ADMINISTER' -); - --- --- System permission types --- - -CREATE TYPE guacamole_system_permission_type AS ENUM( - 'CREATE_CONNECTION', - 'CREATE_CONNECTION_GROUP', - 'CREATE_SHARING_PROFILE', - 'CREATE_USER', - 'CREATE_USER_GROUP', - 'ADMINISTER' -); - --- --- Guacamole proxy (guacd) encryption methods --- - -CREATE TYPE guacamole_proxy_encryption_method AS ENUM( - 'NONE', - 'SSL' -); - --- --- Table of connection groups. Each connection group has a name. 
--- - -CREATE TABLE guacamole_connection_group ( - - connection_group_id serial NOT NULL, - parent_id integer, - connection_group_name varchar(128) NOT NULL, - type guacamole_connection_group_type - NOT NULL DEFAULT 'ORGANIZATIONAL', - - -- Concurrency limits - max_connections integer, - max_connections_per_user integer, - enable_session_affinity boolean NOT NULL DEFAULT FALSE, - - PRIMARY KEY (connection_group_id), - - CONSTRAINT connection_group_name_parent - UNIQUE (connection_group_name, parent_id), - - CONSTRAINT guacamole_connection_group_ibfk_1 - FOREIGN KEY (parent_id) - REFERENCES guacamole_connection_group (connection_group_id) - ON DELETE CASCADE - -); - -CREATE INDEX guacamole_connection_group_parent_id - ON guacamole_connection_group(parent_id); - --- --- Table of connections. Each connection has a name, protocol, and --- associated set of parameters. --- A connection may belong to a connection group. --- - -CREATE TABLE guacamole_connection ( - - connection_id serial NOT NULL, - connection_name varchar(128) NOT NULL, - parent_id integer, - protocol varchar(32) NOT NULL, - - -- Concurrency limits - max_connections integer, - max_connections_per_user integer, - - -- Connection Weight - connection_weight integer, - failover_only boolean NOT NULL DEFAULT FALSE, - - -- Guacamole proxy (guacd) overrides - proxy_port integer, - proxy_hostname varchar(512), - proxy_encryption_method guacamole_proxy_encryption_method, - - PRIMARY KEY (connection_id), - - CONSTRAINT connection_name_parent - UNIQUE (connection_name, parent_id), - - CONSTRAINT guacamole_connection_ibfk_1 - FOREIGN KEY (parent_id) - REFERENCES guacamole_connection_group (connection_group_id) - ON DELETE CASCADE - -); - -CREATE INDEX guacamole_connection_parent_id - ON guacamole_connection(parent_id); - --- --- Table of base entities which may each be either a user or user group. 
Other --- tables which represent qualities shared by both users and groups will point --- to guacamole_entity, while tables which represent qualities specific to --- users or groups will point to guacamole_user or guacamole_user_group. --- - -CREATE TABLE guacamole_entity ( - - entity_id serial NOT NULL, - name varchar(128) NOT NULL, - type guacamole_entity_type NOT NULL, - - PRIMARY KEY (entity_id), - - CONSTRAINT guacamole_entity_name_scope - UNIQUE (type, name) - -); - --- --- Table of users. Each user has a unique username and a hashed password --- with corresponding salt. Although the authentication system will always set --- salted passwords, other systems may set unsalted passwords by simply not --- providing the salt. --- - -CREATE TABLE guacamole_user ( - - user_id serial NOT NULL, - entity_id integer NOT NULL, - - -- Optionally-salted password - password_hash bytea NOT NULL, - password_salt bytea, - password_date timestamptz NOT NULL, - - -- Account disabled/expired status - disabled boolean NOT NULL DEFAULT FALSE, - expired boolean NOT NULL DEFAULT FALSE, - - -- Time-based access restriction - access_window_start time, - access_window_end time, - - -- Date-based access restriction - valid_from date, - valid_until date, - - -- Timezone used for all date/time comparisons and interpretation - timezone varchar(64), - - -- Profile information - full_name varchar(256), - email_address varchar(256), - organization varchar(256), - organizational_role varchar(256), - - PRIMARY KEY (user_id), - - CONSTRAINT guacamole_user_single_entity - UNIQUE (entity_id), - - CONSTRAINT guacamole_user_entity - FOREIGN KEY (entity_id) - REFERENCES guacamole_entity (entity_id) - ON DELETE CASCADE - -); - --- --- Table of user groups. Each user group may have an arbitrary set of member --- users and member groups, with those members inheriting the permissions --- granted to that group. 
--- - -CREATE TABLE guacamole_user_group ( - - user_group_id serial NOT NULL, - entity_id integer NOT NULL, - - -- Group disabled status - disabled boolean NOT NULL DEFAULT FALSE, - - PRIMARY KEY (user_group_id), - - CONSTRAINT guacamole_user_group_single_entity - UNIQUE (entity_id), - - CONSTRAINT guacamole_user_group_entity - FOREIGN KEY (entity_id) - REFERENCES guacamole_entity (entity_id) - ON DELETE CASCADE - -); - --- --- Table of users which are members of given user groups. --- - -CREATE TABLE guacamole_user_group_member ( - - user_group_id integer NOT NULL, - member_entity_id integer NOT NULL, - - PRIMARY KEY (user_group_id, member_entity_id), - - -- Parent must be a user group - CONSTRAINT guacamole_user_group_member_parent - FOREIGN KEY (user_group_id) - REFERENCES guacamole_user_group (user_group_id) ON DELETE CASCADE, - - -- Member may be either a user or a user group (any entity) - CONSTRAINT guacamole_user_group_member_entity - FOREIGN KEY (member_entity_id) - REFERENCES guacamole_entity (entity_id) ON DELETE CASCADE - -); - --- --- Table of sharing profiles. Each sharing profile has a name, associated set --- of parameters, and a primary connection. The primary connection is the --- connection that the sharing profile shares, and the parameters dictate the --- restrictions/features which apply to the user joining the connection via the --- sharing profile. 
--- - -CREATE TABLE guacamole_sharing_profile ( - - sharing_profile_id serial NOT NULL, - sharing_profile_name varchar(128) NOT NULL, - primary_connection_id integer NOT NULL, - - PRIMARY KEY (sharing_profile_id), - - CONSTRAINT sharing_profile_name_primary - UNIQUE (sharing_profile_name, primary_connection_id), - - CONSTRAINT guacamole_sharing_profile_ibfk_1 - FOREIGN KEY (primary_connection_id) - REFERENCES guacamole_connection (connection_id) - ON DELETE CASCADE - -); - -CREATE INDEX guacamole_sharing_profile_primary_connection_id - ON guacamole_sharing_profile(primary_connection_id); - --- --- Table of connection parameters. Each parameter is simply a name/value pair --- associated with a connection. --- - -CREATE TABLE guacamole_connection_parameter ( - - connection_id integer NOT NULL, - parameter_name varchar(128) NOT NULL, - parameter_value varchar(4096) NOT NULL, - - PRIMARY KEY (connection_id,parameter_name), - - CONSTRAINT guacamole_connection_parameter_ibfk_1 - FOREIGN KEY (connection_id) - REFERENCES guacamole_connection (connection_id) ON DELETE CASCADE - -); - -CREATE INDEX guacamole_connection_parameter_connection_id - ON guacamole_connection_parameter(connection_id); - --- --- Table of sharing profile parameters. Each parameter is simply --- name/value pair associated with a sharing profile. These parameters dictate --- the restrictions/features which apply to the user joining the associated --- connection via the sharing profile. 
--- - -CREATE TABLE guacamole_sharing_profile_parameter ( - - sharing_profile_id integer NOT NULL, - parameter_name varchar(128) NOT NULL, - parameter_value varchar(4096) NOT NULL, - - PRIMARY KEY (sharing_profile_id, parameter_name), - - CONSTRAINT guacamole_sharing_profile_parameter_ibfk_1 - FOREIGN KEY (sharing_profile_id) - REFERENCES guacamole_sharing_profile (sharing_profile_id) ON DELETE CASCADE - -); - -CREATE INDEX guacamole_sharing_profile_parameter_sharing_profile_id - ON guacamole_sharing_profile_parameter(sharing_profile_id); - --- --- Table of arbitrary user attributes. Each attribute is simply a name/value --- pair associated with a user. Arbitrary attributes are defined by other --- extensions. Attributes defined by this extension will be mapped to --- properly-typed columns of a specific table. --- - -CREATE TABLE guacamole_user_attribute ( - - user_id integer NOT NULL, - attribute_name varchar(128) NOT NULL, - attribute_value varchar(4096) NOT NULL, - - PRIMARY KEY (user_id, attribute_name), - - CONSTRAINT guacamole_user_attribute_ibfk_1 - FOREIGN KEY (user_id) - REFERENCES guacamole_user (user_id) ON DELETE CASCADE - -); - -CREATE INDEX guacamole_user_attribute_user_id - ON guacamole_user_attribute(user_id); - --- --- Table of arbitrary user group attributes. Each attribute is simply a --- name/value pair associated with a user group. Arbitrary attributes are --- defined by other extensions. Attributes defined by this extension will be --- mapped to properly-typed columns of a specific table. 
--- - -CREATE TABLE guacamole_user_group_attribute ( - - user_group_id integer NOT NULL, - attribute_name varchar(128) NOT NULL, - attribute_value varchar(4096) NOT NULL, - - PRIMARY KEY (user_group_id, attribute_name), - - CONSTRAINT guacamole_user_group_attribute_ibfk_1 - FOREIGN KEY (user_group_id) - REFERENCES guacamole_user_group (user_group_id) ON DELETE CASCADE - -); - -CREATE INDEX guacamole_user_group_attribute_user_group_id - ON guacamole_user_group_attribute(user_group_id); - --- --- Table of arbitrary connection attributes. Each attribute is simply a --- name/value pair associated with a connection. Arbitrary attributes are --- defined by other extensions. Attributes defined by this extension will be --- mapped to properly-typed columns of a specific table. --- - -CREATE TABLE guacamole_connection_attribute ( - - connection_id integer NOT NULL, - attribute_name varchar(128) NOT NULL, - attribute_value varchar(4096) NOT NULL, - - PRIMARY KEY (connection_id, attribute_name), - - CONSTRAINT guacamole_connection_attribute_ibfk_1 - FOREIGN KEY (connection_id) - REFERENCES guacamole_connection (connection_id) ON DELETE CASCADE - -); - -CREATE INDEX guacamole_connection_attribute_connection_id - ON guacamole_connection_attribute(connection_id); - --- --- Table of arbitrary connection group attributes. Each attribute is simply a --- name/value pair associated with a connection group. Arbitrary attributes are --- defined by other extensions. Attributes defined by this extension will be --- mapped to properly-typed columns of a specific table. 
--- - -CREATE TABLE guacamole_connection_group_attribute ( - - connection_group_id integer NOT NULL, - attribute_name varchar(128) NOT NULL, - attribute_value varchar(4096) NOT NULL, - - PRIMARY KEY (connection_group_id, attribute_name), - - CONSTRAINT guacamole_connection_group_attribute_ibfk_1 - FOREIGN KEY (connection_group_id) - REFERENCES guacamole_connection_group (connection_group_id) ON DELETE CASCADE - -); - -CREATE INDEX guacamole_connection_group_attribute_connection_group_id - ON guacamole_connection_group_attribute(connection_group_id); - --- --- Table of arbitrary sharing profile attributes. Each attribute is simply a --- name/value pair associated with a sharing profile. Arbitrary attributes are --- defined by other extensions. Attributes defined by this extension will be --- mapped to properly-typed columns of a specific table. --- - -CREATE TABLE guacamole_sharing_profile_attribute ( - - sharing_profile_id integer NOT NULL, - attribute_name varchar(128) NOT NULL, - attribute_value varchar(4096) NOT NULL, - - PRIMARY KEY (sharing_profile_id, attribute_name), - - CONSTRAINT guacamole_sharing_profile_attribute_ibfk_1 - FOREIGN KEY (sharing_profile_id) - REFERENCES guacamole_sharing_profile (sharing_profile_id) ON DELETE CASCADE - -); - -CREATE INDEX guacamole_sharing_profile_attribute_sharing_profile_id - ON guacamole_sharing_profile_attribute(sharing_profile_id); - --- --- Table of connection permissions. Each connection permission grants a user or --- user group specific access to a connection. 
--- - -CREATE TABLE guacamole_connection_permission ( - - entity_id integer NOT NULL, - connection_id integer NOT NULL, - permission guacamole_object_permission_type NOT NULL, - - PRIMARY KEY (entity_id, connection_id, permission), - - CONSTRAINT guacamole_connection_permission_ibfk_1 - FOREIGN KEY (connection_id) - REFERENCES guacamole_connection (connection_id) ON DELETE CASCADE, - - CONSTRAINT guacamole_connection_permission_entity - FOREIGN KEY (entity_id) - REFERENCES guacamole_entity (entity_id) ON DELETE CASCADE - -); - -CREATE INDEX guacamole_connection_permission_connection_id - ON guacamole_connection_permission(connection_id); - -CREATE INDEX guacamole_connection_permission_entity_id - ON guacamole_connection_permission(entity_id); - --- --- Table of connection group permissions. Each group permission grants a user --- or user group specific access to a connection group. --- - -CREATE TABLE guacamole_connection_group_permission ( - - entity_id integer NOT NULL, - connection_group_id integer NOT NULL, - permission guacamole_object_permission_type NOT NULL, - - PRIMARY KEY (entity_id, connection_group_id, permission), - - CONSTRAINT guacamole_connection_group_permission_ibfk_1 - FOREIGN KEY (connection_group_id) - REFERENCES guacamole_connection_group (connection_group_id) ON DELETE CASCADE, - - CONSTRAINT guacamole_connection_group_permission_entity - FOREIGN KEY (entity_id) - REFERENCES guacamole_entity (entity_id) ON DELETE CASCADE - -); - -CREATE INDEX guacamole_connection_group_permission_connection_group_id - ON guacamole_connection_group_permission(connection_group_id); - -CREATE INDEX guacamole_connection_group_permission_entity_id - ON guacamole_connection_group_permission(entity_id); - --- --- Table of sharing profile permissions. Each sharing profile permission grants --- a user or user group specific access to a sharing profile. 
--- - -CREATE TABLE guacamole_sharing_profile_permission ( - - entity_id integer NOT NULL, - sharing_profile_id integer NOT NULL, - permission guacamole_object_permission_type NOT NULL, - - PRIMARY KEY (entity_id, sharing_profile_id, permission), - - CONSTRAINT guacamole_sharing_profile_permission_ibfk_1 - FOREIGN KEY (sharing_profile_id) - REFERENCES guacamole_sharing_profile (sharing_profile_id) ON DELETE CASCADE, - - CONSTRAINT guacamole_sharing_profile_permission_entity - FOREIGN KEY (entity_id) - REFERENCES guacamole_entity (entity_id) ON DELETE CASCADE - -); - -CREATE INDEX guacamole_sharing_profile_permission_sharing_profile_id - ON guacamole_sharing_profile_permission(sharing_profile_id); - -CREATE INDEX guacamole_sharing_profile_permission_entity_id - ON guacamole_sharing_profile_permission(entity_id); - --- --- Table of system permissions. Each system permission grants a user or user --- group a system-level privilege of some kind. --- - -CREATE TABLE guacamole_system_permission ( - - entity_id integer NOT NULL, - permission guacamole_system_permission_type NOT NULL, - - PRIMARY KEY (entity_id, permission), - - CONSTRAINT guacamole_system_permission_entity - FOREIGN KEY (entity_id) - REFERENCES guacamole_entity (entity_id) ON DELETE CASCADE - -); - -CREATE INDEX guacamole_system_permission_entity_id - ON guacamole_system_permission(entity_id); - --- --- Table of user permissions. Each user permission grants a user or user group --- access to another user (the "affected" user) for a specific type of --- operation. 
--- - -CREATE TABLE guacamole_user_permission ( - - entity_id integer NOT NULL, - affected_user_id integer NOT NULL, - permission guacamole_object_permission_type NOT NULL, - - PRIMARY KEY (entity_id, affected_user_id, permission), - - CONSTRAINT guacamole_user_permission_ibfk_1 - FOREIGN KEY (affected_user_id) - REFERENCES guacamole_user (user_id) ON DELETE CASCADE, - - CONSTRAINT guacamole_user_permission_entity - FOREIGN KEY (entity_id) - REFERENCES guacamole_entity (entity_id) ON DELETE CASCADE - -); - -CREATE INDEX guacamole_user_permission_affected_user_id - ON guacamole_user_permission(affected_user_id); - -CREATE INDEX guacamole_user_permission_entity_id - ON guacamole_user_permission(entity_id); - --- --- Table of user group permissions. Each user group permission grants a user --- or user group access to a another user group (the "affected" user group) for --- a specific type of operation. --- - -CREATE TABLE guacamole_user_group_permission ( - - entity_id integer NOT NULL, - affected_user_group_id integer NOT NULL, - permission guacamole_object_permission_type NOT NULL, - - PRIMARY KEY (entity_id, affected_user_group_id, permission), - - CONSTRAINT guacamole_user_group_permission_affected_user_group - FOREIGN KEY (affected_user_group_id) - REFERENCES guacamole_user_group (user_group_id) ON DELETE CASCADE, - - CONSTRAINT guacamole_user_group_permission_entity - FOREIGN KEY (entity_id) - REFERENCES guacamole_entity (entity_id) ON DELETE CASCADE - -); - -CREATE INDEX guacamole_user_group_permission_affected_user_group_id - ON guacamole_user_group_permission(affected_user_group_id); - -CREATE INDEX guacamole_user_group_permission_entity_id - ON guacamole_user_group_permission(entity_id); - --- --- Table of connection history records. Each record defines a specific user's --- session, including the connection used, the start time, and the end time --- (if any). 
--- - -CREATE TABLE guacamole_connection_history ( - - history_id serial NOT NULL, - user_id integer DEFAULT NULL, - username varchar(128) NOT NULL, - remote_host varchar(256) DEFAULT NULL, - connection_id integer DEFAULT NULL, - connection_name varchar(128) NOT NULL, - sharing_profile_id integer DEFAULT NULL, - sharing_profile_name varchar(128) DEFAULT NULL, - start_date timestamptz NOT NULL, - end_date timestamptz DEFAULT NULL, - - PRIMARY KEY (history_id), - - CONSTRAINT guacamole_connection_history_ibfk_1 - FOREIGN KEY (user_id) - REFERENCES guacamole_user (user_id) ON DELETE SET NULL, - - CONSTRAINT guacamole_connection_history_ibfk_2 - FOREIGN KEY (connection_id) - REFERENCES guacamole_connection (connection_id) ON DELETE SET NULL, - - CONSTRAINT guacamole_connection_history_ibfk_3 - FOREIGN KEY (sharing_profile_id) - REFERENCES guacamole_sharing_profile (sharing_profile_id) ON DELETE SET NULL - -); - -CREATE INDEX guacamole_connection_history_user_id - ON guacamole_connection_history(user_id); - -CREATE INDEX guacamole_connection_history_connection_id - ON guacamole_connection_history(connection_id); - -CREATE INDEX guacamole_connection_history_sharing_profile_id - ON guacamole_connection_history(sharing_profile_id); - -CREATE INDEX guacamole_connection_history_start_date - ON guacamole_connection_history(start_date); - -CREATE INDEX guacamole_connection_history_end_date - ON guacamole_connection_history(end_date); - -CREATE INDEX guacamole_connection_history_connection_id_start_date - ON guacamole_connection_history(connection_id, start_date); - --- --- User login/logout history --- - -CREATE TABLE guacamole_user_history ( - - history_id serial NOT NULL, - user_id integer DEFAULT NULL, - username varchar(128) NOT NULL, - remote_host varchar(256) DEFAULT NULL, - start_date timestamptz NOT NULL, - end_date timestamptz DEFAULT NULL, - - PRIMARY KEY (history_id), - - CONSTRAINT guacamole_user_history_ibfk_1 - FOREIGN KEY (user_id) - REFERENCES guacamole_user 
(user_id) ON DELETE SET NULL - -); - -CREATE INDEX guacamole_user_history_user_id - ON guacamole_user_history(user_id); - -CREATE INDEX guacamole_user_history_start_date - ON guacamole_user_history(start_date); - -CREATE INDEX guacamole_user_history_end_date - ON guacamole_user_history(end_date); - -CREATE INDEX guacamole_user_history_user_id_start_date - ON guacamole_user_history(user_id, start_date); - --- --- User password history --- - -CREATE TABLE guacamole_user_password_history ( - - password_history_id serial NOT NULL, - user_id integer NOT NULL, - - -- Salted password - password_hash bytea NOT NULL, - password_salt bytea, - password_date timestamptz NOT NULL, - - PRIMARY KEY (password_history_id), - - CONSTRAINT guacamole_user_password_history_ibfk_1 - FOREIGN KEY (user_id) - REFERENCES guacamole_user (user_id) ON DELETE CASCADE - -); - -CREATE INDEX guacamole_user_password_history_user_id - ON guacamole_user_password_history(user_id); - --- --- Licensed to the Apache Software Foundation (ASF) under one --- or more contributor license agreements. See the NOTICE file --- distributed with this work for additional information --- regarding copyright ownership. The ASF licenses this file --- to you under the Apache License, Version 2.0 (the --- "License"); you may not use this file except in compliance --- with the License. You may obtain a copy of the License at --- --- http://www.apache.org/licenses/LICENSE-2.0 --- --- Unless required by applicable law or agreed to in writing, --- software distributed under the License is distributed on an --- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY --- KIND, either express or implied. See the License for the --- specific language governing permissions and limitations --- under the License. 
--- - --- Create default user "guacadmin" with password "guacadmin" -INSERT INTO guacamole_entity (name, type) VALUES ('guacadmin', 'USER'); -INSERT INTO guacamole_user (entity_id, password_hash, password_salt, password_date) -SELECT - entity_id, - decode('CA458A7D494E3BE824F5E1E175A1556C0F8EEF2C2D7DF3633BEC4A29C4411960', 'hex'), -- 'guacadmin' - decode('FE24ADC5E11E2B25288D1704ABE67A79E342ECC26064CE69C5B3177795A82264', 'hex'), - CURRENT_TIMESTAMP -FROM guacamole_entity WHERE name = 'guacadmin' AND guacamole_entity.type = 'USER'; - --- Grant this user all system permissions -INSERT INTO guacamole_system_permission (entity_id, permission) -SELECT entity_id, permission::guacamole_system_permission_type -FROM ( - VALUES - ('guacadmin', 'CREATE_CONNECTION'), - ('guacadmin', 'CREATE_CONNECTION_GROUP'), - ('guacadmin', 'CREATE_SHARING_PROFILE'), - ('guacadmin', 'CREATE_USER'), - ('guacadmin', 'CREATE_USER_GROUP'), - ('guacadmin', 'ADMINISTER') -) permissions (username, permission) -JOIN guacamole_entity ON permissions.username = guacamole_entity.name AND guacamole_entity.type = 'USER'; - --- Grant admin permission to read/update/administer self -INSERT INTO guacamole_user_permission (entity_id, affected_user_id, permission) -SELECT guacamole_entity.entity_id, guacamole_user.user_id, permission::guacamole_object_permission_type -FROM ( - VALUES - ('guacadmin', 'guacadmin', 'READ'), - ('guacadmin', 'guacadmin', 'UPDATE'), - ('guacadmin', 'guacadmin', 'ADMINISTER') -) permissions (username, affected_username, permission) -JOIN guacamole_entity ON permissions.username = guacamole_entity.name AND guacamole_entity.type = 'USER' -JOIN guacamole_entity affected ON permissions.affected_username = affected.name AND guacamole_entity.type = 'USER' -JOIN guacamole_user ON guacamole_user.entity_id = affected.entity_id; diff --git a/examples/gzctf/README.md b/examples/gzctf/README.md new file mode 100644 index 000000000..0e76b1b80 --- /dev/null +++ b/examples/gzctf/README.md 
@@ -0,0 +1,15 @@ +# References + +- https://gzctf.gzti.me/guide/start/quick-start.html +- https://github.com/GZTimeWalker/GZCTF +- https://github.com/l4rm4nd/GZCTF-Cloner + +# Notes + +You have to pre-supply the `appsettings.json` in the bind mount volume dir. + +```` +sudo mkdir -p /mnt/docker-volumes/gzctf/config +sudo chmod -R 775 /mnt/docker-volumes/gzctf/config +cp appsettings.json /mnt/docker-volumes/gzctf/config/. +```` diff --git a/examples/gzctf/appsettings.json b/examples/gzctf/appsettings.json new file mode 100644 index 000000000..6300c0bd3 --- /dev/null +++ b/examples/gzctf/appsettings.json @@ -0,0 +1,46 @@ +{ + "AllowedHosts": "*", + "ConnectionStrings": { + "Database": "Host=db:5432;Database=gzctf;Username=postgres;Password=secure-gzctf-db-password", + "RedisCache": "cache:6379,abortConnect=false" + }, + "EmailConfig": { + "SenderAddress": "", + "SenderName": "", + "UserName": "", + "Password": "", + "Smtp": { + "Host": "localhost", + "Port": 587 + } + }, + "XorKey": "", + "ContainerProvider": { + "Type": "Docker", // or "Kubernetes" + "PortMappingType": "Default", // or "PlatformProxy" + "EnableTrafficCapture": false, + "PublicEntry": "ctf.example.com", // or "xxx.xxx.xxx.xxx" + // optional + "DockerConfig": { + "SwarmMode": false, + "Uri": "unix:///var/run/docker.sock" + } + }, + "CaptchaConfig": { + "Provider": "None", // or "CloudflareTurnstile" or "HashPow" + "SiteKey": "", + "SecretKey": "" + }, + "Registries": { + "ghcr.io": { + "UserName": "your-username", + "Password": "ghp_..." + } + }, + "ForwardedOptions": { + "ForwardedHeaders": 7, + "ForwardLimit": 1, + "TrustedNetworks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] + } +} + diff --git a/examples/gzctf/docker-compose.yml b/examples/gzctf/docker-compose.yml new file mode 100644 index 000000000..94d556296 --- /dev/null +++ b/examples/gzctf/docker-compose.yml 
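Review bot: `"AllowedHosts": "*"` together with `"TrustedNetworks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]` lets any host on the private ranges, every other container included, spoof `X-Forwarded-For`/`X-Forwarded-Proto` to the app, since `"ForwardedHeaders": 7` enables all three forwarded headers; narrow `TrustedNetworks` to the reverse proxy's subnet and set `AllowedHosts` to the public entry hostname. `"Password": "ghp_..."` under `Registries` is a placeholder for a long-lived GitHub token in a file the README copies onto a directory it `chmod -R 775`s, so a comment that this must be a read-only, package-scoped token and that the file should not be group-writable would help. `"XorKey": ""` is left empty; the GZCTF docs describe it as the key used to encrypt private data stored in the database, so it should presumably be a random string — confirm against the upstream quick-start. The `Password=secure-gzctf-db-password` in `ConnectionStrings.Database` has to match `POSTGRES_PASSWORD` in the compose file, so both should be marked to change together.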
@@ -0,0 +1,58 @@ +services: + + gzctf: + image: gztime/gzctf:latest + container_name: gzctf-app + restart: always + environment: + - GZCTF_ADMIN_PASSWORD=My-Secure-Password5 + - LC_ALL=de-DE.UTF-8 + expose: + - 8080 + ports: + - "8888:8080" + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/gzctf/data/files:/app/files + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/gzctf/config/appsettings.json:/app/appsettings.json:ro + - /var/run/docker.sock:/var/run/docker.sock + depends_on: + - db + #networks: + # - internal + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.ctf.rule=Host(`ctf.example.com`) + # - traefik.http.services.ctf.loadbalancer.server.port=8080 + # # Optional part for traefik middlewares + # - traefik.http.routers.ctf.middlewares=authentik@docker + + db: + image: docker.io/library/postgres:16-alpine + container_name: gzctf-db + restart: always + environment: + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=secure-gzctf-db-password + - POSTGRES_DB=gzctf + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/gzctf/data/db:/var/lib/postgresql/data + #networks: + # - internal + + cache: + image: ghcr.io/microsoft/garnet-alpine:latest + container_name: gzctf-cache + expose: + - 6379 + command: ["--bind", "0.0.0.0"] + restart: always + #networks: + # - internal + +#networks: +# internal: +# internal: true +# proxy: +# external: true diff --git a/examples/headscale/docker-compose.yml b/examples/headscale/docker-compose.yml index a26b391b9..6aec55d3c 100644 --- a/examples/headscale/docker-compose.yml +++ b/examples/headscale/docker-compose.yml @@ -1,10 +1,9 @@ -version: '3.9' - services: + headscale: - image: headscale/headscale:0.22 + image: headscale/headscale:v0.28 + container_name: headscale pull_policy: always - container_name: headscale restart: unless-stopped command: headscale serve expose: 
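Review bot: The bind mount `- /var/run/docker.sock:/var/run/docker.sock` gives gzctf-app root-equivalent control of the host, and the same container is published on every interface via `- "8888:8080"` while running a platform that by design spawns containers on behalf of untrusted users. GZCTF needs the socket for `ContainerProvider.Type: Docker`, so it cannot simply be removed, but the example should say so and point at the mitigations: a docker-socket-proxy exposing only the needed endpoints, or a dedicated challenge Docker host selected through `DockerConfig.Uri` in appsettings.json. Suggested comment on that line: `# required by ContainerProvider=Docker; grants host-root-equivalent access — prefer a socket proxy or a separate challenge host`. `GZCTF_ADMIN_PASSWORD=My-Secure-Password5` is a literal that will be used verbatim and deserves a `# CHANGEME` marker like the other examples. The garnet `cache` runs without authentication, so the commented `internal` network should be enabled together with the Traefik labels rather than left on the default network.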
@@ -18,16 +17,17 @@ services: - traefik.enable=true - traefik.http.routers.headscale-rtr.rule=Host(`headscale.example.com`) && PathPrefix(`/`) - traefik.http.services.headscale-svc.loadbalancer.server.port=8080 + - traefik.http.routers.headscale-rtr.middlewares=limit-headscale # Optional part for file upload max sizes - - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads - - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads + - traefik.http.middlewares.limit-headscale.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads + - traefik.http.middlewares.limit-headscale.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads + - traefik.http.middlewares.limit-headscale.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads + - traefik.http.middlewares.limit-headscale.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads headscale-ui: image: ghcr.io/gurucomputing/headscale-ui:latest + container_name: headscale-ui pull_policy: always - container_name: headscale-ui networks: - proxy restart: unless-stopped 
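Review bot: `traefik.http.routers.headscale-rtr.middlewares=limit-headscale` now attaches the buffering middleware unconditionally while the four `limit-headscale.buffering.*` lines right below it are still described as "optional, only necessary for enabled file uploads"; headscale has no file uploads. Traefik's buffering middleware reads the whole request and response into memory before forwarding, which is likely to interfere with headscale's long-lived streaming map responses to nodes — worth verifying with a real node before shipping this. I would comment the `middlewares=` line out, as the skeleton template does, or drop the buffering block from this example entirely.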
@@ -41,11 +41,6 @@ services: - traefik.http.services.headscale-ui-svc.loadbalancer.server.port=80 # Optional part for traefik middlewares; protect the headscale ui interface; access from local lan only - traefik.http.routers.headscale-ui-rtr.middlewares=local-ipwhitelist@file - # Optional part for file upload max sizes - - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads - - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads networks: proxy: diff --git a/examples/hedgedoc/docker-compose.yml b/examples/hedgedoc/docker-compose.yml index 162323291..90b3d3951 100644 --- a/examples/hedgedoc/docker-compose.yml +++ b/examples/hedgedoc/docker-compose.yml 
@@ -1,38 +1,55 @@ -version: '3' - services: database: - image: postgres:13.4-alpine + image: postgres:16-alpine container_name: hedgedoc-db + restart: always + expose: + - 5432 environment: - POSTGRES_USER=hedgedoc - POSTGRES_PASSWORD=password - POSTGRES_DB=hedgedoc volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/hedgedoc/database:/var/lib/postgresql/data - restart: always #networks: # - proxy app: - image: quay.io/hedgedoc/hedgedoc:1.9.9 + image: quay.io/hedgedoc/hedgedoc:1.10.6 container_name: hedgedoc-app + restart: always environment: - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc - CMD_DOMAIN=collab.example.com - CMD_URL_ADDPORT=false - CMD_PROTOCOL_USESSL=true + - CMD_SESSION_LIFE=1209600000 # 14 days default - CMD_SESSION_SECRET="discolor-subtitle-seducing-result-ceramics" # define secret - - CMD_ALLOW_EMAIL_REGISTER="false" # disallow registration - CMD_EMAIL="false" # disallow login; only guest notes + - CMD_ALLOW_EMAIL_REGISTER="false" # disallow registration + - CMD_ALLOW_ANONYMOUS=false + - CMD_ALLOW_ANONYMOUS_EDITS=False + - CMD_DEFAULT_PERMISSION=locked + # ------- OAUTH SSO ------- + # see https://docs.goauthentik.io/integrations/services/hedgedoc/ + #- CMD_ALLOW_ANONYMOUS_EDITS=False + #- CMD_OAUTH2_USER_PROFILE_URL=https://authentik.example.com/application/o/userinfo/ + #- CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username + #- CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name + #- CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email + #- CMD_OAUTH2_TOKEN_URL=https://authentik.example.com/application/o/token/ + #- CMD_OAUTH2_AUTHORIZATION_URL=https://authentik.example.com/application/o/authorize/ + #- CMD_OAUTH2_CLIENT_ID= + #- CMD_OAUTH2_CLIENT_SECRET= + #- CMD_OAUTH2_PROVIDERNAME=Authentik + #- CMD_OAUTH2_SCOPE=openid email profile volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/hedgedoc/uploads:/hedgedoc/public/uploads ports: - 3000:3000/tcp expose: - 3000 - restart: always depends_on: - database #networks: 
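Review bot: In list-form `environment:` Compose passes each entry verbatim, so `- CMD_SESSION_SECRET="discolor-subtitle-seducing-result-ceramics"` hands HedgeDoc a secret that begins and ends with a literal double quote, and `CMD_EMAIL="false"` / `CMD_ALLOW_EMAIL_REGISTER="false"` arrive as the string `"false"` including quotes — HedgeDoc presumably treats anything other than `true` as false, so these happen to work, but the quotes should go: `- CMD_SESSION_SECRET=discolor-subtitle-seducing-result-ceramics # CHANGEME`. `POSTGRES_PASSWORD=password` and the matching `CMD_DB_URL=postgres://hedgedoc:password@...` are copy-pasteable defaults and deserve the same marker. Separately, `postgres:13.4-alpine` → `postgres:16-alpine` is a major-version jump; an existing data directory under `hedgedoc/database` will not start on 16 without a dump/restore or pg_upgrade, which nothing in the example mentions.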
diff --git a/examples/heimdall/docker-compose.yml b/examples/heimdall/docker-compose.yml index 3e104e928..d83e8cf12 100644 --- a/examples/heimdall/docker-compose.yml +++ b/examples/heimdall/docker-compose.yml @@ -1,6 +1,5 @@ -version: "3" - services: + heimdall: image: linuxserver/heimdall:latest container_name: heimdall @@ -11,6 +10,8 @@ services: - TZ=Europe/Berlin ports: - 8099:80 + expose: + - 80 restart: unless-stopped volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/heimdall:/config diff --git a/examples/hemmelig/docker-compose.yml b/examples/hemmelig/docker-compose.yml index b7d61cb9e..3d9154b3b 100644 --- a/examples/hemmelig/docker-compose.yml +++ b/examples/hemmelig/docker-compose.yml @@ -1,4 +1,5 @@ services: + hemmelig: image: hemmeligapp/hemmelig:latest container_name: hemmelig @@ -19,12 +20,16 @@ services: - SECRET_MAX_TEXT_SIZE=256 # The max text size for the secret. Is set in kb. i.e. 256 for 256kb ports: - "3000:3000" + expose: + - 3000 restart: always stop_grace_period: 1m healthcheck: test: "wget -O /dev/null localhost:3000 || exit 1" timeout: 5s retries: 1 + #networks: + # - proxy #labels: # - traefik.enable=true # - traefik.http.routers.hemmelig.rule=Host(`hemmelig.example.com`) @@ -32,3 +37,7 @@ services: # - traefik.docker.network=proxy # # Part for optional traefik middlewares # - traefik.http.routers.hemmelig.middlewares=local-ipwhitelist@file,basic-auth@file + +#networks: +# proxy: +# external: true \ No newline at end of file diff --git a/examples/homarr/docker-compose.yml b/examples/homarr/docker-compose.yml index d515c8584..ef73b0782 100644 --- a/examples/homarr/docker-compose.yml +++ b/examples/homarr/docker-compose.yml @@ -1,8 +1,8 @@ -version: '3' services: + homarr: + image: ghcr.io/ajnart/homarr:latest container_name: homarr - image: ghcr.io/ajnart/homarr:latest restart: unless-stopped environment: - PASSWORD=MySecureLoginPassword 
@@ -12,3 +12,5 @@ services: #- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/homarr/icons:/app/public/icons # optional for custom icons ports: - '7575:7575' + expose: + - 7575 diff --git a/examples/home-assistant/docker-compose.yml b/examples/home-assistant/docker-compose.yml index 507d5a244..06b62540a 100644 --- a/examples/home-assistant/docker-compose.yml +++ b/examples/home-assistant/docker-compose.yml @@ -1,10 +1,13 @@ ---- -version: "2.1" services: + homeassistant: image: linuxserver/homeassistant:latest container_name: homeassistant network_mode: host + cap_add: + - NET_ADMIN + - NET_RAW + restart: unless-stopped environment: - PUID=1000 - PGID=1000 @@ -12,7 +15,11 @@ services: volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/homeassistant/config:/config #ports: - # - 8123:8123 #optional + # - 8123:8123 # optional if host network is used #devices: # - /path/to/device:/path/to/device #optional - restart: unless-stopped + deploy: + resources: + limits: + cpus: '0.5' + memory: 500M \ No newline at end of file diff --git a/examples/homepage/docker-compose.yml b/examples/homepage/docker-compose.yml index 35b1b783e..2e119e604 100644 --- a/examples/homepage/docker-compose.yml +++ b/examples/homepage/docker-compose.yml 
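Review bot: `cap_add: - NET_ADMIN - NET_RAW` combined with the existing `network_mode: host` grants those capabilities in the host's own network namespace, so the container can rewrite host routes and iptables rules and open raw sockets on every host interface, and nothing in the hunk says which Home Assistant integration requires them. Add a comment naming the reason, e.g. `# NET_ADMIN/NET_RAW: only for integrations that ping or sniff the LAN — remove if unused`, so users without that need can drop them. The `deploy.resources.limits` of `cpus: '0.5'` / `memory: 500M` in the second hunk is tight for Home Assistant and with `restart: unless-stopped` may turn into an OOM restart loop — presumably intentional, but worth a comment as well.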
@@ -1,18 +1,23 @@ -version: "3.3" services: + homepage: image: ghcr.io/gethomepage/homepage:latest container_name: homepage restart: unless-stopped ports: - 3000:3000 + expose: + - 3000 environment: - PUID=1000 - PGID=1000 + - HOMEPAGE_ALLOWED_HOSTS=home.example.com # add your FQDN here volumes: + #- /var/run/docker.sock:/var/run/docker.sock:ro # (optional) For docker integrations - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/homepage/config:/app/config # Make sure your local config directory exists - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/homepage/icons:/app/public/icons - # - /var/run/docker.sock:/var/run/docker.sock:ro # (optional) For docker integrations + #networks: + # - proxy #labels: # - traefik.enable=true # - traefik.http.routers.homepage.rule=Host(`home.example.com`) @@ -20,3 +25,7 @@ services: # - traefik.docker.network=proxy # # Part for local lan services only # - traefik.http.routers.homepage.middlewares=local-ipwhitelist@file + +#networks: +# proxy: +# external: true diff --git a/examples/homer/docker-compose.yml b/examples/homer/docker-compose.yml index acc2ee536..340c544b1 100644 --- a/examples/homer/docker-compose.yml +++ b/examples/homer/docker-compose.yml @@ -1,6 +1,5 @@ -version: '3.6' - services: + homer: image: b4bz/homer:latest container_name: homer @@ -8,6 +7,8 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/homer:/www/assets ports: - "8080:8080" + expose: + - 8080 restart: unless-stopped environment: - UID=1000 diff --git a/examples/immich/.env b/examples/immich/.env index 12d657e6a..72a3116ae 100644 --- a/examples/immich/.env +++ b/examples/immich/.env @@ -1,5 +1,5 @@ # Versioning -IMMICH_VERSION=v1.109.2 +IMMICH_VERSION=v2.5.6 # Database DB_HOSTNAME=immich-database @@ -13,6 +13,3 @@ REDIS_HOSTNAME=immich-redis # Upload File Config UPLOAD_LOCATION=/mnt/docker-volumes/immich/uploads # change this - -# JWT SECRET -JWT_SECRET=9C9E6EE5B56F137D2123123123123 # change this to a secure random secret 
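Review bot: `HOMEPAGE_ALLOWED_HOSTS=home.example.com` is a good host-header check to add, but with `ports: - 3000:3000` still published the direct `http://<host>:3000` access this example also offers will be rejected unless that host:port is listed too; the variable takes a comma-separated list, so the comment could read `# add your FQDN here; comma-separated, include host:3000 if accessed directly`. Keeping the `/var/run/docker.sock` mount commented and `:ro` is the right default, though the comment should say that even read-only socket access reveals every container's environment (including secrets) via the Docker API.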
diff --git a/examples/immich/README.md b/examples/immich/README.md index 03f9530ee..40c28d4f6 100644 --- a/examples/immich/README.md +++ b/examples/immich/README.md @@ -1,3 +1,4 @@ # References - https://github.com/immich-app/immich +- https://blog.lrvt.de/configuring-authelia-oidc-for-immich/ diff --git a/examples/immich/docker-compose.yml b/examples/immich/docker-compose.yml index e70950bf1..75b225c4d 100644 --- a/examples/immich/docker-compose.yml +++ b/examples/immich/docker-compose.yml @@ -1,9 +1,8 @@ -version: "3.8" - services: + immich-server: - container_name: immich-server - image: altran1502/immich-server:${IMMICH_VERSION:-release} + image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release} + container_name: immich-server volumes: - ${UPLOAD_LOCATION}:/usr/src/app/upload - /etc/localtime:/etc/localtime:ro 
@@ -12,31 +11,27 @@ services: environment: - NODE_ENV=production ports: - - 2283:3001 + - 2283:2283 expose: - - 3001 + - 2283 depends_on: - immich-redis - immich-database restart: unless-stopped - #networks: - # - proxy + networks: + - proxy + - immich-internal #labels: - # - traefik.enable=false + # - traefik.enable=true # - traefik.http.routers.immich.rule=Host(`immich.example.com`) - # - traefik.http.services.immich.loadbalancer.server.port=3001 + # - traefik.http.services.immich.loadbalancer.server.port=2283 # - traefik.docker.network=proxy - # # Optional part for file upload max sizes - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=5000000000 # optional, only necessary for file uploads; allow 5000MB - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=5000000000 # optional, only necessary for file uploads; allow 5000MB - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=5000000000 # optional, only necessary for file uploads; allow 5000MB - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=5000000000 # optional, only necessary for file uploads; allow 5000MB # # Part for local lan services only - # - traefik.http.routers.immich.middlewares=local-ipwhitelist@file - # - "com.centurylinklabs.watchtower.enable=true" + # - traefik.http.routers.immich-swagger.rule=Host(`immich.example.com`) && PathPrefix(`/doc`) + # - traefik.http.routers.immich-swagger.middlewares=local-ipwhitelist@file immich-machine-learning: - image: altran1502/immich-machine-learning:${IMMICH_VERSION:-release} + image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release} container_name: immich-ml volumes: - ${UPLOAD_LOCATION}:/usr/src/app/upload 
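Review bot: `- 2283:2283` under `ports:` publishes Immich on every host interface, so the `local-ipwhitelist@file` middleware on the new `immich-swagger` router (and any middleware on the `immich` router) can be bypassed by requesting `http://<host>:2283/doc` directly. Now that `networks: - proxy` is active rather than commented out, either remove the `ports:` entry — Traefik reaches the container over the `proxy` network via `loadbalancer.server.port=2283` — or bind it to loopback with `- 127.0.0.1:2283:2283` for as long as the labels stay commented. The swagger router defines no `service`, which Traefik tolerates only because the container exposes a single service; a short comment would save a debugging round if a second service label is ever added.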
@@ -46,41 +41,41 @@ services: environment: - NODE_ENV=production restart: unless-stopped - #labels: - # - "com.centurylinklabs.watchtower.enable=true" - #networks: - # - proxy + networks: + - proxy # machine learning requires internet connecting for model download + - immich-internal immich-redis: + image: docker.io/valkey/valkey:9@sha256:3eeb09785cd61ec8e3be35f8804c8892080f3ca21934d628abc24ee4ed1698f6 container_name: immich-redis - image: redis:6.2-alpine restart: unless-stopped - #labels: - # - "com.centurylinklabs.watchtower.enable=true" - #networks: - # - proxy + healthcheck: + test: redis-cli ping || exit 1 + networks: + - immich-internal immich-database: + image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23 container_name: immich-database - image: tensorchord/pgvecto-rs:pg14-v0.2.0 env_file: - .env environment: POSTGRES_PASSWORD: ${DB_PASSWORD} POSTGRES_USER: ${DB_USERNAME} POSTGRES_DB: ${DB_DATABASE_NAME} + POSTGRES_INITDB_ARGS: '--data-checksums' PG_DATA: /var/lib/postgresql/data volumes: - ${DB_DATABASE_LOCATION}:/var/lib/postgresql/data restart: unless-stopped - #labels: - # - "com.centurylinklabs.watchtower.enable=true" - #networks: - # - proxy + networks: + - immich-internal volumes: model-cache: -#networks: -# proxy: -# external: true +networks: + proxy: + external: true + immich-internal: + internal: true diff --git a/examples/ipsec-vpn-server/docker-compose.yml b/examples/ipsec-vpn-server/docker-compose.yml index 47bc6b179..3ea343c9c 100644 --- a/examples/ipsec-vpn-server/docker-compose.yml +++ b/examples/ipsec-vpn-server/docker-compose.yml 
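Review bot: The `healthcheck: test: redis-cli ping || exit 1` added to immich-redis only gates startup if immich-server's `depends_on` uses `condition: service_healthy`; the plain list form shown in the previous hunk waits for container start only, so as written the check does not affect ordering. immich-database gets no healthcheck at all, although it is the dependency migrations actually wait on. Pinning both images by digest (`valkey:9@sha256:…`, `postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:…`) is a good supply-chain step. `POSTGRES_INITDB_ARGS: '--data-checksums'` applies only to a fresh initdb, and the switch from `tensorchord/pgvecto-rs` to the VectorChord-based image presumably needs the upstream migration steps for existing databases — confirm and note it in the immich README.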
@@ -1,10 +1,9 @@ -version: '3' - services: + vpn: image: hwdsl2/ipsec-vpn-server + container_name: ipsec-vpn-server hostname: ipsec-vpn-server - container_name: ipsec-vpn-server environment: #- VPN_IPSEC_PSK=3gAW0sDYI2ARSMQIQRa2xpIHb42JS+ImsiHdf3jbTl8 # set a secure psk; e.g. via `openssl rand -base64 32`; only necessary if not IKEv2 only #- VPN_USER=vpn # define your vpn username; only necessary if not IKEv2 only @@ -25,6 +24,9 @@ services: ports: - "500:500/udp" - "4500:4500/udp" + expose: + - 500 + - 4500 privileged: true volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/ipsec-vpn-server/data:/etc/ipsec.d # required to enable IKEv2 diff --git a/examples/it-tools/docker-compose.yml b/examples/it-tools/docker-compose.yml index f9ac2987f..c0a945ec1 100644 --- a/examples/it-tools/docker-compose.yml +++ b/examples/it-tools/docker-compose.yml @@ -1,6 +1,5 @@ -version: '3.3' - services: + it-tools: image: corentinth/it-tools container_name: it-tools @@ -8,6 +7,8 @@ services: restart: unless-stopped ports: - 8080:80/tcp + expose: + - 80 #networks: # - proxy # or use dev for testing purposes #labels: diff --git a/examples/jackett/docker-compose.yml b/examples/jackett/docker-compose.yml index 874bfece6..f36ef034c 100644 --- a/examples/jackett/docker-compose.yml +++ b/examples/jackett/docker-compose.yml @@ -1,6 +1,5 @@ -version: "2.1" - services: + jackett: image: lscr.io/linuxserver/jackett:latest container_name: jackett @@ -14,4 +13,6 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/jackett/downloads:/downloads ports: - 9117:9117 + expose: + - 9117 restart: unless-stopped diff --git a/examples/jellyfin/docker-compose.yml b/examples/jellyfin/docker-compose.yml index 626f98fac..349a44cd7 100644 --- a/examples/jellyfin/docker-compose.yml +++ b/examples/jellyfin/docker-compose.yml @@ -1,5 +1,5 @@ -version: '3.3' services: + jellyfin: image: jellyfin/jellyfin:latest container_name: jellyfin 
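Review bot: `expose: - 500 - 4500` declares TCP ports (Compose defaults `expose` to tcp), but the service listens on UDP as the `ports:` entries `"500:500/udp"` and `"4500:4500/udp"` show; write `- 500/udp` and `- 4500/udp` so the declared ports match what is served. The `privileged: true` context line is not new, but a comment stating why it is needed (presumably the IPsec kernel modules) would stop readers from trying to drop it or replacing it with a narrower `cap_add`.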
@@ -7,8 +7,11 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/jellyfin/config:/config - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/jellyfin/cache:/cache - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/jellyfin/media:/media - network_mode: host restart: unless-stopped + ports: + - 8096:8096/tcp + expose: + - 8096 #environment: # - JELLYFIN_PublishedServerUrl=http://example.com # Optional - alternative address used for autodiscovery #extra_hosts: diff --git a/examples/jetbrains-youtrack/docker-compose.yml b/examples/jetbrains-youtrack/docker-compose.yml index ee2fa7029..af928e676 100644 --- a/examples/jetbrains-youtrack/docker-compose.yml +++ b/examples/jetbrains-youtrack/docker-compose.yml @@ -1,25 +1,26 @@ -version: '3.5' - services: + youtrack: - image: jetbrains/youtrack:2022.3.65373 + image: jetbrains/youtrack:2025.3.124603 container_name: youtrack hostname: youtrack user: 13001:13001 # this is the default UID:GUID; see https://hub.docker.com/r/jetbrains/youtrack/ restart: unless-stopped ports: - 8080:8080 # web ui + expose: + - 8080 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/youtrack/data:/opt/youtrack/data - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/youtrack/conf:/opt/youtrack/conf - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/youtrack/logs:/opt/youtrack/logs - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/youtrack/backups:/opt/youtrack/backups - #networks: - # - proxy deploy: placement: constraints: - node.labels.youtrack.data == true + #networks: + # - proxy #labels: # - traefik.enable=true # - traefik.docker.network=proxy diff --git a/examples/keycloak/README.md b/examples/keycloak/README.md new file mode 100644 index 000000000..b415b074f --- /dev/null +++ b/examples/keycloak/README.md 
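Review bot: Replacing `network_mode: host` with `ports: - 8096:8096/tcp` is the right move security-wise — the container no longer shares the host network namespace — but it silently drops Jellyfin's UDP-based client autodiscovery and DLNA, which the `JELLYFIN_PublishedServerUrl` comment just below refers to. If those are wanted, publish them explicitly, e.g. `- 7359:7359/udp # client autodiscovery` (and 1900/udp for DLNA), and otherwise add a comment that autodiscovery is intentionally unavailable outside host mode. Confirm the exact port list against the current Jellyfin networking docs.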
@@ -0,0 +1,23 @@ +# References + +- https://github.com/keycloak/keycloak +- https://www.keycloak.org/getting-started/getting-started-docker + +# Notes + +```` +# copy example env file +cp env.example .env + +# adjust env to your needs +# adjust the compose.yml to your needs +nano .env +nano docker-compose.yml + +# create docker networks +docker network create proxy +docker network create keycloak-internal + +# spawn the stack +docker compose up -d +```` diff --git a/examples/keycloak/docker-compose.yml b/examples/keycloak/docker-compose.yml new file mode 100644 index 000000000..eb5b91e71 --- /dev/null +++ b/examples/keycloak/docker-compose.yml 
@@ -0,0 +1,75 @@ +services: + + postgres: + image: postgres:16-alpine + container_name: keycloak-db + restart: always + expose: + - 5432 + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/keycloak/database:/var/lib/postgresql/data + environment: + POSTGRES_DB: ${POSTGRES_DB} + POSTGRES_USER: ${POSTGRES_USER} + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} + healthcheck: + test: [ "CMD", "pg_isready", "-q", "-d", "${POSTGRES_DB}", "-U", "${POSTGRES_USER}" ] + interval: 10s + timeout: 5s + retries: 3 + start_period: 60s + networks: + - keycloak-internal + + keycloak: + image: quay.io/keycloak/keycloak:26.5 + container_name: keycloak-app + command: start + environment: + KC_HOSTNAME: ${KEYCLOAK_HOSTNAME} + KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN} + KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD} + KC_DB: postgres + KC_DB_URL: jdbc:postgresql://postgres/${POSTGRES_DB} + KC_DB_USERNAME: ${POSTGRES_USER} + KC_DB_PASSWORD: ${POSTGRES_PASSWORD} + KC_PROXY_HEADERS: 'xforwarded' + KC_HTTP_ENABLED: true + KC_HEALTH_ENABLED: true + PROXY_ADDRESS_FORWARDING: 'true' + healthcheck: + test: + - "CMD-SHELL" + - | + exec 3<>/dev/tcp/localhost/9000 && + echo -e 'GET /health/ready HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n' >&3 && + cat <&3 | tee /tmp/healthcheck.log | grep -q '200 OK' + interval: 10s + timeout: 5s + retries: 3 + start_period: 90s + ports: + - 8080:8080 + expose: + - 8080 # web ui http + - 9000 # health endpoint + restart: always + depends_on: + postgres: + condition: service_healthy + networks: + - keycloak-internal + - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.keycloak.rule=Host(`keycloak.example.com`) + # - traefik.http.services.keycloak.loadbalancer.server.port=8080 + # # Optional part for traefik middlewares + # - traefik.http.routers.keycloak.middlewares=local-ipwhitelist@file + +networks: + keycloak-internal: + internal: true + proxy: + external: true 
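Review bot: `KC_PROXY_HEADERS: 'xforwarded'` makes Keycloak trust `X-Forwarded-For`/`X-Forwarded-Proto` from whoever connects, and `ports: - 8080:8080` lets anyone reach it directly, bypassing Traefik and the commented `local-ipwhitelist@file`, so a direct client can spoof its source IP in Keycloak's event log and brute-force detection. Since the `proxy` network is already wired up, drop the `ports:` entry or bind it to loopback (`- 127.0.0.1:8080:8080`); Keycloak 26 also has `KC_PROXY_TRUSTED_ADDRESSES` to restrict which peers' forwarded headers are honoured — confirm it is available in 26.5. `PROXY_ADDRESS_FORWARDING` is a WildFly-era variable that the Quarkus distribution ignores and can go. `KEYCLOAK_ADMIN`/`KEYCLOAK_ADMIN_PASSWORD` are deprecated since Keycloak 26 in favour of `KC_BOOTSTRAP_ADMIN_USERNAME`/`KC_BOOTSTRAP_ADMIN_PASSWORD`, and the bootstrap account is meant to be replaced by a permanent admin after first login, which the example could say. The README's `docker network create keycloak-internal` is unnecessary: this file defines `keycloak-internal` with `internal: true` and without `external`, so Compose creates its own project-scoped network and the manually created one is never used.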
diff --git a/examples/keycloak/env.example b/examples/keycloak/env.example new file mode 100644 index 000000000..a5ba4e939 --- /dev/null +++ b/examples/keycloak/env.example @@ -0,0 +1,11 @@ +# define FQDN hostname +KEYCLOAK_HOSTNAME=keycloak.example.com + +# define login credentials +KEYCLOAK_ADMIN=admin +KEYCLOAK_ADMIN_PASSWORD=password + +# define database credentials +POSTGRES_DB=keycloak_db +POSTGRES_USER=keycloak_db_user +POSTGRES_PASSWORD=keycloak_db_user_password diff --git a/examples/kiwix/README.md b/examples/kiwix/README.md new file mode 100644 index 000000000..939fd0b26 --- /dev/null +++ b/examples/kiwix/README.md @@ -0,0 +1,5 @@ +# References + +- https://github.com/kiwix/kiwix-tools +- https://github.com/kiwix/kiwix-tools/blob/main/docker/server/README.md +- https://github.com/kiwix/kiwix-tools/blob/main/docker/server/docker-compose.yml.example diff --git a/examples/kiwix/docker-compose.yml b/examples/kiwix/docker-compose.yml new file mode 100644 index 000000000..e2673e896 --- /dev/null +++ b/examples/kiwix/docker-compose.yml @@ -0,0 +1,18 @@ +services: + + kiwix-serve: + image: ghcr.io/kiwix/kiwix-serve:latest + container_name: kiwix + restart: unless-stopped + ports: + - "8080:8080" + expose: + - 8080 + # uncomment next 4 lines to use it with local zim file in /tmp/zim + # volumes: + # - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/kiwix/data:/data + # command: + # - '*.zim' + # uncomment next 2 lines to use it with remote zim file + # environment: + # - DOWNLOAD=https://download.kiwix.org/zim/wikipedia_bm_all.zim diff --git a/examples/koillection/docker-compose.yml b/examples/koillection/docker-compose.yml index dab69b164..997d74e8e 100644 --- a/examples/koillection/docker-compose.yml +++ b/examples/koillection/docker-compose.yml @@ -1,5 +1,3 @@ -version: '3.3' - services: db: 
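Review bot: `KEYCLOAK_ADMIN_PASSWORD=password` and `POSTGRES_PASSWORD=keycloak_db_user_password` are deployable values, and the README's first step is `cp env.example .env`, so a user who skips the "adjust env" step ends up running an identity provider with a guessable admin password reachable on port 8080. Use placeholders that fail loudly if left in, e.g. `KEYCLOAK_ADMIN_PASSWORD=CHANGEME  # generate with: openssl rand -base64 32`, as the ipsec example does for its PSK.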
@@ -55,11 +53,6 @@ services: # - traefik.docker.network=proxy # - traefik.http.routers.koillection.rule=Host(`collection.example.com`) # - traefik.http.services.koillection.loadbalancer.server.port=80 - # # Optional part for file upload max sizes - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # # Optional part for traefik middlewares # - traefik.http.routers.koillection.middlewares=local-ipwhitelist@file,authelia@docker diff --git a/examples/leantime/docker-compose.yml b/examples/leantime/docker-compose.yml index a77b42a30..9facff632 100644 --- a/examples/leantime/docker-compose.yml +++ b/examples/leantime/docker-compose.yml @@ -1,16 +1,17 @@ -version: '3.3' - services: + leantime_db: - image: mysql:8.0 + image: mysql:8.4 container_name: leantime-mysql + expose: + - 3306 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/leantime/mysql:/var/lib/mysql restart: unless-stopped env_file: ./.env command: --character-set-server=UTF8MB4 --collation-server=UTF8MB4_unicode_ci #networks: - # - proxy + # - internal leantime: image: leantime/leantime:latest 
@@ -20,24 +21,31 @@ services: volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/leantime/public_data:/var/www/html/public/userfiles - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/leantime/data:/var/www/html/userfiles + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/leantime/plugins:/var/www/html/app/Plugins ports: - - "8080:80" # The port to expose and access Leantime + - "8080:80" # The port to expose and access Leantime + expose: + - 80 depends_on: - - leantime_db # Don't start Leantime unless leantime_db is running + - leantime_db #networks: # - proxy + # - internal #labels: # - traefik.enable=true + # - traefik.docker.network=proxy # - traefik.http.routers.leantime.rule=Host(`leantime.example.com`) # - traefik.http.services.leantime.loadbalancer.server.port=80 - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.docker.network=proxy + # # Optional part for file upload max sizes + # - traefik.http.middlewares.limit-leantime.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-leantime.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-leantime.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-leantime.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads # # Part for optional traefik middlewares - # - 
traefik.http.routers.leantime.middlewares=local-ipwhitelist@file,authelia@file,basic-auth@file + # - traefik.http.routers.leantime.middlewares=limit-leantime #networks: # proxy: # external: true +# internal: +# internal: true diff --git a/examples/librephotos/docker-compose.yml b/examples/librephotos/docker-compose.yml index 7f087223c..442c6fd6d 100644 --- a/examples/librephotos/docker-compose.yml +++ b/examples/librephotos/docker-compose.yml @@ -1,14 +1,5 @@ -# DO NOT EDIT -# The .env file has everything you need to edit. -# Run options: -# 1. Use prebuilt images (preferred method): -# run cmd: docker-compose up -d -# 2. Build images on your own machine: -# build cmd: COMPOSE_DOCKER_CLI_BUILD=1 DOCKER_BUILDKIT=1 docker-compose build -# run cmd: docker-compose up -d - -version: "3.8" services: + proxy: image: reallibrephotos/librephotos-proxy:${tag} container_name: librephotos-proxy @@ -23,7 +14,7 @@ services: - frontend db: - image: postgres:13 + image: postgres:16-alpine container_name: librephotos-db restart: unless-stopped environment: @@ -80,7 +71,7 @@ services: condition: service_healthy redis: - image: redis:6 + image: redis:8-alpine container_name: librephotos-redis restart: unless-stopped healthcheck: diff --git a/examples/lidarr/docker-compose.yml b/examples/lidarr/docker-compose.yml index f950897e9..c74b795c8 100644 --- a/examples/lidarr/docker-compose.yml +++ b/examples/lidarr/docker-compose.yml @@ -1,6 +1,5 @@ -version: "2.1" - services: + lidarr: image: lscr.io/linuxserver/lidarr:latest container_name: lidarr @@ -14,4 +13,6 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/lidarr/downloads:/downloads # Should be the same as the download client's folder ports: - 8686:8686 + expose: + - 8686 restart: unless-stopped diff --git a/examples/linkwarden/.env b/examples/linkwarden/.env new file mode 100644 index 000000000..74d9dcafc --- /dev/null +++ b/examples/linkwarden/.env 
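Review bot: `postgres:13` → `postgres:16-alpine` in the librephotos `db` service changes the on-disk format across three major versions; an existing `librephotos-db` data directory created by 13 will refuse to start under 16 until it is dump/restored or run through pg_upgrade, and moving to the `-alpine` variant also changes libc collation, which can invalidate text indexes even within a major. A comment next to the image line (`# major upgrade from 13: dump/restore existing data first`) would avoid a surprise outage, and whether librephotos supports Postgres 16 should be confirmed upstream. The `redis:6` → `redis:8-alpine` bump is lower risk but is also a two-major jump.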
@@ -0,0 +1,11 @@ +# change this env to your fqdn url +NEXTAUTH_URL=http://localhost:3000/api/v1/auth +#NEXTAUTH_URL=https://linkwarden.example.com/api/v1/auth + +# define a strong secret key +NEXTAUTH_SECRET=unplug6-coherent-outlast-undergo-plow + +# database settings +PG_PASS=linkwarden +PG_USER=linkwarden +PG_DB=linkwarden diff --git a/examples/linkwarden/README.md b/examples/linkwarden/README.md new file mode 100644 index 000000000..4a7505b6a --- /dev/null +++ b/examples/linkwarden/README.md @@ -0,0 +1,8 @@ +# References + +- https://docs.linkwarden.app/self-hosting/installation +- https://github.com/linkwarden/linkwarden + +# Notes + + diff --git a/examples/linkwarden/docker-compose.yml b/examples/linkwarden/docker-compose.yml new file mode 100644 index 000000000..9756b03b6 --- /dev/null +++ b/examples/linkwarden/docker-compose.yml 
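Review bot: This is a tracked `.env` (not an example file) holding a real-looking `NEXTAUTH_SECRET=unplug6-coherent-outlast-undergo-plow` plus `PG_PASS=linkwarden`, and the compose file loads it via `env_file: .env`, so a copy-paste deployment signs its sessions with a secret published in a public repository. Rename it to `env.example` as the keycloak example does and use `CHANGEME` placeholders; the linkwarden README's empty "Notes" section could carry the `cp env.example .env` step. The commented `NEXTAUTH_URL=https://linkwarden.example.com/...` line is the one users must switch to before publishing the service, which the comment should state explicitly.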
@@ -0,0 +1,68 @@ +services: + + linkwarden: + image: ghcr.io/linkwarden/linkwarden:latest + container_name: linkwarden-app + environment: + - DATABASE_URL=postgresql://${PG_USER:-linkwarden}:${PG_PASS:-linkwarden}@postgres:5432/${PG_DB:-linkwarden} + restart: unless-stopped + env_file: .env + ports: + - 3000:3000 + expose: + - 3000 + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/linkwarden/data:/data/data + depends_on: + - postgres + - meilisearch + #networks: + # - internal + # - tier-2 + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.linkwarden.rule=Host(`linkwarden.example.com`) + # - traefik.http.services.linkwarden.loadbalancer.server.port=3000 + # # Optional part for traefik middlewares + # - traefik.http.routers.linkwarden.middlewares=local-ipwhitelist@file + + postgres: + image: docker.io/library/postgres:16-alpine + container_name: linkwarden-psql + restart: unless-stopped + healthcheck: + test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"] + start_period: 20s + interval: 30s + retries: 5 + timeout: 5s + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/linkwarden/psql:/var/lib/postgresql/data + environment: + POSTGRES_PASSWORD: ${PG_PASS:-linkwarden} + POSTGRES_USER: ${PG_USER:-linkwarden} + POSTGRES_DB: ${PG_DB:-linkwarden} + expose: + - 5432 + env_file: + - .env + #networks: + # - internal + + meilisearch: + image: getmeili/meilisearch:v1.12.8 + container_name: linkwarden-search + restart: unless-stopped + env_file: + - .env + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/linkwarden/meili_data:/meili_data + #networks: + # - internal + +#networks: +# tier-2: +# external: true +# internal: +# internal: true diff --git a/examples/lldap/docker-compose.yml b/examples/lldap/docker-compose.yml index ab905a0c0..a1f5ab054 100644 --- a/examples/lldap/docker-compose.yml +++ b/examples/lldap/docker-compose.yml 
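Review bot: The `meilisearch` service starts without `MEILI_MASTER_KEY`, so its HTTP API on 7700 is unauthenticated for anything that can reach the compose network, and `env_file: .env` hands it (and `postgres`) the `NEXTAUTH_SECRET` and database password they have no use for. Set a master key and pass it to both sides — `MEILI_MASTER_KEY` on meilisearch, `MEILI_HOST`/`MEILI_MASTER_KEY` on linkwarden-app — and give each service only its own variables; as written linkwarden-app is not told where meilisearch lives, so search indexing is presumably not wired up at all — confirm against the upstream compose. The Traefik labels reference `traefik.docker.network=proxy`, but the commented `networks:` section only defines `tier-2` and `internal`, so the labels would not resolve if uncommented as-is; `ports: - 3000:3000` meanwhile publishes the app on all interfaces.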
@@ -1,6 +1,5 @@ -version: '3.3' - services: + lldap: image: lldap/lldap:stable container_name: lldap @@ -17,10 +16,11 @@ services: ports: - 3890:3890 # LDAP - 17170:17170 # WEB UI + expose: + - 3890 + - 17170 #networks: # - proxy - #expose: - # - 17170 #labels: # - traefik.enable=true # - traefik.http.routers.lldap.rule=Host(`lldap.example.com`) diff --git a/examples/matomo/docker-compose.yml b/examples/matomo/docker-compose.yml index 4a2796997..df30a4e74 100644 --- a/examples/matomo/docker-compose.yml +++ b/examples/matomo/docker-compose.yml @@ -1,11 +1,12 @@ -version: "2" - services: + matomo: + image: matomo:5-fpm-alpine container_name: matomo - image: matomo ports: - 8099:80 + expose: + - 80 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/matomo/apache/apache2.conf:/etc/apache2/apache2.conf:ro - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/matomo/html:/var/www/html @@ -29,13 +30,15 @@ services: matomo_db: + image: mariadb:11.8 container_name: matomo_db - image: mariadb command: --max-allowed-packet=64MB environment: - MYSQL_ROOT_PASSWORD=makeitup env_file: - ./db.env + expose: + - 3306 restart: unless-stopped volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/matomo/database:/var/lib/mysql diff --git a/examples/mattermost/.env b/examples/mattermost/.env index f5a62b8f8..345559a1d 100644 --- a/examples/mattermost/.env +++ b/examples/mattermost/.env @@ -14,7 +14,7 @@ RESTART_POLICY=unless-stopped ## Please keep in mind this will create a superuser and it's recommended to use a less privileged ## user to connect to the database. ## A guide on how to change the database user to a nonsuperuser can be found in docs/creation-of-nonsuperuser.md -POSTGRES_IMAGE_TAG=13-alpine +POSTGRES_IMAGE_TAG=16-alpine #POSTGRES_DATA_PATH=./volumes/db/var/lib/postgresql/data POSTGRES_DATA_PATH=${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/mattermost/psql POSTGRES_USER=mmuser 
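Review bot: `POSTGRES_IMAGE_TAG=16-alpine` is a major-version jump from 13 while `POSTGRES_DATA_PATH` still points at the persisted cluster; Postgres refuses to start on a data directory initialised by an older major, so existing deployments following this example will break on the next pull. A comment above the tag, `# major version bump: migrate existing data dirs with pg_upgrade or dump/restore before switching`, would spare users a broken restart. The same applies to the `postgres:11-alpine` → `postgres:16-alpine` change in examples/n8n/docker-compose.yml further down, where the jump is five majors.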
@@ -36,7 +36,7 @@ MM_BLEVESETTINGS_INDEXDIR=/mattermost/bleve-indexes ## This will be 'mattermost-enterprise-edition' or 'mattermost-team-edition' based on the version of Mattermost you're installing. MATTERMOST_IMAGE=mattermost-enterprise-edition -MATTERMOST_IMAGE_TAG=release-9.3 +MATTERMOST_IMAGE_TAG=release-9.11 ## Make Mattermost container readonly. This interferes with the regeneration of root.html inside the container. Only use ## it if you know what you're doing. diff --git a/examples/mattermost/docker-compose.yml b/examples/mattermost/docker-compose.yml index 0b740e1ac..90acd00d8 100644 --- a/examples/mattermost/docker-compose.yml +++ b/examples/mattermost/docker-compose.yml @@ -1,6 +1,5 @@ -version: "2.4" - services: + postgres: image: postgres:${POSTGRES_IMAGE_TAG} container_name: mattermost-db 
@@ -68,12 +67,12 @@ services: # - traefik.docker.network=proxy # - traefik.http.routers.mattermost.rule=Host(`mattermost.example.com`) # - traefik.http.services.mattermost.loadbalancer.server.port=8065 - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for file uploads; allow 50MB - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for file uploads; allow 50MB - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 # optional, only necessary for file uploads; allow 50MB - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # optional, only necessary for file uploads; allow 50MB + # - traefik.http.middlewares.limit-mattermost.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for file uploads; allow 50MB + # - traefik.http.middlewares.limit-mattermost.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for file uploads; allow 50MB + # - traefik.http.middlewares.limit-mattermost.buffering.memRequestBodyBytes=50000000 # optional, only necessary for file uploads; allow 50MB + # - traefik.http.middlewares.limit-mattermost.buffering.memResponseBodyBytes=50000000 # optional, only necessary for file uploads; allow 50MB # # Part for optional traefik middlewares - # - traefik.http.routers.mattermost.middlewares=local-ipwhitelist@file + # - traefik.http.routers.mattermost.middlewares=limit-mattermost #networks: # proxy: diff --git a/examples/mealie/docker-compose.yml b/examples/mealie/docker-compose.yml index 47c80e541..ce6b1eabb 100644 --- a/examples/mealie/docker-compose.yml +++ b/examples/mealie/docker-compose.yml @@ -1,6 +1,5 @@ -version: "3.7" - services: + mealie-frontend: image: hkotel/mealie:frontend-v1.0.0beta-5 container_name: mealie-frontend 
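Review bot: The chain on `traefik.http.routers.mattermost.middlewares` now reads `limit-mattermost` only, so the `local-ipwhitelist@file` restriction the example previously recommended is removed rather than combined with the new buffering middleware. If the intent was to add buffering, `limit-mattermost,local-ipwhitelist@file` keeps both; if dropping the whitelist is deliberate, the comment line above should say that the router is now unrestricted. The same replacement drops `basic-auth@file` in examples/minio/docker-compose.yml and `authelia@docker` in both Nextcloud compose files, where the example used to put an authentication layer in front of an admin console and a file store.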
@@ -13,6 +12,8 @@ services: restart: unless-stopped ports: - "9925:3000" # adjust to your liking + expose: + - 3000 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/mealie/data:/app/data/ #networks: diff --git a/examples/memelord/README.md b/examples/memelord/README.md new file mode 100644 index 000000000..84bf8430e --- /dev/null +++ b/examples/memelord/README.md @@ -0,0 +1,3 @@ +# References + +- https://github.com/l4rm4nd/MemeLord diff --git a/examples/memelord/docker-compose.yml b/examples/memelord/docker-compose.yml new file mode 100644 index 000000000..7002df5e3 --- /dev/null +++ b/examples/memelord/docker-compose.yml 
@@ -0,0 +1,86 @@ +services: + + app: + image: ghcr.io/l4rm4nd/memelord:latest # pin a minor version series tag instead of latest + container_name: memelord + environment: + # your FQDN or IP; multiple ones supported by comma separation + - DOMAIN=memelord.example.com + # set to True if you use a reverse proxy with tls; enables secure cookie flag and hsts + - SECURE_COOKIES=False + # define the maximum session age in minutes + - SESSION_COOKIE_AGE=30 + # decide whether session cookie is invalidated on browser close + - SESSION_EXPIRE_AT_BROWSER_CLOSE=False + # define the timezone + - TZ=Europe/Berlin + # define comma-separated list of sources for csp frame-ancestors directive + #- CSP_FRAME_ANCESTORS="'self', https://iframe.example.com, https://iframe2.example.com:5432" + # ------- OPTIONAL OIDC AUTH -------- + # Set to 'True' to enable OIDC authentication + #- OIDC_ENABLED=True + # Decide whether login area triggers automatic OIDC login flow + #- OIDC_AUTOLOGIN=False + # Set to 'True' to allow the creation of new users through OIDC + #- OIDC_CREATE_USER=True + # The signing algorithm used by the OIDC provider (e.g., RS256, HS256) + #- OIDC_RP_SIGN_ALGO=RS256 + # URL of the JWKS endpoint for the OIDC provider + #- OIDC_OP_JWKS_ENDPOINT=https://authentik.example.com/application/o//jwks/ + # Client ID for your OIDC RP + #- OIDC_RP_CLIENT_ID= + # Client secret for your OIDC RP + #- OIDC_RP_CLIENT_SECRET= + # Authorization endpoint URL of the OIDC provider + #- OIDC_OP_AUTHORIZATION_ENDPOINT=https://authentik.example.com/application/o/authorize/ + # Token endpoint URL of the OIDC provider + #- OIDC_OP_TOKEN_ENDPOINT=https://authentik.example.com/application/o/token/ + # User info endpoint URL of the OIDC provider + #- OIDC_OP_USER_ENDPOINT=https://authentik.example.com/application/o/userinfo/ + # Length of time it takes for an id token to expire in seconds + #- OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS=900 + # ------- PSQL DB ENVS -------- + #- DB_ENGINE=postgres + #- 
POSTGRES_USER=memelord + #- POSTGRES_PASSWORD=memelord + #- POSTGRES_DB=memelord + #- POSTGRES_HOST=db + #- POSTGRES_PORT=5432 + restart: unless-stopped + expose: + - 8000 + ports: + - 8000:8000 + volumes: + - /etc/localtime:/etc/localtime:ro + - /etc/timezone:/etc/timezone:ro + - ./volume-data/database:/opt/app/database # persistent storage for sqlite3 database + - ./volume-data/media:/opt/app/media # persistent storage for uploaded media + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.memelord.rule=Host(`memelord.example.com`) + # - traefik.http.services.memelord.loadbalancer.server.port=8000 + # # Optional part for traefik middlewares + # - traefik.http.routers.memelord.middlewares=local-ipwhitelist@file + +# db: +# container_name: memelord-psql +# image: postgres:16-alpine +# restart: unless-stopped +# expose: +# - 5432 +# volumes: +# - ./volume-data/database/psql:/var/lib/postgresql/data/ +# environment: +# - POSTGRES_USER=memelord +# - POSTGRES_PASSWORD=memelord +# - POSTGRES_DB=memelord +# #networks: +# # - proxy + +#networks: +# proxy: +# external: true diff --git a/examples/memos/docker-compose.yml b/examples/memos/docker-compose.yml index 82c4cc6b5..6850ed6a6 100644 --- a/examples/memos/docker-compose.yml +++ b/examples/memos/docker-compose.yml @@ -1,6 +1,5 @@ -version: "3.0" - services: + memos: image: neosmemo/memos:latest container_name: memos @@ -8,6 +7,8 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/memos/data:/var/opt/memos ports: - 5230:5230 + expose: + - 5230 #networks: # - proxy #labels: diff --git a/examples/metube/docker-compose.yml b/examples/metube/docker-compose.yml index 9576c8aa4..b1508cfce 100644 --- a/examples/metube/docker-compose.yml +++ b/examples/metube/docker-compose.yml 
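Review bot: `SECURE_COOKIES=False` is the shipped default although the example's `DOMAIN=memelord.example.com` and the Traefik labels below describe a deployment behind a TLS reverse proxy, which is exactly the case the comment above it says should set it to True; `- SECURE_COOKIES=True` with a comment to use False only for plain-HTTP local testing is the safer default for a public-FQDN example. The image line contradicts its own comment, `image: ghcr.io/l4rm4nd/memelord:latest # pin a minor version series tag instead of latest`; either pin a tag or drop the comment. The commented `CSP_FRAME_ANCESTORS="'self', ..."` entry is a plain YAML scalar, so the double quotes become part of the variable's value once uncommented; presumably the app expects them stripped, which is worth verifying before users copy it.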
@@ -1,13 +1,16 @@ -version: "3" - services: + metube: image: alexta69/metube container_name: metube hostname: metube restart: unless-stopped + environment: + - DELETE_FILE_ON_TRASHCAN=false ports: - "8081:8081" # web ui + expose: + - 8081 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/metube/downloads:/downloads #networks: diff --git a/examples/minio/docker-compose.yml b/examples/minio/docker-compose.yml index e7e00f41d..03906114c 100644 --- a/examples/minio/docker-compose.yml +++ b/examples/minio/docker-compose.yml 
@@ -1,31 +1,33 @@ -version: "3" - services: + minio-s3: - image: bitnami/minio:2023 + image: minio/minio:latest container_name: minio hostname: minio + command: server /data --console-address ":9001" environment: - MINIO_ROOT_USER=minio # change this - MINIO_ROOT_PASSWORD=XscUJuDQP4WuWA55vfXNrc7 # change this ports: - 9001:9001/tcp + expose: + - 9001 restart: unless-stopped volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/minio/data:/data + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/minio/data:/bitnami/minio/data #networks: # - proxy #labels: # - traefik.enable=true # - traefik.http.routers.minio.rule=Host(`s3.example.com`) # - traefik.http.services.minio.loadbalancer.server.port=9001 - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-minio.buffering.maxRequestBodyBytes=50000000 # optional, restrict file uploads + # - traefik.http.middlewares.limit-minio.buffering.maxResponseBodyBytes=50000000 # optional, restrict file uploads + # - traefik.http.middlewares.limit-minio.buffering.memRequestBodyBytes=50000000 # optional, restrict file uploads + # - traefik.http.middlewares.limit-minio.buffering.memResponseBodyBytes=50000000 # optional, restrict file uploads # - traefik.docker.network=proxy # # Part for optional traefik middlewares - # - traefik.http.routers.minio.middlewares=local-ipwhitelist@file,basic-auth@file + # - traefik.http.routers.minio.middlewares=limit-minio # optional, restrict file uploads #networks: # proxy: 
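Review bot: The volume now mounts the host directory at `/bitnami/minio/data`, but the new `command: server /data --console-address ":9001"` tells MinIO to serve `/data`, so with the `minio/minio` image every bucket is written to the container's writable layer and lost on recreate. The mount target belonged to the old Bitnami image and should follow the image switch: `- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/minio/data:/data`. Only the console port 9001 is published or exposed; clients that need the S3 API on 9000 have nothing to reach, which may be intentional for a console-only example but deserves a comment. `image: minio/minio:latest` replaces a year-pinned tag while the rest of the commit pins (`postgres:16-alpine`, `mariadb:11.8`).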
diff --git a/examples/mirotalk/docker-compose.yml b/examples/mirotalk/docker-compose.yml index 0251f1761..3297f069e 100644 --- a/examples/mirotalk/docker-compose.yml +++ b/examples/mirotalk/docker-compose.yml @@ -1,16 +1,17 @@ -version: '3.7' - services: + mirotalk: image: mirotalk/p2p:latest - restart: unless-stopped container_name: mirotalk hostname: mirotalk + restart: unless-stopped ports: # use a reverse proxy with SSL/TLS support # otherwise webrtc won't work with plaintext http after Chrome 47+ # see https://stackoverflow.com/questions/52759992/how-to-access-camera-and-microphone-in-chrome-without-https/58449078#58449078 - - 3000:3000 # WEB UI; + - 3000:3000 # WEB UI + expose: + - 3000 volumes: - .env:/src/.env:ro #- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/mirotalk/app:/src/app:ro # only necessary if you want to adjust the code itself (js, css, etc.) diff --git a/examples/money-balancer/docker-compose.yml b/examples/money-balancer/docker-compose.yml index d40a37357..efe312948 100644 --- a/examples/money-balancer/docker-compose.yml +++ b/examples/money-balancer/docker-compose.yml @@ -1,11 +1,13 @@ -version: "3" services: + money-balancer: image: ghcr.io/dorianim/money-balancer - restart: unless-stopped container_name: money-balancer + restart: unless-stopped ports: - 8000:8000 + expose: + - 8000 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/money-balancer/data:/data environment: diff --git a/examples/monkeytype/docker-compose.yml b/examples/monkeytype/docker-compose.yml index ca1ee87f3..c627dea59 100644 --- a/examples/monkeytype/docker-compose.yml +++ b/examples/monkeytype/docker-compose.yml @@ -1,6 +1,5 @@ -version: '3.3' - services: + monkeytype: image: themythologist/monkeytype:frontend-latest container_name: monkeytype @@ -8,6 +7,8 @@ services: restart: unless-stopped ports: - 5000:5000/tcp + expose: + - 5000 #networks: # - proxy #labels: diff --git a/examples/n8n/.env b/examples/n8n/.env index 733d9dccd..d0128c58d 100644 
--- a/examples/n8n/.env +++ b/examples/n8n/.env @@ -1,6 +1,22 @@ +## database settings POSTGRES_USER=postgres POSTGRES_PASSWORD=MySecureRootDbUserPassword POSTGRES_DB=n8n - POSTGRES_NON_ROOT_USER=n8n POSTGRES_NON_ROOT_PASSWORD=MySecureDatabaseUserPassword + +## application settings +N8N_NODE_ENV=production +N8N_TZ=Europe/Berlin + +## tls proxy settings +N8N_HOST=n8n.example.com +N8N_PROTOCOL=http +N8N_WEBHOOK_URL=https://n8n.example.com/ + +## npm extra options +# this will install additional npm packages during container start +EXTRA_NODE_MODULES=lodash + +# this will whitelist additional npm packages +NODE_FUNCTION_ALLOW_EXTERNAL=lodash \ No newline at end of file diff --git a/examples/n8n/README.md b/examples/n8n/README.md index 4078d66e7..008c925e0 100644 --- a/examples/n8n/README.md +++ b/examples/n8n/README.md @@ -1,7 +1,7 @@ # References - https://github.com/n8n-io/n8n -- https://github.com/n8n-io/n8n/tree/master/docker/compose/withPostgres +- https://github.com/n8n-io/n8n-hosting/tree/main/docker-compose/withPostgres # Notes 
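Review bot: The new `EXTRA_NODE_MODULES` and `NODE_FUNCTION_ALLOW_EXTERNAL` keys are never read by the compose file, which substitutes `${N8N_EXTRA_NODE_MODULES}` and `${N8N_NODE_FUNCTION_ALLOW_EXTERNAL}` in the examples/n8n/docker-compose.yml hunk below; both container variables therefore resolve to empty, so no extra package is installed and none is allowed in Code nodes. Rename them to match the other `N8N_`-prefixed keys, `N8N_EXTRA_NODE_MODULES=lodash` and `N8N_NODE_FUNCTION_ALLOW_EXTERNAL=lodash`, or change the compose references. The `\ No newline at end of file` marker is cosmetic but easy to fix while here.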
@@ -11,35 +11,21 @@ Please follow these steps to do so: ```` # create new directory for database -mkdir -p /mnt/docker-volumes/n8n +mkdir -p /mnt/docker-volumes/n8n/storage # move the init file from this repo to the new location mv init-database.sh /mnt/docker-volumes/n8n/. -# optional; adjust permissions -sudo chmod -R 777 /mnt/docker-volumes/n8n/ +# fix permissions +sudo chown -R 0:1000 /mnt/docker-volumes/n8n/ +sudo chmod -R 775 /mnt/docker-volumes/n8n/ + +# adjust environment variables +nano .env ```` -Afterwards, you can proceed spawning up the docker compose stack with: +Afterwards, you can proceed spawning up the docker compose stack: ```` -docker compose up +docker compose up -d ```` - -> [!WARNING] -> Upon starting the stack you may see n8n errors regarding permissions: -> -> ```` -> [EACCES] Error Plugin: n8n: EACCES: permission denied, open '/home/node/.n8n/config' -> ```` -> -> You can fix those my running: -> ```` -> sudo chmod -R 777 /mnt/docker-volumes/n8n/database -> ```` -> -> and restarting the stack: -> -> ```` -> docker compose up --force-recreate -> ```` diff --git a/examples/n8n/docker-compose.yml b/examples/n8n/docker-compose.yml index 74d978d98..b2679c4fd 100644 --- a/examples/n8n/docker-compose.yml +++ b/examples/n8n/docker-compose.yml @@ -1,11 +1,11 @@ -version: '3.8' - services: n8n-db: - image: postgres:11-alpine + image: postgres:16-alpine container_name: n8n-db restart: unless-stopped + expose: + - 5432 environment: - POSTGRES_USER - POSTGRES_PASSWORD @@ -19,7 +19,9 @@ services: test: ['CMD-SHELL', 'pg_isready -h localhost -U ${POSTGRES_USER} -d ${POSTGRES_DB}'] interval: 5s timeout: 5s - retries: 10 + retries: 10 + #networks: + # - n8n-internal n8n: image: n8nio/n8n 
@@ -27,24 +29,51 @@ services: hostname: n8n restart: unless-stopped environment: + # database settings - DB_TYPE=postgresdb - DB_POSTGRESDB_HOST=n8n-db - DB_POSTGRESDB_DATABASE=${POSTGRES_DB} - DB_POSTGRESDB_USER=${POSTGRES_NON_ROOT_USER} - DB_POSTGRESDB_PASSWORD=${POSTGRES_NON_ROOT_PASSWORD} + # application settings + - NODE_ENV=${N8N_NODE_ENV} + - GENERIC_TIMEZONE=${N8N_TZ} + # tls proxy settings + - N8N_HOST=${N8N_HOST} + - N8N_PROTOCOL=${N8N_PROTOCOL} + - WEBHOOK_URL=${N8N_WEBHOOK_URL} + # npm extra options + - EXTRA_NODE_MODULES=${N8N_EXTRA_NODE_MODULES} + - NODE_FUNCTION_ALLOW_EXTERNAL=${N8N_NODE_FUNCTION_ALLOW_EXTERNAL} + # pruning + - EXECUTIONS_DATA_PRUNE=true + - EXECUTIONS_DATA_MAX_AGE=365 + - EXECUTIONS_DATA_PRUNE_MAX_COUNT=50000 ports: - 5678:5678 + expose: + - 5678 links: - n8n-db volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/n8n/storage:/home/node/.n8n + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/n8n/files:/files depends_on: n8n-db: condition: service_healthy + #networks: + # - proxy + # - n8n-internal #labels: # - traefik.enable=true + # - traefik.docker.network=proxy # - traefik.http.routers.n8n.rule=Host(`n8n.example.com`) # - traefik.http.services.n8n.loadbalancer.server.port=5678 - # - traefik.docker.network=proxy # # Part for optional traefik middlewares # - traefik.http.routers.n8n.middlewares=local-ipwhitelist@file,basic-auth@file + +#networks: +# proxy: +# external: true +# n8n-internal: +# internal: true diff --git a/examples/n8n/init-database.sh b/examples/n8n/init-database.sh index c35d592ef..f98a972ed 100644 --- a/examples/n8n/init-database.sh +++ b/examples/n8n/init-database.sh 
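Review bot: `EXECUTIONS_DATA_MAX_AGE=365` reads like a year, but n8n documents this setting in hours, so executions are pruned after roughly fifteen days; if a year is the intent the value is `8760`, and a trailing `# hours` comment on the line keeps the next reader from making the same assumption. `links: - n8n-db` is the legacy links mechanism and is redundant with `depends_on` and the shared network; it can be dropped, especially once the commented `n8n-internal` network is enabled. The enclosing `n8n:` service starts before this hunk.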
@@ -3,10 +3,11 @@ set -e; if [ -n "${POSTGRES_NON_ROOT_USER:-}" ] && [ -n "${POSTGRES_NON_ROOT_PASSWORD:-}" ]; then - psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL - CREATE USER ${POSTGRES_NON_ROOT_USER} WITH PASSWORD '${POSTGRES_NON_ROOT_PASSWORD}'; - GRANT ALL PRIVILEGES ON DATABASE ${POSTGRES_DB} TO ${POSTGRES_NON_ROOT_USER}; - EOSQL -else - echo "SETUP INFO: No Environment variables given!" -fi + psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL + CREATE USER ${POSTGRES_NON_ROOT_USER} WITH PASSWORD '${POSTGRES_NON_ROOT_PASSWORD}'; + GRANT ALL PRIVILEGES ON DATABASE ${POSTGRES_DB} TO ${POSTGRES_NON_ROOT_USER}; + GRANT CREATE ON SCHEMA public TO ${POSTGRES_NON_ROOT_USER}; + EOSQL +else + echo "SETUP INFO: No Environment variables given!" +fi diff --git a/examples/nessus/docker-compose.yml b/examples/nessus/docker-compose.yml index f180b2469..013eef823 100644 --- a/examples/nessus/docker-compose.yml +++ b/examples/nessus/docker-compose.yml @@ -1,11 +1,13 @@ -version: "3.7" services: + nessus: - hostname: nessus - container_name: nessus image: tenableofficial/nessus:latest + container_name: nessus + hostname: nessus ports: - 8834:8834/tcp # WEB UI + expose: + - 8834 environment: - ACTIVATION_CODE=XXX-XXXXX-XXXXX-XXXX # change this - USERNAME=nessus diff --git a/examples/network-multitool/docker-compose.yml b/examples/network-multitool/docker-compose.yml index d2ca64fb1..193027512 100644 --- a/examples/network-multitool/docker-compose.yml +++ b/examples/network-multitool/docker-compose.yml @@ -1,6 +1,5 @@ -version: "3" - services: + network-multitool: image: wbitt/network-multitool:alpine-extra container_name: network-multitool diff --git a/examples/nextcloud/docker-compose-mariadb-redis.yml b/examples/nextcloud/docker-compose-mariadb-redis.yml index 58ce30b46..6c95fcb35 100644 --- a/examples/nextcloud/docker-compose-mariadb-redis.yml +++ b/examples/nextcloud/docker-compose-mariadb-redis.yml 
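Review bot: `psql ... <<-EOSQL` strips leading tabs only, so the re-indented terminator line `EOSQL` must be indented with tabs rather than spaces; the collapsed diff does not show which was used, and with spaces the heredoc never closes and the script fails under `set -e`. `${POSTGRES_NON_ROOT_USER}` is interpolated as an unquoted SQL identifier, so a value with uppercase letters or a hyphen is case-folded or rejected; `CREATE USER "${POSTGRES_NON_ROOT_USER}" WITH PASSWORD '${POSTGRES_NON_ROOT_PASSWORD}';` with the same double quoting in both `GRANT` lines is safer, and a password containing `'` still needs escaping. The added `GRANT CREATE ON SCHEMA public` is the right companion to the Postgres 16 bump, since 15+ no longer grants it to PUBLIC; a one-line comment saying so explains why it appeared.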
@@ -1,11 +1,13 @@ services: nextcloud-db: - image: mariadb:lts + image: mariadb:11.8 container_name: nextcloud-db hostname: nextcloud-db command: --transaction-isolation=READ-COMMITTED --innodb_read_only_compressed=OFF restart: unless-stopped + expose: + - 3306 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/nextcloud/database:/var/lib/mysql environment: @@ -34,7 +36,7 @@ services: # - proxy nextcloud-app: - image: nextcloud:29-apache + image: nextcloud:32-apache container_name: nextcloud-app hostname: nextcloud-app restart: unless-stopped 
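Review bot: `nextcloud:29-apache` → `nextcloud:32-apache` skips three major releases, and Nextcloud's updater only moves one major at a time, so an existing instance built from this example will refuse to start with its multi-version-upgrade error. A comment beside the image line, `# existing installs: upgrade one major at a time (29 → 30 → 31 → 32)`, tells users with data how to get there. The `mariadb:11.8` pin is a good replacement for the floating `lts` tag.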
@@ -68,14 +70,14 @@ services: # - traefik.enable=true # - traefik.http.routers.nextcloud.rule=(Host(`cloud.example.com`)) # pls change # - traefik.http.services.nextcloud.loadbalancer.server.port=80 - # - traefik.http.routers.nextcloud.middlewares=local-ipwhitelist@file,authelia@docker - # - traefik.docker.network=proxy + # - traefik.http.routers.nextcloud.middlewares=limit-nextcloud,nextcloud-dav # - traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav # - traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=/remote.php/dav/ - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 # only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 # only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 # only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # only necessary for enabled file uploads + # - traefik.http.middlewares.limit-nextcloud.buffering.maxRequestBodyBytes=50000000 # only necessary for enabled file uploads + # - traefik.http.middlewares.limit-nextcloud.buffering.maxResponseBodyBytes=50000000 # only necessary for enabled file uploads + # - traefik.http.middlewares.limit-nextcloud.buffering.memRequestBodyBytes=50000000 # only necessary for enabled file uploads + # - traefik.http.middlewares.limit-nextcloud.buffering.memResponseBodyBytes=50000000 # only necessary for enabled file uploads + # - traefik.docker.network=proxy #networks: # proxy: diff --git a/examples/nextcloud/docker-compose-sqlite.yml b/examples/nextcloud/docker-compose-sqlite.yml index 0f3784d0c..9f7a1edd9 100644 --- a/examples/nextcloud/docker-compose-sqlite.yml +++ b/examples/nextcloud/docker-compose-sqlite.yml @@ -1,4 +1,5 @@ services: + nextcloud: image: linuxserver/nextcloud:latest container_name: nextcloud 
@@ -22,14 +23,14 @@ services: # - traefik.http.services.nextcloud.loadbalancer.server.port=443 # - traefik.http.services.nextcloud.loadbalancer.server.scheme=https # - traefik.http.services.nextcloud.loadbalancer.serverstransport=insecureTransport@file - # - traefik.http.routers.nextcloud.middlewares=local-ipwhitelist@file,authelia@docker - # - traefik.docker.network=proxy + # - traefik.http.routers.nextcloud.middlewares=limit-nextcloud,nextcloud-dav # - traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav # - traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=/remote.php/dav/ - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 # only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 # only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 # only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # only necessary for enabled file uploads + # - traefik.http.middlewares.limit-nextcloud.buffering.maxRequestBodyBytes=50000000 # only necessary for enabled file uploads + # - traefik.http.middlewares.limit-nextcloud.buffering.maxResponseBodyBytes=50000000 # only necessary for enabled file uploads + # - traefik.http.middlewares.limit-nextcloud.buffering.memRequestBodyBytes=50000000 # only necessary for enabled file uploads + # - traefik.http.middlewares.limit-nextcloud.buffering.memResponseBodyBytes=50000000 # only necessary for enabled file uploads + # - traefik.docker.network=proxy #networks: # proxy: diff --git a/examples/nginx-php/docker-compose.yml b/examples/nginx-php/docker-compose.yml index 97826e49e..c9a15f62a 100644 --- a/examples/nginx-php/docker-compose.yml +++ b/examples/nginx-php/docker-compose.yml 
@@ -1,34 +1,36 @@ -version: "3" - services: + web: image: nginx:stable-alpine + container_name: nginx hostname: nginx volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/nginx/www-data:/var/www # place your files for web here - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/nginx/nginx-conf:/etc/nginx/conf.d # place provided nginx.conf here - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/nginx/logs:/var/log/nginx - container_name: nginx restart: unless-stopped ports: - 8080:80 + expose: + - 80 #networks: # - proxy #labels: # - traefik.enable=true + # - traefik.docker.network=proxy # - traefik.http.routers.nginx.rule=Host(`nginx.example.com`) # - traefik.http.services.nginx.loadbalancer.server.port=80 - # - traefik.docker.network=proxy - # # Part for local lan services only + # - traefik.http.services.nginx.loadbalancer.server.scheme=h2c # force http/2 + # # Optional part for traefik middlewares # #- traefik.http.routers.nginx.middlewares=error-pages-middleware@docker php: image: php:8-fpm-alpine + container_name: php hostname: php volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/nginx/www-data:/var/www # must be same path to www-data as above #- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/php/custom-php.ini:/usr/local/etc/php/conf.d/php.ini:ro - container_name: php restart: unless-stopped working_dir: /var/www expose: diff --git a/examples/nginx-php/nginx.conf b/examples/nginx-php/nginx.conf index 72b805288..5999f8374 100644 --- a/examples/nginx-php/nginx.conf +++ b/examples/nginx-php/nginx.conf 
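Review bot: `traefik.http.services.nginx.loadbalancer.server.scheme=h2c # force http/2` makes Traefik speak cleartext HTTP/2 to the container, which only works if the listener in the mounted nginx.conf enables it (this commit does so with `listen 80 http2`); a user who keeps an older nginx.conf gets connection errors with no hint why, so the comment should name that dependency, e.g. `# requires http2 on the port-80 listener in nginx.conf`. The same port is still published directly via `8080:80`, and browsers do not negotiate h2c, so direct access depends on nginx continuing to accept HTTP/1.1 on that listener; worth testing and stating in the comment.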
@@ -1,17 +1,46 @@ server { - listen 80; + listen 80 http2; server_name nginx.example.com; root /var/www/; index index.html index.php; #error_page 404 /error/404.html; - client_max_body_size 10M; # change this - #set_real_ip_from 172.16.0.0/12; - #set_real_ip_from 192.168.0.0/16; - real_ip_header X-Forwarded-For; - proxy_hide_header X-Powered-By; + ## FILE UPLOADS + #client_max_body_size 10M; + ## REAL VISITOR IP + # local + set_real_ip_from 172.16.0.0/12; + set_real_ip_from 10.0.0.0/8; + set_real_ip_from 192.168.0.0/16; + # cloudflare + #set_real_ip_from 103.21.244.0/22; + #set_real_ip_from 103.22.200.0/22; + #set_real_ip_from 103.31.4.0/22; + #set_real_ip_from 104.16.0.0/13; + #set_real_ip_from 104.24.0.0/14; + #set_real_ip_from 108.162.192.0/18; + #set_real_ip_from 131.0.72.0/22; + #set_real_ip_from 141.101.64.0/18; + #set_real_ip_from 162.158.0.0/15; + #set_real_ip_from 172.64.0.0/13; + #set_real_ip_from 173.245.48.0/20; + #set_real_ip_from 188.114.96.0/20; + #set_real_ip_from 190.93.240.0/20; + #set_real_ip_from 197.234.240.0/22; + #set_real_ip_from 198.41.128.0/17; + #set_real_ip_from 2400:cb00::/32; + #set_real_ip_from 2606:4700::/32; + #set_real_ip_from 2803:f800::/32; + #set_real_ip_from 2405:b500::/32; + #set_real_ip_from 2405:8100::/32; + #set_real_ip_from 2a06:98c0::/29; + #set_real_ip_from 2c0f:f248::/32; + # use XFF header to parse real IP + real_ip_header X-Forwarded-For; + real_ip_recursive on; + access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; @@ -24,7 +53,8 @@ server { fastcgi_buffer_size 32k; include fastcgi_params; } - + + proxy_hide_header X-Powered-By; server_tokens off; etag off; } diff --git a/examples/nginx-proxy-manager-goaccess/docker-compose.yml b/examples/nginx-proxy-manager-goaccess/docker-compose.yml index ffc12720d..be47deb4c 100644 --- a/examples/nginx-proxy-manager-goaccess/docker-compose.yml +++ b/examples/nginx-proxy-manager-goaccess/docker-compose.yml 
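Review bot: `listen 80 http2;` uses the listen-parameter form that nginx deprecated in 1.25.1 in favour of a separate directive, and `nginx:stable-alpine` is past that, so the container logs a deprecation warning; `listen 80;` followed by `http2 on;` is the current form. The now-active `set_real_ip_from` lines trust every RFC 1918 range together with `real_ip_recursive on`, which is only sound when the proxy in front overwrites or sanitises a client-supplied `X-Forwarded-For`; a client whose own address falls in one of those ranges is skipped and the preceding, client-controlled value is logged as the visitor. A comment on the `# local` line such as `# trust only the reverse proxy's subnet; broad ranges let clients forge X-Forwarded-For` states that limit. The commented Cloudflare list is a point-in-time snapshot and should cite where to refresh it from.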
@@ -1,17 +1,20 @@ -version: "3" - services: + goaccess: image: xavierh/goaccess-for-nginxproxymanager:latest container_name: goaccess restart: always + ports: + - '7880:7880' + expose: + - 7880 volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/nginx-proxy-manager/data/logs:/opt/log:ro + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/nginx-proxy-manager/data/logs:/opt/log:ro environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Berlin - - SKIP_ARCHIVED_LOGS=False #optional - - BASIC_AUTH=False #optional - - BASIC_AUTH_USERNAME=user #optional - - BASIC_AUTH_PASSWORD=pass #optional \ No newline at end of file + - PUID=1000 + - PGID=1000 + - TZ=Europe/Berlin + - SKIP_ARCHIVED_LOGS=False #optional + - BASIC_AUTH=False #optional + - BASIC_AUTH_USERNAME=user #optional + - BASIC_AUTH_PASSWORD=pass #optional \ No newline at end of file diff --git a/examples/nginx-proxy-manager/docker-compose.yml b/examples/nginx-proxy-manager/docker-compose.yml index 628e94440..41e9cb856 100644 --- a/examples/nginx-proxy-manager/docker-compose.yml +++ b/examples/nginx-proxy-manager/docker-compose.yml @@ -1,20 +1,21 @@ -version: "3" - services: + npm: + image: jc21/nginx-proxy-manager:latest container_name: npm + hostname: npm environment: - TZ=Europe/Berlin - PUID=1000 # see https://nginxproxymanager.com/advanced-config/ - PGID=1000 # see https://nginxproxymanager.com/advanced-config/ - hostname: npm - #networks: - # - npm_proxy - image: jc21/nginx-proxy-manager:latest ports: - 80:80/tcp # HTTP - 443:443/tcp # HTTPS - 81:81/tcp # MGMT UI, do not expose publicly + expose: + - 80 + - 443 + - 81 restart: unless-stopped healthcheck: test: ["CMD", "/bin/check-health"] @@ -23,6 +24,8 @@ services: volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/nginx-proxy-manager/data:/data - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/nginx-proxy-manager/letsencrypt:/etc/letsencrypt + #networks: + # - npm_proxy #networks: # npm_proxy: 
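Review bot: The new `ports: - '7880:7880'` publishes the GoAccess dashboard on every host interface while the environment below keeps `BASIC_AUTH=False`, so the visitor IPs and URLs of every proxied site become readable by anyone who can reach the host; before this change the service had no published port and was only reachable through the proxy. Either bind to loopback, `- '127.0.0.1:7880:7880'`, or publish only together with `BASIC_AUTH=True` and real credentials, and give the `user`/`pass` placeholders the repo's `# change this` marker. The file still ends without a trailing newline.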
diff --git a/examples/nitter/docker-compose.yml b/examples/nitter/docker-compose.yml index c4576456f..e7a29ff98 100644 --- a/examples/nitter/docker-compose.yml +++ b/examples/nitter/docker-compose.yml @@ -5,6 +5,8 @@ services: container_name: nitter ports: - "8080:8080" + expose: + - 8080 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/nitter/nitter.conf:/src/nitter.conf:ro depends_on: @@ -17,7 +19,7 @@ services: retries: 2 nitter-redis: - image: redis:6-alpine + image: redis:8-alpine container_name: nitter-redis command: redis-server --save 60 1 --loglevel warning volumes: diff --git a/examples/obsidian-remote/docker-compose.yml b/examples/obsidian-remote/docker-compose.yml index 875e4071c..036a0adca 100644 --- a/examples/obsidian-remote/docker-compose.yml +++ b/examples/obsidian-remote/docker-compose.yml @@ -1,5 +1,5 @@ -version: '3.8' services: + obsidian: image: 'ghcr.io/sytone/obsidian-remote:latest' container_name: obsidian-remote @@ -8,6 +8,10 @@ services: - 8080:8080 # Obsidian Web Interface #- 27123:27123 # Local REST API Plugin HTTP Server Port #- 27124:27124 # Local REST API Plugin HTTPS Server Port + expose: + - 8080 + - 27123 + - 27124 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/obsidian-remote/vaults:/vaults # The location on the host for your Obsidian Vaults - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/obsidian-remote/config:/config # The location to store Obsidan configuration and ssh data for obsidian-git diff --git a/examples/ollama-ui/README.md b/examples/ollama-ui/README.md index 3e79c5a23..3106228e2 100644 --- a/examples/ollama-ui/README.md +++ b/examples/ollama-ui/README.md 
@@ -21,3 +21,93 @@ Afterwards, we can browse Open WebUI on `http://127.0.0.1:8080` and register our > [!TIP] > > You likely want to pass a GPU into the Ollama container. Please read [this](https://hub.docker.com/r/ollama/ollama). + + +## Windows WSL 2 Setup + +1. Enable `Nested/Hardware Virtualization` in your BIOS +2. Install Nvidia drivers for Windows +3. Install Docker Desktop for Windows + +Then open an administrative PowerShell and proceed as follows: + +```` +# install wsl +wsl --install + +# configure wsl 2 as default +wsl --set-default-version 2 + +# install ubuntu +wsl --install -d ubuntu +```` + +After Ubuntu installation, you are prompted for a `username` and `password`. + +Afterwards, you will find youself in a Ubuntu terminal. + +## Windows Docker Desktop Setup + +Open Docker Desktop and enable WSL 2 via the setting `Use WSL 2 based engine`: + +![image](https://github.com/user-attachments/assets/85d1270a-80f9-4801-b388-81372af19f43) + +Then open `Resources > WSL Integration` and enable Docker for your Ubuntu WSL VM(s): + +![image](https://github.com/user-attachments/assets/5b3c7ff2-d865-4e43-b867-cc931516c5d9) + +## WSL 2 Ubuntu Setup + +After Docker Desktop adjustments, return to the PowerShell with your Ubuntu terminal. 
+ +Proceed in Ubuntu terminal with the following commands from [Ollama documentation](https://hub.docker.com/r/ollama/ollama): + +```` +# add repo +curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey \ + | sudo gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg +curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list \ + | sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' \ + | sudo tee /etc/apt/sources.list.d/nvidia-container-toolkit.list +sudo apt-get update + +# install nvidia container toolkit +sudo apt-get install -y nvidia-container-toolkit + +# add your user to docker group +sudo usermod -aG docker +newgrp docker + +# test docker and compose +docker -v +docker compose -v +```` + +> [!WARNING] +> You likely have to restart Docker Desktop and re-open the Ubuntu WSL VM + +Now you can make use of Docker in your WSL 2 Ubuntu VM. + +1. Store the `docker-compose.yml` from this repo into your WSL 2 Ubuntu VM +2. Start the Docker stack consisting of Ollama and OpenWebUI + +```` +docker compose up -d +```` + +Afterwards, you can open a web browser of your choice on your Windows and browse `http://127.0.0.1:8080`. + +You will be greeted by OpenWebUI and must setup your administrative user account. + +Afterwards: +1. Browse the settings at `http://127.0.0.1:8080/admin/settings` +2. Visit the `Connections` area +3. Disable `OpenAI API` +4. Click the `Manage` download button at Ollama and download your preferred models (see https://ollama.com/library) + +![image](https://github.com/user-attachments/assets/a3b03885-3605-439e-9536-82f1933aa5b1) + +Unsure which Deepseek R1 model your GPU can run? Read this [Reddit post](https://www.reddit.com/r/LocalLLaMA/comments/1i5wahr/comment/m8wi5tl/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button). 
+ +Here my results on Windows 11 with RTX 3080 Ti 12GB VRAM +![image](https://github.com/user-attachments/assets/e8886bfd-65f8-498d-b0e0-db68700352a5) diff --git a/examples/ollama-ui/docker-compose.yml b/examples/ollama-ui/docker-compose.yml index 694b7b1be..05db193bb 100644 --- a/examples/ollama-ui/docker-compose.yml +++ b/examples/ollama-ui/docker-compose.yml @@ -5,7 +5,7 @@ services: container_name: ollama-ui restart: always ports: - - 8080 + - 8080:8080 # web ui expose: - 8080 volumes: @@ -31,6 +31,13 @@ services: - 11434 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/ollama/data:/root/.ollama + #deploy: + # resources: + # reservations: + # devices: + # - driver: nvidia + # count: all + # capabilities: [gpu] #networks: # - proxy diff --git a/examples/ombi/docker-compose.yml b/examples/ombi/docker-compose.yml index b89449239..f57224590 100644 --- a/examples/ombi/docker-compose.yml +++ b/examples/ombi/docker-compose.yml @@ -1,5 +1,5 @@ -version: "2.1" services: + ombi: image: lscr.io/linuxserver/ombi:latest container_name: ombi @@ -12,4 +12,6 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/ombi/config:/config ports: - 3579:3579 + expose: + - 3579 restart: unless-stopped \ No newline at end of file diff --git a/examples/onedev/docker-compose.yml b/examples/onedev/docker-compose.yml index 66da7a5d5..a796af5d6 100644 --- a/examples/onedev/docker-compose.yml +++ b/examples/onedev/docker-compose.yml @@ -1,6 +1,5 @@ -version: '3.3' - services: + onedev: image: 1dev/server:latest container_name: onedev @@ -8,6 +7,8 @@ services: restart: unless-stopped ports: - 6610:6610/tcp + expose: + - 6610 volumes: - /etc/localtime:/etc/localtime:ro - /etc/timezone:/etc/timezone:ro diff --git a/examples/opengist/.env b/examples/opengist/.env new file mode 100644 index 000000000..1632c77b6 --- /dev/null +++ b/examples/opengist/.env 
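Review bot: `- 8080:8080 # web ui` replaces the ephemeral host port with a fixed mapping on all interfaces, while the README in this same commit tells users to browse `http://127.0.0.1:8080`. If loopback access is the intended setup, bind it explicitly with `- 127.0.0.1:8080:8080 # web ui`; the existing `expose: - 8080` already covers the reverse-proxy case. Whether the web UI enforces authentication before first use is not visible here, so the binding should not rely on it.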
@@ -0,0 +1,13 @@ +OG_OIDC_CLIENT_KEY= +OG_OIDC_SECRET= +OG_OIDC_DISCOVERY_URL=https:///.well-known/openid-configuration + +# custom assets; see https://opengist.io/docs/configuration/custom-assets.html +#OG_CUSTOM_LOGO=logo.png +#OG_CUSTOM_FAVICON=logo.png + +# custom links; see https://opengist.io/docs/configuration/custom-links.html +#OG_CUSTOM_STATIC_LINK_0_NAME="Legal Notices" +#OG_CUSTOM_STATIC_LINK_0_PATH=legal.html +#OG_CUSTOM_STATIC_LINK_1_NAME=Gitea +#OG_CUSTOM_STATIC_LINK_1_PATH=https://gitea.com diff --git a/examples/opengist/README.md b/examples/opengist/README.md new file mode 100644 index 000000000..6b995b830 --- /dev/null +++ b/examples/opengist/README.md @@ -0,0 +1,4 @@ +# References + +- https://opengist.io/docs/ +- https://github.com/thomiceli/opengist diff --git a/examples/opengist/docker-compose.yml b/examples/opengist/docker-compose.yml new file mode 100644 index 000000000..e10e66fdd --- /dev/null +++ b/examples/opengist/docker-compose.yml @@ -0,0 +1,32 @@ +services: + + opengist: + image: ghcr.io/thomiceli/opengist:1.12 + container_name: opengist + restart: unless-stopped + env_file: + - .env + environment: + - OG_OIDC_CLIENT_KEY=${OG_OIDC_CLIENT_KEY:-mykey} + - OG_OIDC_SECRET=${OG_OIDC_SECRET:-mysecret} + - OG_OIDC_DISCOVERY_URL=${OG_OIDC_DISCOVERY_URL:-https://sso.example.com} + ports: + - 6157:6157 + expose: + - 6157 # http ui + - 2222 # ssh + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/opengist:/opengist + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.opengist.rule=Host(`gist.example.com`) + # - traefik.http.services.opengist.loadbalancer.server.port=6157 + # # Optional part for traefik middlewares + # - traefik.http.routers.opengist.middlewares=local-ipwhitelist@file + +#networks: +# proxy: +# external: true diff --git a/examples/openspeedtest/docker-compose.yml b/examples/openspeedtest/docker-compose.yml index 00e69e563..b2cc08bd7 100644 
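Review bot: `OG_OIDC_DISCOVERY_URL=https:///.well-known/openid-configuration` has an empty host between the scheme and the path, so the template value is unusable as written. Use an obvious placeholder host that agrees with the compose default, `OG_OIDC_DISCOVERY_URL=https://sso.example.com/.well-known/openid-configuration`. The two empty credential lines above it are fine for a template, but a short comment saying they must be filled in before first start would help.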
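Review bot: `- OG_OIDC_SECRET=${OG_OIDC_SECRET:-mysecret}` (and `mykey` on the line above) silently substitutes a placeholder published in this repository whenever the variable is unset or empty — and the shipped `.env` leaves both empty — while `environment:` takes precedence over `env_file:`, so the defaults are what the container actually receives. Fail loudly instead: `- OG_OIDC_CLIENT_KEY=${OG_OIDC_CLIENT_KEY:?set in .env}` and `- OG_OIDC_SECRET=${OG_OIDC_SECRET:?set in .env}`. The discovery default `https://sso.example.com` also lacks the `/.well-known/openid-configuration` path that the `.env` template uses; the two should agree. Pinning `ghcr.io/thomiceli/opengist:1.12` rather than `latest` is good.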
--- a/examples/openspeedtest/docker-compose.yml +++ b/examples/openspeedtest/docker-compose.yml @@ -1,18 +1,21 @@ -version: "3" services: + openspeedtest: image: openspeedtest/latest:latest container_name: openspeedtest ports: - 3380:3000 # HTTP - 3001:3001 # HTTPS + expose: + - 3000 + - 3001 restart: always #labels: # - traefik.enable=true - # - traefik.http.routers.openspeedtest.middlewares=local-ipwhitelist@file, limit # - traefik.http.routers.openspeedtest.rule=Host(`speedtest.example.com`) # - traefik.http.services.openspeedtest.loadbalancer.server.port=3000 + # - traefik.http.routers.openspeedtest.middlewares=local-ipwhitelist@file,limit-openspeedtest,test-compress # - traefik.docker.network=proxy # # Part for local lan services only - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=10000000000 + # - traefik.http.middlewares.limit-openspeedtest.buffering.maxRequestBodyBytes=10000000000 # - traefik.http.middlewares.test-compress.compress=true diff --git a/examples/openvpn/docker-compose.yml b/examples/openvpn/docker-compose.yml index e45400f6c..4b1d1f5cf 100644 --- a/examples/openvpn/docker-compose.yml +++ b/examples/openvpn/docker-compose.yml @@ -1,6 +1,5 @@ -version: '3.3' - services: + openvpn-as: image: openvpn/openvpn-as container_name: openvpn-as diff --git a/examples/overleaf/README.md b/examples/overleaf/README.md index ccfb5b129..844809b11 100644 --- a/examples/overleaf/README.md +++ b/examples/overleaf/README.md 
@@ -1,3 +1,26 @@ # References - https://github.com/overleaf/overleaf +- https://github.com/overleaf/overleaf/blob/main/docker-compose.yml + +# Notes + +- Download `mongodb-init-replica-set.js` next to this compose file before first startup: +```bash + curl -o mongodb-init-replica-set.js https://raw.githubusercontent.com/overleaf/overleaf/main/bin/shared/mongodb-init-replica-set.js +``` +- MongoDB runs with a replica set (`--replSet overleaf`), which is required by newer Overleaf versions +- If migrating from an older setup (mongo 5.0, no replica set), initialize the replica set manually on existing data rather than relying on the init script + + +After spawning the stack, visit http://127.0.0.1:8888/launchpad to create your first admin user. + +> [!Note] +> To save bandwidth, the Overleaf image only comes with a minimal install of TeXLive. + +To upgrade to a complete TeXLive installation, run the installation script in the Overleaf container with the following command: +```` +docker exec sharelatex tlmgr install scheme-full +```` + +Alternatively you can install packages manually as you need by replacing scheme-full with the package name. diff --git a/examples/overleaf/docker-compose.yml b/examples/overleaf/docker-compose.yml index a6ea3f7a9..5d50cc8c1 100644 --- a/examples/overleaf/docker-compose.yml +++ b/examples/overleaf/docker-compose.yml @@ -1,8 +1,8 @@ -version: '2.2' services: + sharelatex: restart: always - image: sharelatex/sharelatex + image: sharelatex/sharelatex:6.1.2 container_name: sharelatex depends_on: mongo: 
@@ -11,41 +11,27 @@ services: condition: service_started ports: - 8888:80 + expose: + - 80 links: - mongo - redis stop_grace_period: 60s volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/sharelatex/data:/var/lib/overleaf - ######################################################################## - #### Server Pro: Uncomment the following line to mount the docker #### - #### socket, required for Sibling Containers to work #### - ######################################################################## # - /var/run/docker.sock:/var/run/docker.sock environment: OVERLEAF_APP_NAME: Overleaf Community Edition - OVERLEAF_MONGO_URL: mongodb://mongo/sharelatex + OVERLEAF_MONGO_URL: mongodb://mongo/sharelatex?replicaSet=overleaf - # Same property, unfortunately with different names in - # different locations OVERLEAF_REDIS_HOST: redis REDIS_HOST: redis ENABLED_LINKED_FILE_TYPES: 'project_file,project_output_file' - - # Enables Thumbnail generation using ImageMagick ENABLE_CONVERSIONS: 'true' - - # Disables email confirmation requirement EMAIL_CONFIRMATION_DISABLED: 'true' - - # temporary fix for LuaLaTex compiles - # see https://github.com/overleaf/overleaf/issues/695 - TEXMFVAR: /var/lib/sharelatex/tmp/texmf-var - - ## Set for SSL via nginx-proxy - #VIRTUAL_HOST: 103.112.212.22 + #TEXMFVAR: /var/lib/sharelatex/tmp/texmf-var # OVERLEAF_SITE_URL: http://overleaf.example.com # OVERLEAF_NAV_TITLE: Overleaf Community Edition @@ -56,10 +42,8 @@ services: # OVERLEAF_RIGHT_FOOTER: '[{"text": "Hello I am on the Right"} ]' # OVERLEAF_EMAIL_FROM_ADDRESS: "hello@example.com" - # OVERLEAF_EMAIL_AWS_SES_ACCESS_KEY_ID: # OVERLEAF_EMAIL_AWS_SES_SECRET_KEY: - # OVERLEAF_EMAIL_SMTP_HOST: smtp.example.com # OVERLEAF_EMAIL_SMTP_PORT: 587 # OVERLEAF_EMAIL_SMTP_SECURE: false 
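Review bot: The hunk deletes the banner explaining `# - /var/run/docker.sock:/var/run/docker.sock` but keeps the line, so a reader now sees a commented-out Docker socket mount with no indication that it is Server Pro–only and that uncommenting it hands the container control of the host's Docker daemon. Keep a one-line note, `# - /var/run/docker.sock:/var/run/docker.sock # Server Pro sibling containers only; grants host-level Docker access`, or drop the line along with the other removed Server Pro settings. The `?replicaSet=overleaf` suffix on `OVERLEAF_MONGO_URL` matches the `--replSet overleaf` command in the later hunk.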
@@ -73,18 +57,6 @@ services: # ENABLE_CRON_RESOURCE_DELETION: true - ################ - ## Server Pro ## - ################ - - # SANDBOXED_COMPILES: 'true' - - # SANDBOXED_COMPILES_SIBLING_CONTAINERS: 'true' - # SANDBOXED_COMPILES_HOST_DIR: '/var/sharelatex_data/data/compiles' - - # DOCKER_RUNNER: 'false' - - ## Works with test LDAP server shown at bottom of docker compose # OVERLEAF_LDAP_URL: 'ldap://ldap:389' # OVERLEAF_LDAP_SEARCH_BASE: 'ou=people,dc=planetexpress,dc=com' # OVERLEAF_LDAP_SEARCH_FILTER: '(uid={{username}})' @@ -97,27 +69,31 @@ services: # OVERLEAF_TEMPLATES_USER_ID: "578773160210479700917ee5" # OVERLEAF_NEW_PROJECT_TEMPLATE_LINKS: '[ {"name":"All Templates","url":"/templates/all"}]' - - # OVERLEAF_PROXY_LEARN: "true" mongo: restart: always - image: mongo:5.0 + image: mongo:8.2 container_name: sharelatex-mongo + command: "--replSet overleaf" expose: - 27017 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/sharelatex/mongo:/data/db + - ./mongodb-init-replica-set.js:/docker-entrypoint-initdb.d/mongodb-init-replica-set.js + environment: + MONGO_INITDB_DATABASE: sharelatex + extra_hosts: + - mongo:127.0.0.1 healthcheck: - test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet + test: echo 'db.stats().ok' | mongosh localhost:27017/test --quiet interval: 10s timeout: 10s retries: 5 redis: restart: always - image: redis:6.2-alpine + image: redis:8-alpine container_name: sharelatex-redis expose: - 6379 diff --git a/examples/owncloud-ocis/docker-compose.yml b/examples/owncloud-ocis/docker-compose.yml index 241d714ab..a9aa16eb0 100644 --- a/examples/owncloud-ocis/docker-compose.yml +++ b/examples/owncloud-ocis/docker-compose.yml @@ -1,6 +1,3 @@ ---- -version: "3.7" - services: ocis: 
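Review bot: `image: mongo:5.0` → `image: mongo:8.2` skips three major releases, and MongoDB supports upgrading only one major version at a time with a `featureCompatibilityVersion` bump in between, so an existing `sharelatex/mongo` data directory is not expected to start on 8.2. The README change in this commit covers the replica-set migration but not this, so add a comment on the image line, `image: mongo:8.2 # fresh installs only; existing 5.0 data must go 5.0 → 6.0 → 7.0 → 8.x first`, and mention it in the README notes. The `extra_hosts: - mongo:127.0.0.1` entry presumably lets the init script and healthcheck address the single member by its service name; a short comment would save the next reader a guess.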
@@ -25,21 +22,21 @@ services: - 9200:9200 expose: - 9200 + #networks: + # - dev #labels: # - traefik.enable=true + # - traefik.docker.network=dev # - traefik.http.routers.ocis.rule=Host(`cloud.example.com`) # adjust to your domain # - traefik.http.services.ocis.loadbalancer.server.port=9200 - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 - # - traefik.http.routers.ocis.middlewares=local-ipwhitelist@file,authelia@docker - # - traefik.docker.network=dev + # - traefik.http.middlewares.limit-ocis.buffering.maxRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-ocis.buffering.maxResponseBodyBytes=50000000 + # - traefik.http.middlewares.limit-ocis.buffering.memRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-ocis.buffering.memResponseBodyBytes=50000000 + # - traefik.http.routers.ocis.middlewares=limit-ocis # # disallow listing version details via /status.php endpoint # - traefik.http.routers.ocis-version-disclosure.rule=Host(`cloud.example.com`) && Path(`/status.php`) # - traefik.http.routers.ocis-version-disclosure.middlewares=local-ipwhitelist@file - #networks: - # - dev #networks: # dev: diff --git a/examples/pairdrop/docker-compose.yml b/examples/pairdrop/docker-compose.yml index a96731142..7306a5fd0 100644 --- a/examples/pairdrop/docker-compose.yml +++ b/examples/pairdrop/docker-compose.yml @@ -1,6 +1,5 @@ -version: "2.1" - services: + pairdrop: image: linuxserver/pairdrop:latest container_name: pairdrop @@ -13,6 +12,8 @@ services: - WS_FALLBACK=false #optional ports: - 3215:3000 + expose: + - 3000 restart: unless-stopped #networks: # - proxy 
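Review bot: `# - traefik.http.routers.ocis.middlewares=limit-ocis` replaces `local-ipwhitelist@file,authelia@docker`, so once the labels are uncommented the main router loses both the LAN allowlist and the forward-auth, while the `ocis-version-disclosure` router two lines below still carries `local-ipwhitelist@file` — the status endpoint ends up better protected than the application. The same substitution happens in pairdrop (drops `local-ipwhitelist@file,basic-auth@file`), paperless-ngx (same) and papermerge (drops `local-ipwhitelist@file,authelia@docker`), whereas openspeedtest and privatebin in this commit keep the allowlist in front of their limit middleware. If dropping the auth layer is deliberate because these applications have their own login, say so in the comment; otherwise keep it, `# - traefik.http.routers.ocis.middlewares=local-ipwhitelist@file,limit-ocis`.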
@@ -22,11 +23,11 @@ services: # - traefik.http.services.pairdrop.loadbalancer.server.port=3000 # - traefik.docker.network=proxy # # Part for optional traefik middlewares - # - traefik.http.routers.pairdrop.middlewares=local-ipwhitelist@file,basic-auth@file - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 # only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 # only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 # only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # only necessary for enabled file uploads + # - traefik.http.routers.pairdrop.middlewares=limit-pairdrop + # - traefik.http.middlewares.limit-pairdrop.buffering.maxRequestBodyBytes=50000000 # only necessary for enabled file uploads + # - traefik.http.middlewares.limit-pairdrop.buffering.maxResponseBodyBytes=50000000 # only necessary for enabled file uploads + # - traefik.http.middlewares.limit-pairdrop.buffering.memRequestBodyBytes=50000000 # only necessary for enabled file uploads + # - traefik.http.middlewares.limit-pairdrop.buffering.memResponseBodyBytes=50000000 # only necessary for enabled file uploads #networks: # proxy: diff --git a/examples/paperless-ngx/docker-compose-deprecated.yml b/examples/paperless-ngx/docker-compose-deprecated.yml deleted file mode 100644 index 4e58a79a8..000000000 --- a/examples/paperless-ngx/docker-compose-deprecated.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -version: "2.1" -services: - paperless-ngx: - image: lscr.io/linuxserver/paperless-ngx:latest - container_name: paperless-ngx - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Berlin - #- PAPERLESS_URL=https://docs.example.com # uncomment and adjust if behind reverse proxy - #- REDIS_URL= #optional - volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/paperless-ngx/config:/config - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/paperless-ngx/data:/data - ports: - - 8000:8000 - restart: unless-stopped - #labels: - # - traefik.enable=true - # - traefik.http.routers.paperless-ngx.rule=Host(`docs.example.com`) - # - traefik.http.services.paperless-ngx.loadbalancer.server.port=8000 - # - traefik.docker.network=proxy - # # Part for optional traefik middlewares - # - traefik.http.routers.paperless-ngx.middlewares=local-ipwhitelist@file diff --git a/examples/paperless-ngx/docker-compose.yml b/examples/paperless-ngx/docker-compose.yml index 242db6782..1c6b24e0a 100644 --- a/examples/paperless-ngx/docker-compose.yml +++ b/examples/paperless-ngx/docker-compose.yml @@ -1,17 +1,16 @@ -version: "3.4" - services: + broker: - image: docker.io/library/redis:7 + image: docker.io/library/redis:8-alpine container_name: paperless-ngx-redis restart: unless-stopped volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/paperless-ngx/redis:/data #networks: - # - proxy + # - proxy db: - image: docker.io/library/postgres:13 + image: docker.io/library/postgres:16-alpine container_name: paperless-ngx-db restart: unless-stopped volumes: @@ -21,7 +20,7 @@ services: POSTGRES_USER: paperless POSTGRES_PASSWORD: paperless #networks: - # - proxy + # - proxy webserver: image: ghcr.io/paperless-ngx/paperless-ngx:latest @@ -32,6 +31,8 @@ services: - broker ports: - "8910:8000" + expose: + - 8000 healthcheck: test: ["CMD", "curl", "-fs", "-S", "--max-time", "2", "http://localhost:8000"] interval: 30s 
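Review bot: `image: docker.io/library/postgres:13` → `postgres:16-alpine` is a major-version jump on the persistent volume declared just below; the Postgres image refuses to start on a data directory initialised by another major version, so existing deployments break on the next `docker compose up` until the data is migrated with `pg_upgrade` or a dump and restore. The same applies to papermerge (`postgres:12.3-alpine` → `16-alpine`), plausible (`14-alpine` → `16-alpine`) and raveberry (`postgres:13` → `16-alpine`); for paperless-ngx and raveberry the switch from the Debian image to alpine also changes the libc collation, which is another reason to prefer dump-and-restore over copying the data directory. A comment on each image line, `# major upgrade: migrate existing data (dump/restore) before switching`, would prevent surprise outages.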
@@ -66,11 +67,11 @@ services: # - traefik.http.services.paperless-ngx.loadbalancer.server.port=8000 # - traefik.docker.network=proxy # # Part for optional traefik middlewares - # - traefik.http.routers.paperless-ngx.middlewares=local-ipwhitelist@file,basic-auth@file - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.routers.paperless-ngx.middlewares=limit-paperless + # - traefik.http.middlewares.limit-paperless.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-paperless.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-paperless.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-paperless.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads #networks: # proxy: diff --git a/examples/papermerge/docker-compose-deprecated.yml b/examples/papermerge/docker-compose-deprecated.yml deleted file mode 100644 index 2aaa9e068..000000000 --- a/examples/papermerge/docker-compose-deprecated.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -version: "3" - -services: - papermerge: - container_name: papermerge - environment: - - PUID=1000 - - PGID=1000 - - TZ=Europe/Berlin - hostname: papermerge - image: linuxserver/papermerge:latest - restart: unless-stopped - volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/papermerge/importer_dir:/mnt/media/importer_dir - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/papermerge/config:/config - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/papermerge/data:/data diff --git a/examples/papermerge/docker-compose.yml b/examples/papermerge/docker-compose.yml index 39b36ec04..f0773b174 100644 --- a/examples/papermerge/docker-compose.yml +++ b/examples/papermerge/docker-compose.yml @@ -1,9 +1,7 @@ -version: '3.7' - services: app: - image: eugenci/papermerge:2.0.0 + image: eugenci/papermerge:2.0.1 container_name: papermerge-app restart: unless-stopped expose: 
@@ -31,15 +29,15 @@ services: # - traefik.http.routers.papermerge.rule=Host(`papermerge.example.com`) # - traefik.http.services.papermerge.loadbalancer.server.port=8000 # # Optional part for file upload max sizes - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 + # - traefik.http.middlewares.limit-papermerge.buffering.maxRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-papermerge.buffering.maxResponseBodyBytes=50000000 + # - traefik.http.middlewares.limit-papermerge.buffering.memRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-papermerge.buffering.memResponseBodyBytes=50000000 # # Optional part for traefik middlewares - # - traefik.http.routers.papermerge.middlewares=local-ipwhitelist@file,authelia@docker + # - traefik.http.routers.papermerge.middlewares=limit-papermerge db: - image: postgres:12.3-alpine + image: postgres:16-alpine container_name: papermerge-db restart: unless-stopped expose: @@ -54,8 +52,8 @@ services: # - proxy redis: + image: redis:8-alpine container_name: papermerge-redis - image: redis:6-alpine restart: unless-stopped expose: - 6379 @@ -65,7 +63,7 @@ services: # - proxy worker: - image: eugenci/papermerge-worker:v2.0.0 + image: eugenci/papermerge-worker:2.0.1 container_name: papermerge-worker restart: unless-stopped volumes: diff --git a/examples/passbolt/docker-compose.yml b/examples/passbolt/docker-compose.yml index 64f6c923f..d535bfa69 100644 --- a/examples/passbolt/docker-compose.yml +++ b/examples/passbolt/docker-compose.yml 
@@ -1,11 +1,12 @@ -version: '3.9' - services: + db: - image: mariadb:10.3 + image: mariadb:11.8 container_name: passbolt-db hostname: passbolt-db restart: unless-stopped + expose: + - 3306 environment: MYSQL_RANDOM_ROOT_PASSWORD: "true" MYSQL_DATABASE: "passbolt" @@ -43,3 +44,8 @@ services: - 8432:443 # HTTPS # - 8543:8080 # alternative port mappings if rootless image is used # - 8432:4433 # alternative port mappings if rootless image is used + expose: + - 80 + - 443 + - 8080 + - 4433 diff --git a/examples/photoprism/docker-compose.yml b/examples/photoprism/docker-compose.yml index 26ce66803..ce0873dea 100644 --- a/examples/photoprism/docker-compose.yml +++ b/examples/photoprism/docker-compose.yml @@ -1,6 +1,5 @@ -version: "3" - services: + photoprism: image: photoprism/photoprism:latest container_name: photoprism @@ -16,6 +15,8 @@ services: - PHOTOPRISM_DATABASE_DRIVER=sqlite ports: - 2342:2342 + expose: + - 2342 restart: unless-stopped volumes: - /path/to/my/locally/stored/media/files:/photoprism/originals diff --git a/examples/pi-hole/docker-compose.yml b/examples/pi-hole/docker-compose.yml index 0904214a1..2d15c8bec 100644 --- a/examples/pi-hole/docker-compose.yml +++ b/examples/pi-hole/docker-compose.yml @@ -1,10 +1,9 @@ -version: "3" - -# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/ services: + pihole: container_name: pihole image: pihole/pihole:latest + restart: unless-stopped # For DHCP it is recommended to remove these ports and instead add: network_mode: "host" ports: - "53:53/tcp" # DNS TCP 
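Review bot: `image: mariadb:10.3` → `image: mariadb:11.8` on an existing `passbolt-db` volume leaves the system tables at the old version; MariaDB generally starts on older data files but expects `mariadb-upgrade` to be run afterwards, and the official image only does that automatically when `MARIADB_AUTO_UPGRADE` is set. Add `MARIADB_AUTO_UPGRADE: "1"` next to `MYSQL_RANDOM_ROOT_PASSWORD: "true"` for deployments that carry data over, and the same for projectsend (`mariadb:10.5` → `11.8`). The new `expose: - 3306` is documentation only and does not publish the port, which is the right shape for a database.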
@@ -14,11 +13,21 @@ services: environment: TZ: 'Europe/Berlin' WEBPASSWORD: 'MySecureLoginPasswordForWebApp' - # Volumes store your data between container upgrades volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/pihole/data:/etc/pihole - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/pihole/dnsmasq:/etc/dnsmasq.d - # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities - cap_add: - - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed - restart: unless-stopped + #cap_add: + # - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.pihole.rule=Host(`pihole.example.com`) + # - traefik.http.services.pihole.loadbalancer.server.port=80 + # # Optional part for traefik middlewares + # - traefik.http.routers.pihole.middlewares=local-ipwhitelist@file + +#networks: +# proxy: +# external: true diff --git a/examples/plausible/README.md b/examples/plausible/README.md index 58188d5b3..28f80d0ef 100644 --- a/examples/plausible/README.md +++ b/examples/plausible/README.md 
@@ -1,17 +1,17 @@ # References -- https://github.com/plausible/analytics +- https://github.com/plausible/community-edition # Notes You have to place two clickhouse configuration files at the corresponding Docker bind volume mounts before starting the stack: ```` -wget https://raw.githubusercontent.com/plausible/hosting/master/clickhouse/clickhouse-config.xml -wget https://raw.githubusercontent.com/plausible/hosting/master/clickhouse/clickhouse-user-config.xml +wget https://raw.githubusercontent.com/plausible/community-edition/refs/heads/v3.2.0/clickhouse/ipv4-only.xml +wget https://raw.githubusercontent.com/plausible/community-edition/refs/heads/v3.2.0/clickhouse/logs.xml -mv clickhouse-config.xml /mnt/docker-volumes/plausible/clickhouse/. -mv clickhouse-user-config.xml /mnt/docker-volumes/plausible/clickhouse/. +mv ipv4-only.xml /mnt/docker-volumes/plausible/clickhouse/. +mv logs.xml /mnt/docker-volumes/plausible/clickhouse/. docker compose up ```` diff --git a/examples/plausible/docker-compose.yml b/examples/plausible/docker-compose.yml index 79a2c420d..8d0e1dccc 100644 --- a/examples/plausible/docker-compose.yml +++ b/examples/plausible/docker-compose.yml 
@@ -1,51 +1,67 @@ -version: "3.3" services: - #mail: - # image: bytemark/smtp - # restart: always - # container_name: plausible-smtp plausible_db: - # supported versions are 12, 13, and 14 - image: postgres:14-alpine + image: postgres:16-alpine container_name: plausible-db - restart: always + restart: always + expose: + - 5432 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/plausible/database/:/var/lib/postgresql/data environment: - POSTGRES_PASSWORD=${PSQL_PASS:-password} + healthcheck: + test: ["CMD-SHELL", "PGPASSWORD='${PSQL_PASS:-password}' pg_isready -U '${PSQL_USER:-postgres}' -d postgres"] + start_period: 1m #networks: # - proxy plausible_events_db: + image: clickhouse/clickhouse-server:26.2-alpine container_name: plausible-events-db - image: clickhouse/clickhouse-server:24.3.3.102-alpine restart: always + user: "101:1000" environment: - - CLICKHOUSE_UID=1000 - - CLICKHOUSE_GID=1000 + - CLICKHOUSE_SKIP_USER_SETUP=1 volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/plausible/event-data:/var/lib/clickhouse - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/plausible/clickhouse/clickhouse-config.xml:/etc/clickhouse-server/config.d/logging.xml:ro - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/plausible/clickhouse/clickhouse-user-config.xml:/etc/clickhouse-server/users.d/logging.xml:ro + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/plausible/clickhouse/event-data:/var/lib/clickhouse + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/plausible/clickhouse/event-logs:/var/log/clickhouse-server + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/plausible/clickhouse/logs.xml:/etc/clickhouse-server/config.d/logs.xml:ro + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/plausible/clickhouse/ipv4-only.xml:/etc/clickhouse-server/config.d/ipv4-only.xml:ro ulimits: nofile: soft: 262144 hard: 262144 + healthcheck: + test: + [ + "CMD-SHELL", + "wget --no-verbose --tries=1 -O - http://127.0.0.1:8123/ping || exit 1", + ] + start_period: 1m #networks: # - 
proxy plausible: + image: ghcr.io/plausible/community-edition:v3.2.0 container_name: plausible - image: ghcr.io/plausible/community-edition:v2.1.1 restart: always + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/plausible/data:/var/lib/plausible command: sh -c "sleep 10 && /entrypoint.sh db createdb && /entrypoint.sh db migrate && /entrypoint.sh run" depends_on: - - plausible_db - - plausible_events_db - # - mail + plausible_db: + condition: service_healthy + plausible_events_db: + condition: service_healthy + ulimits: + nofile: + soft: 65535 + hard: 65535 ports: - 8000:8000 # WEB UI + expose: + - 8000 env_file: - .env #networks: diff --git a/examples/plex/docker-compose.yml b/examples/plex/docker-compose.yml index 527471e55..a2205335a 100644 --- a/examples/plex/docker-compose.yml +++ b/examples/plex/docker-compose.yml @@ -1,6 +1,5 @@ -version: '3.3' - services: + pms-docker: image: plexinc/pms-docker container_name: plex @@ -14,3 +13,5 @@ services: restart: unless-stopped ports: - '32400:32400' + expose: + - 32400 diff --git a/examples/portainer/docker-compose.yml b/examples/portainer/docker-compose.yml index dbdf8c72a..0c866581d 100644 --- a/examples/portainer/docker-compose.yml +++ b/examples/portainer/docker-compose.yml @@ -1,9 +1,8 @@ -version: '3' - services: + portainer: - image: portainer/portainer-ee:latest # or use community edition via portainer/portainer-ce - container_name: portainer-ee # may rename to portainer-ce if community edition is used + image: portainer/portainer-ce:alpine # or portainer-ee for enterprise edition + container_name: portainer-ce # or portainer-ee for enterprise edition restart: unless-stopped volumes: - /etc/localtime:/etc/localtime:ro diff --git a/examples/posio/docker-compose.yml b/examples/posio/docker-compose.yml index fdc8abfd2..d07915900 100644 --- a/examples/posio/docker-compose.yml +++ b/examples/posio/docker-compose.yml 
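Review bot: The ClickHouse bind mount moves from `plausible/event-data` to `plausible/clickhouse/event-data`, so an existing deployment comes up with an empty `/var/lib/clickhouse` and all historical events appear lost until the operator notices and moves the directory; the README change in this commit does not mention it. Either keep the old path or add `# path changed from plausible/event-data — move existing data before upgrading` next to the mount. Separately, the new Postgres healthcheck `PGPASSWORD='${PSQL_PASS:-password}' pg_isready ...` bakes the database password into the container's healthcheck command, where it is readable via `docker inspect` and the process list; `pg_isready` only checks that the server accepts connections and needs no password, so `test: ["CMD-SHELL", "pg_isready -U '${PSQL_USER:-postgres}' -d postgres"]` is enough. The `postgres:16-alpine` bump has the same data-directory upgrade caveat as the other Postgres examples in this commit.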
@@ -1,6 +1,5 @@ -version: '3.3' - services: + posio: image: l4rm4nd/posio:latest container_name: posio diff --git a/examples/privatebin/docker-compose.yml b/examples/privatebin/docker-compose.yml index 01707e6d5..1e47a97b5 100644 --- a/examples/privatebin/docker-compose.yml +++ b/examples/privatebin/docker-compose.yml @@ -1,6 +1,5 @@ -version: "3.7" - services: + privatebin: hostname: privatebin container_name: privatebin @@ -8,6 +7,8 @@ services: read_only: true # not in compose 3.0 documentation but appears supported based ports: - 8080:8080 + expose: + - 8080 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/privatebin/data:/srv/data # volume for persisted data pastes - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/privatebin/configs/config.php:/srv/cfg/conf.php:ro # volume for custom privatebin config; please place the config.php file here 
@@ -16,12 +17,12 @@ services: restart: always #labels: # - traefik.enable=true + # - traefik.docker.network=proxy # - traefik.http.routers.privatebin.rule=Host(`privatebin.example.com`) # - traefik.http.services.privatebin.loadbalancer.server.port=8080 - # - traefik.docker.network=proxy # # Part for local lan services only - # # - traefik.http.routers.privatebin.middlewares=local-ipwhitelist@file - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=1000000000 # necessary to enable large file uploads - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=1000000000 # necessary to enable large file uploads - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000000 # necessary to enable large file uploads - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000000 # necessary to enable large file uploads + # # - traefik.http.routers.privatebin.middlewares=local-ipwhitelist@file,limit-privatebin + # - traefik.http.middlewares.limit-privatebin.buffering.maxRequestBodyBytes=1000000000 # necessary to enable large file uploads + # - traefik.http.middlewares.limit-privatebin.buffering.maxResponseBodyBytes=1000000000 # necessary to enable large file uploads + # - traefik.http.middlewares.limit-privatebin.buffering.memRequestBodyBytes=2000000000 # necessary to enable large file uploads + # - traefik.http.middlewares.limit-privatebin.buffering.memResponseBodyBytes=2000000000 # necessary to enable large file uploads \ No newline at end of file diff --git a/examples/projectsend/docker-compose.yml b/examples/projectsend/docker-compose.yml index 9ce6de6de..6630fd515 100644 --- a/examples/projectsend/docker-compose.yml +++ b/examples/projectsend/docker-compose.yml @@ -1,5 +1,5 @@ -version: "2.1" services: + projectsend: image: lscr.io/linuxserver/projectsend:latest container_name: projectsend 
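Review bot: `# # - traefik.http.routers.privatebin.middlewares=local-ipwhitelist@file,limit-privatebin` is still double-commented, so when the `#labels:` block is enabled the renamed `limit-privatebin` buffering middleware is defined by the four lines below it but never attached to the router, and the settings marked "necessary to enable large file uploads" have no effect. Make it a normal label line, `# - traefik.http.routers.privatebin.middlewares=local-ipwhitelist@file,limit-privatebin`. Also `memRequestBodyBytes=2000000000` exceeds `maxRequestBodyBytes=1000000000`, so every accepted body is held fully in memory rather than spilled to disk; a smaller in-memory threshold is the usual arrangement.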
@@ -13,15 +13,19 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/projectsend/data:/data ports: - 8080:80 # WEB UI + expose: + - 80 restart: unless-stopped depends_on: - database database: - image: mariadb:10.5 + image: mariadb:11.8 container_name: projectsend-db command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW restart: unless-stopped + expose: + - 3306 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/projectsend/database:/var/lib/mysql environment: diff --git a/examples/prowlarr/docker-compose.yml b/examples/prowlarr/docker-compose.yml index 2796542cb..cea8bf331 100644 --- a/examples/prowlarr/docker-compose.yml +++ b/examples/prowlarr/docker-compose.yml @@ -1,6 +1,5 @@ -version: "2.1" - services: + prowlarr: image: lscr.io/linuxserver/prowlarr:latest container_name: prowlarr @@ -12,4 +11,6 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/prowlarr/config:/config ports: - 9696:9696 + expose: + - 9696 restart: unless-stopped diff --git a/examples/pwndrop/docker-compose.yml b/examples/pwndrop/docker-compose.yml index a46c0ef09..2ec764860 100644 --- a/examples/pwndrop/docker-compose.yml +++ b/examples/pwndrop/docker-compose.yml @@ -1,6 +1,5 @@ -version: "3" - services: + pwndrop: image: linuxserver/pwndrop:latest container_name: pwndrop diff --git a/examples/radarr/docker-compose.yml b/examples/radarr/docker-compose.yml index 01bbbedef..702fc4e91 100644 --- a/examples/radarr/docker-compose.yml +++ b/examples/radarr/docker-compose.yml @@ -1,6 +1,5 @@ -version: "2.1" - services: + radarr: image: lscr.io/linuxserver/radarr:latest container_name: radarr @@ -14,4 +13,6 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/radarr/downloads:/downloads # Should be the same as the download client's folder ports: - 7878:7878 + expose: + - 7878 restart: unless-stopped diff --git a/examples/raveberry/docker-compose.yml b/examples/raveberry/docker-compose.yml index a74c4bbd7..03266c6b1 100644 
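Review bot: `image: mariadb:11.8` replaces 10.5 for a database whose data directory is persisted in the existing `projectsend/database` bind mount, and nothing in the hunk notes that this is a multi-major upgrade of an existing datadir. Anyone pulling this change on a running deployment should take a dump first and let the server's upgrade routine run (the official image offers `MARIADB_AUTO_UPGRADE=1` for that); a comment such as `# upgraded from 10.5: back up the database volume before pulling` above the image line would make it visible. The seafile example makes the same 10.11 → 11.8 jump and should carry the same comment. Whether the linuxserver projectsend image has been validated against MariaDB 11.x is not visible here and is worth confirming.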
--- a/examples/raveberry/docker-compose.yml +++ b/examples/raveberry/docker-compose.yml @@ -1,8 +1,7 @@ -version: '3' - services: + db: - image: postgres:13 + image: postgres:16-alpine container_name: raveberry-db environment: - POSTGRES_DB=raveberry @@ -15,7 +14,7 @@ services: # - proxy redis: - image: redis + image: redis:8-alpine container_name: raveberry-redis restart: unless-stopped #networks: @@ -144,8 +143,10 @@ services: nginx: image: raveberry/raveberry-nginx container_name: raveberry-nginx - #ports: - # - 9870:80 + ports: + - 9870:80 + expose: + - 80 environment: - DAPHNE_HOST - DAPHNE_PORT diff --git a/examples/requestbin/docker-compose.yml b/examples/requestbin/docker-compose.yml index df4743c89..ed28cb8e0 100644 --- a/examples/requestbin/docker-compose.yml +++ b/examples/requestbin/docker-compose.yml @@ -1,6 +1,5 @@ -version: "3.3" - services: + app: image: l4rm4nd/requestbin:latest hostname: requestbin @@ -27,8 +26,8 @@ services: redis: image: redis:alpine - hostname: redis container_name: requestbin_redis + hostname: redis restart: unless-stopped #volumes: # - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/requestbin/redis:/data diff --git a/examples/rocketchat/docker-compose.yml b/examples/rocketchat/docker-compose.yml index d83017a3a..80ac4776a 100644 --- a/examples/rocketchat/docker-compose.yml +++ b/examples/rocketchat/docker-compose.yml 
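Review bot: `image: postgres:16-alpine` replaces `postgres:13` while the service's data volume is unchanged, and PostgreSQL does not upgrade a data directory across major versions in place — the container will refuse to start on a 13-format datadir. The example should carry a comment above the image line, e.g. `# major upgrade from 13: dump with pg_dumpall on the old image and restore into a fresh volume`, or keep the old major for existing deployments. The same situation appears in rxresume v3 (`postgres:alpine` → `16-alpine`, which can even be a downgrade if the floating tag had already pulled a newer major), sonarqube (`13.1` → `16-alpine`) and tandoor (`11-alpine` → `16-alpine`). The nginx hunk in this file also turns the previously commented `9870:80` mapping into a port published on all host interfaces; if that is meant for local use only, `127.0.0.1:9870:80` keeps it consistent with the reverse-proxy setup the rest of the repository assumes.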
@@ -1,24 +1,14 @@ -version: "3.7" - services: + rocketchat: + image: registry.rocket.chat/rocketchat/rocket.chat:latest container_name: rocketchat hostname: rocketchat - image: registry.rocket.chat/rocketchat/rocket.chat:latest restart: unless-stopped expose: - 3000 ports: - 3000:3000 # web ui - #labels: - # - traefik.enable=true - # - traefik.http.routers.rocketchat.rule=Host(`chat.example.com`) # pls change - # - traefik.http.services.rocketchat.loadbalancer.server.port=3000 - # - traefik.docker.network=proxy - # # Part for local lan services only; disable to expose externally - # - traefik.http.routers.rocketchat.middlewares=local-ipwhitelist@file - #networks: - # - proxy volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/rocketchat/uploads:/app/uploads # only use if you enable filesystem upload in the admin area; see https://docs.rocket.chat/use-rocket.chat/workspace-administration/settings/file-upload#storage-type environment: @@ -34,11 +24,20 @@ services: DEPLOY_PLATFORM: ${DEPLOY_PLATFORM:-linux} depends_on: - mongodb + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.http.routers.rocketchat.rule=Host(`chat.example.com`) # pls change + # - traefik.http.services.rocketchat.loadbalancer.server.port=3000 + # - traefik.docker.network=proxy + # # Part for local lan services only; disable to expose externally + # - traefik.http.routers.rocketchat.middlewares=local-ipwhitelist@file mongodb: + image: docker.io/bitnami/mongodb:${MONGODB_VERSION:-4.4} container_name: rocketchat-db hostname: rocketchat-db - image: docker.io/bitnami/mongodb:${MONGODB_VERSION:-4.4} restart: unless-stopped volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/rocketchat/mongodb:/bitnami/mongodb diff --git a/examples/roundcube/README.md b/examples/roundcube/README.md new file mode 100644 index 000000000..6de1e3a91 --- /dev/null +++ b/examples/roundcube/README.md 
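Review bot: The mongodb service now leads with `image: docker.io/bitnami/mongodb:${MONGODB_VERSION:-4.4}` while the rocketchat service floats on `:latest`; MongoDB 4.4 reached end of life in early 2024 and, as far as I know, recent Rocket.Chat releases no longer support it, so the default will eventually pair an unsupported database with a current application on the next pull. Pinning rocketchat to a major tag, or raising the MongoDB default to a version the pinned Rocket.Chat release lists as supported, and documenting the pairing with a comment such as `# keep MONGODB_VERSION within the range supported by this Rocket.Chat release` avoids a silent breakage. The rest of the hunk only reorders existing lines.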
@@ -0,0 +1,4 @@ +# References + +- https://github.com/roundcube/roundcubemail-docker +- https://hub.docker.com/r/roundcube/roundcubemail diff --git a/examples/roundcube/docker-compose.yml b/examples/roundcube/docker-compose.yml new file mode 100644 index 000000000..9c16347fa --- /dev/null +++ b/examples/roundcube/docker-compose.yml @@ -0,0 +1,36 @@ +services: + + roundcube: + image: roundcube/roundcubemail:latest + container_name: roundcube + restart: unless-stopped + expose: + - 80/tcp + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/roundcube/database:/var/roundcube/db + #- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/roundcube/config:/var/roundcube/config + #- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/roundcube/enigma:/var/roundcube/enigma + environment: + - ROUNDCUBEMAIL_DEFAULT_HOST=ssl://imap.web.de + - ROUNDCUBEMAIL_DEFAULT_PORT=993 + - ROUNDCUBEMAIL_SMTP_SERVER=tls://smtp.web.de + - ROUNDCUBEMAIL_SMTP_PORT=587 + - ROUNDCUBEMAIL_DB_TYPE=sqlite + - ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE=50M + - ROUNDCUBEMAIL_ASPELL_DICTS=de,en + # Custom plugins; see https://packagist.org/?type=roundcube-plugin + - ROUNDCUBEMAIL_COMPOSER_PLUGINS=johndoh/contextmenu,weird-birds/thunderbird_labels,jfcherng-roundcube/show-folder-size,germancoding/tls_icon,texxasrulez/advanced_search,johndoh/swipe + - ROUNDCUBEMAIL_PLUGINS=contextmenu,thunderbird_labels,show_folder_size,tls_icon,advanced_search,swipe + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.roundcube.rule=Host(`roundcube.example.com`) + # - traefik.http.services.roundcube.loadbalancer.server.port=80 + # # Optional part for traefik middlewares + # - traefik.http.routers.roundcube.middlewares=local-ipwhitelist@file + +#networks: +# proxy: +# external: true diff --git a/examples/rxresume/docker-compose-v3.yml b/examples/rxresume/docker-compose-v3.yml index 9d6ee6366..dcfd8e078 100644 --- a/examples/rxresume/docker-compose-v3.yml 
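Review bot: `ROUNDCUBEMAIL_COMPOSER_PLUGINS` lists six third-party plugins with no version constraint, so every container (re)creation resolves and installs whatever Packagist currently serves for those packages — a supply-chain exposure and a reproducibility problem for a webmail client that handles mailbox credentials. Pin each entry to a version constraint if the image's installer accepts one (verify against the image documentation) and state the trade-off above the line, e.g. `# third-party code fetched from Packagist at container start; pin versions and review before enabling`. `ROUNDCUBEMAIL_DEFAULT_HOST=ssl://imap.web.de` and the SMTP counterpart name a real provider rather than the `example.com`-style placeholders used elsewhere in the repository; a `# please change` marker would match the other examples.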
+++ b/examples/rxresume/docker-compose-v3.yml @@ -1,5 +1,3 @@ -version: "3.8" - # This docker compose example targets rxresume < 4.0 # For a newer version, please see https://github.com/AmruthPillai/Reactive-Resume/tree/main/tools/compose @@ -22,8 +20,9 @@ version: "3.8" # https://github.com/AmruthPillai/Reactive-Resume/issues/721#issuecomment-1405283786 services: + postgres: - image: postgres:alpine + image: postgres:16-alpine container_name: rxresume-db restart: always expose: @@ -118,7 +117,7 @@ services: #- traefik.http.routers.rxresume-client.middlewares=local-ipwhitelist@file # may enable this middleware for access control traefik: - image: traefik:v2.10.1 + image: traefik:v2.11 container_name: rxresume-traefik restart: unless-stopped command: diff --git a/examples/rxresume/docker-compose-v4.yml b/examples/rxresume/docker-compose-v4.yml index 17520b0db..bf53b97ef 100644 --- a/examples/rxresume/docker-compose-v4.yml +++ b/examples/rxresume/docker-compose-v4.yml @@ -1,6 +1,5 @@ -version: "3.8" - services: + postgres: image: postgres:16-alpine container_name: rx-db diff --git a/examples/scratch-map/README.md b/examples/scratch-map/README.md new file mode 100644 index 000000000..b746a4195 --- /dev/null +++ b/examples/scratch-map/README.md @@ -0,0 +1,11 @@ +# References + +- https://github.com/ad3m3r5/scratch-map + +# Notes + +May require you to fix permissions of the bind mount volume: + +```` +sudo chown -R 1000:1000 ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/scratch-map +```` diff --git a/examples/scratch-map/docker-compose.yml b/examples/scratch-map/docker-compose.yml new file mode 100644 index 000000000..3a0dd5ad0 --- /dev/null +++ b/examples/scratch-map/docker-compose.yml 
@@ -0,0 +1,28 @@ +services: + + scratchmap: + image: ad3m3r5/scratch-map:latest + container_name: scratch-map + restart: unless-stopped + ports: + - 8080:8080/tcp # http ui + expose: + - 8080/tcp + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/scratch-map:/data + environment: + - DBLOCATION=/data + - PORT=8080 + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.scratchmap.rule=Host(`earth.example.com`) + # - traefik.http.services.scratchmap.loadbalancer.server.port=8080 + # # Optional part for traefik middlewares + # - traefik.http.routers.scratchmap.middlewares=local-ipwhitelist@file + +#networks: +# proxy: +# external: true diff --git a/examples/seafile/docker-compose.yml b/examples/seafile/docker-compose.yml index 00716fbdd..177c3cc51 100644 --- a/examples/seafile/docker-compose.yml +++ b/examples/seafile/docker-compose.yml @@ -1,8 +1,7 @@ -version: '3.6' - services: + db: - image: mariadb:10.11 + image: mariadb:11.8 container_name: seafile-mysql environment: - MYSQL_ROOT_PASSWORD=db_dev # Requested, set the root's password of MySQL service. @@ -14,7 +13,7 @@ services: # - proxy memcached: - image: memcached:1.6.18 + image: memcached:1.6.40 container_name: seafile-memcached entrypoint: memcached -m 256 restart: unless-stopped @@ -28,6 +27,9 @@ services: ports: - "7780:80" # HTTP - "7443:443" # HTTPS + expose: + - 80 + - 443 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/seafile/data:/shared # Requested, specifies the path to Seafile data persistent store. environment: diff --git a/examples/send/docker-compose.yml b/examples/send/docker-compose.yml index 20d227fb3..0fdf01865 100644 --- a/examples/send/docker-compose.yml +++ b/examples/send/docker-compose.yml @@ -1,5 +1,3 @@ -version: "3" - services: send: 
@@ -67,10 +65,11 @@ services: # - traefik.docker.network=proxy # - traefik.http.routers.send.rule=Host(`send.example.com`) # - traefik.http.services.send.loadbalancer.server.port=1234 - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=5000000000 # optional, only necessary for file uploads; allow 5GB - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=5000000000 # optional, only necessary for file uploads; allow 5GB - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=5000000000 # optional, only necessary for file uploads; allow 5GB - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=5000000000 # optional, only necessary for file uploads; allow 5GB + # - traefik.http.middlewares.limit-send.buffering.maxRequestBodyBytes=5000000000 # optional, only necessary for file uploads; allow 5GB + # - traefik.http.middlewares.limit-send.buffering.maxResponseBodyBytes=5000000000 # optional, only necessary for file uploads; allow 5GB + # - traefik.http.middlewares.limit-send.buffering.memRequestBodyBytes=5000000000 # optional, only necessary for file uploads; allow 5GB + # - traefik.http.middlewares.limit-send.buffering.memResponseBodyBytes=5000000000 # optional, only necessary for file uploads; allow 5GB + # - traefik.http.routers.send.middlewares=limit-send redis: image: redis:alpine diff --git a/examples/sftpgo/docker-compose.yml b/examples/sftpgo/docker-compose.yml index 204dc4a0a..639cd2c3d 100644 --- a/examples/sftpgo/docker-compose.yml +++ b/examples/sftpgo/docker-compose.yml @@ -2,13 +2,16 @@ services: sftpgo: image: drakkan/sftpgo:v2-alpine + container_name: sftpgo user: 1000:1000 restart: unless-stopped ports: - 8888:8080 # HTTP - #- 2022:2022" # SFTP - #- 8443:443" # HTTPS - #- 5007:5007 # WEBDAV + expose: + - 8080 # HTTP + - 2022 # SFTP + - 443 # HTTPS + - 5007 # WEBDAV environment: # These are the settings to access your db SFTPGO_WEBDAVD__BINDINGS__0__PORT: 5007 
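Review bot: Replacing the commented `2022:2022`, `8443:443` and `5007:5007` mappings with `expose:` entries changes what the sftpgo example offers: `expose` only documents container ports to other containers, so SFTP on 2022 and WebDAV on 5007 are no longer reachable from the host at all, and the Traefik examples in this repository define only `http` and `https` entrypoints, so they cannot proxy SFTP either. If SFTP is meant to work out of the box, keep a published mapping for it, e.g. `- 2022:2022 # SFTP`, or add a comment explaining that a TCP router or a published port is required. The `user: 1000:1000` line is unchanged context.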
@@ -28,7 +31,10 @@ services: mysql: image: mysql:latest + container_name: sftpgo-db restart: always + expose: + - 3306 environment: MYSQL_DATABASE: sftpgo MYSQL_USER: sftpgo # please change diff --git a/examples/shiori/docker-compose.yml b/examples/shiori/docker-compose.yml index d8b1db159..52e02f045 100644 --- a/examples/shiori/docker-compose.yml +++ b/examples/shiori/docker-compose.yml @@ -1,5 +1,3 @@ -version: "2.1" - services: shiori: diff --git a/examples/siyuan/.env b/examples/siyuan/.env new file mode 100644 index 000000000..caee29cfd --- /dev/null +++ b/examples/siyuan/.env @@ -0,0 +1,7 @@ +TZ=Europe/Berlin +PUID=1000 +PGID=1000 + +# please create a random secret +# openssl rand -base64 12 +AuthCode=ExampleSecretKey diff --git a/examples/siyuan/README.md b/examples/siyuan/README.md new file mode 100644 index 000000000..03e08b8e2 --- /dev/null +++ b/examples/siyuan/README.md @@ -0,0 +1,3 @@ +# References + +- https://github.com/siyuan-note/siyuan diff --git a/examples/siyuan/docker-compose.yml b/examples/siyuan/docker-compose.yml new file mode 100644 index 000000000..2cf34b60a --- /dev/null +++ b/examples/siyuan/docker-compose.yml 
@@ -0,0 +1,30 @@ +services: + + siyuan: + image: b3log/siyuan:latest + container_name: siyuan + command: ['--workspace=/siyuan/workspace/', '--accessAuthCode=${AuthCode:-S3cr3t}'] + ports: + - 6806:6806/tcp # web ui + expose: + - 6806 + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/siyuan/workspace:/siyuan/workspace + restart: unless-stopped + environment: + - TZ=${PUID:-Europe/Berlin} + - PUID=${PUID:-1000} + - PGID=${PGID:-1000} + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.siyuan.rule=Host(`wiki.example.com`) + # - traefik.http.services.siyuan.loadbalancer.server.port=6806 + # # Optional part for traefik middlewares + # - traefik.http.routers.siyuan.middlewares=local-ipwhitelist@file + +#networks: +# proxy: +# external: true \ No newline at end of file diff --git a/examples/snipe-it/docker-compose.yml b/examples/snipe-it/docker-compose.yml index 44270eb8d..426b2c48d 100644 --- a/examples/snipe-it/docker-compose.yml +++ b/examples/snipe-it/docker-compose.yml @@ -1,9 +1,8 @@ ---- -version: "2.1" services: + snipe-it: image: lscr.io/linuxserver/snipe-it:latest - container_name: snipe-it + container_name: snipeit environment: - PUID=1000 - PGID=1000 @@ -18,11 +17,15 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/snipeit/config:/config ports: - 8080:80 + expose: + - 80 restart: unless-stopped mariadb: image: lscr.io/linuxserver/mariadb:latest - container_name: mariadb + container_name: snipeit-mariadb + expose: + - 3306 environment: - PUID=1000 - PGID=1000 diff --git a/examples/sonarqube/docker-compose.yml b/examples/sonarqube/docker-compose.yml index 4ee79234f..81b434546 100644 --- a/examples/sonarqube/docker-compose.yml +++ b/examples/sonarqube/docker-compose.yml 
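Review bot: `- TZ=${PUID:-Europe/Berlin}` substitutes the wrong variable — with the provided `.env` setting `PUID=1000`, the container's timezone becomes `1000`; it should read `- TZ=${TZ:-Europe/Berlin}`. In the `command:` list, `--accessAuthCode=${AuthCode:-S3cr3t}` falls back to a fixed, published value whenever `.env` is missing, so a forgotten env file silently yields an instance protected by a known code; `${AuthCode:?set AuthCode in .env}` makes compose refuse to start instead. Note also that the code is passed on the command line and is therefore visible in `docker inspect` output and host process listings, which is worth a comment above the `command:` line.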
@@ -1,11 +1,12 @@ -version: "3" - services: + sonarqube: - image: sonarqube:8.5.1-community + image: sonarqube:lts-community container_name: sonarqube ports: - 9000:9000 # WEB UI + expose: + - 9000 environment: - sonar.jdbc.username=sonar - sonar.jdbc.password=sonar @@ -16,9 +17,11 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/sonarqube/extensions:/opt/sonarqube/extensions db: - image: postgres:13.1 + image: postgres:16-alpine container_name: sonarqube_db hostname: db + expose: + - 5432 environment: - POSTGRES_USER=sonar - POSTGRES_PASSWORD=sonar diff --git a/examples/sonarr/docker-compose.yml b/examples/sonarr/docker-compose.yml index 9151cbdaf..a8c7f0f9a 100644 --- a/examples/sonarr/docker-compose.yml +++ b/examples/sonarr/docker-compose.yml @@ -1,6 +1,5 @@ -version: "2.1" - services: + sonarr: image: lscr.io/linuxserver/sonarr:latest container_name: sonarr @@ -14,4 +13,6 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/sonarr/downloads:/downloads # Should be the same as the download client's folder ports: - 8989:8989 + expose: + - 8989 restart: unless-stopped diff --git a/examples/speedtest-tracker/docker-compose.yml b/examples/speedtest-tracker/docker-compose.yml index 30fadbb3e..90ea6b14d 100644 --- a/examples/speedtest-tracker/docker-compose.yml +++ b/examples/speedtest-tracker/docker-compose.yml 
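Review bot: `image: sonarqube:lts-community` replaces a pinned `8.5.1-community` with a floating tag, and SonarQube requires stepping through each intermediate LTS/LTA release when upgrading an existing database, so an existing 8.5 instance pointed at this tag will most likely fail its schema migration (verify against the SonarQube upgrade notes). Pin the tag to the specific LTS you validated and add a comment such as `# upgrading from 8.x requires going through each LTS in turn; back up the database first`. The `sonar.jdbc.password=sonar` credential visible in the context lines is a default that should at least carry a `# please change` marker like the other examples in this repository.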
@@ -1,20 +1,23 @@ -version: '3.3' services: - speedtest: - container_name: speedtest - image: henrywhitaker3/speedtest-tracker - ports: - - 8765:80 - volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/speedtest-tracker/config:/config - environment: - - TZ=Europe/Berlin - - PGID=1000 - - PUID=1000 - - OOKLA_EULA_GDPR=true - logging: - driver: "json-file" - options: - max-file: "10" - max-size: "200k" - restart: unless-stopped + + speedtest: + image: henrywhitaker3/speedtest-tracker + container_name: speedtest + hostname: speedtest + restart: unless-stopped + ports: + - 8765:80/tcp + expose: + - 80 + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/speedtest-tracker/config:/config + environment: + - TZ=Europe/Berlin + - PGID=1000 + - PUID=1000 + - OOKLA_EULA_GDPR=true + logging: + driver: "json-file" + options: + max-file: "10" + max-size: "200k" \ No newline at end of file diff --git a/examples/stash/docker-compose.yml b/examples/stash/docker-compose.yml index e305b5d58..7d0ea19b2 100644 --- a/examples/stash/docker-compose.yml +++ b/examples/stash/docker-compose.yml @@ -1,7 +1,5 @@ -# APPNICENAME=Stash -version: '3.4' - services: + stash: image: stashapp/stash:latest container_name: stash @@ -10,6 +8,8 @@ services: ## the container's port must be the same with the STASH_PORT in the environment section ports: - "9999:9999" + expose: + - 9999 ## If you intend to use stash's DLNA functionality uncomment the below network mode and comment out the above ports section # network_mode: host logging: 
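Review bot: The whole speedtest service block is re-indented by two spaces, which makes the diff show every line as replaced and hides the three actual changes (`hostname: speedtest`, the `/tcp` suffix on the port mapping and the new `expose:` entry); a separate whitespace-only commit would keep the functional change reviewable. The file also ends without a trailing newline. As far as I know the `henrywhitaker3/speedtest-tracker` project has been archived for some time, so the example keeps pointing users at an image that no longer receives fixes — worth a comment above the image line or a pointer to a maintained fork.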
@@ -36,10 +36,16 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/stash/cache:/cache ## Where to store generated content (screenshots,previews,transcodes,sprites) - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/stash/generated:/generated + #networks: + # - proxy #labels: # - traefik.enable=true + # - traefik.docker.network=proxy # - traefik.http.routers.stash.rule=Host(`stash.example.com`) # - traefik.http.services.stash.loadbalancer.server.port=9999 - # - traefik.docker.network=proxy # # Part for optional traefik middlewares # - traefik.http.routers.stash.middlewares=local-ipwhitelist@file,basic-auth@file + +#networks: +# proxy: +# external: true \ No newline at end of file diff --git a/examples/syncthing/docker-compose.yml b/examples/syncthing/docker-compose.yml index 9894cfe53..c1d493dd7 100644 --- a/examples/syncthing/docker-compose.yml +++ b/examples/syncthing/docker-compose.yml @@ -1,6 +1,5 @@ -version: "3" - services: + syncthing: image: syncthing/syncthing container_name: syncthing diff --git a/examples/tandoor/docker-compose.yml b/examples/tandoor/docker-compose.yml index 60209d7c8..17f53f8f0 100644 --- a/examples/tandoor/docker-compose.yml +++ b/examples/tandoor/docker-compose.yml 
@@ -1,32 +1,47 @@ -version: "3" services: + db_recipes: - restart: always + image: postgres:16-alpine container_name: tandoor_db - image: postgres:11-alpine + restart: always + expose: + - 5432 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/tandoor/postgresql:/var/lib/postgresql/data env_file: - ./.env + #networks: + # - internal web_recipes: - restart: always + image: vabene1111/recipes:2 container_name: tandoor_recipes + restart: always ports: - - 8080:8080 - image: vabene1111/recipes:latest + - 8080:80 + expose: + - 80 env_file: - ./.env volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/tandoor/staticfiles:/opt/recipes/staticfiles - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/tandoor/nginx_config:/opt/recipes/nginx/conf.d + #- ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/tandoor/nginx_config:/opt/recipes/nginx/conf.d - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/tandoor/mediafiles:/opt/recipes/mediafiles depends_on: - db_recipes - labels: - - traefik.enable=true - - traefik.http.routers.tandoor.rule=Host(`tandoor.example.com`) - - traefik.http.services.tandoor.loadbalancer.server.port=8080 - - traefik.docker.network=proxy - # Part for local lan services only - #- traefik.http.routers.tandoor.middlewares=local-ipwhitelist@file + #networks: + # - proxy + # - internal + #labels: + # - traefik.enable=true + # - traefik.http.routers.tandoor.rule=Host(`tandoor.example.com`) + # - traefik.http.services.tandoor.loadbalancer.server.port=80 + # - traefik.docker.network=proxy + # # Part for local lan services only + # #- traefik.http.routers.tandoor.middlewares=local-ipwhitelist@file + +#networks: +# proxy: +# external: true +# internal: +# internal: true \ No newline at end of file diff --git a/examples/technitium/docker-compose.yml b/examples/technitium/docker-compose.yml index 3bfb292bc..39ac5f02a 100644 --- a/examples/technitium/docker-compose.yml +++ b/examples/technitium/docker-compose.yml 
@@ -1,9 +1,9 @@ -version: "3" services: + dns-server: + image: technitium/dns-server:latest container_name: dns-server hostname: dns-server - image: technitium/dns-server:latest # Use "host" network mode for DHCP deployments # network_mode: "host" ports: @@ -33,10 +33,16 @@ services: volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/technitium/config:/etc/dns/config restart: unless-stopped - labels: - - traefik.enable=true - - traefik.http.routers.technitium.rule=Host(`technitium.example.com`) - - traefik.http.services.technitium.loadbalancer.server.port=5380 - - traefik.docker.network=proxy - # Part for local lan services only - #- traefik.http.routers.technitium.middlewares=local-ipwhitelist@file + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.technitium.rule=Host(`technitium.example.com`) + # - traefik.http.services.technitium.loadbalancer.server.port=5380 + # # Part for local lan services only + # #- traefik.http.routers.technitium.middlewares=local-ipwhitelist@file + +#networks: +# proxy: +# external: true \ No newline at end of file diff --git a/examples/tor-browser/docker-compose.yml b/examples/tor-browser/docker-compose.yml index 43156bdae..1eddbd94b 100644 --- a/examples/tor-browser/docker-compose.yml +++ b/examples/tor-browser/docker-compose.yml @@ -1,10 +1,15 @@ services: + torbrowser: image: domistyle/tor-browser:latest + container_name: torbrowser restart: unless-stopped ports: - 5800:5800 # Provides a web interface to access the Tor browser #- 5900:5900 # Provides direct access to the VNC server; optional + expose: + - 5800 + - 5900 environment: #- DISPLAY_WIDTH=1280 # default; optional #- DISPLAY_HEIGHT=768 # default; optional diff --git a/examples/traefik/README.md b/examples/traefik/README.md index dfb663a22..51bae8809 100644 --- a/examples/traefik/README.md +++ b/examples/traefik/README.md 
@@ -14,15 +14,20 @@ There are options to outsource the Traefik configuration into static and dynamic Please remember to configure logrotation on your Docker host server if you've enabled Traefik access logs. See `logrotate_example.txt` as example. The logs will increase in size and may cause disk space issues, if not handled properly. +> [!TIP] +> The provided compose examples make use of a separate socket-proxy container. +> +> Socket Proxy is a security-enhanced proxy, which allows you to apply access rules to the Docker socket, limiting the attack surface for containers such as Traefik that need to use it. + ### Spawning up Traefik with outsourced configuration files 1. Put the provided `traefik.yml` (static) and `fileConfig.yml` (dynamic) configuration files to your volume bind mount (here `/mnt/docker-volumes/traefik`). -2. Add your Cloudflare API token as environment variable to the `docker-compose.yml` file and define your Cloudflare email address in the `traefik.yml` file. May adjust to your preferred certresolver. The example given is for Cloudflare. -3. Adjust the static and dynamic configuration files to your needs. Especially replace the `example.com` strings with your domain name in the `traefik.yml` static configuration file. Also adjust the authelia and basic auth definitions in the `fileConfig.yml` dynamic configuration file with secure values and your domain names. +2. Add your Cloudflare API token as environment variable to the `docker-compose.yml` file and define your Cloudflare email address in the `traefik.yml` file. May adjust to your preferred certresolver. The example given is for Cloudflare, using the ACME DNS challenge to obtain wildcard certificates. +3. Adjust the static and dynamic configuration files to your needs. Especially replace the `example.com` strings with your domain name in the `traefik.yml` static configuration file. 
Also adjust the middleware definitions in the `fileConfig.yml` dynamic configuration file with secure values and your domain names. ### Spawning up Traefik with configuration command definitions 1. Use the `docker-compose-command-config.yml` example as a reference point. 2. Put the provided `fileConfig.yml` (dynamic) configuration file to your volume bind mount (here `/mnt/docker-volumes/traefik`). -3. Add your Cloudflare API token as environment variable in the compose file. Define your Cloudflare email address in the command definitions of the compose file. May adjust to your preferred certresolver. The example given is for Cloudflare. +3. Add your Cloudflare API token as environment variable in the compose file. Define your Cloudflare email address in the command definitions of the compose file. May adjust to your preferred certresolver. The example given is for Cloudflare, using the ACME DNS challenge to obtain wildcard certificates. 4. Adjust the dynamic configuration file `fileConfig.yml` to your needs. Especially adjust the authelia and basic auth definitions with secure values and your domain names. diff --git a/examples/traefik/docker-compose-command-config.yml b/examples/traefik/docker-compose-command-config.yml index bf5401468..8ac0cc6d0 100644 --- a/examples/traefik/docker-compose-command-config.yml +++ b/examples/traefik/docker-compose-command-config.yml 
@@ -1,49 +1,51 @@ # This docker compose example configures traefik by command definitions. # This makes the traefik.yml static configuration obsolete. # Note that we still reference a dynamic configuration for best practice - -version: '3.8' - services: + traefik: - image: traefik:2.11 + image: traefik:v3.6 container_name: traefik + restart: always command: - - --providers.docker=true # enable docker provider - - --providers.docker.network=proxy # define default network to monitor for docker provider - - --providers.docker.exposedbydefault=false # do not expose docker hosts per default - - --providers.file.watch=true # monitor file provider for changes - - --providers.file.filename=/etc/traefik/fileConfig.yml # location of the dynamic configuration - - --entrypoints.http.address=:80 # entrypoint for unencrypted http - - --entrypoints.http.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32 # define cloudflare ip ranges as trusted - - --entrypoints.http.http.redirections.entryPoint.to=https # automatic redirect from http to https - - --entrypoints.http.http.redirections.entryPoint.scheme=https # automatic redirect from http to https - - --entrypoints.https.address=:443 # entrypoint for encrypted https - - --entrypoints.https.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32 # define cloudflare ip ranges as trusted - - 
--entrypoints.https.http.middlewares=security-headers@file,rate-limit@file # define default middlewares for all proxy entries - - --api.dashboard=true # enable traefik api dashboard - - --api.insecure=true # expose traefik api dashboard on TCP/8080 without need for router + - "--providers.docker=true" # enable docker provider + - "--providers.docker.network=proxy" # define default network to monitor for docker provider + - "--providers.docker.endpoint=tcp://socket-proxy:2375" # define socket-proxy as docker socket + - "--providers.docker.exposedbydefault=false" # do not expose docker hosts per default + - "--providers.file.watch=true" # monitor file provider for changes + - "--providers.file.filename=/etc/traefik/fileConfig.yml" # location of the dynamic configuration + - "--entrypoints.http.address=:80" # entrypoint for unencrypted http + - "--entrypoints.http.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32" # define cloudflare ip ranges as trusted + - "--entrypoints.http.http.redirections.entryPoint.to=https" # automatic redirect from http to https + - "--entrypoints.http.http.redirections.entryPoint.scheme=https" # automatic redirect from http to https + - "--entrypoints.https.address=:443" # entrypoint for encrypted https + - "--entrypoints.https.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32" # define cloudflare ip ranges as trusted + - 
"--entrypoints.https.http.middlewares=security-headers@file,rate-limit@file" # define default middlewares for all proxy entries + - "--api.dashboard=true" # enable traefik api dashboard + - "--api.insecure=true" # expose traefik api dashboard on TCP/8080 without need for router #################################################### # !!! ADJUST TO YOUR INFRASTRUCTURE SETUP BELOW !!!! - - --entrypoints.https.http.tls.certresolver=myresolver # define default cert resolver - - --entrypoints.https.http.tls.domains[0].main=example.com # define main domain, change to your domain - - --entrypoints.https.http.tls.domains[0].sans=*.example.com # define sans domain, change to your domain - - --certificatesresolvers.myresolver.acme.email=myemail@domain.tld # define your email address - #- --certificatesresolvers.myresolver.acme.httpchallenge=true # use http challenge - #- --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=http # define entrypoint for http challenge - - --certificatesresolvers.myresolver.acme.dnschallenge=true # enable dns challenge to obtain wildcard certificates - - --certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare # define provider for certificates - - --certificatesresolvers.myresolver.acme.storage=/etc/traefik/acme.json # define acme path for certificate information - - --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53 # define dns servers for your resolver, here cloudflare + - "--entrypoints.https.http.tls={}" # use dynamically generated cert + #- "--entrypoints.https.http.tls.certresolver=myresolver-dns" # define default cert resolver + #- "--entrypoints.https.http.tls.domains[0].main=example.com" # define main domain, change to your domain + #- "--entrypoints.https.http.tls.domains[0].sans=*.example.com" # define sans domain, change to your domain + - "--certificatesresolvers.myresolver-dns.acme.email=myemail@domain.tld" # define your email address + - 
"--certificatesresolvers.myresolver-dns.acme.dnschallenge=true" # enable dns challenge to obtain wildcard certificates + - "--certificatesresolvers.myresolver-dns.acme.dnschallenge.provider=cloudflare" # define provider for certificates + - "--certificatesresolvers.myresolver-dns.acme.storage=/etc/traefik/acme.json" # define acme path for certificate information + - "--certificatesresolvers.myresolver-dns.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53" # define dns servers for your resolver, here cloudflare + - "--certificatesresolvers.myresolver-http.acme.httpchallenge=true" # use http challenge + - "--certificatesresolvers.myresolver-http.acme.httpchallenge.entrypoint=http" # define entrypoint for http challenge #################################################### - - --log.level=INFO # enable log level - - --accesslog=true # enable access logs - - --accesslog.filepath=/logs/traefik.log # define access log path - - --accesslog.format=json # set access log format to json instead clm - - --accesslog.bufferingsize=0 # set access log buffer size to 0 - - --accesslog.filters.statuscodes=400-599 # only log http errors in logs; alternatively set 200-599 to include successful http requests - - --accesslog.fields.headers.defaultmode=drop # drop all headers - - --serversTransport.insecureSkipVerify=true # set insecureSkipVerify to true to allow self-signed certificates + - "--log.level=INFO" # enable log level + - "--accesslog=true" # enable access logs + - "--accesslog.filepath=/logs/traefik.log" # define access log path + - "--accesslog.format=json" # set access log format to json instead clm + - "--accesslog.bufferingsize=0" # set access log buffer size to 0 + - "--accesslog.filters.statuscodes=400-599" # only log http errors in logs; alternatively set 200-599 to include successful http requests + - "--accesslog.fields.headers.defaultmode=drop" # drop all headers + - "--accesslog.fields.headers.names.user-agent=keep" # keep user-agent header + - 
"--serversTransport.insecureSkipVerify=true" # set insecureSkipVerify to true to allow self-signed certificates labels: - traefik.enable=true # enable traefik - traefik.http.routers.api.rule=Host(`traefik.example.com`) # define subdomain for the traefik api dashboard @@ -52,20 +54,45 @@ services: ports: - 80:80 # http - 443:443 # https - - 127.0.0.1:8080:8080 # traefik api dashboard - networks: - - proxy # define traefik docker network + - 127.0.0.1:8080:8080 # http api dashboard + expose: + - 80 # http + - 443 # https + - 8080 # http api dashboard environment: - TZ=Europe/Berlin # define timezone - CF_DNS_API_TOKEN= # define your cloudflare api token volumes: - - /var/run/docker.sock:/var/run/docker.sock:ro # pass docker socket as read-only + #- /var/run/docker.sock:/var/run/docker.sock:ro # pass docker socket as read-only - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik:/etc/traefik/ # bind mount volume for persistent traefik data - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik/logs:/logs # bind mount volume for persistent traefik logs - restart: always # always restart traefik extra_hosts: - host.docker.internal:172.17.0.1 # define internal ip; helps traefik to resolve containers running in host network mode + security_opt: + - no-new-privileges:true + networks: + - proxy # define traefik docker network + - docker-proxynet + + socket-proxy: + image: lscr.io/linuxserver/socket-proxy:latest + container_name: socket-proxy + environment: + - CONTAINERS=1 + - EVENTS=1 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + networks: + - docker-proxynet + restart: always + labels: + - com.centurylinklabs.watchtower.enable=false + read_only: true + tmpfs: + - /run networks: proxy: external: true + docker-proxynet: + internal: true diff --git a/examples/traefik/docker-compose.yml b/examples/traefik/docker-compose.yml index 9beb945cc..0420077f8 100644 --- a/examples/traefik/docker-compose.yml +++ b/examples/traefik/docker-compose.yml 
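Review bot: `socket-proxy` is now the only container holding `/var/run/docker.sock`, yet the `security_opt: - no-new-privileges:true` this hunk adds to `traefik` was not also given to it; `:ro` on the socket mount only prevents writes to the socket file and does nothing to the API calls the proxy forwards, so the proxy deserves at least the same hardening line. It is also pulled as the floating `lscr.io/linuxserver/socket-proxy:latest` while the component it mediates access for is the Docker API — a tag or digest pin is a cheap improvement there. `CF_DNS_API_TOKEN=` remains an inline environment value; `CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN:?}` keeps the zone-editing token in `.env` and makes compose fail fast when it is unset. The new `expose: 8080` together with `--api.insecure=true` in the `command` list above this hunk makes the unauthenticated API/dashboard reachable from every container on the `proxy` network, not only from `127.0.0.1` on the host; dropping that `expose` entry (the host mapping does not need it) or relying on the authenticated `api` router is safer. The `traefik` service definition starts before this hunk.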
@@ -1,19 +1,22 @@ -version: '3' services: + traefik: + image: traefik:v3.6 container_name: traefik - image: traefik:v3.1 + restart: always ports: - - 80:80/tcp # HTTP - - 443:443/tcp # HTTPS - - 443:443/udp # HTTPS via HTTP/3 QUIC UDP - - 127.0.0.1:8080:8080 # MGMT WEB UI + - 80:80/tcp # http + - 443:443/tcp # https + - 443:443/udp # https http3 quic + - 127.0.0.1:8080:8080 # http api dashboard + expose: + - 80 # http + - 443 # https + - 8080 # http api dashboard volumes: - - /var/run/docker.sock:/var/run/docker.sock:ro # ro = read-only access to the docker.sock + #- /var/run/docker.sock:/var/run/docker.sock:ro # better use socket-proxy instead - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik:/etc/traefik/ # put the provided traefik.yml and fileConfig.yml files at this location - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/traefik/logs:/logs - networks: - - proxy environment: - TZ=Europe/Berlin - CF_DNS_API_TOKEN=MyCloudflareApiToken # change this if you use Cloudflare @@ -23,10 +26,33 @@ services: - traefik.http.routers.api.service=api@internal # Enable Traefik API. - traefik.http.routers.api.middlewares=local-ipwhitelist@file,basic-auth@file # protect dashboard with basic auth and restrict access to private class subnets only #- traefik.http.middlewares.basic-auth-global.basicauth.users=admin:$$apr1$$epoKf5li$$QfTMJZOCS/halv3CiIUEu0 # protect the traefik dashboard by basic auth (pw=password) - restart: always extra_hosts: - host.docker.internal:172.17.0.1 + security_opt: + - no-new-privileges:true + networks: + - proxy + - docker-proxynet + + socket-proxy: + image: lscr.io/linuxserver/socket-proxy:latest + container_name: socket-proxy + environment: + - CONTAINERS=1 + - EVENTS=1 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + networks: + - docker-proxynet + restart: always + labels: + - com.centurylinklabs.watchtower.enable=false + read_only: true + tmpfs: + - /run networks: proxy: external: true + docker-proxynet: + internal: true 
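Review bot: `CF_DNS_API_TOKEN=MyCloudflareApiToken` is an inline literal for a token that can rewrite the DNS zone; `CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN:?}` keeps it in `.env` and makes compose refuse to start while the placeholder is in place. The port list still publishes `443:443/udp # https http3 quic`, but the traefik.yml shipped in this same change leaves its `http3:` block commented out, so that UDP port is opened on every host interface with nothing behind it — either comment the udp mapping to match, or add a note that the two must be enabled together. The `traefik` service continues past this hunk.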
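Review bot: `socket-proxy` receives the Docker socket but not the `security_opt: - no-new-privileges:true` that this same hunk adds to `traefik`; add the same two lines to it, since read-only on the socket file does not constrain the API the proxy forwards. `CONTAINERS=1` plus `EVENTS=1` is an appropriately minimal set for a read-only docker provider, but the image is `lscr.io/linuxserver/socket-proxy:latest` — pin it the way `traefik:v3.6` is pinned above. Note also that the dashboard router's `basic-auth@file` in the context lines resolves to the `admin:password` hash shipped in fileConfig.yml, so until that hash is replaced `local-ipwhitelist@file` is the only effective guard on the API.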
diff --git a/examples/traefik/fileConfig.yml b/examples/traefik/fileConfig.yml index 967ba2670..cacc080d5 100644 --- a/examples/traefik/fileConfig.yml +++ b/examples/traefik/fileConfig.yml @@ -64,12 +64,13 @@ http: #Cross-Origin-Embedder-Policy: "unsafe-none" #Cross-Origin-Opener-Policy: "same-origin" #Cross-Origin-Resource-Policy: "same-site" + #X-Permitted-Cross-Domain-Policies: "none" sslProxyHeaders: X-Forwarded-Proto: "https" hostsProxyHeaders: - "X-Forwarded-Host" - customRequestHeaders: - X-Forwarded-Proto: "https" + #customRequestHeaders: + # X-Forwarded-Proto: "https" contentTypeNosniff: true # X-Content-Type-Options customFrameOptionsValue: "SAMEORIGIN" # X-Frame-Options browserXssFilter: false # X-XSS-Protection; deprecated 
@@ -91,6 +92,55 @@ http: # - Remote-Name # - Remote-Email + #crowdsec: + # plugin: + # bouncer: + # enabled: true + # defaultDecisionSeconds: 60 + # crowdsecMode: live + # crowdsecAppsecEnabled: false + # crowdsecAppsecHost: crowdsec:7422 + # crowdsecAppsecFailureBlock: true + # crowdsecAppsecUnreachableBlock: true + # crowdsecLapiKey: FIXME-LAPI-KEY # <--- replace this later + # crowdsecLapiHost: crowdsec:8080 + # crowdsecLapiScheme: http + # crowdsecLapiTLSInsecureVerify: false + # forwardedHeadersTrustedIPs: + # # private class ranges + # - 10.0.0.0/8 + # - 172.16.0.0/12 + # - 192.168.0.0/16 + # ## cloudflare ipv4 + # #- 103.21.244.0/22 + # #- 103.22.200.0/22 + # #- 103.31.4.0/22 + # #- 104.16.0.0/13 + # #- 104.24.0.0/14 + # #- 108.162.192.0/18 + # #- 131.0.72.0/22 + # #- 141.101.64.0/18 + # #- 162.158.0.0/15 + # #- 172.64.0.0/13 + # #- 173.245.48.0/20 + # #- 188.114.96.0/20 + # #- 190.93.240.0/20 + # #- 197.234.240.0/22 + # #- 198.41.128.0/17 + # ## cloudflare ipv6 + # #- 2400:cb00::/32 + # #- 2606:4700::/32 + # #- 2803:f800::/32 + # #- 2405:b500::/32 + # #- 2405:8100::/32 + # #- 2a06:98c0::/29 + # #- 2c0f:f248::/32 + # clientTrustedIPs: + # # private class ranges + # - 10.0.0.0/8 + # - 172.16.0.0/12 + # - 192.168.0.0/16 + # rate limiting rate-limit: rateLimit: @@ -102,7 +152,7 @@ http: basic-auth: basicAuth: # https://hostingcanada.org/htpasswd-generator/ - users: "admin:$$apr1$$epoKf5li$$QfTMJZOCS/halv3CiIUEu0" # admin:password + users: "admin:$apr1$76boeqjp$tVQUCSSQky300AS.kgbZX/" # admin:password # Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.9&config=intermediate&guideline=5.6 tls: diff --git a/examples/traefik/traefik.yml b/examples/traefik/traefik.yml index 601702990..5bf9168e7 100644 --- a/examples/traefik/traefik.yml +++ b/examples/traefik/traefik.yml 
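Review bot: `crowdsecLapiKey: FIXME-LAPI-KEY` places the bouncer's LAPI key directly in fileConfig.yml, a file this repository tracks and bind-mounts into the proxy; the plugin documents a `crowdsecLapiKeyFile` option (worth confirming against the `v1.5.1` pin) that lets the key live in a mounted secret instead, which is the better template even while the block is commented out. `forwardedHeadersTrustedIPs` also trusts the entire RFC 1918 space, which in a Docker deployment includes every container on the `proxy` network — any of them could then supply an `X-Forwarded-For` the bouncer treats as the client address, and with `clientTrustedIPs` covering the same ranges a spoofed private value is never bounced. Narrow that list to the actual upstream (the Cloudflare ranges already present as comments, or the single reverse-proxy address) rather than `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`.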
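Review bot: The replacement hash still encodes the published credential `admin:password`, and `basic-auth@file` is what the dashboard router in docker-compose.yml resolves to, so a copy-paste deployment protects the Traefik API with a password that is in the repository. A `# FIXME: regenerate before use` next to `users:` would at least flag it; generating the value locally with `htpasswd -nB admin` also yields a bcrypt (`$2y$`) hash, which Traefik accepts and which is far costlier to brute-force than the MD5-based `$apr1$` scheme used here. Dropping the doubled `$$` is correct for the file provider — only compose labels need that escaping — and the comment could say so to stop the next reader from "fixing" it back.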
@@ -12,6 +12,13 @@ api: log: level: INFO +# crowdsec bouncer +#experimental: +# plugins: +# bouncer: +# moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin +# version: v1.5.1 + #metrics: # influxDB2: # address: http://influxdb2:8086 @@ -29,7 +36,7 @@ accessLog: format: json filters: statusCodes: - # - "200" # log successful http requests + - "200-299" # log successful http requests - "400-599" # log failed http requests #retryAttempts: true #minDuration: "10ms" @@ -52,7 +59,7 @@ entryPoints: address: :80 forwardedHeaders: trustedIPs: &trustedIps - # Start of Clouflare public IP list for HTTP requests, remove this if you don't use it; https://www.cloudflare.com/de-de/ips/ + # start of Clouflare public IP list for HTTP requests, remove this if you don't use it; https://www.cloudflare.com/de-de/ips/ - 103.21.244.0/22 - 103.22.200.0/22 - 103.31.4.0/22 @@ -75,7 +82,7 @@ entryPoints: - 2405:8100::/32 - 2a06:98c0::/29 - 2c0f:f248::/32 - # End of Cloudlare public IP list + # end of Cloudlare public IP list http: redirections: entryPoint: 
@@ -86,22 +93,26 @@ entryPoints: https: address: :443 forwardedHeaders: - # Reuse list of Cloudflare Trusted IP's above for HTTPS requests + # reuse list of Cloudflare Trusted IP's above for HTTPS requests trustedIPs: *trustedIps # enable HTTP3 QUIC via UDP/443 #http3: # advertisedPort: '443' http: - tls: - # Generate a wildcard domain certificate - certResolver: myresolver - domains: - - main: example.com # change this to your proxy domain - sans: - - '*.example.com' # change this to your proxy domain + # use dynamically generated self-signed certificate + tls: {} + # or use a pre-defined certificate resolver from below + # if so, remove above line with tls: {} + #tls: + # certResolver: myresolver-dns + # domains: + # - main: example.com # change this to your proxy domain + # sans: + # - '*.example.com' # change this to your proxy domain middlewares: - security-headers@file # reference to a dynamic middleware for setting http security headers per default - rate-limit@file # reference to a dynamic middleware for enabling rate limiting per default + #- crowdsec@file # reference to a dynamic middleware for enabling crowdsec bouncer providers: providersThrottleDuration: 2s 
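Review bot: With `tls: {}` as the shipped default the `https` entrypoint serves Traefik's built-in self-signed default certificate, and because the entrypoint-level `certResolver` is now commented out, every router that does not set its own `tls.certresolver` inherits that certificate. If `security-headers@file` (defined outside this hunk) emits an HSTS header, browsers will refuse to click through the self-signed certificate on any host that has already seen that header, so the bootstrap default can lock users out of their own services. A comment such as `# bootstrap only: browsers will reject this certificate; enable myresolver-dns/myresolver-http (or a per-router tls.certresolver) before exposing real hostnames` would set the expectation.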
@@ -114,22 +125,27 @@ providers: # Docker provider for connecting all apps that are inside of the docker network docker: watch: true - network: proxy # Add Your Docker Network Name Here - # Default host rule to containername.domain.example + network: proxy # add Your Docker Network Name Here + endpoint: "tcp://socket-proxy:2375" # use socket-proxy for secure access to docker api defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.example.com`)" # change 'example.com' to your proxy domain exposedByDefault: false # Use letsencrypt to generate ssl certificates certificatesResolvers: - myresolver: + # ACME HTTP CHALLENGE + myresolver-http: + acme: + email: example@example.com # the email address used for ssl certificate registration + storage: /etc/traefik/acme.json + httpChallenge: # acme http challenge; requires port 80 and proper dns entries + entryPoint: http # specify the entry point for the HTTP challenge (adjust if needed) + # ACME DNS CHALLENGE + myresolver-dns: acme: email: example@example.com # the email address used for ssl certificate registration storage: /etc/traefik/acme.json - #httpChallenge: # acme http challenge; requires port 80 and proper dns entries - # entryPoint: http # specify the entry point for the HTTP challenge (adjust if needed) dnsChallenge: # acme dns challenge; requires api token of dns provider provider: cloudflare - # Used to make sure the dns challenge is propagated to the right dns servers resolvers: - "1.1.1.1:53" - "1.0.0.1:53" diff --git a/examples/transfer.sh/docker-compose.yml b/examples/transfer.sh/docker-compose.yml index fcdb6b0c2..1902734c1 100644 --- a/examples/transfer.sh/docker-compose.yml +++ b/examples/transfer.sh/docker-compose.yml @@ -1,6 +1,5 @@ -version: '3.3' - services: + transfer: image: dutchcoders/transfer.sh:latest-noroot container_name: transfer 
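Review bot: The new `myresolver-http` resolver runs HTTP-01 through the `http` entrypoint, but this configuration treats Cloudflare as the upstream; if the zone is proxied and Cloudflare's own HTTPS redirect is on, `/.well-known/acme-challenge/` may never reach Traefik, so a comment that the http resolver is for hosts reachable directly on port 80 and that `myresolver-dns` is the choice behind Cloudflare would save a failed issuance. Both resolvers share `storage: /etc/traefik/acme.json`, which works because Traefik keys that file per resolver name, but Traefik refuses to use the file unless it is mode `0600` — worth noting beside the `storage:` lines, since the bind mount in docker-compose.yml creates the directory with the host's default umask. `endpoint: "tcp://socket-proxy:2375"` is plaintext Docker API; that is acceptable only because `docker-proxynet` is `internal: true`, which the comment could state.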
@@ -16,19 +15,19 @@ services: - --provider=local - --basedir=/tmp/ #networks: - # - dev # or use dev for testing purposes + # - proxy #labels: # - traefik.enable=true + # - traefik.docker.network=proxy # - traefik.http.routers.transfer.rule=Host(`transfer.example.com`) # - traefik.http.services.transfer.loadbalancer.server.port=8080 - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.docker.network=proxy + # - traefik.http.middlewares.limit-transfersh.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-transfersh.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-transfersh.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-transfersh.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads # # Part for optional traefik middlewares - # - traefik.http.routers.transfer.middlewares=local-ipwhitelist@file + # - traefik.http.routers.transfer.middlewares=limit-transfersh #networks: -# dev: # or use dev for testing purposes +# proxy: # external: true diff --git a/examples/transfer.zip/docker-compose.yml b/examples/transfer.zip/docker-compose.yml index e93b340b9..0525d96ee 100644 --- a/examples/transfer.zip/docker-compose.yml +++ b/examples/transfer.zip/docker-compose.yml 
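Review bot: The middlewares line now lists only `limit-transfersh`; the previous `local-ipwhitelist@file` is gone, so once these labels are uncommented the upload endpoint on `transfer.example.com` is reachable from any source with no authentication in front of it, and transfer.sh enforces none unless its `--http-auth-user`/`--http-auth-pass` flags are set (not present in the visible `command`). Either keep the allow-list, `traefik.http.routers.transfer.middlewares=local-ipwhitelist@file,limit-transfersh`, or add a comment stating the service is intentionally public and pointing at the auth flags. The `command` block with `--basedir=/tmp/` begins before this hunk.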
@@ -1,37 +1,36 @@ -version: '3.3' - services: + web-server: #build: web-server image: l4rm4nd/transferzip:web-server hostname: web-server container_name: transferzip-web restart: unless-stopped + ports: + - 9001:80 expose: - 80 depends_on: - signaling-server - ports: - - 9001:80 #networks: # - proxy #labels: # - traefik.enable=true + # - traefik.docker.network=proxy # - traefik.http.routers.transferzip.rule=Host(`transfer.example.com`) # - traefik.http.services.transferzip.loadbalancer.server.port=80 - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.docker.network=proxy + # - traefik.http.middlewares.limit-transferzip.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-transferzip.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-transferzip.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-transferzip.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads # # Part for optional traefik middlewares - # - traefik.http.routers.transferzip.middlewares=local-ipwhitelist@file,authelia@file,basic-auth@file + # - traefik.http.routers.transferzip.middlewares=limit-transferzip signaling-server: #build: signaling-server image: l4rm4nd/transferzip:signaling-server - hostname: signaling-server container_name: transferzip-signaling + hostname: 
signaling-server restart: unless-stopped #networks: # - proxy diff --git a/examples/transmission/docker-compose.yml b/examples/transmission/docker-compose.yml index c7231e5b4..130e1244f 100644 --- a/examples/transmission/docker-compose.yml +++ b/examples/transmission/docker-compose.yml @@ -1,9 +1,9 @@ -version: "2.1" - services: + transmission: image: lscr.io/linuxserver/transmission:latest container_name: transmission + restart: unless-stopped environment: - PUID=1000 - PGID=1000 @@ -16,4 +16,6 @@ services: - 9091:9091 # web ui - 51413:51413 # torrent port tcp - 51413:51413/udp # torrent port udp - restart: unless-stopped + expose: + - 9091 + - 51413 \ No newline at end of file diff --git a/examples/trsync/docker-compose.yml b/examples/trsync/docker-compose.yml index 64d483422..e143d83d3 100644 --- a/examples/trsync/docker-compose.yml +++ b/examples/trsync/docker-compose.yml @@ -1,10 +1,26 @@ -version: '3.3' services: - trsync: - image: l4rm4nd/trsync:latest - container_name: trsync - ports: - - '8000:8000' - environment: - - SECRET_KEY=ChooseStrongSecretKeyHere # pls change - - DOMAIN=trsync.example.com # your hostname to put in Django's ALLOW_HOSTS + + trsync: + image: l4rm4nd/trsync:latest + container_name: trsync + restart: unless-stopped + ports: + - 8000:8000/tcp + expose: + - 8000 + environment: + - SECRET_KEY=ChooseStrongSecretKeyHere # pls change + - DOMAIN=trsync.example.com # your hostname to put in Django's ALLOW_HOSTS + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.trsync.rule=Host(`trsync.example.com`) + # - traefik.http.services.trsync.loadbalancer.server.port=8000 + # # Optional part for traefik middlewares + # - traefik.http.routers.trsync.middlewares=local-ipwhitelist@file + +#networks: +# proxy: +# external: true diff --git a/examples/unify-network-application/README.md b/examples/unify-network-application/README.md index 395bb247e..8e7a8b873 100644 
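Review bot: The middlewares line drops `local-ipwhitelist@file,authelia@file,basic-auth@file` in favour of `limit-transferzip` alone, and the same service publishes `9001:80` on every host interface, so both the proxied and the direct path to the web server end up unauthenticated. If a public share page is the intent, a one-line comment saying so prevents the next reader from assuming the old guards still apply; otherwise `127.0.0.1:9001:80` for the direct port and re-adding `local-ipwhitelist@file` restores the previous posture.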
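Review bot: `SECRET_KEY=ChooseStrongSecretKeyHere` stays an inline literal while the service now publishes `8000:8000/tcp` on all interfaces; Django's secret key signs sessions and CSRF tokens, so a copied stack with the placeholder left in is open to session forgery by anyone who has read this file. `SECRET_KEY=${TRSYNC_SECRET_KEY:?set in .env}` makes compose refuse to start until a real value is supplied, and `127.0.0.1:8000:8000` keeps the direct port local when the commented Traefik labels are the intended entry.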
--- a/examples/unify-network-application/README.md +++ b/examples/unify-network-application/README.md @@ -1,12 +1,10 @@ # References - https://hub.docker.com/r/linuxserver/unifi-network-application -- https://github.com/Haxxnet/Compose-Examples/issues/16#issuecomment-1733524477 # Notes -Note that you are mounting a file named init-mongo.js into the mongo db container. This file is necessary to initialize the mongo database (see https://hub.docker.com/_/mongo/ at "Initializing a fresh instance"). +>[!TIP] +> Starting with version 8.1 of Unifi Network Application, mongodb 3.6 through 7.0 are supported. Starting with version 9.0 of Unifi Network Application, mongodb 8.0 is also supported. -It basically defines the database name and user credentials for the unifi-network-application container. - -These parameters are also referenced in the docker-compose.yml file. So either leave as is or adjust everywhere accordingly. +Note that you are mounting a file named init-mongo.sh into the mongo db container. This file is necessary to initialize the mongo database (see https://hub.docker.com/_/mongo/ at "Initializing a fresh instance"). It basically defines the database name and user credentials for the unifi-network-application container. diff --git a/examples/unify-network-application/docker-compose-v7.yml b/examples/unify-network-application/docker-compose-v7.yml new file mode 100644 index 000000000..4a6699f9d --- /dev/null +++ b/examples/unify-network-application/docker-compose-v7.yml 
@@ -0,0 +1,46 @@
+services:
+
+  unifi-network-application:
+    image: lscr.io/linuxserver/unifi-network-application:7.5.187
+    container_name: unifi-network-application
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Etc/UTC
+      - MONGO_USER=unifi
+      - MONGO_PASS=unifi
+      - MONGO_HOST=unifi-db
+      - MONGO_PORT=27017
+      - MONGO_DBNAME=unifi-db
+      - MEM_LIMIT=1024 #optional
+      - MEM_STARTUP=1024 #optional
+    volumes:
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/unifi-network-application/config:/config
+    depends_on:
+      - unifi-db
+    ports:
+      - 8443:8443
+      - 3478:3478/udp
+      - 10001:10001/udp
+      - 8080:8080
+      - 1900:1900/udp #optional
+      - 8843:8843 #optional
+      - 8880:8880 #optional
+      - 6789:6789 #optional
+      - 5514:5514/udp #optional
+    restart: unless-stopped
+
+  unifi-db:
+    image: mongo:4.4
+    container_name: unifi-network-application-mongodb
+    restart: unless-stopped
+    expose:
+      - 27017
+    environment:
+      - MONGO_INITDB_DATABASE=unifi-db
+      - MONGO_USER=unifi
+      - MONGO_PASS=unifi
+      - MONGO_DBNAME=unifi-db
+    volumes:
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/unifi-network-application/mongodb_v7_data:/data/db
+      - ./init-mongo-v7.sh:/docker-entrypoint-initdb.d/init-mongo.sh:ro
diff --git a/examples/unify-network-application/docker-compose.yml b/examples/unify-network-application/docker-compose.yml
index 7d6280548..d14bad0d5 100644
--- a/examples/unify-network-application/docker-compose.yml
+++ b/examples/unify-network-application/docker-compose.yml
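Review bot: Both services carry the literal `MONGO_PASS=unifi` and nothing marks it as a placeholder, so a copied stack runs the controller database on a known password; `MONGO_PASS=${UNIFI_MONGO_PASS:?}` in both places (they must match — the init script reads the db container's value to create the user) would fail fast instead. The database is only `expose`d, not published, which keeps it on the compose network, but `mongo:4.4` is past end of life and `7.5.187` is a legacy controller track; a header comment stating this file exists for v7-era upgrades only would set expectations. `8443:8443` is the controller admin UI published on every interface; it deserves the same `local-ipwhitelist` or loopback-bind treatment as the other admin surfaces in this change.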
@@ -1,20 +1,21 @@ -version: "2.1" - services: + unifi-network-application: - image: lscr.io/linuxserver/unifi-network-application:latest + image: lscr.io/linuxserver/unifi-network-application:10.1.85 container_name: unifi-network-application environment: - PUID=1000 - PGID=1000 - TZ=Etc/UTC - MONGO_USER=unifi - - MONGO_PASS=unifi + - MONGO_PASS=unify - MONGO_HOST=unifi-db - MONGO_PORT=27017 - MONGO_DBNAME=unifi-db + - MONGO_AUTHSOURCE=admin - MEM_LIMIT=1024 #optional - MEM_STARTUP=1024 #optional + - MONGO_TLS= #optional volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/unifi-network-application/config:/config depends_on: @@ -32,13 +33,18 @@ services: restart: unless-stopped unifi-db: - image: mongo:4.4 + image: docker.io/mongo:8.2 container_name: unifi-network-application-mongodb restart: unless-stopped expose: - 27017 environment: - - MONGO_INITDB_DATABASE=unifi-db + - MONGO_INITDB_ROOT_USERNAME=root + - MONGO_INITDB_ROOT_PASSWORD=unify + - MONGO_USER=unifi + - MONGO_PASS=unify + - MONGO_DBNAME=unifi-db + - MONGO_AUTHSOURCE=admin volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/unifi-network-application/mongodb_data:/data/db - - ./init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro + - ./init-mongo.sh:/docker-entrypoint-initdb.d/init-mongo.sh:ro diff --git a/examples/unify-network-application/init-mongo-v7.sh b/examples/unify-network-application/init-mongo-v7.sh new file mode 100644 index 000000000..8862b8479 --- /dev/null +++ b/examples/unify-network-application/init-mongo-v7.sh @@ -0,0 +1,20 @@ +#!/bin/bash +set -e + +: "${MONGO_USER:?Missing MONGO_USER}" +: "${MONGO_PASS:?Missing MONGO_PASS}" +: "${MONGO_DBNAME:?Missing MONGO_DBNAME}" + +mongo --quiet < /dev/null 2>&1; then + mongo_init_bin='mongosh' +else + mongo_init_bin='mongo' +fi +"${mongo_init_bin}" < && rm -rf /var/cache/apk/* && ./upsnap serve --http 0.0.0.0:8090" 
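Review bot: The second hunk introduces a MongoDB root account with `MONGO_INITDB_ROOT_PASSWORD=unify` and an application user with `MONGO_PASS=unify`, both literal and both mirrored in the controller's environment in the first hunk; with `MONGO_AUTHSOURCE=admin` the application user is presumably created in the `admin` database (the init script is not legible here), so a leaked value is a server-wide credential rather than a per-database one. `${UNIFI_MONGO_ROOT_PASS:?}` and `${UNIFI_MONGO_PASS:?}` references make compose refuse to start with the placeholders in place. The `unify` spelling also differs from the `unifi` used everywhere else in the file — fine as a deliberate placeholder, but a short comment would keep it from being read as a typo. `MONGO_TLS=` is left empty with only `#optional`; saying what a non-empty value does, or dropping the line, avoids an ambiguous empty env var.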
diff --git a/examples/uptime-kuma/docker-compose.yml b/examples/uptime-kuma/docker-compose.yml index a71d2b6d1..8d3e4d8b1 100644 --- a/examples/uptime-kuma/docker-compose.yml +++ b/examples/uptime-kuma/docker-compose.yml @@ -1,10 +1,9 @@ -version: "3.8" - services: + app: + image: louislam/uptime-kuma:2 container_name: uptime-kuma hostname: uptime-kuma - image: louislam/uptime-kuma restart: always ports: - 3001:3001 @@ -19,9 +18,9 @@ services: # - proxy #labels: # - traefik.enable=true + # - traefik.docker.network=proxy # - traefik.http.routers.uptimekuma.rule=Host(`uptimekuma.example.com`) # - traefik.http.services.uptimekuma.loadbalancer.server.port=3001 - # - traefik.docker.network=proxy # # Part for local lan services only # #- traefik.http.routers.uptimekuma.middlewares=local-ipwhitelist@file diff --git a/examples/vaultwarden/docker-compose.yml b/examples/vaultwarden/docker-compose.yml index a95892583..3a7eba9b7 100644 --- a/examples/vaultwarden/docker-compose.yml +++ b/examples/vaultwarden/docker-compose.yml @@ -1,6 +1,5 @@ -version: "3" - services: + vaultwarden: image: vaultwarden/server:latest-alpine container_name: vaultwarden @@ -28,6 +27,11 @@ services: - EXTENDED_LOGGING=true ports: - 8888:80 + expose: + - 80 + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/vaultwarden/data:/data + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/vaultwarden/logs:/data/logs #networks: # - proxy #labels: 
@@ -37,13 +41,16 @@ services: # - traefik.http.routers.vaultwarden.rule=Host(`bitwarden.example.com`) # - traefik.http.routers.vaultwarden.service=vaultwarden # - traefik.http.services.vaultwarden.loadbalancer.server.port=80 + ## Block access to the /admin dashboard from public ip ranges # - traefik.http.routers.vaultwarden-admin.rule=Host(`bitwarden.example.com`) && Path(`/admin`) # - traefik.http.routers.vaultwarden-admin.service=vaultwarden # - traefik.http.services.vaultwarden-admin.loadbalancer.server.port=80 - # - traefik.http.routers.vaultwarden-admin.middlewares=local-ipwhitelist@file,authelia@file - volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/vaultwarden/data:/data - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/vaultwarden/logs:/data/logs + # - traefik.http.routers.vaultwarden-admin.middlewares=local-ipwhitelist@file + ## Block access to the /api/version endpoint from public ip ranges + # - traefik.http.routers.vaultwarden-admin.rule=Host(`bitwarden.example.com`) && Path(`/api/version`) + # - traefik.http.routers.vaultwarden-admin.service=vaultwarden + # - traefik.http.services.vaultwarden-admin.loadbalancer.server.port=80 + # - traefik.http.routers.vaultwarden-admin.middlewares=local-ipwhitelist@file # this service will backup your vaultwarden instance correctly # see https://github.com/Bruceforce/vaultwarden-backup for more information @@ -55,15 +62,11 @@ services: init: true depends_on: - vaultwarden - #labels: - # com.centurylinklabs.watchtower.monitor-only: true volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/vaultwarden/data:/data/ - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/vaultwarden/backup:/myBackup - /etc/localtime:/etc/localtime:ro - /etc/timezone:/etc/timezone:ro - #networks: - # - proxy environment: - TIMESTAMP=true - DELETE_AFTER=30 
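Review bot: Both new router stanzas reuse the name `vaultwarden-admin`, so the `/api/version` block redefines the same `traefik.http.routers.vaultwarden-admin.rule` label key; in a compose label map the later definition wins (or the file is rejected, depending on compose version), so once uncommented the `/admin` rule is replaced rather than added and the admin panel silently loses its `local-ipwhitelist@file` guard. Give the second router its own name, e.g. `traefik.http.routers.vaultwarden-version.rule=...` with matching `.service` and `.middlewares` keys, or fold both into one rule: ``Host(`bitwarden.example.com`) && (PathPrefix(`/admin`) || Path(`/api/version`))``. Prefer `PathPrefix` over the exact-match `Path` for the admin panel, which also serves sub-paths such as `/admin/users`; with `Path` those stay on the unrestricted `vaultwarden` router.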
@@ -72,6 +75,8 @@ services: - TZ=Europe/Berlin - BACKUP_DIR=/myBackup - CRON_TIME=50 3 * * * # see https://crontab.guru/, define without quotes! + #networks: + # - proxy #networks: # proxy: diff --git a/examples/vouchervault/README.md b/examples/vouchervault/README.md index 1343dea90..0dabf9640 100644 --- a/examples/vouchervault/README.md +++ b/examples/vouchervault/README.md @@ -1,3 +1,20 @@ # References - https://github.com/l4rm4nd/VoucherVault +- https://github.com/l4rm4nd/VoucherVault/wiki/01-%E2%80%90-Installation + +# Notes + +> [!WARNING] +> The container runs as low-privileged `www-data` user (UID/GID 33). So you have to adjust the permissions for the persistent database bind mount volume. + +```` +# create volume dir for persistence +mkdir -p /mnt/docker-volumes/vouchervault/database + +# adjust permissions +sudo chown -R 33:33 /mnt/docker-volumes/vouchervault/* + +# spawn the container stack +docker compose up +```` diff --git a/examples/vouchervault/docker-compose.yml b/examples/vouchervault/docker-compose.yml index 1c8037193..0b046754e 100644 --- a/examples/vouchervault/docker-compose.yml +++ b/examples/vouchervault/docker-compose.yml 
@@ -1,23 +1,44 @@ services: vouchervault: - image: l4rm4nd/vouchervault:latest + image: l4rm4nd/vouchervault:1.26.x container_name: vouchervault environment: - - DOMAIN=vouchervault.example.com # your FQDN or IP; used to define ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS - - SECURE_COOKIES=False # set to True if you use a reverse proxy with tls; enables secure cookie flag and hsts - - EXPIRY_THRESHOLD_DAYS=90 # send notifications xx days prior expiry; default is 30 - - SECRET_KEY=ChooseSuperSecretKey # optional; if not defined, a secure secret is auto-generated - - PORT=8000 # optional; only relevant if you use a custom port; used to define CSRF_TRUSTED_ORIGINS - - REDIS_HOST=redis # optional; only change if you use another redis container + # your FQDN or IP; multiple ones supported via comma delimiter + - DOMAIN=vouchervault.example.com + # set to True if you use a reverse proxy with tls; enables secure cookie flag and hsts + - SECURE_COOKIES=False + # send notifications xx days prior expiry + - EXPIRY_THRESHOLD_DAYS=90 + # define the timezone + - TZ=Europe/Berlin + # ------- OPTIONAL OIDC AUTH -------- + # Set to 'True' to enable OIDC authentication + #- OIDC_ENABLED=True + # Decide whether login area triggers automatic OIDC login flow + #- OIDC_AUTOLOGIN=False + # Set to 'True' to allow the creation of new users through OIDC + #- OIDC_CREATE_USER=True + # The signing algorithm used by the OIDC provider (e.g., RS256, HS256) + #- OIDC_RP_SIGN_ALGO=RS256 + # URL of the JWKS endpoint for the OIDC provider + #- OIDC_OP_JWKS_ENDPOINT=https://authentik.example.com/application/o/vouchervault/jwks/ + # Client ID for your OIDC RP + #- OIDC_RP_CLIENT_ID=vouchervault + # Client secret for your OIDC RP + #- OIDC_RP_CLIENT_SECRET=super-secure-secret-key + # Authorization endpoint URL of the OIDC provider + #- OIDC_OP_AUTHORIZATION_ENDPOINT=https://authentik.example.com/application/o/authorize/ + # Token endpoint URL of the OIDC provider + #- 
OIDC_OP_TOKEN_ENDPOINT=https://authentik.example.com/application/o/token/ + # User info endpoint URL of the OIDC provider + #- OIDC_OP_USER_ENDPOINT=https://authentik.example.com/application/o/userinfo/ restart: unless-stopped expose: - 8000 ports: - - 8888:8000 + - 8000:8000 volumes: - - /etc/localtime:/etc/localtime:ro - - /etc/timezone:/etc/timezone:ro - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/vouchervault/database:/opt/app/database #networks: # - proxy @@ -30,8 +51,8 @@ services: # - traefik.http.routers.vouchervault.middlewares=local-ipwhitelist@file redis: + image: redis:8-alpine container_name: vouchervault-redis - image: redis:7.2-alpine restart: unless-stopped #networks: # - proxy diff --git a/examples/watchtower/README.md b/examples/watchtower/README.md index 124a432f2..ff9f0f08b 100644 --- a/examples/watchtower/README.md +++ b/examples/watchtower/README.md @@ -1,8 +1,12 @@ # References -- https://github.com/containrrr/watchtower -- https://containrrr.dev/watchtower/ +- https://github.com/nicholas-fedor/watchtower # Notes Running multiple Watchtower instances is only possible by using scope definitions. Please read [here](https://containrrr.dev/watchtower/running-multiple-instances/). Otherwise, any new Watchtower container will remove and clean up older instances. + +> [!TIP] +> The provided compose example makes use of a separate socket-proxy container. +> +> Socket Proxy is a security-enhanced proxy, which allows you to apply access rules to the Docker socket, limiting the attack surface for containers such as Watchtower that need to use it. diff --git a/examples/watchtower/docker-compose.yml b/examples/watchtower/docker-compose.yml index d4bea0d1f..29f8ccc23 100644 --- a/examples/watchtower/docker-compose.yml +++ b/examples/watchtower/docker-compose.yml @@ -1,7 +1,7 @@ -version: "3.9" - services: + watchtower: + image: nickfedor/watchtower:latest container_name: watchtower hostname: watchtower environment: 
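Review bot: `OIDC_RP_CLIENT_SECRET=super-secure-secret-key` is an inline literal that, once uncommented, lets anything holding it impersonate this relying party at the provider; `OIDC_RP_CLIENT_SECRET=${VOUCHERVAULT_OIDC_SECRET:?}` is the safer template. The hunk also removes the `SECRET_KEY` line without saying how the application now derives its signing key, and moves the published port to `8000:8000` on all interfaces while `SECURE_COOKIES=False` remains the default — a comment that the direct port is plaintext and only for use behind the proxy (where `SECURE_COOKIES=True` belongs) would head off the obvious misdeployment. `image: l4rm4nd/vouchervault:1.26.x` is a floating series tag; a digest pin is preferable for a service that stores voucher data.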
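Review bot: The image moves to `nickfedor/watchtower:latest`, a community fork pulled by floating tag, for the one container in this repository that is handed start/stop/create rights over the Docker daemon through the socket proxy defined in the next hunk; a version tag plus digest (`nickfedor/watchtower:<version>@sha256:...`) is the minimum for something run with that authority on every host using this stack. Watchtower's own `com.centurylinklabs.watchtower.enable=false` label later in the file means the pin will not be silently bumped by the tool itself.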
@@ -16,12 +16,40 @@ services: #- WATCHTOWER_MONITOR_ONLY=true - WATCHTOWER_SCHEDULE=0 0 6 * * * # requires a go cron syntax of 6 space-separated fields; see https://containrrr.dev/watchtower/arguments/#scheduling - WATCHTOWER_CLEANUP=true # remove unused images afterwards - image: containrrr/watchtower:latest - labels: - com.centurylinklabs.watchtower: true + - DOCKER_HOST=tcp://socket-proxy:2375 # use socket-proxy for secure docker api access restart: always - network_mode: "host" + networks: + - watchtower + - proxynet volumes: - /etc/localtime:/etc/localtime:ro - - /var/run/docker.sock:/var/run/docker.sock:ro working_dir: / + labels: + - com.centurylinklabs.watchtower.enable=false + + socket-proxy: + image: lscr.io/linuxserver/socket-proxy:latest + container_name: socket-proxy-watchtower + environment: + - ALLOW_START=1 + - ALLOW_STOP=1 + - ALLOW_RESTARTS=1 + - CONTAINERS=1 + - IMAGES=1 + - NETWORKS=1 + - POST=1 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + networks: + - proxynet + labels: + - com.centurylinklabs.watchtower.enable=false + restart: always + read_only: true + tmpfs: + - /run + +networks: + proxynet: + internal: true + watchtower: diff --git a/examples/watchyourlan/docker-compose.yml b/examples/watchyourlan/docker-compose-v1.yml similarity index 85% rename from examples/watchyourlan/docker-compose.yml rename to examples/watchyourlan/docker-compose-v1.yml index 513908964..4091a0cbd 100644 --- a/examples/watchyourlan/docker-compose.yml +++ b/examples/watchyourlan/docker-compose-v1.yml 
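Review bot: The socket proxy grants `POST=1` together with `CONTAINERS=1`, `IMAGES=1` and `NETWORKS=1`, which Watchtower needs to recreate containers, but that also lets `POST /containers/create` with arbitrary host bind mounts or `Privileged: true` pass through — the proxy narrows the attack surface, it does not remove host-root equivalence for whoever controls the watchtower container, and the README tip in this change reads as if it did. Worth stating plainly in a comment above `socket-proxy`, and worth adding `security_opt: - no-new-privileges:true` to both services, neither of which has it (unlike the Traefik examples in this same change). Keeping the proxy on `proxynet` (internal) only while `watchtower` also joins the non-internal `watchtower` network for registry pulls is the right split and could be noted so nobody "simplifies" it later.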
@@ -1,12 +1,12 @@ -version: "3" services: + wyl: - image: aceberg/watchyourlan + image: aceberg/watchyourlan:1.0.6 container_name: watchyourlan network_mode: "host" restart: unless-stopped volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/watchyourlan:/data + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/watchyourlan-v1:/data environment: TZ: Europe/Berlin # required: needs your TZ for correct time IFACE: "ens18" # required: 1 or more interface diff --git a/examples/watchyourlan/docker-compose-v2.yml b/examples/watchyourlan/docker-compose-v2.yml new file mode 100644 index 000000000..98360b8bd --- /dev/null +++ b/examples/watchyourlan/docker-compose-v2.yml @@ -0,0 +1,16 @@ +services: + + wyl: + image: aceberg/watchyourlan:v2 + container_name: watchyourlan-v2 + network_mode: "host" + restart: unless-stopped + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/watchyourlan-v2:/data/WatchYourLAN + environment: + TZ: Europe/Beelin # required: needs your TZ for correct time + IFACES: "ens18" # required: 1 or more interface + THEME: "sand" # optional + COLOR: "dark" # optional + #SHOUTRRR_URL: "telegram://" # optional, set url to notify + PORT: 8840 # optional, default: 8840 diff --git a/examples/webhook.site/docker-compose.yml b/examples/webhook.site/docker-compose.yml index e4fbfb292..ed47f7be4 100644 --- a/examples/webhook.site/docker-compose.yml +++ b/examples/webhook.site/docker-compose.yml @@ -1,11 +1,12 @@ -version: '3' - services: + webhook: image: webhooksite/webhook.site container_name: webhook restart: unless-stopped command: php artisan queue:work --daemon --tries=3 --timeout=10 + ports: + - 8084:80 expose: - 80 environment: 
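Review bot: `TZ: Europe/Beelin` in the new docker-compose-v2.yml is a typo — it is not a tz database name, so the container presumably ends up without the intended zone — and the v1 file in the hunk above uses the correct value; the line should read `TZ: Europe/Berlin # required: needs your TZ for correct time`. Minor: `PORT: 8840` is an unquoted integer in map-form `environment:`; Compose stringifies it, but `PORT: "8840"` would match the quoted `IFACES`/`THEME`/`COLOR` values beside it.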
@@ -23,13 +24,13 @@ services: - redis #labels: # - traefik.enable=true - # - traefik.docker.network=dev + # - traefik.docker.network=proxy # - traefik.http.routers.webhook.rule=Host(`hook.example.com`) # - traefik.http.services.webhook.loadbalancer.server.port=80 # # Optional part for traefik middlewares # - traefik.http.routers.webhook.middlewares=local-ipwhitelist@file,authelia@docker #networks: - # - dev + # - proxy redis: image: redis:alpine @@ -38,7 +39,7 @@ services: #volumes: # - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/requestbin/redis:/data #networks: - # - dev + # - proxy laravel-echo-server: image: webhooksite/laravel-echo-server @@ -56,8 +57,8 @@ services: - ECHO_ALLOW_METHODS=* - ECHO_ALLOW_HEADERS=* #networks: - # - dev + # - proxy #networks: -# dev: +# proxy: # external: true diff --git a/examples/webtrees/docker-compose.yml b/examples/webtrees/docker-compose.yml index 4ed017942..eb250c2a0 100644 --- a/examples/webtrees/docker-compose.yml +++ b/examples/webtrees/docker-compose.yml @@ -1,5 +1,3 @@ -version: "3" - services: app: @@ -49,8 +47,10 @@ services: MARIADB_ROOT_PASSWORD: "badpassword" MARIADB_PASSWORD: "badpassword" restart: unless-stopped + expose: + - 3306 volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/webtrees/db:/var/lib/mysql + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/webtrees/db:/var/lib/mysql #networks: # - webtrees-default diff --git a/examples/weddingshare/README.md b/examples/weddingshare/README.md new file mode 100644 index 000000000..e3fc5a5bb --- /dev/null +++ b/examples/weddingshare/README.md @@ -0,0 +1,4 @@ +# References + +- https://docs.wedding-share.org/docs +- https://github.com/Cirx08/WeddingShare diff --git a/examples/weddingshare/docker-compose.yml b/examples/weddingshare/docker-compose.yml new file mode 100644 index 000000000..8d8095fb3 --- /dev/null +++ b/examples/weddingshare/docker-compose.yml 
@@ -0,0 +1,46 @@ +services: + + wedding-share: + image: cirx08/wedding_share:1.8.2 + container_name: WeddingShare + restart: always + ports: + - 5000:5000/tcp + expose: + - 5000 + environment: + - TITLE=WeddingShare + - ACCOUNT_OWNER_USERNAME=admin + - ACCOUNT_OWNER_PASSWORD=ChangeMe + - DATABASE_TYPE=sqlite + - ENCRYPTION_KEY=ChangeMe + - ENCRYPTION_SALT=ChangeMe + - THEMES_DEFAULT=dark + - GALLERY_COLUMNS=4 + - GALLERY_ALLOWED_FILE_TYPES=.jpg,.jpeg,.png,.heic + - GALLERY_MAX_SIZE_MB=10 + - GALLERY_REQUIRE_REVIEW=true + - GALLERY_REVIEW_COUNTER=false + - GALLERY_QR_CODE_ENABLED=false + - GALLERY_MAX_SIZE_MB=4096 + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/weddingshare/config:/app/config + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/weddingshare/uploads/thumbnails:/app/wwwroot/thumbnails + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/weddingshare/uploads:/app/wwwroot/uploads + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/weddingshare/custom_resources:/app/wwwroot/custom_resources + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.weddingshare.rule=Host(`weddingshare.example.com`) + # - traefik.http.services.weddingshare.loadbalancer.server.port=5000 + # # Optional part for file upload max sizes + # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 + # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 + +#networks: +# proxy: +# external: true diff --git a/examples/wg-easy/README.md b/examples/wg-easy/README.md index 377bc795b..ebf61c912 100644 --- a/examples/wg-easy/README.md +++ b/examples/wg-easy/README.md 
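Review bot: `GALLERY_MAX_SIZE_MB` appears twice in the list-form `environment:` (`=10` and, at the end of the list, `=4096`); which value takes effect depends on how the Compose implementation resolves duplicate entries rather than on anything in the file, so decide which limit is intended and drop the other line. Separately, `ENCRYPTION_KEY=ChangeMe`, `ENCRYPTION_SALT=ChangeMe` and `ACCOUNT_OWNER_PASSWORD=ChangeMe` are placeholder secrets with no marker that they must be replaced, whereas the other examples in this diff at least annotate such lines (`# password: foobar123`, `# change this`); I'd add `# replace with a random value before first start` to each of the three. `restart: always` also departs from the `unless-stopped` used by the surrounding examples.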
@@ -1,3 +1,9 @@ # References - https://github.com/WeeJeWel/wg-easy + +# Notes + +Since v14 wg-easy does not support defining plaintext passwords anymore. You have to define a password hash instead. + +Although v15 was already released with an administrative UI, it still has some bugs regarding IPv6/NAT. diff --git a/examples/wg-easy/docker-compose-v14.yml b/examples/wg-easy/docker-compose-v14.yml new file mode 100644 index 000000000..432583c71 --- /dev/null +++ b/examples/wg-easy/docker-compose-v14.yml @@ -0,0 +1,37 @@ +services: + + wg-easy: + image: ghcr.io/wg-easy/wg-easy:14 + container_name: wg-easy + hostname: wireguard-easy + restart: unless-stopped + cap_add: + - NET_ADMIN + - SYS_MODULE + environment: + - WG_HOST=vpn.example.com # your hostname or ip address + - PASSWORD_HASH=$$2a$$12$$FGHsQAGm9N9sxJ54RiWiMumk2QkRVjyueCv9mRbrdc1f8y6pN36mq # password: foobar123 + - WG_DEFAULT_DNS=1.1.1.1,8.8.8.8 # add your local dns like pihole + - WG_ALLOWED_IPS=0.0.0.0/0, ::/0 + - WG_DEVICE=eth0 + ports: + - 51820:51820/udp # wireguard vpn + - 51821:51821/tcp # admin web ui + expose: + - 51820/udp # wireguard vpn + - 51821/tcp # admin web ui + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/wg-easy:/etc/wireguard + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.wireguard.rule=Host(`vpn.example.com`) + # - traefik.http.services.wireguard.loadbalancer.server.port=51821 + # # Part for local lan services only + # - traefik.http.routers.wireguard.middlewares=local-ipwhitelist@file + +#networks: +# proxy: +# external: true diff --git a/examples/wg-easy/docker-compose.yml b/examples/wg-easy/docker-compose.yml index be36881fb..b8f32b947 100644 --- a/examples/wg-easy/docker-compose.yml +++ b/examples/wg-easy/docker-compose.yml 
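Review bot: `PASSWORD_HASH=$$2a$$12$$...` ships a bcrypt hash whose plaintext (`foobar123`) is printed beside it, so a deployment that copies the new docker-compose-v14.yml unedited has a web-UI admin password that is public in this repository; the previous `PASSWORD=MyStrongPasswordForWebUi # change this` at least told the reader to change it. I'd extend the comment to `# password: foobar123 — replace with your own hash; '$' is written '$$' so Compose does not interpolate it` and point to how the hash is produced (the v14 image provides a `wgpw` helper for this, if I recall the upstream docs correctly). The admin UI is additionally published on every host interface via `51821:51821/tcp` while the commented Traefik labels assume a `local-ipwhitelist` middleware in front of it; `127.0.0.1:51821:51821/tcp` when the proxy is used would keep the UI off the public interface.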
@@ -1,34 +1,37 @@ -version: "3" - services: + wg-easy: + image: ghcr.io/wg-easy/wg-easy:15 + container_name: wg-easy + hostname: wireguard-easy + restart: unless-stopped cap_add: - NET_ADMIN - SYS_MODULE - container_name: wg-easy - environment: - - WG_HOST=vpn.example.com # your hostname or ip address - - PASSWORD=MyStrongPasswordForWebUi # change this - - WG_DEFAULT_DNS=1.1.1.1,8.8.8.8 # add your local dns like pihole - - WG_ALLOWED_IPS=0.0.0.0/0, ::/0 - - WG_DEVICE=eth0 - hostname: wireguard-easy - image: ghcr.io/wg-easy/wg-easy ports: - - 51820:51820/udp #VPN - - 51821:51821/tcp #WEBGUI - restart: unless-stopped + - 51820:51820/udp # wireguard vpn + - 51821:51821/tcp # admin web ui + expose: + - 51820/udp # wireguard vpn + - 51821/tcp # admin web ui volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/wg-easy:/etc/wireguard + - /lib/modules:/lib/modules:ro + sysctls: + - net.ipv4.ip_forward=1 + - net.ipv4.conf.all.src_valid_mark=1 + - net.ipv6.conf.all.disable_ipv6=0 + - net.ipv6.conf.all.forwarding=1 + - net.ipv6.conf.default.forwarding=1 #networks: # - proxy -# labels: -# - traefik.enable=true -# - traefik.http.routers.wireguard.rule=Host(`vpn.example.com`) -# - traefik.http.services.wireguard.loadbalancer.server.port=51821 -# - traefik.docker.network=proxy -# # Part for local lan services only -# - traefik.http.routers.wireguard.middlewares=local-ipwhitelist@file + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.wireguard.rule=Host(`vpn.example.com`) + # - traefik.http.services.wireguard.loadbalancer.server.port=51821 + # # Part for local lan services only + # - traefik.http.routers.wireguard.middlewares=local-ipwhitelist@file #networks: # proxy: diff --git a/examples/whoogle/docker-compose.yml b/examples/whoogle/docker-compose.yml index a1620dd94..e5526b2e8 100644 --- a/examples/whoogle/docker-compose.yml +++ b/examples/whoogle/docker-compose.yml 
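Review bot: `SYS_MODULE` in `cap_add`, now paired with the new `/lib/modules:/lib/modules:ro` mount, lets the container load kernel modules on the host — effectively host-root for a service that also publishes an admin UI — and it is only needed when the host kernel lacks the in-tree WireGuard module. I'd comment the capability `# SYS_MODULE and the /lib/modules mount are only needed if the host kernel has no wireguard module; drop both on current kernels` so operators treat it as removable rather than mandatory; the same applies to the `cap_add` block in the linuxserver/wireguard hunk further down, which also mounts `/usr/src` and `/lib/modules`. The `environment:` block (including `PASSWORD`) is removed outright here, presumably because v15 sets credentials up through the admin UI the README note mentions; since every other example carries its credentials in `environment:`, a one-line comment saying where the admin password is configured would save readers from assuming it was lost in the rewrite.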
@@ -1,12 +1,16 @@ # can't use mem_limit in a 3.x docker-compose file in non swarm mode # see https://github.com/docker/compose/issues/4513 -version: "2.4" services: + whoogle-search: image: benbusby/whoogle-search container_name: whoogle-search restart: unless-stopped + ports: + - 5000:5000 + expose: + - 5000 pids_limit: 50 mem_limit: 256mb memswap_limit: 256mb @@ -43,6 +47,4 @@ services: #- WHOOGLE_ALT_IMDB=farside.link/libremdb #- WHOOGLE_ALT_QUORA=farside.link/quetre #env_file: # Alternatively, load variables from whoogle.env - #- whoogle.env - ports: - - 5000:5000 + #- whoogle.env \ No newline at end of file diff --git a/examples/wikijs/docker-compose.yml b/examples/wikijs/docker-compose.yml index 031ff9060..1860c613b 100644 --- a/examples/wikijs/docker-compose.yml +++ b/examples/wikijs/docker-compose.yml @@ -1,14 +1,21 @@ -version: "3" - services: + wikijs: + image: linuxserver/wikijs:latest + container_name: wikijs + restart: unless-stopped environment: - PUID=1000 - PGID=1000 - TZ=Europe/Berlin - image: linuxserver/wikijs:latest - container_name: wikijs - restart: unless-stopped + - DB_TYPE=postgres + - DB_HOST=db + - DB_PORT=5432 + - DB_NAME=wikijs + - DB_USER=wikijs + - DB_PASS=MySecureDatabasePassword + expose: + - 3000 ports: - 8888:3000 # WEB UI volumes: 
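Review bot: `DB_PASS=MySecureDatabasePassword` here and `POSTGRES_PASSWORD=MySecureDatabasePassword` in the `db` hunk below are the same secret written in two places with nothing tying them together, so changing one and not the other leaves Wiki.js unable to authenticate to its database. The file already relies on Compose interpolation (`${DOCKER_VOLUME_STORAGE:-...}`), so both lines can read one variable set once in `.env`, e.g. `- DB_PASS=${WIKIJS_DB_PASSWORD}` and `- POSTGRES_PASSWORD=${WIKIJS_DB_PASSWORD}` (constructed name). The `wikijs` service continues past the hunk into its volumes and the commented Traefik labels.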
@@ -16,14 +23,36 @@ services: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/wikijs/data:/data links: - db + #networks: + # - proxy + #labels: + # - traefik.enable=true + # - traefik.docker.network=proxy + # - traefik.http.routers.wikijs.rule=Host(`wikijs.example.com`) + # - traefik.http.services.wikijs.loadbalancer.server.port=3000 + # # Optional part for file upload max sizes + # - traefik.http.middlewares.limit-wikijs.buffering.maxRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-wikijs.buffering.maxResponseBodyBytes=50000000 + # - traefik.http.middlewares.limit-wikijs.buffering.memRequestBodyBytes=50000000 + # - traefik.http.middlewares.limit-wikijs.buffering.memResponseBodyBytes=50000000 + # # Optional part for traefik middlewares + # - traefik.http.routers.wikijs.middlewares=limit-wikijs db: + image: postgres:16-alpine + container_name: postgresql environment: - POSTGRES_PASSWORD=MySecureDatabasePassword - POSTGRES_USER=wikijs - POSTGRES_DB=wikijs - container_name: postgresql - image: postgres:13.4-bullseye + expose: + - 5432 restart: unless-stopped volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/wikijs/database:/var/lib/postgresql/data + #networks: + # - proxy + +#networks: +# proxy: +# external: true \ No newline at end of file diff --git a/examples/wireguard/docker-compose.yml b/examples/wireguard/docker-compose.yml index 757e89133..2c57c6770 100644 --- a/examples/wireguard/docker-compose.yml +++ b/examples/wireguard/docker-compose.yml 
@@ -1,28 +1,29 @@ -version: "3.7" +services: -services: wireguard: - image: linuxserver/wireguard - container_name: wireguard + image: linuxserver/wireguard + container_name: wireguard + restart: unless-stopped cap_add: - - NET_ADMIN - - SYS_MODULE + - NET_ADMIN + - SYS_MODULE environment: - - PUID=1000 - - PGID=1000 + - PUID=1000 + - PGID=1000 - TZ=Europe/Berlin - - SERVERURL=vpn.example.com #optional - - SERVERPORT=51820 #optional - - PEERS=1 #optional - - PEERDNS=auto #optional - - INTERNAL_SUBNET=10.13.13.0 #optional - - ALLOWEDIPS=0.0.0.0/0 #optional - volumes: - - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/wireguard/config:/config - - /usr/src:/usr/src # location of kernel headers - - /lib/modules:/lib/modules - ports: - - 51820:51820/udp - sysctls: - - net.ipv4.conf.all.src_valid_mark=1 - restart: unless-stopped \ No newline at end of file + - SERVERURL=vpn.example.com #optional + - SERVERPORT=51820 #optional + - PEERS=1 #optional + - PEERDNS=auto #optional + - INTERNAL_SUBNET=10.13.13.0 #optional + - ALLOWEDIPS=0.0.0.0/0 #optional + volumes: + - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/wireguard/config:/config + - /usr/src:/usr/src # location of kernel headers + - /lib/modules:/lib/modules + ports: + - 51820:51820/udp # wireguard vpn + expose: + - 51820 + sysctls: + - net.ipv4.conf.all.src_valid_mark=1 diff --git a/examples/wordpress/docker-compose.yml b/examples/wordpress/docker-compose.yml index 0b299999e..c624d2ddf 100644 --- a/examples/wordpress/docker-compose.yml +++ b/examples/wordpress/docker-compose.yml 
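Review bot: The new `expose:` entry is `- 51820` with no protocol, which documents 51820/tcp, while the port published two lines above is `51820:51820/udp` and WireGuard speaks UDP only; it should read `- 51820/udp # wireguard vpn`, matching the wg-easy examples in this diff. The remainder of the hunk is re-indentation and the move of `restart: unless-stopped`.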
@@ -1,22 +1,23 @@ -version: '3.3' - services: + wordpress-db: image: mariadb:10.11 container_name: wordpress-db hostname: wordpress-db + restart: unless-stopped command: '--default-authentication-plugin=mysql_native_password' + expose: + - 3306 volumes: - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/wordpress/mysql:/var/lib/mysql - restart: unless-stopped environment: - MYSQL_ROOT_PASSWORD=wordpressroot - MYSQL_DATABASE=wordpress - MYSQL_USER=wordpress - MYSQL_PASSWORD=wordpress #networks: - # - proxy - + # - proxy + wordpress: image: wordpress:latest container_name: wordpress 
@@ -34,18 +35,18 @@ services: - WORDPRESS_DB_PASSWORD=wordpress - WORDPRESS_DB_NAME=wordpress #networks: - # - proxy + # - proxy #labels: # - traefik.enable=true # - traefik.docker.network=proxy # - traefik.http.routers.wordpress.rule=Host(`wordpress.example.com`) # please adjust # - traefik.http.services.wordpress.loadbalancer.server.port=80 - # - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads - # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-wordpress.buffering.maxRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-wordpress.buffering.maxResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-wordpress.buffering.memRequestBodyBytes=50000000 # optional, only necessary for enabled file uploads + # - traefik.http.middlewares.limit-wordpress.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads # # Part for optional traefik middlewares - # - traefik.http.routers.wordpress.middlewares=local-ipwhitelist@file + # - traefik.http.routers.wordpress.middlewares=limit-wordpress #networks: # proxy: diff --git a/examples/yourls/docker-compose.yml b/examples/yourls/docker-compose.yml index 8da752f72..e964cee49 100644 --- a/examples/yourls/docker-compose.yml +++ b/examples/yourls/docker-compose.yml @@ -1,5 +1,3 @@ -version: '3.1' - services: yourls: 
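Review bot: The commented `traefik.http.routers.wordpress.middlewares` example now lists only `limit-wordpress` and drops `local-ipwhitelist@file`, so the template no longer shows the LAN-only restriction the wg-easy examples in this diff keep; the wikijs hunk above makes the same change with `limit-wikijs`. If the intent is merely to demonstrate the buffering middleware, `local-ipwhitelist@file,limit-wordpress` would document it without changing the restrictive default a reader would otherwise copy; if WordPress is meant to be internet-facing, a comment saying so would make the omission deliberate.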
@@ -34,6 +32,8 @@ services:
 image: mysql:latest
 container_name: yourls-db
 restart: unless-stopped
+ expose:
+ - 3306
 environment:
 MYSQL_DATABASE: yourls
 MYSQL_USER: yourls
diff --git a/examples/zitadel/README.md b/examples/zitadel/README.md
new file mode 100644
index 000000000..c3ae9daf4
--- /dev/null
+++ b/examples/zitadel/README.md
@@ -0,0 +1,3 @@
+# References
+
+- https://zitadel.com/docs/self-hosting/deploy/compose
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 000000000..4ddae5951
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+
+ "extends": ["config:base"],
+
+ "enabledManagers": ["docker-compose"],
+
+ "includePaths": ["examples/**"],
+
+ "ignorePaths": [
+ "**/node_modules/**",
+ "**/vendor/**"
+ ],
+
+ "docker-compose": {
+ "managerFilePatterns": [
+ "/(^|/)examples\\/.*\\/(?:docker-)?compose\\.ya?ml$/"
+ ]
+ },
+
+ "separateMajorMinor": true,
+ "separateMinorPatch": true
+}
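Review bot: `"extends": ["config:base"]` uses the preset name Renovate renamed to `config:recommended`; the old name still resolves as an alias but is deprecated, so `"extends": ["config:recommended"]` avoids the deprecation notice in Renovate's logs. Since this file is what keeps the example images current, it is worth noting in the repository that a service left on a floating tag — the `nickfedor/watchtower:latest` line added earlier in this diff — is invisible to the docker-compose manager and will not get update PRs.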