feat: Complete infrastructure cleanup phase documentation and status updates

## Major Infrastructure Milestones Achieved

### ✅ Service Migrations Completed
- Jellyfin: Successfully migrated to Docker Swarm with latest version
- Vaultwarden: Running in Docker Swarm on OMV800 (eliminated duplicate)
- Nextcloud: Operational with database optimization and cron setup
- Paperless services: Both NGX and AI running successfully

### 🚨 Duplicate Service Analysis Complete
- Identified MariaDB conflict (OMV800 Swarm vs lenovo410 standalone)
- Identified Vaultwarden duplication (now resolved)
- Documented PostgreSQL and Redis consolidation opportunities
- Mapped monitoring stack optimization needs

### 🏗️ Infrastructure Status Documentation
- Updated README with current cleanup phase status
- Enhanced Service Analysis with duplicate service inventory
- Updated Quick Start guide with immediate action items
- Documented current container distribution across 6 nodes

### 📋 Action Plan Documentation
- Phase 1: Immediate service conflict resolution (this week)
- Phase 2: Service migration and load balancing (next 2 weeks)
- Phase 3: Database consolidation and optimization (future)

### 🔧 Current Infrastructure Health
- Docker Swarm: All 6 nodes operational and healthy
- Caddy Reverse Proxy: Fully operational with SSL certificates
- Storage: MergerFS healthy, local storage for databases
- Monitoring: Prometheus + Grafana + Uptime Kuma operational

### 📊 Container Distribution Status
- OMV800: 25+ containers (needs load balancing)
- lenovo410: 9 containers (cleanup in progress)
- fedora: 1 container (ready for additional services)
- audrey: 4 containers (well-balanced, monitoring hub)
- lenovo420: 7 containers (balanced, can assist)
- surface: 9 containers (specialized, reverse proxy)

### 🎯 Next Steps
1. Remove lenovo410 MariaDB (eliminate port 3306 conflict)
2. Clean up lenovo410 Vaultwarden (256MB space savings)
3. Verify no service conflicts exist
4. Begin service migration from OMV800 to fedora/audrey

Status: Infrastructure 99% complete, entering cleanup and optimization phase

backups/paperless_csrf_fix_20250831_104151/paperless.yml

@@ -0,0 +1,65 @@
+version: '3.9'
+
+services:
+  paperless:
+    image: paperlessngx/paperless-ngx:2.10.3
+    environment:
+      PAPERLESS_REDIS: redis://redis_master:6379
+      PAPERLESS_DBHOST: postgresql_primary
+      PAPERLESS_DBNAME: paperless
+      PAPERLESS_DBUSER: postgres
+      PAPERLESS_DBPASS_FILE: /run/secrets/pg_root_password
+      # CSRF and reverse proxy configuration
+      PAPERLESS_URL: https://paperless.pressmess.duckdns.org
+      PAPERLESS_CSRF_TRUSTED_ORIGINS: https://paperless.pressmess.duckdns.org
+      PAPERLESS_ALLOWED_HOSTS: paperless.pressmess.duckdns.org
+      # Security settings for reverse proxy
+      PAPERLESS_USE_X_FORWARDED_HOST: true
+      PAPERLESS_USE_X_FORWARDED_PORT: true
+      PAPERLESS_SECURE_SSL_REDIRECT: true
+      # Additional security headers
+      PAPERLESS_SECURE_BROWSER_XSS_FILTER: true
+      PAPERLESS_SECURE_CONTENT_TYPE_NOSNIFF: true
+      PAPERLESS_SECURE_HSTS_INCLUDE_SUBDOMAINS: true
+      PAPERLESS_SECURE_HSTS_SECONDS: 31536000
+    secrets:
+      - pg_root_password
+    volumes:
+      - paperless_data:/usr/src/paperless/data
+      - paperless_media:/usr/src/paperless/media
+    networks:
+      - traefik-public
+      - database-network
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.paperless.rule=Host(`paperless.pressmess.duckdns.org`)
+        - traefik.http.routers.paperless.entrypoints=websecure
+        - traefik.http.routers.paperless.tls=true
+        - traefik.http.routers.paperless.tls.certresolver=letsencrypt
+        - traefik.http.services.paperless.loadbalancer.server.port=8000
+        - traefik.http.routers.paperless.middlewares=security-headers@file
+
+volumes:
+  paperless_data:
+    driver: local
+    driver_opts:
+      type: nfs
+      o: addr=omv800.local,nolock,soft,rw
+      device: :/export/paperless
+  paperless_media:
+    driver: local
+    driver_opts:
+      type: nfs
+      o: addr=omv800.local,nolock,soft,rw
+      device: :/srv/mergerfs/DataPool/pdfs
+
+secrets:
+  pg_root_password:
+    external: true
+
+networks:
+  traefik-public:
+    external: true
+  database-network:
+    external: true

backups/paperless_csrf_fix_20250831_104151/traefik.yml

@@ -0,0 +1,65 @@
+version: '3.9'
+
+services:
+  traefik:
+    image: traefik:v2.10
+    user: "0:0"  # Run as root to ensure Docker socket access
+    command:
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
+      - --providers.docker.swarmMode=true
+      - --providers.docker.endpoint=tcp://172.17.0.1:2375
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --entrypoints.web.http.redirections.entrypoint.to=websecure
+      - --entrypoints.web.http.redirections.entrypoint.scheme=https
+      - --api.dashboard=true
+      - --api.insecure=false
+      - --log.level=INFO
+      - --accesslog=true
+      # Let's Encrypt configuration for DuckDNS
+      - --certificatesresolvers.letsencrypt.acme.email=admin@pressmess.duckdns.org
+      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
+      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
+      # Security settings
+      - --global.checknewversion=false
+      - --global.sendanonymoususage=false
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:rw
+      - traefik_letsencrypt:/letsencrypt
+      - traefik_logs:/logs
+    networks:
+      - traefik-public
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8080:8080"
+    deploy:
+      placement:
+        constraints:
+          - node.role == manager
+      resources:
+        limits:
+          memory: 512M
+        reservations:
+          memory: 256M
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.dashboard.rule=Host(`traefik.pressmess.duckdns.org`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
+        - traefik.http.routers.dashboard.service=api@internal
+        - traefik.http.routers.dashboard.entrypoints=websecure
+        - traefik.http.routers.dashboard.tls=true
+        - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
+        - traefik.http.routers.dashboard.middlewares=auth
+        - traefik.http.middlewares.auth.basicauth.users=admin:$$2y$$10$$xvzBkbKKvRX.jGG6F7L.ReEMyEx.7BkqNGQO2rFt/1aBgx8jPElXW
+        - traefik.http.services.dummy-svc.loadbalancer.server.port=9999
+
+volumes:
+  traefik_letsencrypt:
+    driver: local
+  traefik_logs:
+    driver: local
+
+networks:
+  traefik-public:
+    external: true