fix: replace variable bind mounts with hardcoded paths/named volumes

Coolify converts ${VAR}:/path bind mounts to named Docker volumes when
the variable is not resolved. Fixed per stack:

- adguard: -> named volumes (data already in Coolify-created volumes)
- authentik: -> named volumes (data already in Coolify-created volumes)
- gitea: -> /opt/gitea/{postgres,data,runner}
- mail-relay: -> /opt/mail-relay/{queue,opendkim,secrets/...}
- media-server: COMMON_PATH -> /opt/media (hardcoded)
- trilium: -> /opt/trilium/data
- wireguard: -> /opt/wg-easy + /lib/modules

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

adguard/docker-compose.yml

@@ -6,10 +6,10 @@ services:
     restart: unless-stopped
 
     volumes:
-      - ${ADGUARD_WORK_PATH}:/opt/adguardhome/work:Z
+      - adguard-work-path:/opt/adguardhome/work:Z
-      - ${ADGUARD_CONF_PATH}:/opt/adguardhome/conf:Z
+      - adguard-conf-path:/opt/adguardhome/conf:Z
-      - ${ADGUARD_CERT_CRT_PATH}:/certs/adguard.crt:ro,Z
+      - adguard-cert-crt-path:/certs/adguard.crt:ro,Z
-      - ${ADGUARD_CERT_KEY_PATH}:/certs/adguard.key:ro,Z
+      - adguard-cert-key-path:/certs/adguard.key:ro,Z
 
     # Solo DNS/DoT expuestos en el host
     ports:
@@ -25,6 +25,12 @@ services:
     labels:
       traefik.http.services.adguard.loadbalancer.server.port: "${ADGUARD_HTTP_PORT}"
 
+volumes:
+  adguard-work-path:
+  adguard-conf-path:
+  adguard-cert-crt-path:
+  adguard-cert-key-path:
+
 networks:
   proxy:
     external: true

authentik/docker-compose.yml

@@ -8,7 +8,7 @@ services:
       POSTGRES_USER: ${AUTHENTIK_DB_USER}
       POSTGRES_DB: ${AUTHENTIK_DB_NAME}
     volumes:
-      - ${AUTHENTIK_POSTGRES_PATH}:/var/lib/postgresql/data:Z
+      - authentik-postgres-path:/var/lib/postgresql/data:Z
     networks:
       - ths_authentik_internal
 
@@ -18,7 +18,7 @@ services:
     restart: unless-stopped
     command: ["redis-server", "--save", "60", "1", "--loglevel", "warning"]
     volumes:
-      - ${AUTHENTIK_REDIS_PATH}:/data:Z
+      - authentik-redis-path:/data:Z
     networks:
       - ths_authentik_internal
 
@@ -86,6 +86,10 @@ services:
     networks:
       - ths_authentik_internal
 
+volumes:
+  authentik-postgres-path:
+  authentik-redis-path:
+
 networks:
   proxy:
     external: true

gitea/docker-compose.yml

@@ -9,7 +9,7 @@ services:
       POSTGRES_PASSWORD: ${GITEA_DB_PASSWORD}
       TZ: ${TZ}
     volumes:
-      - ${GITEA_POSTGRES_PATH}:/var/lib/postgresql/data:Z
+      - /opt/gitea/postgres:/var/lib/postgresql/data:Z
     networks:
       - gitea
 
@@ -62,7 +62,7 @@ services:
       GITEA__ui__THEMES: ${GITEA_UI_THEMES}
 
     volumes:
-      - ${GITEA_DATA_PATH}:/data:Z
+      - /opt/gitea/data:/data:Z
     networks:
       - gitea
       - proxy
@@ -83,7 +83,7 @@ services:
       GITEA_RUNNER_NAME: ${GITEA_RUNNER_NAME}
       GITEA_RUNNER_LABELS: ${GITEA_RUNNER_LABELS}
     volumes:
-      - ${GITEA_RUNNER_DATA_PATH}:/data:Z
+      - /opt/gitea/runner:/data:Z
       - /var/run/docker.sock:/var/run/docker.sock:Z
     networks:
       - gitea

mail-relay/docker-compose.yml

@@ -31,9 +31,9 @@ services:
       DKIM_SELECTOR: ${MAIL_RELAY_DKIM_SELECTOR}
 
     volumes:
-      - ${MAIL_RELAY_QUEUE_PATH}:/var/spool/postfix:Z
+      - /opt/mail-relay/queue:/var/spool/postfix:Z
-      - ${MAIL_RELAY_DKIM_KEYS_PATH}:/etc/opendkim/keys:Z
+      - /opt/mail-relay/opendkim:/etc/opendkim/keys:Z
-      - ${MAIL_RELAY_PASSWORD_FILE_PATH}:/run/secrets/relayhost_password:ro,Z
+      - /opt/mail-relay/secrets/relayhost_password:/run/secrets/relayhost_password:ro,Z
 
     networks:
       mail_internal:

media-server/docker-compose.yml

@@ -27,7 +27,7 @@ services:
       - PGID=0
       - TZ=${TZ:-Europe/Madrid}
     volumes:
-      - ${COMMON_PATH}/configs/prowlarr:/config:Z
+      - /opt/media/configs/prowlarr:/config:Z
     restart: unless-stopped
     networks:
       - media
@@ -44,7 +44,7 @@ services:
       - PGID=0
       - TZ=${TZ:-Europe/Madrid}
     volumes:
-      - ${COMMON_PATH}/configs/jackett:/config:Z
+      - /opt/media/configs/jackett:/config:Z
     restart: unless-stopped
     networks:
       - media
@@ -61,7 +61,7 @@ services:
       - PGID=0
       - TZ=${TZ:-Europe/Madrid}
     volumes:
-      - ${COMMON_PATH}/configs/sonarr:/config:Z
+      - /opt/media/configs/sonarr:/config:Z
       - /mnt/media/tv:/tv
       - /mnt/media/downloads:/downloads
     restart: unless-stopped
@@ -80,7 +80,7 @@ services:
       - PGID=0
       - TZ=${TZ:-Europe/Madrid}
     volumes:
-      - ${COMMON_PATH}/configs/radarr:/config:Z
+      - /opt/media/configs/radarr:/config:Z
       - /mnt/media/movies:/movies
       - /mnt/media/downloads:/downloads
     restart: unless-stopped
@@ -98,7 +98,7 @@ services:
       - LOG_LEVEL=debug
       - TZ=${TZ:-Europe/Madrid}
     volumes:
-      - ${COMMON_PATH}/configs/jellyseerr:/app/config:Z
+      - /opt/media/configs/jellyseerr:/app/config:Z
     restart: unless-stopped
     networks:
       - media
@@ -116,8 +116,8 @@ services:
       - PGID=0
       - TZ=${TZ:-Europe/Madrid}
     volumes:
-      - ${COMMON_PATH}/configs/jellyfin-vps:/config:Z
+      - /opt/media/configs/jellyfin-vps:/config:Z
-      - ${COMMON_PATH}/jellyfin/cache-vps:/cache:Z
+      - /opt/media/jellyfin/cache-vps:/cache:Z
       - /mnt/media/tv:/data/tvshows
       - /mnt/media/movies:/data/movies
       - /mnt/media/downloads:/data/media_downloads

trilium/docker-compose.yml

@@ -10,7 +10,7 @@ services:
       TZ: ${TZ}
 
     volumes:
-      - ${TRILIUM_DATA_PATH}:/home/node/trilium-data:Z
+      - /opt/trilium/data:/home/node/trilium-data:Z
 
     expose:
       - "${TRILIUM_HTTP_PORT}"

wireguard/docker-compose.yml

@@ -27,8 +27,8 @@ services:
       DISABLE_IPV6: ${DISABLE_IPV6}
 
     volumes:
-      - ${WG_DATA_PATH}:/etc/wireguard:Z
+      - /opt/wg-easy:/etc/wireguard:Z
-      - ${WG_MODULES_PATH}:/lib/modules:ro,Z
+      - /lib/modules:/lib/modules:ro,Z
 
     # Puerto UDP de WireGuard expuesto al mundo
     ports: