Split monolithic compose into 5 independent stacks

- docker-compose.infra.yml: core infrastructure (portainer, npm, homepage, wud, etc.)
- docker-compose.media.yml: media stack (arrs, jellyfin, qbittorrent, scrobbling)
- docker-compose.documents.yml: paperless-ngx, onlyoffice, stirling, open-webui
- docker-compose.photo-roms.yml: immich, syncthing, retrom
- docker-compose.utils.yml: gitea, tandoor, speedtest, linkwarden, rustdesk, etc.

Each stack has its own project name (docker-infra, docker-media, etc.) to prevent
orphan warnings. Networks defined in infra.yml, referenced as external by others.
Original preserved as docker-compose.full.yaml.bak.
Updated .gitignore, README, AGENTS.md, and RESTORE.md to reflect new structure.

docker-compose.photo-roms.yml

@@ -0,0 +1,178 @@
+# =============================================================================
+# PHOTO & ROM LIBRARY STACK - Photo management, file sync, and ROM library
+# =============================================================================
+# DEPLOYMENT INSTRUCTIONS
+# =============================================================================
+# This is one of multiple compose files in the /docker/ directory.
+#
+# Deploy ALL stacks (from /docker/ directory):
+#   Get-ChildItem docker-compose.*.yml | ForEach-Object { docker compose -f $_ up -d }
+#
+# Deploy this stack only:
+#   docker compose -f docker-compose.photo-roms.yml up -d
+#
+# Stop this stack:
+#   docker compose -f docker-compose.photo-roms.yml down
+#
+# View logs for this stack:
+#   docker compose -f docker-compose.photo-roms.yml logs -f
+#
+# IMPORTANT: Requires infra stack to be deployed first (shared networks).
+# =============================================================================
+
+name: docker-photo-roms
+
+# Common configurations for re-use
+x-logging: &default-logging
+  driver: "json-file"
+  options:
+    max-size: "10m"
+    max-file: "3"
+
+x-security: &default-security
+  security_opt:
+    - no-new-privileges:true
+
+services:
+  immich-server:
+    image: ghcr.io/immich-app/immich-server:release
+    container_name: immich_server
+    restart: unless-stopped
+    networks:
+      - web_net
+      - db_net
+      - internal_net
+    ports:
+      - "2283:2283"
+    environment:
+      - TZ=${TZ}
+      - DB_USERNAME=postgres
+      - DB_PASSWORD=${IMMICH_POSTGRES_PASSWORD}
+      - DB_DATABASE_NAME=immich
+      - DB_HOSTNAME=immich-postgres
+      - REDIS_HOSTNAME=immich-redis
+      - UPLOAD_LOCATION=/data
+    volumes:
+      # LOCAL (SSD) - Config, Thumbs, Profile, and Backups
+      - /docker/immich:/usr/src/app/upload/library
+      - /docker/immich/thumbs:/usr/src/app/upload/thumbs
+      - /docker/immich/profile:/usr/src/app/upload/profile
+      - /docker/immich/backups:/usr/src/app/upload/backups
+      - /docker/immich/encoded-video:/usr/src/app/upload/encoded-video
+      - /docker/immich/upload:/usr/src/app/upload/upload
+    depends_on:
+      immich-postgres:
+        condition: service_healthy
+    logging: *default-logging
+
+  immich-postgres:
+    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0
+    container_name: immich_postgres
+    restart: unless-stopped
+    networks:
+      - db_net
+    environment:
+      - POSTGRES_USER=postgres
+      - POSTGRES_DB=immich
+      - POSTGRES_PASSWORD=${IMMICH_POSTGRES_PASSWORD}
+    volumes:
+      - /docker/immich/postgres:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 10s
+    logging: *default-logging
+    labels:
+      - wud.watch=false
+
+  immich-machine-learning:
+    image: ghcr.io/immich-app/immich-machine-learning:release
+    container_name: immich-machine-learning
+    restart: unless-stopped
+    networks:
+      - internal_net
+    volumes:
+      - /docker/immich/model-cache:/cache
+    logging: *default-logging
+
+  immich-redis:
+    image: valkey/valkey:8-bookworm
+    container_name: immich_redis
+    restart: unless-stopped
+    networks:
+      - internal_net
+    logging: *default-logging
+
+  syncthing:
+    image: syncthing/syncthing
+    container_name: syncthing
+    restart: unless-stopped
+    networks:
+      - web_net
+      - internal_net
+    ports:
+      - "21027:21027/udp"
+      - "22000:22000"
+      - "8384:8384"
+    volumes:
+      - /docker/obsidian/vaults:/var/syncthing/obsidian
+      - /docker/syncthing:/var/syncthing
+    logging: *default-logging
+
+  retrom-db:
+    image: postgres
+    container_name: retrom-db
+    hostname: retrom-db
+    restart: always
+    shm_size: 128mb
+    ports:
+      - 5432:5432
+    environment:
+      TZ: "America/Los_Angeles"
+      PGTZ: "America/Los_Angeles"
+      POSTGRES_PASSWORD: ${DB_PASS:-password}
+      POSTGRES_USER: ${DB_USER:-postgres}
+      POSTGRES_DB: ${DB_NAME:-retrom-dev}
+
+  retrom-adminer:
+    container_name: retrom-adminer
+    image: adminer
+    restart: always
+    ports:
+      - 8080:8080
+
+  retrom:
+    container_name: retrom
+    hostname: retrom
+    image: ghcr.io/jmberesford/retrom-service:latest
+    ulimits:
+      nofile:
+        hard: 65536
+        soft: 65536
+    ports:
+      - 5111:5101
+    volumes:
+      - /mnt/nas-storage/data/media/romms:/app/library
+      - ./retrom/config:/app/config/
+      - ./retrom/data:/app/data/
+    depends_on:
+      - retrom-db
+
+  retrom-jaeger:
+    image: jaegertracing/jaeger:2.2.0
+    ports:
+      - 16686:16686
+      - 4317:4317
+      - 4318:4318
+      - 5778:5778
+      - 9411:9411
+
+networks:
+  web_net:
+    name: web_net
+    external: true
+  db_net:
+    name: db_net
+    external: true
+  internal_net:
+    name: internal_net
+    external: true