diff --git a/proxmox/services/docker-based/authentik.yml b/proxmox/services/docker-based/authentik.yml
new file mode 100644
index 0000000..1c01dfb
--- /dev/null
+++ b/proxmox/services/docker-based/authentik.yml
@@ -0,0 +1,49 @@
+version: '3.8'
+
+# Deploy with:
+# docker stack deploy -c authentik.yml authentik
+#
+# Runs on: docker-swarm-1
+# Authentik server + worker, using the shared postgres stack.
+# No Redis required as of 2026.2.x.
+# Initial setup wizard at http://:9000/if/flow/initial-setup/
+
+services:
+ server:
+ image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-2026.2.1}
+ command: server
+ environment:
+ AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
+ AUTHENTIK_POSTGRESQL__HOST: pve-postgres
+ AUTHENTIK_POSTGRESQL__PORT: 5432
+ AUTHENTIK_POSTGRESQL__NAME: authentik_db
+ AUTHENTIK_POSTGRESQL__USER: authentik_user
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD}
+ ports:
+ - 9000: 9000
+ - 9443: 9443
+ volumes:
+ - authentik_media:/media
+ - authentik_templates:/templates
+
+ worker:
+ image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-2026.2.1}
+ command: worker
+ environment:
+ AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
+ AUTHENTIK_POSTGRESQL__HOST: postgres-pve
+ AUTHENTIK_POSTGRESQL__PORT: 5432
+ AUTHENTIK_POSTGRESQL__NAME: authentik_db
+ AUTHENTIK_POSTGRESQL__USER: authentik_user
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD}
+ volumes:
+ - authentik_media:/media
+ - authentik_templates:/templates
+ - authentik_certs:/certs
+
+
+volumes:
+ authentik_media:
+ authentik_templates:
+ authentik_certs:
+
diff --git a/proxmox/services/docker-based/forgejo.yml b/proxmox/services/docker-based/forgejo.yml
new file mode 100644
index 0000000..366cd60
--- /dev/null
+++ b/proxmox/services/docker-based/forgejo.yml
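Review bot: In authentik.yml the worker sets `AUTHENTIK_POSTGRESQL__HOST: postgres-pve` while the server (and forgejo.yml, n8n.yml) use `pve-postgres`, so the worker will most likely fail to reach the database; it should read `AUTHENTIK_POSTGRESQL__HOST: pve-postgres`. The port entries are also written as `- 9000: 9000` and `- 9443: 9443`, which YAML parses as one-key mappings rather than port strings; the same form appears in ghost.yml, mariadb.yml, n8n.yml, nats.yml, snikket.yml, synapse.yml and vaultwarden.yml. Quote them the way monerod.yml and postgres.yml already do, e.g. `- "9000:9000"`, which also avoids the YAML 1.1 base-60 reading of unquoted low port pairs.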
@@ -0,0 +1,28 @@
+version: '3.8'
+
+# Deploy with:
+# docker stack deploy -c forgejo.yml forgejo
+#
+# Runs on: pve-social
+# Self-hosted Git forge (Gitea fork).
+# Web UI on port 3000. Uses shared PostgreSQL on pve-postgres.
+
+services:
+ forgejo:
+ image: codeberg.org/forgejo/forgejo:9
+ environment:
+ USER_UID: 1000
+ USER_GID: 1000
+ FORGEJO__database__DB_TYPE: postgres
+ FORGEJO__database__HOST: pve-postgres:5432
+ FORGEJO__database__NAME: forgejo_db
+ FORGEJO__database__USER: forgejo_user
+ FORGEJO__database__PASSWD: ${FORGEJO_DB_PASSWORD}
+ FORGEJO__server__HTTP_PORT: 3000
+ ports:
+ - 3000:3000
+ volumes:
+ - forgejo_data:/data
+
+volumes:
+ forgejo_data:
diff --git a/proxmox/services/game-interfaces b/proxmox/services/docker-based/game-interfaces
similarity index 100%
rename from proxmox/services/game-interfaces
rename to proxmox/services/docker-based/game-interfaces
diff --git a/proxmox/services/docker-based/ghost.yml b/proxmox/services/docker-based/ghost.yml
new file mode 100644
index 0000000..0016006
--- /dev/null
+++ b/proxmox/services/docker-based/ghost.yml
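Review bot: `FORGEJO__database__PASSWD: ${FORGEJO_DB_PASSWORD}` in forgejo.yml is filled in from the shell that runs `docker stack deploy`, and an unset variable is substituted as an empty string, so a deploy from the wrong shell silently ships a blank database password. Use the required-variable form, `FORGEJO__database__PASSWD: ${FORGEJO_DB_PASSWORD:?set FORGEJO_DB_PASSWORD}`, so the deploy aborts instead. The same applies to the secret variables in authentik.yml, ghost.yml, mariadb.yml, n8n.yml, postgres.yml and vaultwarden.yml. Values passed this way are also readable through `docker service inspect`; Swarm `secrets:` would keep them out of the service spec wherever the image offers a file-based variant of the setting.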
@@ -0,0 +1,63 @@
+version: '3.8'
+
+# Deploy with:
+# docker stack deploy -c ghost.yml ghost
+#
+# Runs on: adder-ghost
+# Three Ghost blog instances, each with its own port and MariaDB database.
+# Ghost 1: port 2368, Ghost 2: port 2369, Ghost 3: port 2370
+
+services:
+ ghost1:
+ image: ghost:5-alpine
+ environment:
+ database__client: mysql
+ database__connection__host: localhost
+ database__connection__port: 3306
+ database__connection__user: ghost1_user
+ database__connection__password: ${GHOST1_DB_PASSWORD}
+ database__connection__database: ghost1_db
+ url: ${GHOST1_URL:-http://localhost:2368}
+ ports:
+ - 2368: 2368
+ volumes:
+ - ghost1_data:/var/lib/ghost/content
+
+ ghost2:
+ image: ghost:5-alpine
+ environment:
+ database__client: mysql
+ database__connection__host: localhost
+ database__connection__port: 3306
+ database__connection__user: ghost2_user
+ database__connection__password: ${GHOST2_DB_PASSWORD}
+ database__connection__database: ghost2_db
+ url: ${GHOST2_URL:-http://localhost:2369}
+ server__port: 2369
+ ports:
+ - 2368: 2369
+ volumes:
+ - ghost2_data:/var/lib/ghost/content
+
+ ghost3:
+ image: ghost:5-alpine
+ environment:
+ database__client: mysql
+ database__connection__host: localhost
+ database__connection__port: 3306
+ database__connection__user: ghost3_user
+ database__connection__password: ${GHOST3_DB_PASSWORD}
+ database__connection__database: ghost3_db
+ url: ${GHOST3_URL:-http://localhost:2370}
+ server__port: 2370
+ ports:
+ - 2370: 2370
+ volumes:
+ - ghost3_data:/var/lib/ghost/content
+
+
+volumes:
+ ghost1_data:
+ ghost2_data:
+ ghost3_data:
+
diff --git a/proxmox/services/docker-based/mariadb.yml b/proxmox/services/docker-based/mariadb.yml
new file mode 100644
index 0000000..5c39182
--- /dev/null
+++ b/proxmox/services/docker-based/mariadb.yml
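Review bot: ghost2 in ghost.yml publishes `- 2368: 2369`, which reuses ghost1's published port 2368 and contradicts both the header comment and `server__port: 2369`; it should be `- "2369:2369"`. All three instances also set `database__connection__host: localhost`, which inside a container refers to the Ghost container itself rather than to the MariaDB service from mariadb.yml, so the database connection is likely to be refused. Point it at the MariaDB service over a shared overlay network (or at the node address, if that is the intent) and add a comment saying which.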
@@ -0,0 +1,20 @@
+version: '3.8'
+
+# Deploy with:
+# docker stack deploy -c mariadb.yml mariadb
+#
+# Runs on: adder-ghost
+
+services:
+ mariadb:
+ image: mariadb:11
+ environment:
+ MYSQL_ROOT_PASSWORD: ${MARIADB_ROOT_PASSWORD}
+ ports:
+ - 3306: 3306
+ volumes:
+ - mariadb_data:/var/lib/mysql
+
+volumes:
+ mariadb_data:
+
diff --git a/proxmox/services/monerod-ban-list.txt b/proxmox/services/docker-based/monerod-ban-list.txt
similarity index 100%
rename from proxmox/services/monerod-ban-list.txt
rename to proxmox/services/docker-based/monerod-ban-list.txt
diff --git a/proxmox/services/docker-based/monerod.yml b/proxmox/services/docker-based/monerod.yml
new file mode 100644
index 0000000..f0e9ffc
--- /dev/null
+++ b/proxmox/services/docker-based/monerod.yml
@@ -0,0 +1,28 @@
+version: '3.8'
+
+# Deploy with:
+# docker stack deploy -c monerod.yml monerod
+#
+# Runs on: game node
+# Restricted RPC node with pruning enabled to reduce disk usage.
+# Blockchain data is bind-mounted from NAS at /mnt/nas/.bitmonero.
+# Restricted RPC exposed on port 18089 for external wallet access.
+
+services:
+ monerod:
+ image: ghcr.io/sethforprivacy/simple-monerod:latest
+ command:
+ - --rpc-restricted-bind-ip=0.0.0.0
+ - --rpc-restricted-bind-port=18089
+ - --no-igd
+ - --enable-dns-blocklist
+ - --ban-list=/home/monero/ban_list.txt
+ - --prune-blockchain
+ ports:
+ - "18080:18080"
+ - "18089:18089"
+ volumes:
+ - /mnt/nas/.bitmonero:/home/monero/.bitmonero
+ - ./monerod-ban-list.txt:/home/monero/ban_list.txt:ro
+
+
diff --git a/proxmox/services/docker-based/n8n.yml b/proxmox/services/docker-based/n8n.yml
new file mode 100644
index 0000000..b215f7a
--- /dev/null
+++ b/proxmox/services/docker-based/n8n.yml
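Review bot: mariadb.yml publishes 3306 through the swarm routing mesh, so a server protected only by its root password answers on every node's address, although the only stated consumer is Ghost on the same node. Drop the `ports:` entry and let Ghost reach it over a shared overlay network, or restrict the port with a host firewall if outside access is really needed. The hunk also creates none of the `ghost1_db`/`ghost1_user` style databases and users that ghost.yml expects; if they are provisioned elsewhere, a comment saying where would help.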
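Review bot: `image: ghcr.io/sethforprivacy/simple-monerod:latest` in monerod.yml is a mutable tag on a third-party image, so a redeploy or reschedule may pull different code from what was reviewed. The same `:latest` pattern is in n8n.yml, nats.yml, snikket.yml, synapse.yml and vaultwarden.yml, whereas authentik.yml, forgejo.yml and postgres.yml pin a version. Pin each image to a release tag and ideally a digest, e.g. `image: ghcr.io/sethforprivacy/simple-monerod:<release-tag>@sha256:<digest>` (placeholders), and update it deliberately.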
@@ -0,0 +1,25 @@
+version: '3.8'
+
+# Deploy with:
+# docker stack deploy -c n8n.yml n8n
+#
+# Runs on: pve-tools
+
+services:
+ n8n:
+ image: n8nio/n8n:latest
+ environment:
+ DB_TYPE: postgresdb
+ DB_POSTGRESDB_HOST: pve-postgres
+ DB_POSTGRESDB_PORT: 5432
+ DB_POSTGRESDB_DATABASE: n8n_db
+ DB_POSTGRESDB_USER: n8n_user
+ DB_POSTGRESDB_PASSWORD: ${N8N_DB_PASSWORD}
+ ports:
+ - 5678: 5678
+ volumes:
+ - n8n_data:/home/node/.n8n
+
+volumes:
+ n8n_data:
+
diff --git a/proxmox/services/nats.conf b/proxmox/services/docker-based/nats.conf
similarity index 100%
rename from proxmox/services/nats.conf
rename to proxmox/services/docker-based/nats.conf
diff --git a/proxmox/services/docker-based/nats.yml b/proxmox/services/docker-based/nats.yml
new file mode 100644
index 0000000..90c3b53
--- /dev/null
+++ b/proxmox/services/docker-based/nats.yml
@@ -0,0 +1,30 @@
+version: '3.8'
+
+# Deploy with:
+# docker stack deploy -c nats.yml nats
+#
+# Runs on: pve-tools
+# JetStream enabled for persistent messaging.
+# Services connect to nats_nats:4222 via overlay, or host:4222 externally.
+
+services:
+ nats:
+ image: nats:latest
+ command:
+ - -c=/etc/nats/nats.conf
+ ports:
+ - 4222: 4222
+ - 8080: 8080
+ - 8222: 8223
+ volumes:
+ - nats_data:/data
+ configs:
+ - source: nats_conf
+ target: /etc/nats/nats.conf
+
+configs:
+ nats_conf:
+ file: ./nats.conf
+
+volumes:
+ nats_data:
diff --git a/proxmox/services/docker-based/postgres.yml b/proxmox/services/docker-based/postgres.yml
new file mode 100644
index 0000000..26a90e0
--- /dev/null
+++ b/proxmox/services/docker-based/postgres.yml
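Review bot: n8n.yml sets no `N8N_ENCRYPTION_KEY`, so n8n will generate its credential-encryption key on first start and keep it only in the `n8n_data` volume, while the encrypted credentials themselves live in the shared PostgreSQL database. If that node-local volume is lost, or the task is scheduled onto another node, the stored credentials can no longer be decrypted. Supply the key explicitly, e.g. `N8N_ENCRYPTION_KEY: ${N8N_ENCRYPTION_KEY:?set N8N_ENCRYPTION_KEY}`, and back it up together with the database.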
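Review bot: nats.yml maps `- 8222: 8223`, but the nats.conf it mounts sets `http_port: 8222`, so nothing listens on container port 8223 and the monitoring endpoint will be unreachable; the entry should be `- "8222:8222"`. Before fixing it, consider whether the monitoring port should be published at all, since NATS serves it without authentication; keeping it reachable only on the overlay network is the safer choice. Published port 8222 also collides with vaultwarden.yml, which publishes the same port and is likewise marked as running on pve-tools.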
@@ -0,0 +1,23 @@
+version: '3.8'
+
+# Deploy with:
+# docker stack deploy -c postgres.yml postgres
+#
+# Runs on: POSTGRES_INSTANCE (ip-10-0-1-173)
+# Creates databases and users for all services on first boot via init scripts.
+# Data is persisted in a named Docker volume on the postgres node.
+
+services:
+ postgres:
+ image: postgres:16
+ environment:
+ POSTGRES_USER: postgres
+ POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+ ports:
+ - "5432:5432"
+ volumes:
+ - postgres_data:/var/lib/postgresql/data
+
+volumes:
+ postgres_data:
+
diff --git a/proxmox/services/docker-based/snikket.yml b/proxmox/services/docker-based/snikket.yml
new file mode 100644
index 0000000..d8eda37
--- /dev/null
+++ b/proxmox/services/docker-based/snikket.yml
@@ -0,0 +1,36 @@
+version: '3.8'
+
+# Deploy with:
+# docker stack deploy -c snikket.yml snikket
+#
+# Runs on: pve-social
+# XMPP server (Prosody-based). TLS terminated externally by Caddy at the hub.
+# Certs must be bind-mounted into the container when ready.
+#
+# Web portal (invites/admin): port 80 — proxied by Caddy
+# XMPP client connections: port 5222
+# XMPP federation: port 5269
+# File transfer proxy: port 5000
+
+services:
+ snikket-web:
+ image: snikket/snikket-server:latest
+ command: web
+ ports:
+ - 80: 80
+ volumes:
+ - snikket_data:/snikket
+
+ snikket-server:
+ image: snikket/snikket-server:latest
+ command: server
+ ports:
+ - 5222: 5222
+ - 5269: 5269
+ - 5000: 5000
+ volumes:
+ - snikket_data:/snikket
+
+volumes:
+ snikket_data:
+
diff --git a/proxmox/services/docker-based/synapse.yml b/proxmox/services/docker-based/synapse.yml
new file mode 100644
index 0000000..14ad911
--- /dev/null
+++ b/proxmox/services/docker-based/synapse.yml
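Review bot: The header of postgres.yml says databases and users for all services are created on first boot via init scripts, but the service mounts only `postgres_data`; nothing is mounted at `/docker-entrypoint-initdb.d`, so `authentik_db`, `forgejo_db`, `n8n_db` and their users would not be created. Add the mount, for example `- ./initdb:/docker-entrypoint-initdb.d:ro` (path illustrative), or correct the comment. The superuser account is also published on 5432 to every swarm node; if only stack services need it, an overlay network without `ports:` reduces exposure, and `POSTGRES_PASSWORD_FILE` with a Swarm secret keeps the password out of the service spec.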
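Review bot: The header of snikket.yml states that certificates must be bind-mounted into the container, yet neither service mounts any, while 5222 and 5269 are already published. Caddy can terminate HTTPS for the web portal, but XMPP client and federation connections negotiate TLS with the XMPP server itself, so they depend on those certificates being present. Either hold back the 5222/5269/5000 entries until the mount exists or add it in this change, e.g. `- <cert-dir-on-host>:<cert-path-in-container>:ro` (placeholders; the container path depends on the image).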
@@ -0,0 +1,34 @@
+version: '3.8'
+
+# Deploy with:
+# docker stack deploy -c synapse.yml synapse
+#
+# Runs on: pve-social
+# Matrix homeserver. Client/federation API on port 8008.
+#
+# First deploy generates /data/homeserver.yaml automatically.
+# After first boot, update homeserver.yaml on pve-social to add PostgreSQL:
+# database:
+# name: psycopg2
+# args:
+# user: synapse_user
+# password:
+# database: synapse_db
+# host: postgres_postgres
+# cp_min: 5
+# cp_max: 10
+
+services:
+ synapse:
+ image: matrixdotorg/synapse:latest
+ environment:
+ SYNAPSE_SERVER_NAME: pve-social
+ SYNAPSE_REPORT_STATS: "no"
+ ports:
+ - 8008: 8008
+ volumes:
+ - synapse_data:/data
+
+volumes:
+ synapse_data:
+
diff --git a/proxmox/services/docker-based/vaultwarden.yml b/proxmox/services/docker-based/vaultwarden.yml
new file mode 100644
index 0000000..1167ae9
--- /dev/null
+++ b/proxmox/services/docker-based/vaultwarden.yml
@@ -0,0 +1,27 @@
+version: '3.8'
+
+# Deploy with:
+# docker stack deploy -c vaultwarden.yml vaultwarden
+#
+# Runs on: pve-tools
+# Self-hosted Bitwarden-compatible password manager.
+# Uses default SQLite backend; data persisted in a named volume.
+# Web vault exposed on port 8222.
+
+services:
+ vaultwarden:
+ image: vaultwarden/server:latest
+ environment:
+ SIGNUPS_ALLOWED: "false"
+ INVITATIONS_ALLOWED: "true"
+ SHOW_PASSWORD_HINT: "false"
+ ROCKET_PORT: 8222
+ ADMIN_TOKEN: ${VAULT_ADMIN_TOKEN}
+ ports:
+ - 8222: 8222
+ volumes:
+ - vaultwarden_data:/data
+
+volumes:
+ vaultwarden_data:
+
diff --git a/proxmox/services/authentik.yml b/proxmox/services/swarm-based/authentik.yml
similarity index 100%
rename from proxmox/services/authentik.yml
rename to proxmox/services/swarm-based/authentik.yml
diff --git a/proxmox/services/caddy.yml b/proxmox/services/swarm-based/caddy.yml
similarity index 100%
rename from proxmox/services/caddy.yml
rename to proxmox/services/swarm-based/caddy.yml
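Review bot: The comment in synapse.yml says the first deploy generates /data/homeserver.yaml automatically, but as far as I know the matrixdotorg/synapse image only writes a config when run with the `generate` command and otherwise exits when the file is missing; this should be verified and the one-off generate step documented. `SYNAPSE_SERVER_NAME: pve-social` also deserves a comment, because the server name becomes part of every user and room ID and cannot be changed later, and an internal hostname will not federate. The PostgreSQL example uses `host: postgres_postgres` while the other stacks use `pve-postgres`; the two should be made consistent.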
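Review bot: `ADMIN_TOKEN: ${VAULT_ADMIN_TOKEN}` in vaultwarden.yml places the admin-panel token in the service spec; Vaultwarden accepts an Argon2 PHC string here, and supplying the hash means that reading the spec or the container environment does not reveal the token itself. A comment such as `# VAULT_ADMIN_TOKEN must hold the Argon2 PHC hash, not the plain token` would prevent a plaintext value being set by habit. The vault on 8222 is plain HTTP, so clients should reach it only through the TLS-terminating proxy; consider not publishing the port more widely than that proxy needs.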
diff --git a/proxmox/services/forgejo.yml b/proxmox/services/swarm-based/forgejo.yml
similarity index 100%
rename from proxmox/services/forgejo.yml
rename to proxmox/services/swarm-based/forgejo.yml
diff --git a/proxmox/services/fusionauth.yml b/proxmox/services/swarm-based/fusionauth.yml
similarity index 100%
rename from proxmox/services/fusionauth.yml
rename to proxmox/services/swarm-based/fusionauth.yml
diff --git a/proxmox/services/swarm-based/game-interfaces b/proxmox/services/swarm-based/game-interfaces
new file mode 100644
index 0000000..10f489f
--- /dev/null
+++ b/proxmox/services/swarm-based/game-interfaces
@@ -0,0 +1,51 @@
+auto lo
+iface lo inet loopback
+
+iface nic0 inet manual
+
+iface nic1 inet manual
+
+iface wlp7s0 inet manual
+
+auto vmbr0
+iface vmbr0 inet static
+ address 192.168.40.109/24
+ gateway 192.168.40.1
+ bridge-ports nic0
+ bridge-stp off
+ bridge-fd 0
+ post-up ip link add vxlan10 type vxlan id 10 local 192.168.40.109 dstport 4790 || true
+ post-up bridge fdb append 00:00:00:00:00:00 dev vxlan10 dst 192.168.40.198 || true
+ post-up bridge fdb append 00:00:00:00:00:00 dev vxlan10 dst 192.168.40.150 || true
+ post-up ip link set vxlan10 up || true
+
+auto vmbr1
+iface vmbr1 inet static
+ address 10.10.10.172/24
+ bridge-ports none
+ bridge-stp off
+ bridge-fd 0
+ post-up brctl addif vmbr1 vxlan10 || true
+
+auto vmbr2
+iface vmbr2 inet manual
+ bridge-ports none
+ bridge-stp off
+ bridge-fd 0
+#openwrt me
+
+auto vmbr3
+iface vmbr3 inet manual
+ bridge-ports none
+ bridge-stp off
+ bridge-fd 0
+#openwrt donna
+
+auto vmbr4
+iface vmbr4 inet manual
+ bridge-ports none
+ bridge-stp off
+ bridge-fd 0
+#openwrt IoT
+
+source /etc/network/interfaces.d/*
diff --git a/proxmox/services/ghost.yml b/proxmox/services/swarm-based/ghost.yml
similarity index 100%
rename from proxmox/services/ghost.yml
rename to proxmox/services/swarm-based/ghost.yml
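Review bot: In swarm-based/game-interfaces every `post-up` line for vxlan10 ends in `|| true`, so if the tunnel or an FDB entry fails to come up, the interface still reports success and vmbr1 runs without its overlay with nothing logged. Keep `|| true` only on the idempotent `ip link add` and let the other commands fail visibly, or log the failure. VXLAN provides neither authentication nor encryption, so the 10.10.10.0/24 traffic crosses 192.168.40.0/24 in the clear; a firewall rule limiting UDP 4790 to the peers 192.168.40.198 and 192.168.40.150 would be a sensible addition. The `#openwrt …` labels sit after each stanza; placing each above its `auto vmbrN` line would make clear which bridge it names.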
diff --git a/proxmox/services/mariadb.yml b/proxmox/services/swarm-based/mariadb.yml
similarity index 100%
rename from proxmox/services/mariadb.yml
rename to proxmox/services/swarm-based/mariadb.yml
diff --git a/proxmox/services/swarm-based/monerod-ban-list.txt b/proxmox/services/swarm-based/monerod-ban-list.txt
new file mode 100644
index 0000000..e69de29
diff --git a/proxmox/services/monerod.yml b/proxmox/services/swarm-based/monerod.yml
similarity index 100%
rename from proxmox/services/monerod.yml
rename to proxmox/services/swarm-based/monerod.yml
diff --git a/proxmox/services/n8n.yml b/proxmox/services/swarm-based/n8n.yml
similarity index 100%
rename from proxmox/services/n8n.yml
rename to proxmox/services/swarm-based/n8n.yml
diff --git a/proxmox/services/swarm-based/nats.conf b/proxmox/services/swarm-based/nats.conf
new file mode 100644
index 0000000..f6700fe
--- /dev/null
+++ b/proxmox/services/swarm-based/nats.conf
@@ -0,0 +1,10 @@
+jetstream {
+ store_dir: /data
+}
+
+http_port: 8222
+
+websocket {
+ port: 8080
+ no_tls: true
+}
diff --git a/proxmox/services/nats.yml b/proxmox/services/swarm-based/nats.yml
similarity index 100%
rename from proxmox/services/nats.yml
rename to proxmox/services/swarm-based/nats.yml
diff --git a/proxmox/services/postgres.yml b/proxmox/services/swarm-based/postgres.yml
similarity index 100%
rename from proxmox/services/postgres.yml
rename to proxmox/services/swarm-based/postgres.yml
diff --git a/proxmox/services/snikket.yml b/proxmox/services/swarm-based/snikket.yml
similarity index 100%
rename from proxmox/services/snikket.yml
rename to proxmox/services/swarm-based/snikket.yml
diff --git a/proxmox/services/synapse.yml b/proxmox/services/swarm-based/synapse.yml
similarity index 100%
rename from proxmox/services/synapse.yml
rename to proxmox/services/swarm-based/synapse.yml
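Review bot: swarm-based/nats.conf defines no `authorization` block, and the nats.yml in this change publishes 4222 and the WebSocket port 8080, so every host that can reach those ports is accepted as a client of the message bus and its JetStream data. The WebSocket listener also sets `no_tls: true`, which carries traffic, and any credentials added later, in clear text. Add at least a token or a user list, e.g. `authorization { token: $NATS_TOKEN }`, and either enable TLS on the WebSocket listener or keep it reachable only behind the TLS-terminating proxy.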
diff --git a/proxmox/services/vaultwarden.yml b/proxmox/services/swarm-based/vaultwarden.yml
similarity index 100%
rename from proxmox/services/vaultwarden.yml
rename to proxmox/services/swarm-based/vaultwarden.yml