Split monolithic compose into 5 independent stacks

- docker-compose.infra.yml: core infrastructure (portainer, npm, homepage, wud, etc.)
- docker-compose.media.yml: media stack (arrs, jellyfin, qbittorrent, scrobbling)
- docker-compose.documents.yml: paperless-ngx, onlyoffice, stirling, open-webui
- docker-compose.photo-roms.yml: immich, syncthing, retrom
- docker-compose.utils.yml: gitea, tandoor, speedtest, linkwarden, rustdesk, etc.

Each stack has its own project name (docker-infra, docker-media, etc.) to prevent
orphan warnings. Networks defined in infra.yml, referenced as external by others.
Original preserved as docker-compose.full.yaml.bak.
Updated .gitignore, README, AGENTS.md, and RESTORE.md to reflect new structure.

docker-compose.infra.yml

@@ -0,0 +1,207 @@
+# =============================================================================
+# INFRASTRUCTURE STACK - Core services & shared networks
+# =============================================================================
+# DEPLOYMENT INSTRUCTIONS
+# =============================================================================
+# This is one of multiple compose files in the /docker/ directory.
+#
+# Deploy ALL stacks (from /docker/ directory):
+#   Get-ChildItem docker-compose.*.yml | ForEach-Object { docker compose -f $_ up -d }
+#
+# Deploy this stack only:
+#   docker compose -f docker-compose.infra.yml up -d
+#
+# Stop this stack:
+#   docker compose -f docker-compose.infra.yml down
+#
+# View logs for this stack:
+#   docker compose -f docker-compose.infra.yml logs -f
+#
+# IMPORTANT: Deploy this stack FIRST - it defines the shared networks
+# (media_net, db_net, web_net, internal_net) that all other stacks require.
+# =============================================================================
+
+name: docker-infra
+
+# Common configurations for re-use
+x-logging: &default-logging
+  driver: "json-file"
+  options:
+    max-size: "10m"
+    max-file: "3"
+
+x-security: &default-security
+  security_opt:
+    - no-new-privileges:true
+
+services:
+  portainer:
+    image: portainer/portainer-ce:2.21.5
+    container_name: portainer
+    restart: unless-stopped
+    networks:
+      - web_net
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - portainer_data:/data
+    deploy:
+      resources:
+        limits:
+          memory: 512M
+    logging: *default-logging
+
+  ntopng:
+    image: ntop/ntopng:latest
+    container_name: ntopng
+    restart: unless-stopped
+    network_mode: host
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    command: >
+      --interface=eth0
+      --http-port=3939
+      --disable-login=1
+      --community
+    volumes:
+      - /docker-local/ntopng/data:/var/lib/ntopng
+      - /docker-local/ntopng/redis:/var/lib/redis
+    logging: *default-logging
+
+  whatsupdocker:
+    image: getwud/wud:latest
+    container_name: wud
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./wud/store:/store
+    environment:
+      - WUD_SERVER_ENABLED=true
+      - WUD_REGISTRY_HUB_0_LOGIN=${WUD_REGISTRY_HUB_0_LOGIN}
+      - WUD_REGISTRY_HUB_0_TOKEN=${WUD_REGISTRY_HUB_0_TOKEN}
+      - WUD_REGISTRY_HUB_0_AUTH=true
+      - WUD_REGISTRY_GHCR_0_USERNAME=${WUD_REGISTRY_GHCR_0_USERNAME}
