diff --git a/backend.md b/backend.md
new file mode 100644
index 0000000..af6ce13
--- /dev/null
+++ b/backend.md
@@ -0,0 +1,309 @@
+## Contents
+1. [*arr apps](#*arr-apps)
+2. [Nginx Proxy Manager](#Nginx-Proxy-Manager)
+ - [Authentik setup](#Authentik-setup)
+3. [Downloaders](#Downloaders)
+ - [Gluetun](#Gluetun)
+4. [Logging](#Logging)
+
+## *arr apps
+> For configuration see [TRaSH-Guides](https://trash-guides.info/)
+
+
+Sonarr
+
+```
+services:
+ sonarr:
+ container_name: sonarr
+ restart: unless-stopped
+ image: ghcr.io/hotio/sonarr
+ ports:
+ - "8989:8989"
+ environment:
+ - PUID=950
+ - PGID=950
+ volumes:
+ - /docker/config/sonarr:/config
+ - /data/media:/data/media
+```
+
+
+
+Radarr
+
+```
+ radarr:
+ container_name: radarr
+ restart: unless-stopped
+ image: ghcr.io/hotio/radarr
+ ports:
+ - "7878:7878"
+ environment:
+ - PUID=950
+ - PGID=950
+ volumes:
+ - /docker/config/radarr:/config
+ - /data/media:/data/media
+```
+
+
+
+Prowlarr
+
+```
+prowlarr:
+ container_name: prowlarr
+ restart: unless-stopped
+ image: ghcr.io/hotio/prowlarr
+ ports:
+ - "9696:9696"
+ environment:
+ - PUID=950
+ - PGID=950
+ volumes:
+ - /docker/config/prowlarr:/config
+```
+
+
+Bazarr
+
+```
+ bazarr:
+ container_name: bazarr
+ restart: unless-stopped
+ image: ghcr.io/hotio/bazarr
+ ports:
+ - "6767:6767"
+ environment:
+ - PUID=950
+ - PGID=950
+ volumes:
+ - /docker/config/bazarr:/config
+ - /data/media:/data/media
+```
+
+
+Doplarr
+
+```
+ doplarr:
+ container_name: doplarr
+ restart: unless-stopped
+ image: ghcr.io/hotio/doplarr:latest
+ env_file:
+ - ./env/doplarr
+ environment:
+ - SONARR__URL=http://sonarr:8989
+ - RADARR__URL=http://radarr:7878
+ - LOG_LEVEL=:report
+```
+
+
+
+## Nginx Proxy Manager
+
+Compose snippet
+
+```
+nginxproxymanager:
+ container_name: nginxpm
+ image: jc21/nginx-proxy-manager:latest
+ restart: unless-stopped
+ ports:
+ - "80:80"
+ - "81:81"
+ - "443:443"
+ - "25565:25565"
+ volumes:
+ - /docker/config/nginxpm:/data
+ - /docker/config/letsencrypt:/etc/letsencrypt
+ - /data/www:/data/www
+```
+
+
+
+### Authentik setup
+> edit [AUTHENTIK IP] and [AUTHENTIK port]
+
+ for proxy services add the following to the advanced section of the proxy host
+
+
+```
+# Increase buffer size for large headers
+# This is needed only if you get 'upstream sent too big header while reading response
+# header from upstream' error when trying to access an application protected by goauthentik
+proxy_buffers 8 16k;
+proxy_buffer_size 32k;
+
+location / {
+ # Put your proxy_pass to your application here
+ proxy_pass $forward_scheme://$server:$port;
+ # #########################################
+ # CUSTOM - START Websocket behind authenticated proxy
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ # END Websockets FIX
+ # #########################################
+
+ # authentik-specific config
+ auth_request /outpost.goauthentik.io/auth/nginx;
+ error_page 401 = @goauthentik_proxy_signin;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+
+ # translate headers from the outposts back to the actual upstream
+ auth_request_set $authentik_username $upstream_http_x_authentik_username;
+ auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+ auth_request_set $authentik_email $upstream_http_x_authentik_email;
+ auth_request_set $authentik_name $upstream_http_x_authentik_name;
+ auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+ proxy_set_header X-authentik-username $authentik_username;
+ proxy_set_header X-authentik-groups $authentik_groups;
+ proxy_set_header X-authentik-email $authentik_email;
+ proxy_set_header X-authentik-name $authentik_name;
+ proxy_set_header X-authentik-uid $authentik_uid;
+}
+
+# all requests to /outpost.goauthentik.io must be accessible without authentication
+location /outpost.goauthentik.io {
+ # ################################
+ # CHANGE IP TO AUTHENTIK IP here.
+ proxy_pass http://[AUTHENTIK IP]:[AUTHENTIK PORT]/outpost.goauthentik.io;
+ # ################################
+ # ensure the host of this vserver matches your external URL you've configured
+ # in authentik
+ proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ add_header Set-Cookie $auth_cookie;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+
+ # required for POST requests to work
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+}
+
+# Special location for when the /auth endpoint returns a 401,
+# redirect to the /start URL which initiates SSO
+location @goauthentik_proxy_signin {
+ internal;
+ add_header Set-Cookie $auth_cookie;
+ return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+ # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
+ # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+}
+```
+
+
+
+## Downloaders
+
+qBittorrent
+
+```
+ gluetun:
+ container_name: gluetun
+ image: qmcgaw/gluetun
+ restart: unless-stopped
+ ports:
+ - "8080:8080"
+ cap_add:
+ - NET_ADMIN
+ env_file:
+ ./env/gluetun
+ environment:
+ - VPN_SERVICE_PROVIDER=airvpn
+ - VPN_TYPE=wireguard
+ - SERVER_COUNTRIES=Canada
+ - LOG_LEVEL=debug
+ - OPENVPN_VERSION=2.4
+ - FIREWALL_VPN_INPUT_PORTS=46575
+ privileged: true
+ devices:
+ - /dev/net/tun:/dev/net/tun
+ qbittorrent:
+ container_name: qbittorrent
+ image: ghcr.io/hotio/qbittorrent
+ restart: unless-stopped
+ network_mode: "service:gluetun"
+ environment:
+ - WEBUI_PORT=8080
+ - PUID=950
+ - PGID=950
+ volumes:
+ - /docker/config/qbittorent:/config
+ - /data/media:/data/media
+```
+
+
+
+### Gluetun
+Gluetun is used to pass qbittorrent connections through a vpn, if that's not necessary for you it can be omitted, just move the port statement to qbittorrent. If using gluetun research your provider on their [wiki](https://github.com/qdm12/gluetun-wiki/tree/main/setup) and edit the env file accordingly
+
+When using gluetun all references to qbittorrent (eg, qbittorrent:8080) must be done through gluetun (eg, gluetun:8080)
+
+
+SABnzbd
+
+```
+ sabnzbd:
+ container_name: sabnzbd
+ image: ghcr.io/hotio/sabnzbd
+ restart: unless-stopped
+ ports:
+ - "8090:8080"
+ environment:
+ - PUID=950
+ - PGID=950
+ volumes:
+ - /docker/config/sabnzbd:/config
+ - /data/media:/data/media
+```
+
+
+
+## Logging
+
+Grafana
+
+```
+grafana:
+ container_name: grafana
+ image: grafana/grafana:latest
+ restart: unless-stopped
+ ports:
+ - "3000:3000"
+```
+
+
+
+Loki
+
+```
+ loki:
+ container_name: loki
+ image: grafana/loki:latest
+ restart: unless-stopped
+ ports:
+ - "3100:3100"
+ volumes:
+ - /docker/config/loki-config.yml:/etc/loki/loki-config.yml
+```
+
+
+
+Promtail
+
+```
+promtail:
+ container_name: promtail
+ image: grafana/promtail:latest
+ restart: unless-stopped
+ volumes:
+ - /docker/config/promtail-config.yml:/etc/promtail/promtail-config.yml
+```
+
+
+