+      - WUD_REGISTRY_GHCR_0_TOKEN=${WUD_REGISTRY_GHCR_0_TOKEN}
+      - WUD_REGISTRY_LSCR_0_USERNAME=${WUD_REGISTRY_GHCR_0_USERNAME}
+      - WUD_REGISTRY_LSCR_0_TOKEN=${WUD_REGISTRY_GHCR_0_TOKEN}
+      - WUD_TRIGGER_MQTT_MOSQUITTO_URL=${MQTT_MOSQUITTO_URL}
+      - WUD_TRIGGER_MQTT_MOSQUITTO_USER=${MQTT_MOSQUITTO_USER}
+      - WUD_TRIGGER_MQTT_MOSQUITTO_PASSWORD=${MQTT_MOSQUITTO_PASSWORD}
+      - WUD_TRIGGER_MQTT_MOSQUITTO_HASS_ENABLED=true
+      - WUD_TRIGGER_MQTT_MOSQUITTO_HASS_PREFIX=homeassistant
+    ports:
+      - 3666:3000
+    healthcheck:
+      test: curl --fail http://localhost:${WUD_SERVER_PORT:-3000}/health || exit 1
+      interval: 10s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+    labels:
+      - 'wud.tag.include=^\d+\.\d+\.\d+$$'
+      - 'wud.link.template=https://github.com/getwud/wud/releases/tag/$${major}.$${minor}.$${patch}'
+
+  homepage:
+    image: ghcr.io/gethomepage/homepage:latest
+    container_name: homepage
+    restart: unless-stopped
+    networks:
+      - web_net
+    ports:
+      - "7575:3000"
+    environment:
+      - PUID=${PUID}
+      - PGID=${PGID}
+      - TZ=${TZ}
+      - HOMEPAGE_ALLOWED_HOSTS=${HOMEPAGE_ALLOWED_HOSTS}
+    volumes:
+      - ./Homepage/config/icons:/app/public/icons
+      - ./Homepage/config/images:/app/public/images
+      - ./Homepage/config:/app/config
+    logging: *default-logging
+
+  dockerproxy:
+    image: ghcr.io/tecnativa/docker-socket-proxy:latest
+    container_name: dockerproxy
+    restart: unless-stopped
+    networks:
+      - internal_net
+    ports:
+      - "127.0.0.1:2375:2375"
+    environment:
+      - CONTAINERS=1
+      - SERVICES=1
+      - TASKS=1
+      - EVENTS=1
+      - PING=1
+      - VERSION=1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    logging: *default-logging
+
+  newt:
+    image: fosrl/newt:latest
+    container_name: newt
+    restart: unless-stopped
+    environment:
+      - PANGOLIN_ENDPOINT=https://png.kansaigaijin.com
+      - NEWT_ID=cuvfw5hnsszh0gc
+      - NEWT_SECRET=iitbnuk2cevm40lt1xtrgmnehce4f2bdk4rnllj6ebeznf6h
+      - LOG_LEVEL=DEBUG
+
+  npm:
+    image: 'jc21/nginx-proxy-manager:latest'
+    container_name: npm
+    restart: unless-stopped
+    ports:
+      - '80:80'
+      - '443:443'
+      - '81:81'
+    environment:
+      DB_MYSQL_HOST: "npm-db"
+      DB_MYSQL_PORT: 3306
+      DB_MYSQL_USER: "npm"
+      DB_MYSQL_PASSWORD: ${NPM_PASSWORD}
+      DB_MYSQL_NAME: "npm"
+    volumes:
+      - ./npm/data:/data
+      - ./npm/letsencrypt:/etc/letsencrypt
+    networks:
+        web_net:
+        db_net:
+    depends_on:
+      - npm-db
+
+  npm-db:
+    image: 'jc21/mariadb-aria:latest'
+    container_name: npm-db
+    restart: unless-stopped
+    environment:
+      MYSQL_ROOT_PASSWORD: ${NPM_PASSWORD}
+      MYSQL_DATABASE: 'npm'
+      MYSQL_USER: 'npm'
+      MYSQL_PASSWORD: ${NPM_PASSWORD}
+    networks:
+        db_net:
+    volumes:
+      - ./npm/mysql:/var/lib/mysql
+
+networks:
+  media_net:
+    name: media_net
+    driver: bridge
+  db_net:
+    name: db_net
+    internal: true
+  web_net:
+    name: web_net
+    driver: bridge
+  internal_net:
+    name: internal_net
+    driver: bridge
+
+volumes:
+  portainer_data: