fix: Fix VERSION expansion in Dockerfile

Use workflow_run trigger to wait for "Upload Python Package" workflow
to complete successfully before building the Docker image. This ensures
the version is available on PyPI when uv tries to install it.

.github/workflows/ci.yml

@@ -50,11 +50,5 @@ jobs:
       - name: Install dependencies
         run: uv sync --all-extras --dev
 
-      - name: Run ruff check
-        run: uv run ruff check .
-
-      - name: Run ruff format check
-        run: uv run ruff format --check .
-
-      - name: Run mypy
-        run: uv run mypy src/compose_farm
+      - name: Run pre-commit (via prek)
+        uses: j178/prek-action@v1

.github/workflows/docker.yml

@@ -0,0 +1,76 @@
+name: Build and Push Docker Image
+
+on:
+  workflow_run:
+    workflows: ["Upload Python Package"]
+    types: [completed]
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to build (leave empty for latest)'
+        required: false
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    # Only run if PyPI upload succeeded (or manual dispatch)
+    if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract version
+        id: version
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_run" ]; then
+            # Get version from the tag that triggered the release
+            VERSION="${{ github.event.workflow_run.head_branch }}"
+            # Strip 'v' prefix if present
+            VERSION="${VERSION#v}"
+          elif [ -n "${{ github.event.inputs.version }}" ]; then
+            VERSION="${{ github.event.inputs.version }}"
+          else
+            VERSION=""
+          fi
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}},value=v${{ steps.version.outputs.version }}
+            type=semver,pattern={{major}}.{{minor}},value=v${{ steps.version.outputs.version }}
+            type=semver,pattern={{major}},value=v${{ steps.version.outputs.version }}
+            type=raw,value=latest
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            VERSION=${{ steps.version.outputs.version }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.pre-commit-config.yaml

@@ -10,7 +10,7 @@ repos:
       - id: debug-statements
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.8.4
+    rev: v0.14.9
     hooks:
       - id: ruff
         args: [--fix]

CLAUDE.md

@@ -10,19 +10,27 @@
 
 ```
 compose_farm/
-├── config.py  # Pydantic models, YAML loading
-├── ssh.py     # asyncssh execution, streaming
-└── cli.py     # Typer commands
+├── cli.py         # Typer commands (thin layer, delegates to operations)
+├── config.py      # Pydantic models, YAML loading
+├── compose.py     # Compose file parsing (.env, ports, volumes, networks)
+├── console.py     # Shared Rich console instances
+├── executor.py    # SSH/local command execution, streaming output
+├── operations.py  # Business logic (up, migrate, discover, preflight checks)
+├── state.py       # Deployment state tracking (which service on which host)
+├── logs.py        # Image digest snapshots (dockerfarm-log.toml)
+└── traefik.py     # Traefik file-provider config generation from labels
 ```
 
 ## Key Design Decisions
 
-1. **asyncssh over Paramiko/Fabric**: Native async support, built-in streaming
+1. **Hybrid SSH approach**: asyncssh for parallel streaming with prefixes; native `ssh -t` for raw mode (progress bars)
 2. **Parallel by default**: Multiple services run concurrently via `asyncio.gather`
-3. **Streaming output**: Real-time stdout/stderr with `[service]` prefix
+3. **Streaming output**: Real-time stdout/stderr with `[service]` prefix using Rich
 4. **SSH key auth only**: Uses ssh-agent, no password handling (YAGNI)
 5. **NFS assumption**: Compose files at same path on all hosts
-6. **Local execution**: When host is `localhost`/`local`, skip SSH and run locally
+6. **Local IP auto-detection**: Skips SSH when target host matches local machine's IP
+7. **State tracking**: Tracks where services are deployed for auto-migration
+8. **Pre-flight checks**: Verifies NFS mounts and Docker networks exist before starting/migrating
 
 ## Communication Notes
 
@@ -36,12 +44,19 @@ compose_farm/
 
 ## Commands Quick Reference
 
-| Command | Docker Compose Equivalent |
-|---------|--------------------------|
-| `up`    | `docker compose up -d`   |
-| `down`  | `docker compose down`    |
-| `pull`  | `docker compose pull`    |
-| `restart` | `down` + `up -d`       |
+CLI available as `cf` or `compose-farm`.
+
+| Command | Description |
+|---------|-------------|
+| `up`    | Start services (`docker compose up -d`), auto-migrates if host changed. Use `--migrate` for auto-detection |
+| `down`  | Stop services (`docker compose down`) |
+| `pull`  | Pull latest images |
+| `restart` | `down` + `up -d` |
 | `update` | `pull` + `down` + `up -d` |
-| `logs`  | `docker compose logs`    |
-| `ps`    | `docker compose ps`      |
+| `logs`  | Show service logs |
+| `ps`    | Show status of all services |
+| `stats` | Show overview (hosts, services, pending migrations; `--live` for container counts) |
+| `sync`  | Discover running services, update state, capture image digests |
+| `check` | Validate config, traefik labels, mounts, networks; show host compatibility |
+| `init-network` | Create Docker network on hosts with consistent subnet/gateway |
+| `traefik-file` | Generate Traefik file-provider config from compose labels |

Dockerfile

@@ -0,0 +1,16 @@
+# syntax=docker/dockerfile:1
+FROM ghcr.io/astral-sh/uv:python3.14-alpine
+
+# Install SSH client (required for remote host connections)
+RUN apk add --no-cache openssh-client
+
+# Install compose-farm from PyPI
+ARG VERSION
+RUN uv tool install compose-farm${VERSION:+==$VERSION}
+
+# Add uv tool bin to PATH
+ENV PATH="/root/.local/bin:$PATH"
+
+# Default entrypoint
+ENTRYPOINT ["cf"]
+CMD ["--help"]

PLAN.md

@@ -1,35 +0,0 @@
-# Compose Farm – Traefik Multihost Ingress Plan
-
-## Goal
-Generate a Traefik file-provider fragment from existing docker-compose Traefik labels (no config duplication) so a single front-door Traefik on 192.168.1.66 with wildcard `*.lab.mydomain.org` can route to services running on other hosts. Keep the current simplicity (SSH + docker compose); no Swarm/K8s.
-
-## Requirements
-- Traefik stays on main host; keep current `dynamic.yml` and Docker provider for local containers.
-- Add a watched directory provider (any path works) and load a generated fragment (e.g., `compose-farm.generated.yml`).
-- No edits to compose files: reuse existing `traefik.*` labels as the single source of truth; Compose Farm only reads them.
-- Generator infers routing from labels and reachability from `ports:` mappings; prefer host-published ports so Traefik can reach services across hosts. Upstreams point to `<host address>:<published host port>`; warn if no published port is found.
-- Only minimal data in `compose-farm.yaml`: hosts map and service→host mapping (already present).
-- No new orchestration/discovery layers; respect KISS/YAGNI/DRY.
-
-## Non-Goals
-- No Swarm/Kubernetes adoption.
-- No global Docker provider across hosts.
-- No health checks/service discovery layer.
-
-## Current State (Dec 2025)
-- Compose Farm: Typer CLI wrapping `docker compose` over SSH; config in `compose-farm.yaml`; parallel by default; snapshot/log tooling present.
-- Traefik: single instance on 192.168.1.66, wildcard `*.lab.mydomain.org`, Docker provider for local services, file provider via `dynamic.yml` already in use.
-
-## Proposed Implementation Steps
-1) Add generator command: `compose-farm traefik-file --output <path>`.
-2) Resolve per-service host from `compose-farm.yaml`; read compose file at `{compose_dir}/{service}/docker-compose.yml`.
-3) Parse `traefik.*` labels to build routers/services/middlewares as in compose; map container port to published host port (from `ports:`) to form upstream URLs with host address.
-4) Emit file-provider YAML to the watched directory (recommended default: `/mnt/data/traefik/dynamic.d/compose-farm.generated.yml`, but user chooses via `--output`).
-5) Warnings: if no published port is found, warn that cross-host reachability requires L3 reachability to container IPs.
-6) Tests: label parsing, port mapping, YAML render; scenario with published port; scenario without published port.
-7) Docs: update README/CLAUDE to describe directory provider flags and the generator workflow; note that compose files remain unchanged.
-
-## Open Questions
-- How to derive target host address: use `hosts.<name>.address` verbatim, or allow override per service? (Default: use host address.)
-- Should we support multiple hosts/backends per service for LB/HA? (Start with single server.)
-- Where to store generated file by default? (Default to user-specified `--output`; maybe fallback to `./compose-farm-traefik.yml`.)

README.md

@@ -1,5 +1,12 @@
 # Compose Farm
 
+[![PyPI](https://img.shields.io/pypi/v/compose-farm)](https://pypi.org/project/compose-farm/)
+[![Python](https://img.shields.io/pypi/pyversions/compose-farm)](https://pypi.org/project/compose-farm/)
+[![License](https://img.shields.io/github/license/basnijholt/compose-farm)](LICENSE)
+[![GitHub stars](https://img.shields.io/github/stars/basnijholt/compose-farm)](https://github.com/basnijholt/compose-farm/stargazers)
+
+<img src="http://files.nijho.lt/compose-farm.png" align="right" style="width: 300px;" />
+
 A minimal CLI tool to run Docker Compose commands across multiple hosts via SSH.
 
 > [!NOTE]
@@ -9,44 +16,79 @@ A minimal CLI tool to run Docker Compose commands across multiple hosts via SSH.
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 
 - [Why Compose Farm?](#why-compose-farm)
-- [Key Assumption: Shared Storage](#key-assumption-shared-storage)
+- [How It Works](#how-it-works)
+- [Requirements](#requirements)
 - [Limitations & Best Practices](#limitations--best-practices)
   - [What breaks when you move a service](#what-breaks-when-you-move-a-service)
   - [Best practices](#best-practices)
   - [What Compose Farm doesn't do](#what-compose-farm-doesnt-do)
 - [Installation](#installation)
 - [Configuration](#configuration)
+  - [Multi-Host Services](#multi-host-services)
 - [Usage](#usage)
   - [Auto-Migration](#auto-migration)
 - [Traefik Multihost Ingress (File Provider)](#traefik-multihost-ingress-file-provider)
-- [Requirements](#requirements)
-- [How It Works](#how-it-works)
+- [Comparison with Alternatives](#comparison-with-alternatives)
 - [License](#license)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
 ## Why Compose Farm?
 
-I run 100+ Docker Compose stacks on an LXC container that frequently runs out of memory. I needed a way to distribute services across multiple machines without the complexity of:
+I used to run 100+ Docker Compose stacks on a single machine that kept running out of memory. I needed a way to distribute services across multiple machines without the complexity of:
 
 - **Kubernetes**: Overkill for my use case. I don't need pods, services, ingress controllers, or YAML manifests 10x the size of my compose files.
 - **Docker Swarm**: Effectively in maintenance mode—no longer being invested in by Docker.
 
-**Compose Farm is intentionally simple**: one YAML config mapping services to hosts, and a CLI that runs `docker compose` commands over SSH. That's it.
+Both require changes to your compose files. **Compose Farm requires zero changes**—your existing `docker-compose.yml` files work as-is.
 
-## Key Assumption: Shared Storage
+I also wanted a declarative setup—one config file that defines where everything runs. Change the config, run `up`, and services migrate automatically. See [Comparison with Alternatives](#comparison-with-alternatives) for how this compares to other approaches.
 
-Compose Farm assumes **all your compose files are accessible at the same path on all hosts**. This is typically achieved via:
+<p align="center">
+<a href="https://xkcd.com/927/">
+<img src="https://imgs.xkcd.com/comics/standards.png" alt="xkcd: Standards" width="400" />
+</a>
+</p>
+
+Before you say it—no, this is not a new standard. I changed nothing about my existing setup. When I added more hosts, I just mounted my drives at the same paths, and everything worked. You can do all of this manually today—SSH into a host and run `docker compose up`.
+
+Compose Farm just automates what you'd do by hand:
+- Runs `docker compose` commands over SSH
+- Tracks which service runs on which host
+- Auto-migrates services when you change the host assignment
+- Generates Traefik file-provider config for cross-host routing
+
+**It's a convenience wrapper, not a new paradigm.**
+
+## How It Works
+
+1. You run `cf up plex`
+2. Compose Farm looks up which host runs `plex` (e.g., `server-1`)
+3. It SSHs to `server-1` (or runs locally if `localhost`)
+4. It executes `docker compose -f /opt/compose/plex/docker-compose.yml up -d`
+5. Output is streamed back with `[plex]` prefix
+
+That's it. No orchestration, no service discovery, no magic.
+
+## Requirements
+
+- Python 3.11+ (we recommend [uv](https://docs.astral.sh/uv/) for installation)
+- SSH key-based authentication to your hosts (uses ssh-agent)
+- Docker and Docker Compose installed on all target hosts
+- **Shared storage**: All compose files must be accessible at the same path on all hosts
+- **Docker networks**: External networks must exist on all hosts (use `cf init-network` to create)
+
+Compose Farm assumes your compose files are accessible at the same path on all hosts. This is typically achieved via:
 
 - **NFS mount** (e.g., `/opt/compose` mounted from a NAS)
 - **Synced folders** (e.g., Syncthing, rsync)
 - **Shared filesystem** (e.g., GlusterFS, Ceph)
 
 ```
-# Example: NFS mount on all hosts
-nas:/volume1/compose  →  /opt/compose (on nas01)
-nas:/volume1/compose  →  /opt/compose (on nas02)
-nas:/volume1/compose  →  /opt/compose (on nas03)
+# Example: NFS mount on all Docker hosts
+nas:/volume1/compose  →  /opt/compose (on server-1)
+nas:/volume1/compose  →  /opt/compose (on server-2)
+nas:/volume1/compose  →  /opt/compose (on server-3)
 ```
 
 Compose Farm simply runs `docker compose -f /opt/compose/{service}/docker-compose.yml` on the appropriate host—it doesn't copy or sync files.
@@ -85,11 +127,27 @@ If you need containers on different hosts to communicate seamlessly, you need Do
 ## Installation
 
 ```bash
-pip install compose-farm
+uv tool install compose-farm
 # or
-uv pip install compose-farm
+pip install compose-farm
 ```
 
+<details><summary>🐳 Docker</summary>
+
+```bash
+docker run --rm \
+  -v $SSH_AUTH_SOCK:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent \
+  -v ./compose-farm.yaml:/root/.config/compose-farm/compose-farm.yaml:ro \
+  ghcr.io/basnijholt/compose-farm up --all
+```
+
+Or create an alias:
+```bash
+alias cf='docker run --rm -v $SSH_AUTH_SOCK:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent -v ./compose-farm.yaml:/root/.config/compose-farm/compose-farm.yaml:ro ghcr.io/basnijholt/compose-farm'
+```
+
+</details>
+
 ## Configuration
 
 Create `~/.config/compose-farm/compose-farm.yaml` (or `./compose-farm.yaml` in your working directory):
@@ -98,74 +156,138 @@ Create `~/.config/compose-farm/compose-farm.yaml` (or `./compose-farm.yaml` in y
 compose_dir: /opt/compose  # Must be the same path on all hosts
 
 hosts:
-  nas01:
+  server-1:
     address: 192.168.1.10
     user: docker
-  nas02:
+  server-2:
     address: 192.168.1.11
     # user defaults to current user
   local: localhost  # Run locally without SSH
 
 services:
-  plex: nas01
-  jellyfin: nas02
-  sonarr: nas01
+  plex: server-1
+  jellyfin: server-2
+  sonarr: server-1
   radarr: local  # Runs on the machine where you invoke compose-farm
+
+  # Multi-host services (run on multiple/all hosts)
+  autokuma: all              # Runs on ALL configured hosts
+  dozzle: [server-1, server-2]  # Explicit list of hosts
 ```
 
 Compose files are expected at `{compose_dir}/{service}/compose.yaml` (also supports `compose.yml`, `docker-compose.yml`, `docker-compose.yaml`).
 
+### Multi-Host Services
+
+Some services need to run on every host. This is typically required for tools that access **host-local resources** like the Docker socket (`/var/run/docker.sock`), which cannot be accessed remotely without security risks.
+
+Common use cases:
+- **AutoKuma** - auto-creates Uptime Kuma monitors from container labels (needs local Docker socket)
+- **Dozzle** - real-time log viewer (needs local Docker socket)
+- **Promtail/Alloy** - log shipping agents (needs local Docker socket and log files)
+- **node-exporter** - Prometheus host metrics (needs access to host /proc, /sys)
+
+This is the same pattern as Docker Swarm's `deploy.mode: global`.
+
+Use the `all` keyword or an explicit list:
+
+```yaml
+services:
+  # Run on all configured hosts
+  autokuma: all
+  dozzle: all
+
+  # Run on specific hosts
+  node-exporter: [server-1, server-2, server-3]
+```
+
+When you run `cf up autokuma`, it starts the service on all hosts in parallel. Multi-host services:
+- Are excluded from migration logic (they always run everywhere)
+- Show output with `[service@host]` prefix for each host
+- Track all running hosts in state
+
 ## Usage
 
+The CLI is available as both `compose-farm` and the shorter `cf` alias.
+
+| Command | Description |
+|---------|-------------|
+| `cf up <svc>` | Start service (auto-migrates if host changed) |
+| `cf down <svc>` | Stop service |
+| `cf restart <svc>` | down + up |
+| `cf update <svc>` | pull + down + up |
+| `cf pull <svc>` | Pull latest images |
+| `cf logs -f <svc>` | Follow logs |
+| `cf ps` | Show status of all services |
+| `cf sync` | Discover running services + capture image digests |
+| `cf check` | Validate config, mounts, networks |
+| `cf init-network` | Create Docker network on hosts |
+| `cf traefik-file` | Generate Traefik file-provider config |
+
+All commands support `--all` to operate on all services.
+
 ```bash
 # Start services (auto-migrates if host changed in config)
-compose-farm up plex jellyfin
-compose-farm up --all
+cf up plex jellyfin
+cf up --all
+cf up --migrate        # only services needing migration (state ≠ config)
 
 # Stop services
-compose-farm down plex
+cf down plex
 
 # Pull latest images
-compose-farm pull --all
+cf pull --all
 
 # Restart (down + up)
-compose-farm restart plex
+cf restart plex
 
 # Update (pull + down + up) - the end-to-end update command
-compose-farm update --all
+cf update --all
 
 # Sync state with reality (discovers running services + captures image digests)
-compose-farm sync              # updates state.yaml and dockerfarm-log.toml
-compose-farm sync --dry-run    # preview without writing
+cf sync              # updates state.yaml and dockerfarm-log.toml
+cf sync --dry-run    # preview without writing
+
+# Validate config, traefik labels, mounts, and networks
+cf check                 # full validation (includes SSH checks)
+cf check --local         # fast validation (skip SSH)
+cf check jellyfin        # check service + show which hosts can run it
+
+# Create Docker network on new hosts (before migrating services)
+cf init-network nuc hp   # create mynetwork on specific hosts
+cf init-network          # create on all hosts
 
 # View logs
-compose-farm logs plex
-compose-farm logs -f plex  # follow
+cf logs plex
+cf logs -f plex  # follow
 
 # Show status
-compose-farm ps
+cf ps
 ```
 
 ### Auto-Migration
 
 When you change a service's host assignment in config and run `up`, Compose Farm automatically:
-1. Runs `down` on the old host
-2. Runs `up -d` on the new host
-3. Updates state tracking
+1. Checks that required mounts and networks exist on the new host (aborts if missing)
+2. Runs `down` on the old host
+3. Runs `up -d` on the new host
+4. Updates state tracking
+
+Use `cf up --migrate` (or `-m`) to automatically find and migrate all services where the current state differs from config—no need to list them manually.
 
 ```yaml
-# Before: plex runs on nas01
+# Before: plex runs on server-1
 services:
-  plex: nas01
+  plex: server-1
 
-# After: change to nas02, then run `compose-farm up plex`
+# After: change to server-2, then run `cf up plex`
 services:
-  plex: nas02  # Compose Farm will migrate automatically
+  plex: server-2  # Compose Farm will migrate automatically
 ```
 
 ## Traefik Multihost Ingress (File Provider)
 
-If you run a single Traefik instance on one “front‑door” host and want it to route to
+If you run a single Traefik instance on one "front‑door" host and want it to route to
 Compose Farm services on other hosts, Compose Farm can generate a Traefik file‑provider
 fragment from your existing compose labels.
 
@@ -174,11 +296,11 @@ fragment from your existing compose labels.
 - Your `docker-compose.yml` remains the source of truth. Put normal `traefik.*` labels on
   the container you want exposed.
 - Labels and port specs may use `${VAR}` / `${VAR:-default}`; Compose Farm resolves these
-  using the stack’s `.env` file and your current environment, just like Docker Compose.
+  using the stack's `.env` file and your current environment, just like Docker Compose.
 - Publish a host port for that container (via `ports:`). The generator prefers
   host‑published ports so Traefik can reach the service across hosts; if none are found,
-  it warns and you’d need L3 reachability to container IPs.
-- If a router label doesn’t specify `traefik.http.routers.<name>.service` and there’s only
+  it warns and you'd need L3 reachability to container IPs.
+- If a router label doesn't specify `traefik.http.routers.<name>.service` and there's only
   one Traefik service defined on that container, Compose Farm wires the router to it.
 - `compose-farm.yaml` stays unchanged: just `hosts` and `services: service → host`.
 
@@ -211,7 +333,7 @@ providers:
 **Generate the fragment**
 
 ```bash
-compose-farm traefik-file --all --output /mnt/data/traefik/dynamic.d/compose-farm.yml
+cf traefik-file --all --output /mnt/data/traefik/dynamic.d/compose-farm.yml
 ```
 
 Re‑run this after changing Traefik labels, moving a service to another host, or changing
@@ -230,15 +352,15 @@ traefik_service: traefik  # skip services on same host (docker provider handles
 hosts:
   # ...
 services:
-  traefik: nas01  # Traefik runs here
-  plex: nas02     # Services on other hosts get file-provider entries
+  traefik: server-1  # Traefik runs here
+  plex: server-2     # Services on other hosts get file-provider entries
   # ...
 ```
 
 The `traefik_service` option specifies which service runs Traefik. Services on the same host
 are skipped in the file-provider config since Traefik's docker provider handles them directly.
 
-Now `compose-farm up plex` will update the Traefik config automatically—no separate
+Now `cf up plex` will update the Traefik config automatically—no separate
 `traefik-file` command needed.
 
 **Combining with existing config**
@@ -249,7 +371,7 @@ directory and Traefik will merge all files:
 ```bash
 mkdir -p /opt/traefik/dynamic.d
 mv /opt/traefik/dynamic.yml /opt/traefik/dynamic.d/manual.yml
-compose-farm traefik-file --all -o /opt/traefik/dynamic.d/compose-farm.yml
+cf traefik-file --all -o /opt/traefik/dynamic.d/compose-farm.yml
 ```
 
 Update your Traefik config to use directory watching instead of a single file:
@@ -263,22 +385,30 @@ Update your Traefik config to use directory watching instead of a single file:
 - --providers.file.watch=true
 ```
 
-## Requirements
+## Comparison with Alternatives
 
-- Python 3.11+
-- SSH key-based authentication to your hosts (uses ssh-agent)
-- Docker and Docker Compose installed on all target hosts
-- **Shared storage**: All compose files at the same path on all hosts (NFS, Syncthing, etc.)
+There are many ways to run containers on multiple hosts. Here is where Compose Farm sits:
 
-## How It Works
+| | Docker Contexts | K8s / Swarm | Ansible / Terraform | Portainer / Coolify | Compose Farm |
+|---|:---:|:---:|:---:|:---:|:---:|
+| No compose rewrites | ✅ | ❌ | ✅ | ✅ | ✅ |
+| Version controlled | ✅ | ✅ | ✅ | ❌ | ✅ |
+| State tracking | ❌ | ✅ | ✅ | ✅ | ✅ |
+| Auto-migration | ❌ | ✅ | ❌ | ❌ | ✅ |
+| Interactive CLI | ❌ | ❌ | ❌ | ❌ | ✅ |
+| Parallel execution | ❌ | ✅ | ✅ | ✅ | ✅ |
+| Agentless | ✅ | ❌ | ✅ | ❌ | ✅ |
+| High availability | ❌ | ✅ | ❌ | ❌ | ❌ |
 
-1. You run `compose-farm up plex`
-2. Compose Farm looks up which host runs `plex` (e.g., `nas01`)
-3. It SSHs to `nas01` (or runs locally if `localhost`)
-4. It executes `docker compose -f /opt/compose/plex/docker-compose.yml up -d`
-5. Output is streamed back with `[plex]` prefix
+**Docker Contexts** — You can use `docker context create remote ssh://...` and `docker compose --context remote up`. But it's manual: you must remember which host runs which service, there's no global view, no parallel execution, and no auto-migration.
 
-That's it. No orchestration, no service discovery, no magic.
+**Kubernetes / Docker Swarm** — Full orchestration that abstracts away the hardware. But they require cluster initialization, separate control planes, and often rewriting compose files. They introduce complexity (consensus, overlay networks) unnecessary for static "pet" servers.
+
+**Ansible / Terraform** — Infrastructure-as-Code tools that can SSH in and deploy containers. But they're push-based configuration management, not interactive CLIs. Great for setting up state, clumsy for day-to-day operations like `cf logs -f` or quickly restarting a service.
+
+**Portainer / Coolify** — Web-based management UIs. But they're UI-first and often require agents on your servers. Compose Farm is CLI-first and agentless.
+
+**Compose Farm is the middle ground:** a robust CLI that productizes the manual SSH pattern. You get the "cluster feel" (unified commands, state tracking) without the "cluster cost" (complexity, agents, control planes).
 
 ## License
 

compose-farm.example.yaml

@@ -3,23 +3,28 @@
 
 compose_dir: /opt/compose
 
+# Optional: Auto-regenerate Traefik file-provider config after up/down/restart/update
+traefik_file: /opt/traefik/dynamic.d/compose-farm.yml
+traefik_service: traefik  # Skip services on same host (docker provider handles them)
+
 hosts:
   # Full form with all options
-  nas01:
+  server-1:
     address: 192.168.1.10
     user: docker
     port: 22
 
   # Short form (just address, user defaults to current user)
-  nas02: 192.168.1.11
+  server-2: 192.168.1.11
 
   # Local execution (no SSH)
   local: localhost
 
 services:
   # Map service names to hosts
-  # Compose file expected at: {compose_dir}/{service}/docker-compose.yml
-  plex: nas01
-  jellyfin: nas02
-  sonarr: nas01
-  radarr: nas02
+  # Compose file expected at: {compose_dir}/{service}/compose.yaml
+  traefik: server-1    # Traefik runs here
+  plex: server-2       # Services on other hosts get file-provider entries
+  jellyfin: server-2
+  sonarr: server-1
+  radarr: local

docs/dev/future-improvements.md

@@ -0,0 +1,128 @@
+# Future Improvements
+
+Low-priority improvements identified during code review. These are not currently causing issues but could be addressed if they become pain points.
+
+## 1. State Module Efficiency (LOW)
+
+**Current:** Every state operation reads and writes the entire file.
+
+```python
+def set_service_host(config, service, host):
+    state = load_state(config)   # Read file
+    state[service] = host
+    save_state(config, state)    # Write file
+```
+
+**Impact:** With 87 services, this is fine. With 1000+, it would be slow.
+
+**Potential fix:** Add batch operations:
+```python
+def update_state(config, updates: dict[str, str | None]) -> None:
+    """Batch update: set services to hosts, None means remove."""
+    state = load_state(config)
+    for service, host in updates.items():
+        if host is None:
+            state.pop(service, None)
+        else:
+            state[service] = host
+    save_state(config, state)
+```
+
+**When to do:** Only if state operations become noticeably slow.
+
+---
+
+## 2. Remote-Aware Compose Path Resolution (LOW)
+
+**Current:** `config.get_compose_path()` checks if files exist on the local filesystem:
+
+```python
+def get_compose_path(self, service: str) -> Path:
+    for filename in ("compose.yaml", "compose.yml", ...):
+        candidate = service_dir / filename
+        if candidate.exists():  # Local check!
+            return candidate
+```
+
+**Why this works:** NFS/shared storage means local = remote.
+
+**Why it could break:** If running compose-farm from a machine without the NFS mount, it returns `compose.yaml` (the default) even if `docker-compose.yml` exists on the remote host.
+
+**Potential fix:** Query the remote host for file existence, or accept this limitation and document it.
+
+**When to do:** Only if users need to run compose-farm from non-NFS machines.
+
+---
+
+## 3. Add Integration Tests for CLI Commands (MEDIUM)
+
+**Current:** No integration tests for the actual CLI commands. Tests cover the underlying functions but not the Typer commands themselves.
+
+**Potential fix:** Add integration tests using `CliRunner` from Typer:
+
+```python
+from typer.testing import CliRunner
+from compose_farm.cli import app
+
+runner = CliRunner()
+
+def test_check_command_validates_config():
+    result = runner.invoke(app, ["check", "--local"])
+    assert result.exit_code == 0
+```
+
+**When to do:** When CLI behavior becomes complex enough to warrant dedicated testing.
+
+---
+
+## 4. Add Tests for operations.py (MEDIUM)
+
+**Current:** Operations module has 30% coverage. Most logic is tested indirectly through test_sync.py.
+
+**Potential fix:** Add dedicated tests for:
+- `up_services()` with migration scenarios
+- `preflight_check()`
+- `check_host_compatibility()`
+
+**When to do:** When adding new operations or modifying migration logic.
+
+---
+
+## 5. Consider Structured Logging (LOW)
+
+**Current:** Operations print directly to console using Rich. This couples the operations module to the Rich library.
+
+**Potential fix:** Use Python's logging module with a custom Rich handler:
+
+```python
+import logging
+
+logger = logging.getLogger(__name__)
+
+# In operations:
+logger.info("Migrating %s from %s to %s", service, old_host, new_host)
+
+# In cli.py - configure Rich handler:
+from rich.logging import RichHandler
+logging.basicConfig(handlers=[RichHandler()])
+```
+
+**Benefits:**
+- Operations become testable without capturing stdout
+- Logs can be redirected to files
+- Log levels provide filtering
+
+**When to do:** Only if console output coupling becomes a problem for testing or extensibility.
+
+---
+
+## Design Decisions to Keep
+
+These patterns are working well and should be preserved:
+
+1. **asyncio + asyncssh** - Solid async foundation
+2. **Pydantic models** - Clean validation
+3. **Rich for output** - Good UX
+4. **Test structure** - Good coverage
+5. **Module separation** - cli/operations/executor/compose pattern
+6. **KISS principle** - Don't over-engineer

docs/truenas-nested-nfs.md

@@ -0,0 +1,169 @@
+# TrueNAS NFS: Accessing Child ZFS Datasets
+
+When NFS-exporting a parent ZFS dataset on TrueNAS, child datasets appear as **empty directories** to NFS clients. This document explains the problem and provides a workaround.
+
+## The Problem
+
+TrueNAS structures storage as ZFS datasets. A common pattern is:
+
+```
+tank/data              <- parent dataset (NFS exported)
+tank/data/app1         <- child dataset
+tank/data/app2         <- child dataset
+```
+
+When you create an NFS share for `tank/data`, clients mount it and see the `app1/` and `app2/` directories—but they're empty. This happens because each ZFS dataset is a separate filesystem, and NFS doesn't traverse into child filesystems by default.
+
+## The Solution: `crossmnt`
+
+The NFS `crossmnt` export option tells the server to allow clients to traverse into child filesystems. However, TrueNAS doesn't expose this option in the UI.
+
+### Workaround Script
+
+This Python script injects `crossmnt` into `/etc/exports`:
+
+```python
+#!/usr/bin/env python3
+"""
+Add crossmnt to TrueNAS NFS exports for child dataset visibility.
+
+Usage: fix-nfs-crossmnt.py /mnt/pool/dataset
+
+Setup:
+  1. scp fix-nfs-crossmnt.py root@truenas.local:/root/
+  2. chmod +x /root/fix-nfs-crossmnt.py
+  3. Test: /root/fix-nfs-crossmnt.py /mnt/pool/dataset
+  4. Add cron job: TrueNAS UI > System > Advanced > Cron Jobs
+     Command: /root/fix-nfs-crossmnt.py /mnt/pool/dataset
+     Schedule: */5 * * * *
+"""
+
+import re
+import subprocess
+import sys
+from pathlib import Path
+
+EXPORTS_FILE = Path("/etc/exports")
+
+
+def main():
+    if len(sys.argv) != 2:
+        print(f"Usage: {sys.argv[0]} /mnt/pool/dataset", file=sys.stderr)
+        return 1
+
+    export_path = sys.argv[1]
+    content = EXPORTS_FILE.read_text()
+
+    if f'"{export_path}"' not in content:
+        print(f"ERROR: {export_path} not found in {EXPORTS_FILE}", file=sys.stderr)
+        return 1
+
+    lines = content.splitlines()
+    result = []
+    in_block = False
+    modified = False
+
+    for line in lines:
+        if f'"{export_path}"' in line:
+            in_block = True
+        elif line.startswith('"'):
+            in_block = False
+
+        if in_block and line[:1] in (" ", "\t") and "crossmnt" not in line:
+            line = re.sub(r"\)(\\\s*)?$", r",crossmnt)\1", line)
+            modified = True
+
+        result.append(line)
+
+    if not modified:
+        return 0  # Already applied
+
+    EXPORTS_FILE.write_text("\n".join(result) + "\n")
+    subprocess.run(["exportfs", "-ra"], check=True)
+    print(f"Added crossmnt to {export_path}")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())
+```
+
+## Setup Instructions
+
+### 1. Copy the script to TrueNAS
+
+```bash
+scp fix-nfs-crossmnt.py root@truenas.local:/root/
+ssh root@truenas.local chmod +x /root/fix-nfs-crossmnt.py
+```
+
+### 2. Test manually
+
+```bash
+ssh root@truenas.local
+
+# Run the script
+/root/fix-nfs-crossmnt.py /mnt/tank/data
+
+# Verify crossmnt was added
+cat /etc/exports
+```
+
+You should see `,crossmnt` added to the client options:
+
+```
+"/mnt/tank/data"\
+    192.168.1.10(sec=sys,rw,no_subtree_check,crossmnt)\
+    192.168.1.11(sec=sys,rw,no_subtree_check,crossmnt)
+```
+
+### 3. Verify on NFS client
+
+```bash
+# Before: empty directory
+ls /mnt/data/app1/
+# (nothing)
+
+# After: actual contents visible
+ls /mnt/data/app1/
+# config.yaml  data/  logs/
+```
+
+### 4. Make it persistent
+
+TrueNAS regenerates `/etc/exports` when you modify NFS shares in the UI. To survive this, set up a cron job:
+
+1. Go to **TrueNAS UI → System → Advanced → Cron Jobs → Add**
+2. Configure:
+   - **Description:** Fix NFS crossmnt
+   - **Command:** `/root/fix-nfs-crossmnt.py /mnt/tank/data`
+   - **Run As User:** root
+   - **Schedule:** `*/5 * * * *` (every 5 minutes)
+   - **Enabled:** checked
+3. Save
+
+The script is idempotent—it only modifies the file if `crossmnt` is missing, and skips the write entirely if already applied.
+
+## How It Works
+
+1. Parses `/etc/exports` to find the specified export block
+2. Adds `,crossmnt` before the closing `)` on each client line
+3. Writes the file only if changes were made
+4. Runs `exportfs -ra` to reload the NFS configuration
+
+## Why Not Use SMB Instead?
+
+SMB handles child datasets seamlessly, but:
+
+- NFS is simpler for Linux-to-Linux with matching UIDs
+- SMB requires more complex permission mapping for Docker volumes
+- Many existing setups already use NFS
+
+## Related Links
+
+- [TrueNAS Forum: Add crossmnt option to NFS exports](https://forums.truenas.com/t/add-crossmnt-option-to-nfs-exports/10573)
+- [exports(5) man page](https://man7.org/linux/man-pages/man5/exports.5.html) - see `crossmnt` option
+
+## Tested On
+
+- TrueNAS SCALE 24.10

docs/truenas-nfs-root-squash.md

@@ -0,0 +1,65 @@
+# TrueNAS NFS: Disabling Root Squash
+
+When running Docker containers on NFS-mounted storage, containers that run as root will fail to write files unless root squash is disabled. This document explains the problem and solution.
+
+## The Problem
+
+By default, NFS uses "root squash" which maps the root user (UID 0) on clients to `nobody` on the server. This is a security feature to prevent remote root users from having root access to the NFS server's files.
+
+However, many Docker containers run as root internally. When these containers try to write to NFS-mounted volumes, the writes fail with "Permission denied" because the NFS server sees them as `nobody`, not `root`.
+
+Example error in container logs:
+```
+System.UnauthorizedAccessException: Access to the path '/data' is denied.
+Error: EACCES: permission denied, mkdir '/app/data'
+```
+
+## The Solution
+
+In TrueNAS, configure the NFS share to map remote root to local root:
+
+### TrueNAS SCALE UI
+
+1. Go to **Shares → NFS**
+2. Edit your share
+3. Under **Advanced Options**:
+   - **Maproot User**: `root`
+   - **Maproot Group**: `wheel`
+4. Save
+
+### Result in /etc/exports
+
+```
+"/mnt/pool/data"\
+    192.168.1.25(sec=sys,rw,no_root_squash,no_subtree_check)\
+    192.168.1.26(sec=sys,rw,no_root_squash,no_subtree_check)
+```
+
+The `no_root_squash` option means remote root is treated as root on the server.
+
+## Why `wheel`?
+
+On FreeBSD/TrueNAS, the root user's primary group is `wheel` (GID 0), not `root` like on Linux. So `root:wheel` = `0:0`.
+
+## Security Considerations
+
+Disabling root squash means any machine that can mount the NFS share has full root access to those files. This is acceptable when:
+
+- The NFS clients are on a trusted private network
+- Only known hosts (by IP) are allowed to mount the share
+- The data isn't security-critical
+
+For home lab setups with Docker containers, this is typically fine.
+
+## Alternative: Run Containers as Non-Root
+
+If you prefer to keep root squash enabled, you can run containers as a non-root user:
+
+1. **LinuxServer.io images**: Set `PUID=1000` and `PGID=1000` environment variables
+2. **Other images**: Add `user: "1000:1000"` to the compose service
+
+However, not all containers support running as non-root (they may need to bind to privileged ports, create system directories, etc.).
+
+## Tested On
+
+- TrueNAS SCALE 24.10

examples/README.md

@@ -1,42 +1,171 @@
 # Compose Farm Examples
 
-This folder contains example Docker Compose services for testing Compose Farm locally.
+Real-world examples demonstrating compose-farm patterns for multi-host Docker deployments.
+
+## Services
+
+| Service | Type | Demonstrates |
+|---------|------|--------------|
+| [traefik](traefik/) | Infrastructure | Reverse proxy, Let's Encrypt, file-provider |
+| [mealie](mealie/) | Single container | Traefik labels, resource limits, environment vars |
+| [uptime-kuma](uptime-kuma/) | Single container | Docker socket, user mapping, custom DNS |
+| [paperless-ngx](paperless-ngx/) | Multi-container | Redis + App stack (SQLite) |
+| [autokuma](autokuma/) | Multi-host | Demonstrates `all` keyword (runs on every host) |
+
+## Key Patterns
+
+### External Network
+
+All services connect to a shared external network for inter-service communication:
+
+```yaml
+networks:
+  mynetwork:
+    external: true
+```
+
+Create it on each host with consistent settings:
+
+```bash
+compose-farm init-network --network mynetwork --subnet 172.20.0.0/16
+```
+
+### Traefik Labels (Dual Routes)
+
+Services expose two routes for different access patterns:
+
+1. **HTTPS route** (`websecure` entrypoint): For your custom domain with Let's Encrypt TLS
+2. **HTTP route** (`web` entrypoint): For `.local` domains on your LAN (no TLS needed)
+
+This pattern allows accessing services via:
+- `https://mealie.example.com` - from anywhere, with TLS
+- `http://mealie.local` - from your local network, no TLS overhead
+
+```yaml
+labels:
+  # HTTPS route for custom domain (e.g., mealie.example.com)
+  - traefik.enable=true
+  - traefik.http.routers.myapp.rule=Host(`myapp.${DOMAIN}`)
+  - traefik.http.routers.myapp.entrypoints=websecure
+  - traefik.http.services.myapp.loadbalancer.server.port=8080
+  # HTTP route for .local domain (e.g., myapp.local)
+  - traefik.http.routers.myapp-local.rule=Host(`myapp.local`)
+  - traefik.http.routers.myapp-local.entrypoints=web
+```
+
+> **Note:** `.local` domains require local DNS (e.g., Pi-hole, Technitium) to resolve to your Traefik host.
+
+### Environment Variables
+
+Each service has a `.env` file for secrets and domain configuration.
+Edit these files to set your domain and credentials:
+
+```bash
+# Example: set your domain
+echo "DOMAIN=example.com" > mealie/.env
+```
+
+Variables like `${DOMAIN}` are substituted at runtime by Docker Compose.
+
+### NFS Volume Mounts
+
+All data is stored on shared NFS storage at `/mnt/data/`:
+
+```yaml
+volumes:
+  - /mnt/data/myapp:/app/data
+```
+
+This allows services to migrate between hosts without data loss.
+
+### Multi-Host Services
+
+Services that need to run on every host (e.g., monitoring agents):
+
+```yaml
+# In compose-farm.yaml
+services:
+  autokuma: all  # Runs on every configured host
+```
+
+### Multi-Container Stacks
+
+Database-backed apps with multiple services:
+
+```yaml
+services:
+  redis:
+    image: redis:7
+  app:
+    depends_on:
+      - redis
+```
+
+> **NFS + PostgreSQL Warning:** PostgreSQL should NOT run on NFS storage due to
+> fsync and file locking issues. Use SQLite (safe for single-writer on NFS) or
+> keep PostgreSQL data on local volumes (non-migratable).
+
+### AutoKuma Labels (Optional)
+
+The autokuma example demonstrates compose-farm's **multi-host feature** - running the same service on all hosts using the `all` keyword. AutoKuma itself is not part of compose-farm; it's just a good example because it needs to run on every host to monitor local Docker containers.
+
+[AutoKuma](https://github.com/BigBoot/AutoKuma) automatically creates Uptime Kuma monitors from Docker labels:
+
+```yaml
+labels:
+  - kuma.myapp.http.name=My App
+  - kuma.myapp.http.url=https://myapp.${DOMAIN}
+```
 
 ## Quick Start
 
 ```bash
 cd examples
 
-# Check status of all services
+# 1. Create the shared network on all hosts
+compose-farm init-network
+
+# 2. Start Traefik first (the reverse proxy)
+compose-farm up traefik
+
+# 3. Start other services
+compose-farm up mealie uptime-kuma
+
+# 4. Check status
 compose-farm ps
 
-# Pull images
-compose-farm pull --all
+# 5. Generate Traefik file-provider config for cross-host routing
+compose-farm traefik-file --all
 
-# Start hello-world (runs and exits)
-compose-farm up hello
+# 6. View logs
+compose-farm logs mealie
 
-# Start nginx (stays running)
-compose-farm up nginx
-
-# Check nginx is running
-curl localhost:8080
-
-# View logs
-compose-farm logs nginx
-
-# Stop nginx
-compose-farm down nginx
-
-# Update all (pull + restart)
-compose-farm update --all
+# 7. Stop everything
+compose-farm down --all
 ```
 
-## Services
+## Configuration
 
-- **hello**: Simple hello-world container (exits immediately)
-- **nginx**: Nginx web server on port 8080
+The `compose-farm.yaml` shows a multi-host setup:
 
-## Config
+- **primary** (192.168.1.10): Runs Traefik and heavy services
+- **secondary** (192.168.1.11): Runs lighter services
+- **autokuma**: Runs on ALL hosts to monitor local containers
 
-The `compose-farm.yaml` in this directory configures both services to run locally (no SSH).
+When Traefik runs on `primary` and a service runs on `secondary`, compose-farm
+automatically generates file-provider config so Traefik can route to it.
+
+## Traefik File-Provider
+
+When services run on different hosts than Traefik, use `traefik-file` to generate routing config:
+
+```bash
+# Generate config for all services
+compose-farm traefik-file --all -o traefik/dynamic.d/compose-farm.yml
+
+# Or configure auto-generation in compose-farm.yaml:
+traefik_file: /opt/stacks/traefik/dynamic.d/compose-farm.yml
+traefik_service: traefik
+```
+
+With `traefik_file` configured, compose-farm automatically regenerates the config after `up`, `down`, `restart`, and `update` commands.

examples/autokuma/.env

@@ -0,0 +1,4 @@
+# Copy to .env and fill in your values
+DOMAIN=example.com
+UPTIME_KUMA_USERNAME=admin
+UPTIME_KUMA_PASSWORD=your-uptime-kuma-password

examples/autokuma/compose.yaml

@@ -0,0 +1,31 @@
+# AutoKuma - Automatic Uptime Kuma monitor creation from Docker labels
+# Demonstrates: Multi-host service (runs on ALL hosts)
+#
+# This service monitors Docker containers on each host and automatically
+# creates Uptime Kuma monitors based on container labels.
+#
+# In compose-farm.yaml, configure as:
+#   autokuma: all
+#
+# This runs the same container on every host, so each host's local
+# Docker socket is monitored.
+name: autokuma
+services:
+  autokuma:
+    image: ghcr.io/bigboot/autokuma:latest
+    container_name: autokuma
+    restart: unless-stopped
+    environment:
+      # Connect to your Uptime Kuma instance
+      AUTOKUMA__KUMA__URL: https://uptime.${DOMAIN}
+      AUTOKUMA__KUMA__USERNAME: ${UPTIME_KUMA_USERNAME}
+      AUTOKUMA__KUMA__PASSWORD: ${UPTIME_KUMA_PASSWORD}
+      # Tag for auto-created monitors
+      AUTOKUMA__TAG__NAME: autokuma
+      AUTOKUMA__TAG__COLOR: "#10B981"
+    volumes:
+      # Access local Docker socket to discover containers
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    # Custom DNS for resolving internal domains
+    dns:
+      - 192.168.1.1  # Your local DNS server

examples/compose-farm-state.yaml

@@ -0,0 +1,9 @@
+deployed:
+  autokuma:
+  - primary
+  - secondary
+  - local
+  mealie: secondary
+  paperless-ngx: primary
+  traefik: primary
+  uptime-kuma: secondary

examples/compose-farm.yaml

@@ -1,11 +1,40 @@
-# Example Compose Farm config for local testing
-# Run from the examples directory: cd examples && compose-farm ps
+# Example Compose Farm configuration
+# Demonstrates a multi-host setup with NFS shared storage
+#
+# To test locally: Update the host addresses and run from the examples directory
 
-compose_dir: .
+compose_dir: /opt/stacks/compose-farm/examples
+
+# Auto-regenerate Traefik file-provider config after up/down/restart/update
+traefik_file: /opt/stacks/compose-farm/examples/traefik/dynamic.d/compose-farm.yml
+traefik_service: traefik  # Skip Traefik's host in file-provider (docker provider handles it)
 
 hosts:
+  # Primary server - runs Traefik and most services
+  # Full form with all options
+  primary:
+    address: 192.168.1.10
+    user: deploy
+    port: 22
+
+  # Secondary server - runs some services for load distribution
+  # Short form (user defaults to current user, port defaults to 22)
+  secondary: 192.168.1.11
+
+  # Local execution (no SSH) - for testing or when running on the host itself
   local: localhost
 
 services:
-  hello: local
-  nginx: local
+  # Infrastructure (runs on primary where Traefik is)
+  traefik: primary
+
+  # Multi-host services (runs on ALL hosts)
+  # AutoKuma monitors Docker containers on each host
+  autokuma: all
+
+  # Primary server services
+  paperless-ngx: primary
+
+  # Secondary server services (distributed for performance)
+  mealie: secondary
+  uptime-kuma: secondary

examples/hello/docker-compose.yml

@@ -1,4 +0,0 @@
-services:
-  hello:
-    image: hello-world
-    container_name: sdc-hello

examples/mealie/.env

@@ -0,0 +1,2 @@
+# Copy to .env and fill in your values
+DOMAIN=example.com

examples/mealie/compose.yaml

@@ -0,0 +1,47 @@
+# Mealie - Recipe manager
+# Simple single-container service with Traefik labels
+#
+# Demonstrates:
+# - HTTPS route: mealie.${DOMAIN} (e.g., mealie.example.com) with Let's Encrypt
+# - HTTP route: mealie.local for LAN access without TLS
+# - External network, resource limits, environment variables
+name: mealie
+services:
+  mealie:
+    image: ghcr.io/mealie-recipes/mealie:latest
+    container_name: mealie
+    restart: unless-stopped
+    networks:
+      - mynetwork
+    ports:
+      - "9925:9000"
+    deploy:
+      resources:
+        limits:
+          memory: 1000M
+    volumes:
+      - /mnt/data/mealie:/app/data
+    environment:
+      ALLOW_SIGNUP: "false"
+      PUID: 1000
+      PGID: 1000
+      TZ: America/Los_Angeles
+      MAX_WORKERS: 1
+      WEB_CONCURRENCY: 1
+      BASE_URL: https://mealie.${DOMAIN}
+    labels:
+      # HTTPS route: mealie.example.com (requires DOMAIN in .env)
+      - traefik.enable=true
+      - traefik.http.routers.mealie.rule=Host(`mealie.${DOMAIN}`)
+      - traefik.http.routers.mealie.entrypoints=websecure
+      - traefik.http.services.mealie.loadbalancer.server.port=9000
+      # HTTP route: mealie.local (for LAN access, no TLS)
+      - traefik.http.routers.mealie-local.rule=Host(`mealie.local`)
+      - traefik.http.routers.mealie-local.entrypoints=web
+      # AutoKuma: automatically create Uptime Kuma monitor
+      - kuma.mealie.http.name=Mealie
+      - kuma.mealie.http.url=https://mealie.${DOMAIN}
+
+networks:
+  mynetwork:
+    external: true

examples/nginx/docker-compose.yml

@@ -1,6 +0,0 @@
-services:
-  nginx:
-    image: nginx:alpine
-    container_name: sdc-nginx
-    ports:
-      - "8080:80"

examples/paperless-ngx/.env

@@ -0,0 +1,3 @@
+# Copy to .env and fill in your values
+DOMAIN=example.com
+PAPERLESS_SECRET_KEY=change-me-to-a-random-string

examples/paperless-ngx/compose.yaml

@@ -0,0 +1,60 @@
+# Paperless-ngx - Document management system
+#
+# Demonstrates:
+# - HTTPS route: paperless.${DOMAIN} (e.g., paperless.example.com) with Let's Encrypt
+# - HTTP route: paperless.local for LAN access without TLS
+# - Multi-container stack (Redis + App with SQLite)
+#
+# NOTE: This example uses SQLite (the default) instead of PostgreSQL.
+# PostgreSQL should NOT be used with NFS storage due to fsync/locking issues.
+# If you need PostgreSQL, use local volumes for the database.
+name: paperless-ngx
+services:
+  redis:
+    image: redis:7
+    container_name: paperless-redis
+    restart: unless-stopped
+    networks:
+      - mynetwork
+    volumes:
+      - /mnt/data/paperless/redis:/data
+
+  paperless:
+    image: ghcr.io/paperless-ngx/paperless-ngx:latest
+    container_name: paperless
+    restart: unless-stopped
+    depends_on:
+      - redis
+    networks:
+      - mynetwork
+    ports:
+      - "8000:8000"
+    volumes:
+      # SQLite database stored here (safe on NFS for single-writer)
+      - /mnt/data/paperless/data:/usr/src/paperless/data
+      - /mnt/data/paperless/media:/usr/src/paperless/media
+      - /mnt/data/paperless/export:/usr/src/paperless/export
+      - /mnt/data/paperless/consume:/usr/src/paperless/consume
+    environment:
+      PAPERLESS_REDIS: redis://redis:6379
+      PAPERLESS_URL: https://paperless.${DOMAIN}
+      PAPERLESS_SECRET_KEY: ${PAPERLESS_SECRET_KEY}
+      USERMAP_UID: 1000
+      USERMAP_GID: 1000
+    labels:
+      # HTTPS route: paperless.example.com (requires DOMAIN in .env)
+      - traefik.enable=true
+      - traefik.http.routers.paperless.rule=Host(`paperless.${DOMAIN}`)
+      - traefik.http.routers.paperless.entrypoints=websecure
+      - traefik.http.services.paperless.loadbalancer.server.port=8000
+      - traefik.docker.network=mynetwork
+      # HTTP route: paperless.local (for LAN access, no TLS)
+      - traefik.http.routers.paperless-local.rule=Host(`paperless.local`)
+      - traefik.http.routers.paperless-local.entrypoints=web
+      # AutoKuma: automatically create Uptime Kuma monitor
+      - kuma.paperless.http.name=Paperless
+      - kuma.paperless.http.url=https://paperless.${DOMAIN}
+
+networks:
+  mynetwork:
+    external: true

examples/traefik/.env

@@ -0,0 +1,5 @@
+# Copy to .env and fill in your values
+DOMAIN=example.com
+ACME_EMAIL=you@example.com
+CF_API_EMAIL=you@example.com
+CF_API_KEY=your-cloudflare-api-key

examples/traefik/compose.yaml

@@ -0,0 +1,58 @@
+# Traefik reverse proxy with Let's Encrypt and file-provider support
+# This is the foundation service - other services route through it
+#
+# Entrypoints:
+# - web (port 80): HTTP for .local domains (no TLS needed on LAN)
+# - websecure (port 443): HTTPS with Let's Encrypt for custom domains
+name: traefik
+services:
+  traefik:
+    image: traefik:v3.2
+    container_name: traefik
+    command:
+      - --api.dashboard=true
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
+      - --providers.docker.network=mynetwork
+      # File provider for routing to services on other hosts
+      - --providers.file.directory=/dynamic.d
+      - --providers.file.watch=true
+      # HTTP entrypoint for .local domains (LAN access, no TLS)
+      - --entrypoints.web.address=:80
+      # HTTPS entrypoint for custom domains (with Let's Encrypt TLS)
+      - --entrypoints.websecure.address=:443
+      - --entrypoints.websecure.asDefault=true
+      - --entrypoints.websecure.http.tls.certresolver=letsencrypt
+      # Let's Encrypt DNS challenge (using Cloudflare as example)
+      - --certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}
+      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
+      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
+      - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53
+    environment:
+      # Cloudflare API token for DNS challenge
+      CF_API_EMAIL: ${CF_API_EMAIL}
+      CF_API_KEY: ${CF_API_KEY}
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8080:8080"  # Dashboard
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /mnt/data/traefik/letsencrypt:/letsencrypt
+      - ./dynamic.d:/dynamic.d:ro
+    networks:
+      - mynetwork
+    labels:
+      - traefik.enable=true
+      # Dashboard accessible at traefik.yourdomain.com
+      - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)
+      - traefik.http.routers.traefik.entrypoints=websecure
+      - traefik.http.routers.traefik.service=api@internal
+      # AutoKuma: automatically create Uptime Kuma monitor
+      - kuma.traefik.http.name=Traefik
+      - kuma.traefik.http.url=https://traefik.${DOMAIN}
+
+networks:
+  mynetwork:
+    external: true

examples/traefik/dynamic.d/compose-farm.yml

@@ -0,0 +1,40 @@
+# Auto-generated by compose-farm
+# https://github.com/basnijholt/compose-farm
+#
+# This file routes traffic to services running on hosts other than Traefik's host.
+# Services on Traefik's host use the Docker provider directly.
+#
+# Regenerate with: compose-farm traefik-file --all -o <this-file>
+# Or configure traefik_file in compose-farm.yaml for automatic updates.
+
+http:
+  routers:
+    mealie:
+      rule: Host(`mealie.example.com`)
+      entrypoints:
+      - websecure
+      service: mealie
+    mealie-local:
+      rule: Host(`mealie.local`)
+      entrypoints:
+      - web
+      service: mealie
+    uptime:
+      rule: Host(`uptime.example.com`)
+      entrypoints:
+      - websecure
+      service: uptime
+    uptime-local:
+      rule: Host(`uptime.local`)
+      entrypoints:
+      - web
+      service: uptime
+  services:
+    mealie:
+      loadbalancer:
+        servers:
+        - url: http://192.168.1.11:9925
+    uptime:
+      loadbalancer:
+        servers:
+        - url: http://192.168.1.11:3001

examples/uptime-kuma/.env

@@ -0,0 +1,2 @@
+# Copy to .env and fill in your values
+DOMAIN=example.com

examples/uptime-kuma/compose.yaml

@@ -0,0 +1,43 @@
+# Uptime Kuma - Monitoring dashboard
+#
+# Demonstrates:
+# - HTTPS route: uptime.${DOMAIN} (e.g., uptime.example.com) with Let's Encrypt
+# - HTTP route: uptime.local for LAN access without TLS
+# - Docker socket access, user mapping for NFS, custom DNS
+name: uptime-kuma
+services:
+  uptime-kuma:
+    image: louislam/uptime-kuma:2
+    container_name: uptime-kuma
+    restart: unless-stopped
+    # Run as non-root user (important for NFS volumes)
+    user: "1000:1000"
+    networks:
+      - mynetwork
+    ports:
+      - "3001:3001"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /mnt/data/uptime-kuma:/app/data
+    environment:
+      PUID: 1000
+      PGID: 1000
+    # Custom DNS for internal domain resolution
+    dns:
+      - 192.168.1.1  # Your local DNS server
+    labels:
+      # HTTPS route: uptime.example.com (requires DOMAIN in .env)
+      - traefik.enable=true
+      - traefik.http.routers.uptime.rule=Host(`uptime.${DOMAIN}`)
+      - traefik.http.routers.uptime.entrypoints=websecure
+      - traefik.http.services.uptime.loadbalancer.server.port=3001
+      # HTTP route: uptime.local (for LAN access, no TLS)
+      - traefik.http.routers.uptime-local.rule=Host(`uptime.local`)
+      - traefik.http.routers.uptime-local.entrypoints=web
+      # AutoKuma: automatically create Uptime Kuma monitor
+      - kuma.uptime.http.name=Uptime Kuma
+      - kuma.uptime.http.url=https://uptime.${DOMAIN}
+
+networks:
+  mynetwork:
+    external: true

pyproject.toml

@@ -3,10 +3,41 @@ name = "compose-farm"
 dynamic = ["version"]
 description = "Compose Farm - run docker compose commands across multiple hosts"
 readme = "README.md"
+license = "MIT"
 authors = [
     { name = "Bas Nijholt", email = "bas@nijho.lt" }
 ]
+maintainers = [
+    { name = "Bas Nijholt", email = "bas@nijho.lt" }
+]
 requires-python = ">=3.11"
+keywords = [
+    "docker",
+    "docker-compose",
+    "ssh",
+    "devops",
+    "deployment",
+    "container",
+    "orchestration",
+    "multi-host",
+    "homelab",
+    "self-hosted",
+]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "Intended Audience :: System Administrators",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Topic :: System :: Systems Administration",
+    "Topic :: Utilities",
+    "Typing :: Typed",
+]
 dependencies = [
     "typer>=0.9.0",
     "pydantic>=2.0.0",
@@ -15,6 +46,13 @@ dependencies = [
     "rich>=13.0.0",
 ]
 
+[project.urls]
+Homepage = "https://github.com/basnijholt/compose-farm"
+Repository = "https://github.com/basnijholt/compose-farm"
+Documentation = "https://github.com/basnijholt/compose-farm#readme"
+Issues = "https://github.com/basnijholt/compose-farm/issues"
+Changelog = "https://github.com/basnijholt/compose-farm/releases"
+
 [project.scripts]
 compose-farm = "compose_farm.cli:app"
 cf = "compose_farm.cli:app"

src/compose_farm/compose.py

@@ -0,0 +1,286 @@
+"""Compose file parsing utilities.
+
+Handles .env loading, variable interpolation, port/volume/network extraction.
+"""
+
+from __future__ import annotations
+
+import os
+import re
+from dataclasses import dataclass
+from typing import TYPE_CHECKING, Any
+
+import yaml
+
+if TYPE_CHECKING:
+    from pathlib import Path
+
+    from .config import Config
+
+# Port parsing constants
+_SINGLE_PART = 1
+_PUBLISHED_TARGET_PARTS = 2
+_HOST_PUBLISHED_PARTS = 3
+_MIN_VOLUME_PARTS = 2
+
+_VAR_PATTERN = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-(.*?))?\}")
+
+
+@dataclass(frozen=True)
+class PortMapping:
+    """Port mapping for a compose service."""
+
+    target: int
+    published: int | None
+
+
+def _load_env(compose_path: Path) -> dict[str, str]:
+    """Load environment variables for compose interpolation.
+
+    Reads from .env file in the same directory as compose file,
+    then overlays current environment variables.
+    """
+    env: dict[str, str] = {}
+    env_path = compose_path.parent / ".env"
+    if env_path.exists():
+        for line in env_path.read_text().splitlines():
+            stripped = line.strip()
+            if not stripped or stripped.startswith("#") or "=" not in stripped:
+                continue
+            key, value = stripped.split("=", 1)
+            key = key.strip()
+            value = value.strip()
+            if (value.startswith('"') and value.endswith('"')) or (
+                value.startswith("'") and value.endswith("'")
+            ):
+                value = value[1:-1]
+            env[key] = value
+    env.update({k: v for k, v in os.environ.items() if isinstance(v, str)})
+    return env
+
+
+def _interpolate(value: str, env: dict[str, str]) -> str:
+    """Perform ${VAR} and ${VAR:-default} interpolation."""
+
+    def replace(match: re.Match[str]) -> str:
+        var = match.group(1)
+        default = match.group(2)
+        resolved = env.get(var)
+        if resolved:
+            return resolved
+        return default or ""
+
+    return _VAR_PATTERN.sub(replace, value)
+
+
+def _parse_ports(raw: Any, env: dict[str, str]) -> list[PortMapping]:  # noqa: PLR0912
+    """Parse port specifications from compose file.
+
+    Handles string formats like "8080", "8080:80", "0.0.0.0:8080:80",
+    and dict formats with target/published keys.
+    """
+    if raw is None:
+        return []
+    mappings: list[PortMapping] = []
+
+    items = raw if isinstance(raw, list) else [raw]
+
+    for item in items:
+        if isinstance(item, str):
+            interpolated = _interpolate(item, env)
+            port_spec, _, _ = interpolated.partition("/")
+            parts = port_spec.split(":")
+            published: int | None = None
+            target: int | None = None
+
+            if len(parts) == _SINGLE_PART and parts[0].isdigit():
+                target = int(parts[0])
+            elif (
+                len(parts) == _PUBLISHED_TARGET_PARTS and parts[0].isdigit() and parts[1].isdigit()
+            ):
+                published = int(parts[0])
+                target = int(parts[1])
+            elif (
+                len(parts) == _HOST_PUBLISHED_PARTS and parts[-2].isdigit() and parts[-1].isdigit()
+            ):
+                published = int(parts[-2])
+                target = int(parts[-1])
+
+            if target is not None:
+                mappings.append(PortMapping(target=target, published=published))
+        elif isinstance(item, dict):
+            target_raw = item.get("target")
+            if isinstance(target_raw, str):
+                target_raw = _interpolate(target_raw, env)
+            if target_raw is None:
+                continue
+            try:
+                target_val = int(str(target_raw))
+            except (TypeError, ValueError):
+                continue
+
+            published_raw = item.get("published")
+            if isinstance(published_raw, str):
+                published_raw = _interpolate(published_raw, env)
+            published_val: int | None
+            try:
+                published_val = int(str(published_raw)) if published_raw is not None else None
+            except (TypeError, ValueError):
+                published_val = None
+            mappings.append(PortMapping(target=target_val, published=published_val))
+
+    return mappings
+
+
+def _resolve_host_path(host_path: str, compose_dir: Path) -> str | None:
+    """Resolve a host path from volume mount, returning None for named volumes."""
+    if host_path.startswith("/"):
+        return host_path
+    if host_path.startswith(("./", "../")):
+        return str((compose_dir / host_path).resolve())
+    return None  # Named volume
+
+
+def _parse_volume_item(
+    item: str | dict[str, Any],
+    env: dict[str, str],
+    compose_dir: Path,
+) -> str | None:
+    """Parse a single volume item and return host path if it's a bind mount."""
+    if isinstance(item, str):
+        interpolated = _interpolate(item, env)
+        parts = interpolated.split(":")
+        if len(parts) >= _MIN_VOLUME_PARTS:
+            return _resolve_host_path(parts[0], compose_dir)
+    elif isinstance(item, dict) and item.get("type") == "bind":
+        source = item.get("source")
+        if source:
+            interpolated = _interpolate(str(source), env)
+            return _resolve_host_path(interpolated, compose_dir)
+    return None
+
+
+def parse_host_volumes(config: Config, service: str) -> list[str]:
+    """Extract host bind mount paths from a service's compose file.
+
+    Returns a list of absolute host paths used as volume mounts.
+    Skips named volumes and resolves relative paths.
+    """
+    compose_path = config.get_compose_path(service)
+    if not compose_path.exists():
+        return []
+
+    env = _load_env(compose_path)
+    compose_data = yaml.safe_load(compose_path.read_text()) or {}
+    raw_services = compose_data.get("services", {})
+    if not isinstance(raw_services, dict):
+        return []
+
+    paths: list[str] = []
+    compose_dir = compose_path.parent
+
+    for definition in raw_services.values():
+        if not isinstance(definition, dict):
+            continue
+
+        volumes = definition.get("volumes")
+        if not volumes:
+            continue
+
+        items = volumes if isinstance(volumes, list) else [volumes]
+        for item in items:
+            host_path = _parse_volume_item(item, env, compose_dir)
+            if host_path:
+                paths.append(host_path)
+
+    # Return unique paths, preserving order
+    seen: set[str] = set()
+    unique: list[str] = []
+    for p in paths:
+        if p not in seen:
+            seen.add(p)
+            unique.append(p)
+    return unique
+
+
+def parse_external_networks(config: Config, service: str) -> list[str]:
+    """Extract external network names from a service's compose file.
+
+    Returns a list of network names marked as external: true.
+    """
+    compose_path = config.get_compose_path(service)
+    if not compose_path.exists():
+        return []
+
+    compose_data = yaml.safe_load(compose_path.read_text()) or {}
+    networks = compose_data.get("networks", {})
+    if not isinstance(networks, dict):
+        return []
+
+    external_networks: list[str] = []
+    for name, definition in networks.items():
+        if isinstance(definition, dict) and definition.get("external") is True:
+            external_networks.append(name)
+
+    return external_networks
+
+
+def load_compose_services(
+    config: Config,
+    stack: str,
+) -> tuple[dict[str, Any], dict[str, str], str]:
+    """Load services from a compose file with environment interpolation.
+
+    Returns (services_dict, env_dict, host_address).
+    """
+    compose_path = config.get_compose_path(stack)
+    if not compose_path.exists():
+        message = f"[{stack}] Compose file not found: {compose_path}"
+        raise FileNotFoundError(message)
+
+    env = _load_env(compose_path)
+    compose_data = yaml.safe_load(compose_path.read_text()) or {}
+    raw_services = compose_data.get("services", {})
+    if not isinstance(raw_services, dict):
+        return {}, env, config.get_host(stack).address
+    return raw_services, env, config.get_host(stack).address
+
+
+def normalize_labels(raw: Any, env: dict[str, str]) -> dict[str, str]:
+    """Normalize labels from list or dict format, with interpolation."""
+    if raw is None:
+        return {}
+    if isinstance(raw, dict):
+        return {
+            _interpolate(str(k), env): _interpolate(str(v), env)
+            for k, v in raw.items()
+            if k is not None
+        }
+    if isinstance(raw, list):
+        labels: dict[str, str] = {}
+        for item in raw:
+            if not isinstance(item, str) or "=" not in item:
+                continue
+            key_raw, value_raw = item.split("=", 1)
+            key = _interpolate(key_raw.strip(), env)
+            value = _interpolate(value_raw.strip(), env)
+            labels[key] = value
+        return labels
+    return {}
+
+
+def get_ports_for_service(
+    definition: dict[str, Any],
+    all_services: dict[str, Any],
+    env: dict[str, str],
+) -> list[PortMapping]:
+    """Get ports for a service, following network_mode: service:X if present."""
+    network_mode = definition.get("network_mode", "")
+    if isinstance(network_mode, str) and network_mode.startswith("service:"):
+        # Service uses another service's network - get ports from that service
+        ref_service = network_mode[len("service:") :]
+        if ref_service in all_services:
+            ref_def = all_services[ref_service]
+            if isinstance(ref_def, dict):
+                return _parse_ports(ref_def.get("ports"), env)
+    return _parse_ports(definition.get("ports"), env)

src/compose_farm/config.py

@@ -3,12 +3,18 @@
 from __future__ import annotations
 
 import getpass
+import os
 from pathlib import Path
 
 import yaml
 from pydantic import BaseModel, Field, model_validator
 
 
+def xdg_config_home() -> Path:
+    """Get XDG config directory, respecting XDG_CONFIG_HOME env var."""
+    return Path(os.environ.get("XDG_CONFIG_HOME", Path.home() / ".config"))
+
+
 class Host(BaseModel):
     """SSH host configuration."""
 
@@ -22,7 +28,7 @@ class Config(BaseModel):
 
     compose_dir: Path = Path("/opt/compose")
     hosts: dict[str, Host]
-    services: dict[str, str]  # service_name -> host_name
+    services: dict[str, str | list[str]]  # service_name -> host_name or list of hosts
     traefik_file: Path | None = None  # Auto-regenerate traefik config after up/down
     traefik_service: str | None = None  # Service name for Traefik (skip its host in file-provider)
     config_path: Path = Path()  # Set by load_config()
@@ -32,20 +38,60 @@ class Config(BaseModel):
         return self.config_path.parent / "compose-farm-state.yaml"
 
     @model_validator(mode="after")
-    def validate_service_hosts(self) -> Config:
-        """Ensure all services reference valid hosts."""
-        for service, host_name in self.services.items():
-            if host_name not in self.hosts:
-                msg = f"Service '{service}' references unknown host '{host_name}'"
-                raise ValueError(msg)
+    def validate_hosts_and_services(self) -> Config:
+        """Validate host names and service configurations."""
+        # "all" is reserved keyword, cannot be used as host name
+        if "all" in self.hosts:
+            msg = "'all' is a reserved keyword and cannot be used as a host name"
+            raise ValueError(msg)
+
+        for service, host_value in self.services.items():
+            # Validate list configurations
+            if isinstance(host_value, list):
+                if not host_value:
+                    msg = f"Service '{service}' has empty host list"
+                    raise ValueError(msg)
+                if len(host_value) != len(set(host_value)):
+                    msg = f"Service '{service}' has duplicate hosts in list"
+                    raise ValueError(msg)
+
+            # Validate all referenced hosts exist
+            host_names = self.get_hosts(service)
+            for host_name in host_names:
+                if host_name not in self.hosts:
+                    msg = f"Service '{service}' references unknown host '{host_name}'"
+                    raise ValueError(msg)
         return self
 
-    def get_host(self, service: str) -> Host:
-        """Get host config for a service."""
+    def get_hosts(self, service: str) -> list[str]:
+        """Get list of host names for a service.
+
+        Supports:
+        - Single host: "truenas-debian" -> ["truenas-debian"]
+        - All hosts: "all" -> list of all configured hosts
+        - Explicit list: ["host1", "host2"] -> ["host1", "host2"]
+        """
         if service not in self.services:
             msg = f"Unknown service: {service}"
             raise ValueError(msg)
-        return self.hosts[self.services[service]]
+        host_value = self.services[service]
+        if isinstance(host_value, list):
+            return host_value
+        if host_value == "all":
+            return list(self.hosts.keys())
+        return [host_value]
+
+    def is_multi_host(self, service: str) -> bool:
+        """Check if a service runs on multiple hosts."""
+        return len(self.get_hosts(service)) > 1
+
+    def get_host(self, service: str) -> Host:
+        """Get host config for a service (first host if multi-host)."""
+        if service not in self.services:
+            msg = f"Unknown service: {service}"
+            raise ValueError(msg)
+        host_names = self.get_hosts(service)
+        return self.hosts[host_names[0]]
 
     def get_compose_path(self, service: str) -> Path:
         """Get compose file path for a service.
@@ -104,11 +150,11 @@ def load_config(path: Path | None = None) -> Config:
     Search order:
     1. Explicit path if provided
     2. ./compose-farm.yaml
-    3. ~/.config/compose-farm/compose-farm.yaml
+    3. $XDG_CONFIG_HOME/compose-farm/compose-farm.yaml (defaults to ~/.config)
     """
     search_paths = [
         Path("compose-farm.yaml"),
-        Path.home() / ".config" / "compose-farm" / "compose-farm.yaml",
+        xdg_config_home() / "compose-farm" / "compose-farm.yaml",
     ]
 
     if path:

src/compose_farm/console.py

@@ -0,0 +1,6 @@
+"""Shared console instances for consistent output styling."""
+
+from rich.console import Console
+
+console = Console(highlight=False)
+err_console = Console(stderr=True, highlight=False)

src/compose_farm/executor.py

@@ -0,0 +1,448 @@
+"""Command execution via SSH or locally."""
+
+from __future__ import annotations
+
+import asyncio
+import socket
+import subprocess
+from dataclasses import dataclass
+from functools import lru_cache
+from typing import TYPE_CHECKING, Any
+
+import asyncssh
+from rich.markup import escape
+
+from .console import console, err_console
+
+if TYPE_CHECKING:
+    from collections.abc import Callable
+
+    from .config import Config, Host
+
+LOCAL_ADDRESSES = frozenset({"local", "localhost", "127.0.0.1", "::1"})
+_DEFAULT_SSH_PORT = 22
+
+
+@lru_cache(maxsize=1)
+def _get_local_ips() -> frozenset[str]:
+    """Get all IP addresses of the current machine."""
+    ips: set[str] = set()
+    try:
+        hostname = socket.gethostname()
+        # Get all addresses for hostname
+        for info in socket.getaddrinfo(hostname, None):
+            addr = info[4][0]
+            if isinstance(addr, str):
+                ips.add(addr)
+        # Also try getting the default outbound IP
+        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
+            s.connect(("8.8.8.8", 80))
+            ips.add(s.getsockname()[0])
+    except OSError:
+        pass
+    return frozenset(ips)
+
+
+@dataclass
+class CommandResult:
+    """Result of a command execution."""
+
+    service: str
+    exit_code: int
+    success: bool
+    stdout: str = ""
+    stderr: str = ""
+
+
+def is_local(host: Host) -> bool:
+    """Check if host should run locally (no SSH)."""
+    addr = host.address.lower()
+    if addr in LOCAL_ADDRESSES:
+        return True
+    # Check if address matches any of this machine's IPs
+    return addr in _get_local_ips()
+
+
+async def _run_local_command(
+    command: str,
+    service: str,
+    *,
+    stream: bool = True,
+    raw: bool = False,
+) -> CommandResult:
+    """Run a command locally with streaming output."""
+    try:
+        if raw:
+            # Run with inherited stdout/stderr for proper \r handling
+            proc = await asyncio.create_subprocess_shell(
+                command,
+                stdout=None,  # Inherit
+                stderr=None,  # Inherit
+            )
+            await proc.wait()
+            return CommandResult(
+                service=service,
+                exit_code=proc.returncode or 0,
+                success=proc.returncode == 0,
+            )
+
+        proc = await asyncio.create_subprocess_shell(
+            command,
+            stdout=asyncio.subprocess.PIPE,
+            stderr=asyncio.subprocess.PIPE,
+        )
+
+        if stream and proc.stdout and proc.stderr:
+
+            async def read_stream(
+                reader: asyncio.StreamReader,
+                prefix: str,
+                *,
+                is_stderr: bool = False,
+            ) -> None:
+                out = err_console if is_stderr else console
+                while True:
+                    line = await reader.readline()
+                    if not line:
+                        break
+                    text = line.decode()
+                    if text.strip():  # Skip empty lines
+                        out.print(f"[cyan]\\[{prefix}][/] {escape(text)}", end="")
+
+            await asyncio.gather(
+                read_stream(proc.stdout, service),
+                read_stream(proc.stderr, service, is_stderr=True),
+            )
+
+        stdout_data = b""
+        stderr_data = b""
+        if not stream:
+            stdout_data, stderr_data = await proc.communicate()
+        else:
+            await proc.wait()
+
+        return CommandResult(
+            service=service,
+            exit_code=proc.returncode or 0,
+            success=proc.returncode == 0,
+            stdout=stdout_data.decode() if stdout_data else "",
+            stderr=stderr_data.decode() if stderr_data else "",
+        )
+    except OSError as e:
+        err_console.print(f"[cyan]\\[{service}][/] [red]Local error:[/] {e}")
+        return CommandResult(service=service, exit_code=1, success=False)
+
+
+async def _run_ssh_command(
+    host: Host,
+    command: str,
+    service: str,
+    *,
+    stream: bool = True,
+    raw: bool = False,
+) -> CommandResult:
+    """Run a command on a remote host via SSH with streaming output."""
+    if raw:
+        # Use native ssh with TTY for proper progress bar rendering
+        ssh_args = ["ssh", "-t"]
+        if host.port != _DEFAULT_SSH_PORT:
+            ssh_args.extend(["-p", str(host.port)])
+        ssh_args.extend([f"{host.user}@{host.address}", command])
+        # Run in thread to avoid blocking the event loop
+        result = await asyncio.to_thread(subprocess.run, ssh_args, check=False)
+        return CommandResult(
+            service=service,
+            exit_code=result.returncode,
+            success=result.returncode == 0,
+        )
+
+    proc: asyncssh.SSHClientProcess[Any]
+    try:
+        async with asyncssh.connect(  # noqa: SIM117 - conn needed before create_process
+            host.address,
+            port=host.port,
+            username=host.user,
+            known_hosts=None,
+        ) as conn:
+            async with conn.create_process(command) as proc:
+                if stream:
+
+                    async def read_stream(
+                        reader: Any,
+                        prefix: str,
+                        *,
+                        is_stderr: bool = False,
+                    ) -> None:
+                        out = err_console if is_stderr else console
+                        async for line in reader:
+                            if line.strip():  # Skip empty lines
+                                out.print(f"[cyan]\\[{prefix}][/] {escape(line)}", end="")
+
+                    await asyncio.gather(
+                        read_stream(proc.stdout, service),
+                        read_stream(proc.stderr, service, is_stderr=True),
+                    )
+
+                stdout_data = ""
+                stderr_data = ""
+                if not stream:
+                    stdout_data = await proc.stdout.read()
+                    stderr_data = await proc.stderr.read()
+
+                await proc.wait()
+                return CommandResult(
+                    service=service,
+                    exit_code=proc.exit_status or 0,
+                    success=proc.exit_status == 0,
+                    stdout=stdout_data,
+                    stderr=stderr_data,
+                )
+    except (OSError, asyncssh.Error) as e:
+        err_console.print(f"[cyan]\\[{service}][/] [red]SSH error:[/] {e}")
+        return CommandResult(service=service, exit_code=1, success=False)
+
+
+async def run_command(
+    host: Host,
+    command: str,
+    service: str,
+    *,
+    stream: bool = True,
+    raw: bool = False,
+) -> CommandResult:
+    """Run a command on a host (locally or via SSH)."""
+    if is_local(host):
+        return await _run_local_command(command, service, stream=stream, raw=raw)
+    return await _run_ssh_command(host, command, service, stream=stream, raw=raw)
+
+
+async def run_compose(
+    config: Config,
+    service: str,
+    compose_cmd: str,
+    *,
+    stream: bool = True,
+    raw: bool = False,
+) -> CommandResult:
+    """Run a docker compose command for a service."""
+    host = config.get_host(service)
+    compose_path = config.get_compose_path(service)
+
+    command = f"docker compose -f {compose_path} {compose_cmd}"
+    return await run_command(host, command, service, stream=stream, raw=raw)
+
+
+async def run_compose_on_host(
+    config: Config,
+    service: str,
+    host_name: str,
+    compose_cmd: str,
+    *,
+    stream: bool = True,
+    raw: bool = False,
+) -> CommandResult:
+    """Run a docker compose command for a service on a specific host.
+
+    Used for migration - running 'down' on the old host before 'up' on new host.
+    """
+    host = config.hosts[host_name]
+    compose_path = config.get_compose_path(service)
+
+    command = f"docker compose -f {compose_path} {compose_cmd}"
+    return await run_command(host, command, service, stream=stream, raw=raw)
+
+
+async def run_on_services(
+    config: Config,
+    services: list[str],
+    compose_cmd: str,
+    *,
+    stream: bool = True,
+    raw: bool = False,
+) -> list[CommandResult]:
+    """Run a docker compose command on multiple services in parallel.
+
+    For multi-host services, runs on all configured hosts.
+    Note: raw=True only makes sense for single-service operations.
+    """
+    return await run_sequential_on_services(config, services, [compose_cmd], stream=stream, raw=raw)
+
+
+async def _run_sequential_commands(
+    config: Config,
+    service: str,
+    commands: list[str],
+    *,
+    stream: bool = True,
+    raw: bool = False,
+) -> CommandResult:
+    """Run multiple compose commands sequentially for a service."""
+    for cmd in commands:
+        result = await run_compose(config, service, cmd, stream=stream, raw=raw)
+        if not result.success:
+            return result
+    return CommandResult(service=service, exit_code=0, success=True)
+
+
+async def _run_sequential_commands_multi_host(
+    config: Config,
+    service: str,
+    commands: list[str],
+    *,
+    stream: bool = True,
+    raw: bool = False,
+) -> list[CommandResult]:
+    """Run multiple compose commands sequentially for a multi-host service.
+
+    Commands are run sequentially, but each command runs on all hosts in parallel.
+    """
+    host_names = config.get_hosts(service)
+    compose_path = config.get_compose_path(service)
+    final_results: list[CommandResult] = []
+
+    for cmd in commands:
+        command = f"docker compose -f {compose_path} {cmd}"
+        tasks = []
+        for host_name in host_names:
+            host = config.hosts[host_name]
+            label = f"{service}@{host_name}" if len(host_names) > 1 else service
+            tasks.append(run_command(host, command, label, stream=stream, raw=raw))
+
+        results = await asyncio.gather(*tasks)
+        final_results = list(results)
+
+        # Check if any failed
+        if any(not r.success for r in results):
+            return final_results
+
+    return final_results
+
+
+async def run_sequential_on_services(
+    config: Config,
+    services: list[str],
+    commands: list[str],
+    *,
+    stream: bool = True,
+    raw: bool = False,
+) -> list[CommandResult]:
+    """Run sequential commands on multiple services in parallel.
+
+    For multi-host services, runs on all configured hosts.
+    Note: raw=True only makes sense for single-service operations.
+    """
+    # Separate multi-host and single-host services for type-safe gathering
+    multi_host_tasks = []
+    single_host_tasks = []
+
+    for service in services:
+        if config.is_multi_host(service):
+            multi_host_tasks.append(
+                _run_sequential_commands_multi_host(
+                    config, service, commands, stream=stream, raw=raw
+                )
+            )
+        else:
+            single_host_tasks.append(
+                _run_sequential_commands(config, service, commands, stream=stream, raw=raw)
+            )
+
+    # Gather results separately to maintain type safety
+    flat_results: list[CommandResult] = []
+
+    if multi_host_tasks:
+        multi_results = await asyncio.gather(*multi_host_tasks)
+        for result_list in multi_results:
+            flat_results.extend(result_list)
+
+    if single_host_tasks:
+        single_results = await asyncio.gather(*single_host_tasks)
+        flat_results.extend(single_results)
+
+    return flat_results
+
+
+async def check_service_running(
+    config: Config,
+    service: str,
+    host_name: str,
+) -> bool:
+    """Check if a service has running containers on a specific host."""
+    host = config.hosts[host_name]
+    compose_path = config.get_compose_path(service)
+
+    # Use ps --status running to check for running containers
+    command = f"docker compose -f {compose_path} ps --status running -q"
+    result = await run_command(host, command, service, stream=False)
+
+    # If command succeeded and has output, containers are running
+    return result.success and bool(result.stdout.strip())
+
+
+async def _batch_check_existence(
+    config: Config,
+    host_name: str,
+    items: list[str],
+    cmd_template: Callable[[str], str],
+    context: str,
+) -> dict[str, bool]:
+    """Check existence of multiple items on a host using a command template."""
+    if not items:
+        return {}
+
+    host = config.hosts[host_name]
+    checks = []
+    for item in items:
+        escaped = item.replace("'", "'\\''")
+        checks.append(cmd_template(escaped))
+
+    command = "; ".join(checks)
+    result = await run_command(host, command, context, stream=False)
+
+    exists: dict[str, bool] = dict.fromkeys(items, False)
+    for raw_line in result.stdout.splitlines():
+        line = raw_line.strip()
+        if line.startswith("Y:"):
+            exists[line[2:]] = True
+        elif line.startswith("N:"):
+            exists[line[2:]] = False
+
+    return exists
+
+
+async def check_paths_exist(
+    config: Config,
+    host_name: str,
+    paths: list[str],
+) -> dict[str, bool]:
+    """Check if multiple paths exist on a specific host.
+
+    Returns a dict mapping path -> exists.
+    """
+    return await _batch_check_existence(
+        config,
+        host_name,
+        paths,
+        lambda esc: f"test -e '{esc}' && echo 'Y:{esc}' || echo 'N:{esc}'",
+        "mount-check",
+    )
+
+
+async def check_networks_exist(
+    config: Config,
+    host_name: str,
+    networks: list[str],
+) -> dict[str, bool]:
+    """Check if Docker networks exist on a specific host.
+
+    Returns a dict mapping network_name -> exists.
+    """
+    return await _batch_check_existence(
+        config,
+        host_name,
+        networks,
+        lambda esc: (
+            f"docker network inspect '{esc}' >/dev/null 2>&1 && echo 'Y:{esc}' || echo 'N:{esc}'"
+        ),
+        "network-check",
+    )

src/compose_farm/logs.py

@@ -6,20 +6,21 @@ import json
 import tomllib
 from dataclasses import dataclass
 from datetime import UTC, datetime
-from pathlib import Path
 from typing import TYPE_CHECKING, Any
 
-from .ssh import run_compose
+from .config import xdg_config_home
+from .executor import run_compose
 
 if TYPE_CHECKING:
     from collections.abc import Awaitable, Callable, Iterable
+    from pathlib import Path
 
     from .config import Config
-    from .ssh import CommandResult
+    from .executor import CommandResult
 
 
-DEFAULT_LOG_PATH = Path.home() / ".config" / "compose-farm" / "dockerfarm-log.toml"
-DIGEST_HEX_LENGTH = 64
+DEFAULT_LOG_PATH = xdg_config_home() / "compose-farm" / "dockerfarm-log.toml"
+_DIGEST_HEX_LENGTH = 64
 
 
 @dataclass(frozen=True)
@@ -46,7 +47,8 @@ class SnapshotEntry:
         }
 
 
-def _isoformat(dt: datetime) -> str:
+def isoformat(dt: datetime) -> str:
+    """Format a datetime as an ISO 8601 string with Z suffix for UTC."""
     return dt.astimezone(UTC).replace(microsecond=0).isoformat().replace("+00:00", "Z")
 
 
@@ -95,13 +97,13 @@ def _extract_image_fields(record: dict[str, Any]) -> tuple[str, str]:
         or ""
     )
 
-    if digest and not digest.startswith("sha256:") and len(digest) == DIGEST_HEX_LENGTH:
+    if digest and not digest.startswith("sha256:") and len(digest) == _DIGEST_HEX_LENGTH:
         digest = f"sha256:{digest}"
 
     return image, digest
 
 
-async def _collect_service_entries(
+async def collect_service_entries(
     config: Config,
     service: str,
     *,
@@ -116,7 +118,8 @@ async def _collect_service_entries(
         raise RuntimeError(error)
 
     records = _parse_images_output(result.stdout)
-    host_name = config.services[service]
+    # Use first host for snapshots (multi-host services use same images on all hosts)
+    host_name = config.get_hosts(service)[0]
     compose_path = config.get_compose_path(service)
 
     entries: list[SnapshotEntry] = []
@@ -137,19 +140,21 @@ async def _collect_service_entries(
     return entries
 
 
-def _load_existing_entries(log_path: Path) -> list[dict[str, str]]:
+def load_existing_entries(log_path: Path) -> list[dict[str, str]]:
+    """Load existing snapshot entries from a TOML log file."""
     if not log_path.exists():
         return []
     data = tomllib.loads(log_path.read_text())
     return list(data.get("entries", []))
 
 
-def _merge_entries(
+def merge_entries(
     existing: Iterable[dict[str, str]],
     new_entries: Iterable[SnapshotEntry],
     *,
     now_iso: str,
 ) -> list[dict[str, str]]:
+    """Merge new snapshot entries with existing ones, preserving first_seen timestamps."""
     merged: dict[tuple[str, str, str], dict[str, str]] = {
         (e["service"], e["host"], e["digest"]): dict(e) for e in existing
     }
@@ -162,7 +167,8 @@ def _merge_entries(
     return list(merged.values())
 
 
-def _write_toml(log_path: Path, *, meta: dict[str, str], entries: list[dict[str, str]]) -> None:
+def write_toml(log_path: Path, *, meta: dict[str, str], entries: list[dict[str, str]]) -> None:
+    """Write snapshot entries to a TOML log file."""
     lines: list[str] = ["[meta]"]
     lines.extend(f'{key} = "{_escape(meta[key])}"' for key in sorted(meta))
 
@@ -187,45 +193,3 @@ def _write_toml(log_path: Path, *, meta: dict[str, str], entries: list[dict[str,
     content = "\n".join(lines).rstrip() + "\n"
     log_path.parent.mkdir(parents=True, exist_ok=True)
     log_path.write_text(content)
-
-
-async def snapshot_services(
-    config: Config,
-    services: list[str],
-    *,
-    log_path: Path | None = None,
-    now: datetime | None = None,
-    run_compose_fn: Callable[..., Awaitable[CommandResult]] = run_compose,
-) -> Path:
-    """Capture current image digests for services and write them to a TOML log.
-
-    - Preserves the earliest `first_seen` per (service, host, digest)
-    - Updates `last_seen` for digests observed in this snapshot
-    - Leaves untouched digests that were not part of this run (history is kept)
-    """
-    if not services:
-        error = "No services specified for snapshot"
-        raise RuntimeError(error)
-
-    log_path = log_path or DEFAULT_LOG_PATH
-    now_dt = now or datetime.now(UTC)
-    now_iso = _isoformat(now_dt)
-
-    existing_entries = _load_existing_entries(log_path)
-
-    snapshot_entries: list[SnapshotEntry] = []
-    for service in services:
-        snapshot_entries.extend(
-            await _collect_service_entries(
-                config, service, now=now_dt, run_compose_fn=run_compose_fn
-            )
-        )
-
-    if not snapshot_entries:
-        error = "No image digests were captured"
-        raise RuntimeError(error)
-
-    merged_entries = _merge_entries(existing_entries, snapshot_entries, now_iso=now_iso)
-    meta = {"generated_at": now_iso, "compose_dir": str(config.compose_dir)}
-    _write_toml(log_path, meta=meta, entries=merged_entries)
-    return log_path

src/compose_farm/operations.py

@@ -0,0 +1,212 @@
+"""High-level operations for compose-farm.
+
+Contains the business logic for up, down, sync, check, and migration operations.
+CLI commands are thin wrappers around these functions.
+"""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+from .compose import parse_external_networks, parse_host_volumes
+from .console import console, err_console
+from .executor import (
+    CommandResult,
+    check_networks_exist,
+    check_paths_exist,
+    run_command,
+    run_compose,
+    run_compose_on_host,
+)
+from .state import get_service_host, set_multi_host_service, set_service_host
+
+if TYPE_CHECKING:
+    from .config import Config
+
+
+def get_service_paths(cfg: Config, service: str) -> list[str]:
+    """Get all required paths for a service (compose_dir + volumes)."""
+    paths = [str(cfg.compose_dir)]
+    paths.extend(parse_host_volumes(cfg, service))
+    return paths
+
+
+async def _check_mounts_for_migration(
+    cfg: Config,
+    service: str,
+    target_host: str,
+) -> list[str]:
+    """Check if mount paths exist on target host. Returns list of missing paths."""
+    paths = get_service_paths(cfg, service)
+    exists = await check_paths_exist(cfg, target_host, paths)
+    return [p for p, found in exists.items() if not found]
+
+
+async def _check_networks_for_migration(
+    cfg: Config,
+    service: str,
+    target_host: str,
+) -> list[str]:
+    """Check if Docker networks exist on target host. Returns list of missing networks."""
+    networks = parse_external_networks(cfg, service)
+    if not networks:
+        return []
+    exists = await check_networks_exist(cfg, target_host, networks)
+    return [n for n, found in exists.items() if not found]
+
+
+async def _preflight_check(
+    cfg: Config,
+    service: str,
+    target_host: str,
+) -> tuple[list[str], list[str]]:
+    """Run pre-flight checks for a service on target host.
+
+    Returns (missing_paths, missing_networks).
+    """
+    missing_paths = await _check_mounts_for_migration(cfg, service, target_host)
+    missing_networks = await _check_networks_for_migration(cfg, service, target_host)
+    return missing_paths, missing_networks
+
+
+def _report_preflight_failures(
+    service: str,
+    target_host: str,
+    missing_paths: list[str],
+    missing_networks: list[str],
+) -> None:
+    """Report pre-flight check failures."""
+    err_console.print(
+        f"[cyan]\\[{service}][/] [red]✗[/] Cannot start on [magenta]{target_host}[/]:"
+    )
+    for path in missing_paths:
+        err_console.print(f"  [red]✗[/] missing path: {path}")
+    for net in missing_networks:
+        err_console.print(f"  [red]✗[/] missing network: {net}")
+
+
+async def _up_multi_host_service(
+    cfg: Config,
+    service: str,
+    prefix: str,
+    *,
+    raw: bool = False,
+) -> list[CommandResult]:
+    """Start a multi-host service on all configured hosts."""
+    host_names = cfg.get_hosts(service)
+    results: list[CommandResult] = []
+    compose_path = cfg.get_compose_path(service)
+    command = f"docker compose -f {compose_path} up -d"
+
+    # Pre-flight checks on all hosts
+    for host_name in host_names:
+        missing_paths, missing_networks = await _preflight_check(cfg, service, host_name)
+        if missing_paths or missing_networks:
+            _report_preflight_failures(service, host_name, missing_paths, missing_networks)
+            results.append(
+                CommandResult(service=f"{service}@{host_name}", exit_code=1, success=False)
+            )
+            return results
+
+    # Start on all hosts
+    hosts_str = ", ".join(f"[magenta]{h}[/]" for h in host_names)
+    console.print(f"{prefix} Starting on {hosts_str}...")
+
+    succeeded_hosts: list[str] = []
+    for host_name in host_names:
+        host = cfg.hosts[host_name]
+        label = f"{service}@{host_name}"
+        result = await run_command(host, command, label, stream=not raw, raw=raw)
+        if raw:
+            print()  # Ensure newline after raw output
+        results.append(result)
+        if result.success:
+            succeeded_hosts.append(host_name)
+
+    # Update state with hosts that succeeded (partial success is tracked)
+    if succeeded_hosts:
+        set_multi_host_service(cfg, service, succeeded_hosts)
+
+    return results
+
+
+async def up_services(
+    cfg: Config,
+    services: list[str],
+    *,
+    raw: bool = False,
+) -> list[CommandResult]:
+    """Start services with automatic migration if host changed."""
+    results: list[CommandResult] = []
+    total = len(services)
+
+    for idx, service in enumerate(services, 1):
+        prefix = f"[dim][{idx}/{total}][/] [cyan]\\[{service}][/]"
+
+        # Handle multi-host services separately (no migration)
+        if cfg.is_multi_host(service):
+            multi_results = await _up_multi_host_service(cfg, service, prefix, raw=raw)
+            results.extend(multi_results)
+            continue
+
+        target_host = cfg.get_hosts(service)[0]
+        current_host = get_service_host(cfg, service)
+
+        # Pre-flight check: verify paths and networks exist on target
+        missing_paths, missing_networks = await _preflight_check(cfg, service, target_host)
+        if missing_paths or missing_networks:
+            _report_preflight_failures(service, target_host, missing_paths, missing_networks)
+            results.append(CommandResult(service=service, exit_code=1, success=False))
+            continue
+
+        # If service is deployed elsewhere, migrate it
+        if current_host and current_host != target_host:
+            if current_host in cfg.hosts:
+                console.print(
+                    f"{prefix} Migrating from "
+                    f"[magenta]{current_host}[/] → [magenta]{target_host}[/]..."
+                )
+                down_result = await run_compose_on_host(cfg, service, current_host, "down", raw=raw)
+                if raw:
+                    print()  # Ensure newline after raw output
+                if not down_result.success:
+                    results.append(down_result)
+                    continue
+            else:
+                err_console.print(
+                    f"{prefix} [yellow]![/] was on "
+                    f"[magenta]{current_host}[/] (not in config), skipping down"
+                )
+
+        # Start on target host
+        console.print(f"{prefix} Starting on [magenta]{target_host}[/]...")
+        up_result = await run_compose(cfg, service, "up -d", raw=raw)
+        if raw:
+            print()  # Ensure newline after raw output (progress bars end with \r)
+        results.append(up_result)
+
+        # Update state on success
+        if up_result.success:
+            set_service_host(cfg, service, target_host)
+
+    return results
+
+
+async def check_host_compatibility(
+    cfg: Config,
+    service: str,
+) -> dict[str, tuple[int, int, list[str]]]:
+    """Check which hosts can run a service based on mount paths.
+
+    Returns dict of host_name -> (found_count, total_count, missing_paths).
+    """
+    paths = get_service_paths(cfg, service)
+    results: dict[str, tuple[int, int, list[str]]] = {}
+
+    for host_name in cfg.hosts:
+        exists = await check_paths_exist(cfg, host_name, paths)
+        found = sum(1 for v in exists.values() if v)
+        missing = [p for p, v in exists.items() if not v]
+        results[host_name] = (found, len(paths), missing)
+
+    return results

src/compose_farm/ssh.py

@@ -1,275 +0,0 @@
-"""Command execution via SSH or locally."""
-
-from __future__ import annotations
-
-import asyncio
-import socket
-from dataclasses import dataclass
-from functools import lru_cache
-from typing import TYPE_CHECKING, Any
-
-import asyncssh
-from rich.console import Console
-from rich.markup import escape
-
-if TYPE_CHECKING:
-    from .config import Config, Host
-
-_console = Console(highlight=False)
-_err_console = Console(stderr=True, highlight=False)
-
-LOCAL_ADDRESSES = frozenset({"local", "localhost", "127.0.0.1", "::1"})
-
-
-@lru_cache(maxsize=1)
-def _get_local_ips() -> frozenset[str]:
-    """Get all IP addresses of the current machine."""
-    ips: set[str] = set()
-    try:
-        hostname = socket.gethostname()
-        # Get all addresses for hostname
-        for info in socket.getaddrinfo(hostname, None):
-            ips.add(info[4][0])
-        # Also try getting the default outbound IP
-        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
-            s.connect(("8.8.8.8", 80))
-            ips.add(s.getsockname()[0])
-    except OSError:
-        pass
-    return frozenset(ips)
-
-
-@dataclass
-class CommandResult:
-    """Result of a command execution."""
-
-    service: str
-    exit_code: int
-    success: bool
-    stdout: str = ""
-    stderr: str = ""
-
-
-def _is_local(host: Host) -> bool:
-    """Check if host should run locally (no SSH)."""
-    addr = host.address.lower()
-    if addr in LOCAL_ADDRESSES:
-        return True
-    # Check if address matches any of this machine's IPs
-    return addr in _get_local_ips()
-
-
-async def _run_local_command(
-    command: str,
-    service: str,
-    *,
-    stream: bool = True,
-) -> CommandResult:
-    """Run a command locally with streaming output."""
-    try:
-        proc = await asyncio.create_subprocess_shell(
-            command,
-            stdout=asyncio.subprocess.PIPE,
-            stderr=asyncio.subprocess.PIPE,
-        )
-
-        if stream and proc.stdout and proc.stderr:
-
-            async def read_stream(
-                reader: asyncio.StreamReader,
-                prefix: str,
-                *,
-                is_stderr: bool = False,
-            ) -> None:
-                console = _err_console if is_stderr else _console
-                while True:
-                    line = await reader.readline()
-                    if not line:
-                        break
-                    text = line.decode()
-                    if text.strip():  # Skip empty lines
-                        console.print(f"[cyan]\\[{prefix}][/] {escape(text)}", end="")
-
-            await asyncio.gather(
-                read_stream(proc.stdout, service),
-                read_stream(proc.stderr, service, is_stderr=True),
-            )
-
-        stdout_data = b""
-        stderr_data = b""
-        if not stream:
-            stdout_data, stderr_data = await proc.communicate()
-        else:
-            await proc.wait()
-
-        return CommandResult(
-            service=service,
-            exit_code=proc.returncode or 0,
-            success=proc.returncode == 0,
-            stdout=stdout_data.decode() if stdout_data else "",
-            stderr=stderr_data.decode() if stderr_data else "",
-        )
-    except OSError as e:
-        _err_console.print(f"[cyan]\\[{service}][/] [red]Local error:[/] {e}")
-        return CommandResult(service=service, exit_code=1, success=False)
-
-
-async def _run_ssh_command(
-    host: Host,
-    command: str,
-    service: str,
-    *,
-    stream: bool = True,
-) -> CommandResult:
-    """Run a command on a remote host via SSH with streaming output."""
-    proc: asyncssh.SSHClientProcess[Any]
-    try:
-        async with (
-            asyncssh.connect(
-                host.address,
-                port=host.port,
-                username=host.user,
-                known_hosts=None,
-            ) as conn,
-            conn.create_process(command) as proc,
-        ):
-            if stream:
-
-                async def read_stream(
-                    reader: Any,
-                    prefix: str,
-                    *,
-                    is_stderr: bool = False,
-                ) -> None:
-                    console = _err_console if is_stderr else _console
-                    async for line in reader:
-                        if line.strip():  # Skip empty lines
-                            console.print(f"[cyan]\\[{prefix}][/] {escape(line)}", end="")
-
-                await asyncio.gather(
-                    read_stream(proc.stdout, service),
-                    read_stream(proc.stderr, service, is_stderr=True),
-                )
-
-            stdout_data = ""
-            stderr_data = ""
-            if not stream:
-                stdout_data = await proc.stdout.read()
-                stderr_data = await proc.stderr.read()
-
-            await proc.wait()
-            return CommandResult(
-                service=service,
-                exit_code=proc.exit_status or 0,
-                success=proc.exit_status == 0,
-                stdout=stdout_data,
-                stderr=stderr_data,
-            )
-    except (OSError, asyncssh.Error) as e:
-        _err_console.print(f"[cyan]\\[{service}][/] [red]SSH error:[/] {e}")
-        return CommandResult(service=service, exit_code=1, success=False)
-
-
-async def run_command(
-    host: Host,
-    command: str,
-    service: str,
-    *,
-    stream: bool = True,
-) -> CommandResult:
-    """Run a command on a host (locally or via SSH)."""
-    if _is_local(host):
-        return await _run_local_command(command, service, stream=stream)
-    return await _run_ssh_command(host, command, service, stream=stream)
-
-
-async def run_compose(
-    config: Config,
-    service: str,
-    compose_cmd: str,
-    *,
-    stream: bool = True,
-) -> CommandResult:
-    """Run a docker compose command for a service."""
-    host = config.get_host(service)
-    compose_path = config.get_compose_path(service)
-
-    command = f"docker compose -f {compose_path} {compose_cmd}"
-    return await run_command(host, command, service, stream=stream)
-
-
-async def run_compose_on_host(
-    config: Config,
-    service: str,
-    host_name: str,
-    compose_cmd: str,
-    *,
-    stream: bool = True,
-) -> CommandResult:
-    """Run a docker compose command for a service on a specific host.
-
-    Used for migration - running 'down' on the old host before 'up' on new host.
-    """
-    host = config.hosts[host_name]
-    compose_path = config.get_compose_path(service)
-
-    command = f"docker compose -f {compose_path} {compose_cmd}"
-    return await run_command(host, command, service, stream=stream)
-
-
-async def run_on_services(
-    config: Config,
-    services: list[str],
-    compose_cmd: str,
-    *,
-    stream: bool = True,
-) -> list[CommandResult]:
-    """Run a docker compose command on multiple services in parallel."""
-    tasks = [run_compose(config, service, compose_cmd, stream=stream) for service in services]
-    return await asyncio.gather(*tasks)
-
-
-async def run_sequential_commands(
-    config: Config,
-    service: str,
-    commands: list[str],
-    *,
-    stream: bool = True,
-) -> CommandResult:
-    """Run multiple compose commands sequentially for a service."""
-    for cmd in commands:
-        result = await run_compose(config, service, cmd, stream=stream)
-        if not result.success:
-            return result
-    return CommandResult(service=service, exit_code=0, success=True)
-
-
-async def run_sequential_on_services(
-    config: Config,
-    services: list[str],
-    commands: list[str],
-    *,
-    stream: bool = True,
-) -> list[CommandResult]:
-    """Run sequential commands on multiple services in parallel."""
-    tasks = [
-        run_sequential_commands(config, service, commands, stream=stream) for service in services
-    ]
-    return await asyncio.gather(*tasks)
-
-
-async def check_service_running(
-    config: Config,
-    service: str,
-    host_name: str,
-) -> bool:
-    """Check if a service has running containers on a specific host."""
-    host = config.hosts[host_name]
-    compose_path = config.get_compose_path(service)
-
-    # Use ps --status running to check for running containers
-    command = f"docker compose -f {compose_path} ps --status running -q"
-    result = await run_command(host, command, service, stream=False)
-
-    # If command succeeded and has output, containers are running
-    return result.success and bool(result.stdout.strip())

src/compose_farm/state.py

@@ -2,18 +2,22 @@
 
 from __future__ import annotations
 
+import contextlib
 from typing import TYPE_CHECKING, Any
 
 import yaml
 
 if TYPE_CHECKING:
+    from collections.abc import Generator
+
     from .config import Config
 
 
-def load_state(config: Config) -> dict[str, str]:
+def load_state(config: Config) -> dict[str, str | list[str]]:
     """Load the current deployment state.
 
-    Returns a dict mapping service names to host names.
+    Returns a dict mapping service names to host name(s).
+    Multi-host services store a list of hosts.
     """
     state_path = config.get_state_path()
     if not state_path.exists():
@@ -22,32 +26,119 @@ def load_state(config: Config) -> dict[str, str]:
     with state_path.open() as f:
         data: dict[str, Any] = yaml.safe_load(f) or {}
 
-    deployed: dict[str, str] = data.get("deployed", {})
+    deployed: dict[str, str | list[str]] = data.get("deployed", {})
     return deployed
 
 
-def save_state(config: Config, deployed: dict[str, str]) -> None:
+def _sorted_dict(d: dict[str, str | list[str]]) -> dict[str, str | list[str]]:
+    """Return a dictionary sorted by keys."""
+    return dict(sorted(d.items(), key=lambda item: item[0]))
+
+
+def save_state(config: Config, deployed: dict[str, str | list[str]]) -> None:
     """Save the deployment state."""
     state_path = config.get_state_path()
     with state_path.open("w") as f:
-        yaml.safe_dump({"deployed": deployed}, f, sort_keys=False)
+        yaml.safe_dump({"deployed": _sorted_dict(deployed)}, f, sort_keys=False)
+
+
+@contextlib.contextmanager
+def _modify_state(config: Config) -> Generator[dict[str, str | list[str]], None, None]:
+    """Context manager to load, modify, and save state."""
+    state = load_state(config)
+    yield state
+    save_state(config, state)
 
 
 def get_service_host(config: Config, service: str) -> str | None:
-    """Get the host where a service is currently deployed."""
+    """Get the host where a service is currently deployed.
+
+    For multi-host services, returns the first host or None.
+    """
     state = load_state(config)
-    return state.get(service)
+    value = state.get(service)
+    if value is None:
+        return None
+    if isinstance(value, list):
+        return value[0] if value else None
+    return value
 
 
 def set_service_host(config: Config, service: str, host: str) -> None:
     """Record that a service is deployed on a host."""
-    state = load_state(config)
-    state[service] = host
-    save_state(config, state)
+    with _modify_state(config) as state:
+        state[service] = host
+
+
+def set_multi_host_service(config: Config, service: str, hosts: list[str]) -> None:
+    """Record that a multi-host service is deployed on multiple hosts."""
+    with _modify_state(config) as state:
+        state[service] = hosts
 
 
 def remove_service(config: Config, service: str) -> None:
     """Remove a service from the state (after down)."""
-    state = load_state(config)
-    state.pop(service, None)
-    save_state(config, state)
+    with _modify_state(config) as state:
+        state.pop(service, None)
+
+
+def add_service_to_host(config: Config, service: str, host: str) -> None:
+    """Add a specific host to a service's state.
+
+    For multi-host services, adds the host to the list if not present.
+    For single-host services, sets the host.
+    """
+    with _modify_state(config) as state:
+        current = state.get(service)
+
+        if config.is_multi_host(service):
+            # Multi-host: add to list if not present
+            if isinstance(current, list):
+                if host not in current:
+                    state[service] = [*current, host]
+            else:
+                state[service] = [host]
+        else:
+            # Single-host: just set it
+            state[service] = host
+
+
+def remove_service_from_host(config: Config, service: str, host: str) -> None:
+    """Remove a specific host from a service's state.
+
+    For multi-host services, removes just that host from the list.
+    For single-host services, removes the service entirely if host matches.
+    """
+    with _modify_state(config) as state:
+        current = state.get(service)
+        if current is None:
+            return
+
+        if isinstance(current, list):
+            # Multi-host: remove this host from list
+            remaining = [h for h in current if h != host]
+            if remaining:
+                state[service] = remaining
+            else:
+                state.pop(service, None)
+        elif current == host:
+            # Single-host: remove if matches
+            state.pop(service, None)
+
+
+def get_services_needing_migration(config: Config) -> list[str]:
+    """Get services where current host differs from configured host.
+
+    Multi-host services are never considered for migration.
+    """
+    needs_migration = []
+    for service in config.services:
+        # Skip multi-host services
+        if config.is_multi_host(service):
+            continue
+
+        configured_host = config.get_hosts(service)[0]
+        current_host = get_service_host(config, service)
+        if current_host and current_host != configured_host:
+            needs_migration.append(service)
+    return needs_migration

src/compose_farm/traefik.py

@@ -8,32 +8,25 @@ use host-published ports for cross-host reachability.
 
 from __future__ import annotations
 
-import os
-import re
 from dataclasses import dataclass
 from typing import TYPE_CHECKING, Any
 
 import yaml
 
-from .ssh import LOCAL_ADDRESSES
+from .compose import (
+    PortMapping,
+    get_ports_for_service,
+    load_compose_services,
+    normalize_labels,
+)
+from .executor import LOCAL_ADDRESSES
 
 if TYPE_CHECKING:
-    from pathlib import Path
-
     from .config import Config
 
 
-@dataclass(frozen=True)
-class PortMapping:
-    """Port mapping for a compose service."""
-
-    target: int
-    published: int | None
-    protocol: str | None = None
-
-
 @dataclass
-class TraefikServiceSource:
+class _TraefikServiceSource:
     """Source information to build an upstream for a Traefik service."""
 
     traefik_service: str
@@ -45,129 +38,9 @@ class TraefikServiceSource:
     scheme: str | None = None
 
 
-LIST_VALUE_KEYS = {"entrypoints", "middlewares"}
-SINGLE_PART = 1
-PUBLISHED_TARGET_PARTS = 2
-HOST_PUBLISHED_PARTS = 3
-MIN_ROUTER_PARTS = 3
-MIN_SERVICE_LABEL_PARTS = 6
-_VAR_PATTERN = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-(.*?))?\}")
-
-
-def _load_env(compose_path: Path) -> dict[str, str]:
-    """Load environment variables for compose interpolation."""
-    env: dict[str, str] = {}
-    env_path = compose_path.parent / ".env"
-    if env_path.exists():
-        for line in env_path.read_text().splitlines():
-            stripped = line.strip()
-            if not stripped or stripped.startswith("#") or "=" not in stripped:
-                continue
-            key, value = stripped.split("=", 1)
-            key = key.strip()
-            value = value.strip()
-            if (value.startswith('"') and value.endswith('"')) or (
-                value.startswith("'") and value.endswith("'")
-            ):
-                value = value[1:-1]
-            env[key] = value
-    env.update({k: v for k, v in os.environ.items() if isinstance(v, str)})
-    return env
-
-
-def _interpolate(value: str, env: dict[str, str]) -> str:
-    """Perform a minimal `${VAR}`/`${VAR:-default}` interpolation."""
-
-    def replace(match: re.Match[str]) -> str:
-        var = match.group(1)
-        default = match.group(2)
-        resolved = env.get(var)
-        if resolved:
-            return resolved
-        return default or ""
-
-    return _VAR_PATTERN.sub(replace, value)
-
-
-def _normalize_labels(raw: Any, env: dict[str, str]) -> dict[str, str]:
-    if raw is None:
-        return {}
-    if isinstance(raw, dict):
-        return {
-            _interpolate(str(k), env): _interpolate(str(v), env)
-            for k, v in raw.items()
-            if k is not None
-        }
-    if isinstance(raw, list):
-        labels: dict[str, str] = {}
-        for item in raw:
-            if not isinstance(item, str) or "=" not in item:
-                continue
-            key_raw, value_raw = item.split("=", 1)
-            key = _interpolate(key_raw.strip(), env)
-            value = _interpolate(value_raw.strip(), env)
-            labels[key] = value
-        return labels
-    return {}
-
-
-def _parse_ports(raw: Any, env: dict[str, str]) -> list[PortMapping]:  # noqa: PLR0912
-    if raw is None:
-        return []
-    mappings: list[PortMapping] = []
-
-    items = raw if isinstance(raw, list) else [raw]
-
-    for item in items:
-        if isinstance(item, str):
-            interpolated = _interpolate(item, env)
-            port_spec, _, protocol = interpolated.partition("/")
-            parts = port_spec.split(":")
-            published: int | None = None
-            target: int | None = None
-
-            if len(parts) == SINGLE_PART and parts[0].isdigit():
-                target = int(parts[0])
-            elif len(parts) == PUBLISHED_TARGET_PARTS and parts[0].isdigit() and parts[1].isdigit():
-                published = int(parts[0])
-                target = int(parts[1])
-            elif len(parts) == HOST_PUBLISHED_PARTS and parts[-2].isdigit() and parts[-1].isdigit():
-                published = int(parts[-2])
-                target = int(parts[-1])
-
-            if target is not None:
-                mappings.append(
-                    PortMapping(target=target, published=published, protocol=protocol or None)
-                )
-        elif isinstance(item, dict):
-            target_raw = item.get("target")
-            if isinstance(target_raw, str):
-                target_raw = _interpolate(target_raw, env)
-            if target_raw is None:
-                continue
-            try:
-                target_val = int(str(target_raw))
-            except (TypeError, ValueError):
-                continue
-
-            published_raw = item.get("published")
-            if isinstance(published_raw, str):
-                published_raw = _interpolate(published_raw, env)
-            published_val: int | None
-            try:
-                published_val = int(str(published_raw)) if published_raw is not None else None
-            except (TypeError, ValueError):
-                published_val = None
-            protocol_val = item.get("protocol")
-            mappings.append(
-                PortMapping(
-                    target=target_val,
-                    published=published_val,
-                    protocol=str(protocol_val) if protocol_val else None,
-                )
-            )
-
-    return mappings
+_LIST_VALUE_KEYS = {"entrypoints", "middlewares"}
+_MIN_ROUTER_PARTS = 3
+_MIN_SERVICE_LABEL_PARTS = 6
 
 
 def _parse_value(key: str, raw_value: str) -> Any:
@@ -178,7 +51,7 @@ def _parse_value(key: str, raw_value: str) -> Any:
     if value.isdigit():
         return int(value)
     last_segment = key.rsplit(".", 1)[-1]
-    if last_segment in LIST_VALUE_KEYS:
+    if last_segment in _LIST_VALUE_KEYS:
         parts = [v.strip() for v in value.split(",")] if "," in value else [value]
         return [part for part in parts if part]
     return value
@@ -229,7 +102,7 @@ def _insert(root: dict[str, Any], key_path: list[str], value: Any) -> None:  # n
             current = container_list[list_index]
 
 
-def _resolve_published_port(source: TraefikServiceSource) -> tuple[int | None, str | None]:
+def _resolve_published_port(source: _TraefikServiceSource) -> tuple[int | None, str | None]:
     """Resolve host-published port for a Traefik service.
 
     Returns (published_port, warning_message).
@@ -265,23 +138,9 @@ def _resolve_published_port(source: TraefikServiceSource) -> tuple[int | None, s
     )
 
 
-def _load_stack(config: Config, stack: str) -> tuple[dict[str, Any], dict[str, str], str]:
-    compose_path = config.get_compose_path(stack)
-    if not compose_path.exists():
-        message = f"[{stack}] Compose file not found: {compose_path}"
-        raise FileNotFoundError(message)
-
-    env = _load_env(compose_path)
-    compose_data = yaml.safe_load(compose_path.read_text()) or {}
-    raw_services = compose_data.get("services", {})
-    if not isinstance(raw_services, dict):
-        return {}, env, config.get_host(stack).address
-    return raw_services, env, config.get_host(stack).address
-
-
 def _finalize_http_services(
     dynamic: dict[str, Any],
-    sources: dict[str, TraefikServiceSource],
+    sources: dict[str, _TraefikServiceSource],
     warnings: list[str],
 ) -> None:
     for traefik_service, source in sources.items():
@@ -352,7 +211,7 @@ def _process_router_label(
     if not key_without_prefix.startswith("http.routers."):
         return
     router_parts = key_without_prefix.split(".")
-    if len(router_parts) < MIN_ROUTER_PARTS:
+    if len(router_parts) < _MIN_ROUTER_PARTS:
         return
     router_name = router_parts[2]
     router_remainder = router_parts[3:]
@@ -370,12 +229,12 @@ def _process_service_label(
     host_address: str,
     ports: list[PortMapping],
     service_names: set[str],
-    sources: dict[str, TraefikServiceSource],
+    sources: dict[str, _TraefikServiceSource],
 ) -> None:
     if not key_without_prefix.startswith("http.services."):
         return
     parts = key_without_prefix.split(".")
-    if len(parts) < MIN_SERVICE_LABEL_PARTS:
+    if len(parts) < _MIN_SERVICE_LABEL_PARTS:
         return
     traefik_service = parts[2]
     service_names.add(traefik_service)
@@ -383,7 +242,7 @@ def _process_service_label(
 
     source = sources.get(traefik_service)
     if source is None:
-        source = TraefikServiceSource(
+        source = _TraefikServiceSource(
             traefik_service=traefik_service,
             stack=stack,
             compose_service=compose_service,
@@ -400,23 +259,6 @@ def _process_service_label(
         source.scheme = str(_parse_value(key_without_prefix, label_value))
 
 
-def _get_ports_for_service(
-    definition: dict[str, Any],
-    all_services: dict[str, Any],
-    env: dict[str, str],
-) -> list[PortMapping]:
-    """Get ports for a service, following network_mode: service:X if present."""
-    network_mode = definition.get("network_mode", "")
-    if isinstance(network_mode, str) and network_mode.startswith("service:"):
-        # Service uses another service's network - get ports from that service
-        ref_service = network_mode[len("service:") :]
-        if ref_service in all_services:
-            ref_def = all_services[ref_service]
-            if isinstance(ref_def, dict):
-                return _parse_ports(ref_def.get("ports"), env)
-    return _parse_ports(definition.get("ports"), env)
-
-
 def _process_service_labels(
     stack: str,
     compose_service: str,
@@ -425,17 +267,17 @@ def _process_service_labels(
     host_address: str,
     env: dict[str, str],
     dynamic: dict[str, Any],
-    sources: dict[str, TraefikServiceSource],
+    sources: dict[str, _TraefikServiceSource],
     warnings: list[str],
 ) -> None:
-    labels = _normalize_labels(definition.get("labels"), env)
+    labels = normalize_labels(definition.get("labels"), env)
     if not labels:
         return
     enable_raw = labels.get("traefik.enable")
     if enable_raw is not None and _parse_value("enable", enable_raw) is False:
         return
 
-    ports = _get_ports_for_service(definition, all_services, env)
+    ports = get_ports_for_service(definition, all_services, env)
     routers: dict[str, bool] = {}
     service_names: set[str] = set()
 
@@ -470,29 +312,40 @@ def _process_service_labels(
 def generate_traefik_config(
     config: Config,
     services: list[str],
+    *,
+    check_all: bool = False,
 ) -> tuple[dict[str, Any], list[str]]:
     """Generate Traefik dynamic config from compose labels.
 
+    Args:
+        config: The compose-farm config.
+        services: List of service names to process.
+        check_all: If True, check all services for warnings (ignore host filtering).
+                   Used by the check command to validate all traefik labels.
+
     Returns (config_dict, warnings).
+
     """
     dynamic: dict[str, Any] = {}
     warnings: list[str] = []
-    sources: dict[str, TraefikServiceSource] = {}
+    sources: dict[str, _TraefikServiceSource] = {}
 
     # Determine Traefik's host from service assignment
     traefik_host = None
-    if config.traefik_service:
+    if config.traefik_service and not check_all:
         traefik_host = config.services.get(config.traefik_service)
 
     for stack in services:
-        raw_services, env, host_address = _load_stack(config, stack)
+        raw_services, env, host_address = load_compose_services(config, stack)
         stack_host = config.services.get(stack)
 
         # Skip services on Traefik's host - docker provider handles them directly
-        if host_address.lower() in LOCAL_ADDRESSES:
-            continue
-        if traefik_host and stack_host == traefik_host:
-            continue
+        # (unless check_all is True, for validation purposes)
+        if not check_all:
+            if host_address.lower() in LOCAL_ADDRESSES:
+                continue
+            if traefik_host and stack_host == traefik_host:
+                continue
 
         for compose_service, definition in raw_services.items():
             if not isinstance(definition, dict):
@@ -511,3 +364,22 @@ def generate_traefik_config(
 
     _finalize_http_services(dynamic, sources, warnings)
     return dynamic, warnings
+
+
+_TRAEFIK_CONFIG_HEADER = """\
+# Auto-generated by compose-farm
+# https://github.com/basnijholt/compose-farm
+#
+# This file routes traffic to services running on hosts other than Traefik's host.
+# Services on Traefik's host use the Docker provider directly.
+#
+# Regenerate with: compose-farm traefik-file --all -o <this-file>
+# Or configure traefik_file in compose-farm.yaml for automatic updates.
+
+"""
+
+
+def render_traefik_config(dynamic: dict[str, Any]) -> str:
+    """Render Traefik dynamic config as YAML with a header comment."""
+    body = yaml.safe_dump(dynamic, sort_keys=False)
+    return _TRAEFIK_CONFIG_HEADER + body

tests/test_cli_logs.py

@@ -0,0 +1,207 @@
+"""Tests for CLI logs command."""
+
+from collections.abc import Coroutine
+from pathlib import Path
+from typing import Any
+from unittest.mock import patch
+
+import pytest
+import typer
+
+from compose_farm.cli import logs
+from compose_farm.config import Config, Host
+from compose_farm.executor import CommandResult
+
+
+def _make_config(tmp_path: Path) -> Config:
+    """Create a minimal config for testing."""
+    compose_dir = tmp_path / "compose"
+    compose_dir.mkdir()
+    for svc in ("svc1", "svc2", "svc3"):
+        svc_dir = compose_dir / svc
+        svc_dir.mkdir()
+        (svc_dir / "docker-compose.yml").write_text("services: {}\n")
+
+    return Config(
+        compose_dir=compose_dir,
+        hosts={"local": Host(address="localhost"), "remote": Host(address="192.168.1.10")},
+        services={"svc1": "local", "svc2": "local", "svc3": "remote"},
+    )
+
+
+def _make_result(service: str) -> CommandResult:
+    """Create a successful command result."""
+    return CommandResult(service=service, exit_code=0, success=True, stdout="", stderr="")
+
+
+def _mock_run_async_factory(
+    services: list[str],
+) -> tuple[Any, list[CommandResult]]:
+    """Create a mock _run_async that returns results for given services."""
+    results = [_make_result(s) for s in services]
+
+    def mock_run_async(_coro: Coroutine[Any, Any, Any]) -> list[CommandResult]:
+        return results
+
+    return mock_run_async, results
+
+
+class TestLogsContextualDefault:
+    """Tests for logs --tail contextual default behavior."""
+
+    def test_logs_all_services_defaults_to_20(self, tmp_path: Path) -> None:
+        """When --all is specified, default tail should be 20."""
+        cfg = _make_config(tmp_path)
+        mock_run_async, _ = _mock_run_async_factory(["svc1", "svc2", "svc3"])
+
+        with (
+            patch("compose_farm.cli._load_config_or_exit", return_value=cfg),
+            patch("compose_farm.cli._run_async", side_effect=mock_run_async),
+            patch("compose_farm.cli.run_on_services") as mock_run,
+        ):
+            mock_run.return_value = None
+
+            logs(services=None, all_services=True, host=None, follow=False, tail=None, config=None)
+
+            mock_run.assert_called_once()
+            call_args = mock_run.call_args
+            assert call_args[0][2] == "logs --tail 20"
+
+    def test_logs_single_service_defaults_to_100(self, tmp_path: Path) -> None:
+        """When specific services are specified, default tail should be 100."""
+        cfg = _make_config(tmp_path)
+        mock_run_async, _ = _mock_run_async_factory(["svc1"])
+
+        with (
+            patch("compose_farm.cli._load_config_or_exit", return_value=cfg),
+            patch("compose_farm.cli._run_async", side_effect=mock_run_async),
+            patch("compose_farm.cli.run_on_services") as mock_run,
+        ):
+            logs(
+                services=["svc1"],
+                all_services=False,
+                host=None,
+                follow=False,
+                tail=None,
+                config=None,
+            )
+
+            mock_run.assert_called_once()
+            call_args = mock_run.call_args
+            assert call_args[0][2] == "logs --tail 100"
+
+    def test_logs_explicit_tail_overrides_default(self, tmp_path: Path) -> None:
+        """When --tail is explicitly provided, it should override the default."""
+        cfg = _make_config(tmp_path)
+        mock_run_async, _ = _mock_run_async_factory(["svc1", "svc2", "svc3"])
+
+        with (
+            patch("compose_farm.cli._load_config_or_exit", return_value=cfg),
+            patch("compose_farm.cli._run_async", side_effect=mock_run_async),
+            patch("compose_farm.cli.run_on_services") as mock_run,
+        ):
+            logs(
+                services=None,
+                all_services=True,
+                host=None,
+                follow=False,
+                tail=50,
+                config=None,
+            )
+
+            mock_run.assert_called_once()
+            call_args = mock_run.call_args
+            assert call_args[0][2] == "logs --tail 50"
+
+    def test_logs_follow_appends_flag(self, tmp_path: Path) -> None:
+        """When --follow is specified, -f should be appended to command."""
+        cfg = _make_config(tmp_path)
+        mock_run_async, _ = _mock_run_async_factory(["svc1"])
+
+        with (
+            patch("compose_farm.cli._load_config_or_exit", return_value=cfg),
+            patch("compose_farm.cli._run_async", side_effect=mock_run_async),
+            patch("compose_farm.cli.run_on_services") as mock_run,
+        ):
+            logs(
+                services=["svc1"],
+                all_services=False,
+                host=None,
+                follow=True,
+                tail=None,
+                config=None,
+            )
+
+            mock_run.assert_called_once()
+            call_args = mock_run.call_args
+            assert call_args[0][2] == "logs --tail 100 -f"
+
+
+class TestLogsHostFilter:
+    """Tests for logs --host filter behavior."""
+
+    def test_logs_host_filter_selects_services_on_host(self, tmp_path: Path) -> None:
+        """When --host is specified, only services on that host are included."""
+        cfg = _make_config(tmp_path)
+        mock_run_async, _ = _mock_run_async_factory(["svc1", "svc2"])
+
+        with (
+            patch("compose_farm.cli._load_config_or_exit", return_value=cfg),
+            patch("compose_farm.cli._run_async", side_effect=mock_run_async),
+            patch("compose_farm.cli.run_on_services") as mock_run,
+        ):
+            logs(
+                services=None,
+                all_services=False,
+                host="local",
+                follow=False,
+                tail=None,
+                config=None,
+            )
+
+            mock_run.assert_called_once()
+            call_args = mock_run.call_args
+            # svc1 and svc2 are on "local", svc3 is on "remote"
+            assert set(call_args[0][1]) == {"svc1", "svc2"}
+
+    def test_logs_host_filter_defaults_to_20_lines(self, tmp_path: Path) -> None:
+        """When --host is specified, default tail should be 20 (multiple services)."""
+        cfg = _make_config(tmp_path)
+        mock_run_async, _ = _mock_run_async_factory(["svc1", "svc2"])
+
+        with (
+            patch("compose_farm.cli._load_config_or_exit", return_value=cfg),
+            patch("compose_farm.cli._run_async", side_effect=mock_run_async),
+            patch("compose_farm.cli.run_on_services") as mock_run,
+        ):
+            logs(
+                services=None,
+                all_services=False,
+                host="local",
+                follow=False,
+                tail=None,
+                config=None,
+            )
+
+            mock_run.assert_called_once()
+            call_args = mock_run.call_args
+            assert call_args[0][2] == "logs --tail 20"
+
+    def test_logs_all_and_host_mutually_exclusive(self, tmp_path: Path) -> None:
+        """Using --all and --host together should error."""
+        cfg = _make_config(tmp_path)
+
+        with (
+            patch("compose_farm.cli._load_config_or_exit", return_value=cfg),
+            pytest.raises(typer.Exit) as exc_info,
+        ):
+            logs(
+                services=None,
+                all_services=True,
+                host="local",
+                follow=False,
+                tail=None,
+                config=None,
+            )
+
+        assert exc_info.value.exit_code == 1

tests/test_executor.py

@@ -0,0 +1,241 @@
+"""Tests for executor module."""
+
+import sys
+from pathlib import Path
+
+import pytest
+
+from compose_farm.config import Config, Host
+from compose_farm.executor import (
+    CommandResult,
+    _run_local_command,
+    check_networks_exist,
+    check_paths_exist,
+    is_local,
+    run_command,
+    run_compose,
+    run_on_services,
+)
+
+# These tests run actual shell commands that only work on Linux
+linux_only = pytest.mark.skipif(sys.platform != "linux", reason="Linux-only shell commands")
+
+
+class TestIsLocal:
+    """Tests for is_local function."""
+
+    @pytest.mark.parametrize(
+        "address",
+        ["local", "localhost", "127.0.0.1", "::1", "LOCAL", "LOCALHOST"],
+    )
+    def test_local_addresses(self, address: str) -> None:
+        host = Host(address=address)
+        assert is_local(host) is True
+
+    @pytest.mark.parametrize(
+        "address",
+        ["192.168.1.10", "nas01.local", "10.0.0.1", "example.com"],
+    )
+    def test_remote_addresses(self, address: str) -> None:
+        host = Host(address=address)
+        assert is_local(host) is False
+
+
+class TestRunLocalCommand:
+    """Tests for local command execution."""
+
+    async def test_run_local_command_success(self) -> None:
+        result = await _run_local_command("echo hello", "test-service")
+        assert result.success is True
+        assert result.exit_code == 0
+        assert result.service == "test-service"
+
+    async def test_run_local_command_failure(self) -> None:
+        result = await _run_local_command("exit 1", "test-service")
+        assert result.success is False
+        assert result.exit_code == 1
+
+    async def test_run_local_command_not_found(self) -> None:
+        result = await _run_local_command("nonexistent_command_xyz", "test-service")
+        assert result.success is False
+        assert result.exit_code != 0
+
+    async def test_run_local_command_captures_output(self) -> None:
+        result = await _run_local_command("echo hello", "test-service", stream=False)
+        assert "hello" in result.stdout
+
+
+class TestRunCommand:
+    """Tests for run_command dispatcher."""
+
+    async def test_run_command_local(self) -> None:
+        host = Host(address="localhost")
+        result = await run_command(host, "echo test", "test-service")
+        assert result.success is True
+
+    async def test_run_command_result_structure(self) -> None:
+        host = Host(address="local")
+        result = await run_command(host, "true", "my-service")
+        assert isinstance(result, CommandResult)
+        assert result.service == "my-service"
+        assert result.exit_code == 0
+        assert result.success is True
+
+
+class TestRunCompose:
+    """Tests for compose command execution."""
+
+    async def test_run_compose_builds_correct_command(self, tmp_path: Path) -> None:
+        # Create a minimal compose file
+        compose_dir = tmp_path / "compose"
+        service_dir = compose_dir / "test-service"
+        service_dir.mkdir(parents=True)
+        compose_file = service_dir / "docker-compose.yml"
+        compose_file.write_text("services: {}")
+
+        config = Config(
+            compose_dir=compose_dir,
+            hosts={"local": Host(address="localhost")},
+            services={"test-service": "local"},
+        )
+
+        # This will fail because docker compose isn't running,
+        # but we can verify the command structure works
+        result = await run_compose(config, "test-service", "config", stream=False)
+        # Command may fail due to no docker, but structure is correct
+        assert result.service == "test-service"
+
+
+class TestRunOnServices:
+    """Tests for parallel service execution."""
+
+    async def test_run_on_services_parallel(self) -> None:
+        config = Config(
+            compose_dir=Path("/tmp"),
+            hosts={"local": Host(address="localhost")},
+            services={"svc1": "local", "svc2": "local"},
+        )
+
+        # Use a simple command that will work without docker
+        # We'll test the parallelism structure
+        results = await run_on_services(config, ["svc1", "svc2"], "version", stream=False)
+        assert len(results) == 2
+        assert results[0].service == "svc1"
+        assert results[1].service == "svc2"
+
+
+@linux_only
+class TestCheckPathsExist:
+    """Tests for check_paths_exist function (uses 'test -e' shell command)."""
+
+    async def test_check_existing_paths(self, tmp_path: Path) -> None:
+        """Check paths that exist."""
+        config = Config(
+            compose_dir=tmp_path,
+            hosts={"local": Host(address="localhost")},
+            services={},
+        )
+        # Create test paths
+        (tmp_path / "dir1").mkdir()
+        (tmp_path / "file1").touch()
+
+        result = await check_paths_exist(
+            config, "local", [str(tmp_path / "dir1"), str(tmp_path / "file1")]
+        )
+
+        assert result[str(tmp_path / "dir1")] is True
+        assert result[str(tmp_path / "file1")] is True
+
+    async def test_check_missing_paths(self, tmp_path: Path) -> None:
+        """Check paths that don't exist."""
+        config = Config(
+            compose_dir=tmp_path,
+            hosts={"local": Host(address="localhost")},
+            services={},
+        )
+
+        result = await check_paths_exist(
+            config, "local", [str(tmp_path / "missing1"), str(tmp_path / "missing2")]
+        )
+
+        assert result[str(tmp_path / "missing1")] is False
+        assert result[str(tmp_path / "missing2")] is False
+
+    async def test_check_mixed_paths(self, tmp_path: Path) -> None:
+        """Check mix of existing and missing paths."""
+        config = Config(
+            compose_dir=tmp_path,
+            hosts={"local": Host(address="localhost")},
+            services={},
+        )
+        (tmp_path / "exists").mkdir()
+
+        result = await check_paths_exist(
+            config, "local", [str(tmp_path / "exists"), str(tmp_path / "missing")]
+        )
+
+        assert result[str(tmp_path / "exists")] is True
+        assert result[str(tmp_path / "missing")] is False
+
+    async def test_check_empty_paths(self, tmp_path: Path) -> None:
+        """Empty path list returns empty dict."""
+        config = Config(
+            compose_dir=tmp_path,
+            hosts={"local": Host(address="localhost")},
+            services={},
+        )
+
+        result = await check_paths_exist(config, "local", [])
+        assert result == {}
+
+
+@linux_only
+class TestCheckNetworksExist:
+    """Tests for check_networks_exist function (requires Docker)."""
+
+    async def test_check_bridge_network_exists(self, tmp_path: Path) -> None:
+        """The 'bridge' network always exists on Docker hosts."""
+        config = Config(
+            compose_dir=tmp_path,
+            hosts={"local": Host(address="localhost")},
+            services={},
+        )
+
+        result = await check_networks_exist(config, "local", ["bridge"])
+        assert result["bridge"] is True
+
+    async def test_check_nonexistent_network(self, tmp_path: Path) -> None:
+        """Check a network that doesn't exist."""
+        config = Config(
+            compose_dir=tmp_path,
+            hosts={"local": Host(address="localhost")},
+            services={},
+        )
+
+        result = await check_networks_exist(config, "local", ["nonexistent_network_xyz_123"])
+        assert result["nonexistent_network_xyz_123"] is False
+
+    async def test_check_mixed_networks(self, tmp_path: Path) -> None:
+        """Check mix of existing and non-existing networks."""
+        config = Config(
+            compose_dir=tmp_path,
+            hosts={"local": Host(address="localhost")},
+            services={},
+        )
+
+        result = await check_networks_exist(
+            config, "local", ["bridge", "nonexistent_network_xyz_123"]
+        )
+        assert result["bridge"] is True
+        assert result["nonexistent_network_xyz_123"] is False
+
+    async def test_check_empty_networks(self, tmp_path: Path) -> None:
+        """Empty network list returns empty dict."""
+        config = Config(
+            compose_dir=tmp_path,
+            hosts={"local": Host(address="localhost")},
+            services={},
+        )
+
+        result = await check_networks_exist(config, "local", [])
+        assert result == {}

tests/test_logs.py

@@ -8,8 +8,15 @@ from pathlib import Path
 import pytest
 
 from compose_farm.config import Config, Host
-from compose_farm.logs import _parse_images_output, snapshot_services
-from compose_farm.ssh import CommandResult
+from compose_farm.executor import CommandResult
+from compose_farm.logs import (
+    _parse_images_output,
+    collect_service_entries,
+    isoformat,
+    load_existing_entries,
+    merge_entries,
+    write_toml,
+)
 
 
 def test_parse_images_output_handles_list_and_lines() -> None:
@@ -55,26 +62,29 @@ async def test_snapshot_preserves_first_seen(tmp_path: Path) -> None:
 
     log_path = tmp_path / "dockerfarm-log.toml"
 
+    # First snapshot
     first_time = datetime(2025, 1, 1, tzinfo=UTC)
-    await snapshot_services(
-        config,
-        ["svc"],
-        log_path=log_path,
-        now=first_time,
-        run_compose_fn=fake_run_compose,
+    first_entries = await collect_service_entries(
+        config, "svc", now=first_time, run_compose_fn=fake_run_compose
     )
+    first_iso = isoformat(first_time)
+    merged = merge_entries([], first_entries, now_iso=first_iso)
+    meta = {"generated_at": first_iso, "compose_dir": str(config.compose_dir)}
+    write_toml(log_path, meta=meta, entries=merged)
 
     after_first = tomllib.loads(log_path.read_text())
     first_seen = after_first["entries"][0]["first_seen"]
 
+    # Second snapshot
     second_time = datetime(2025, 2, 1, tzinfo=UTC)
-    await snapshot_services(
-        config,
-        ["svc"],
-        log_path=log_path,
-        now=second_time,
-        run_compose_fn=fake_run_compose,
+    second_entries = await collect_service_entries(
+        config, "svc", now=second_time, run_compose_fn=fake_run_compose
     )
+    second_iso = isoformat(second_time)
+    existing = load_existing_entries(log_path)
+    merged = merge_entries(existing, second_entries, now_iso=second_iso)
+    meta = {"generated_at": second_iso, "compose_dir": str(config.compose_dir)}
+    write_toml(log_path, meta=meta, entries=merged)
 
     after_second = tomllib.loads(log_path.read_text())
     entry = after_second["entries"][0]

tests/test_ssh.py

@@ -1,118 +0,0 @@
-"""Tests for ssh module."""
-
-from pathlib import Path
-
-import pytest
-
-from compose_farm.config import Config, Host
-from compose_farm.ssh import (
-    CommandResult,
-    _is_local,
-    _run_local_command,
-    run_command,
-    run_compose,
-    run_on_services,
-)
-
-
-class TestIsLocal:
-    """Tests for _is_local function."""
-
-    @pytest.mark.parametrize(
-        "address",
-        ["local", "localhost", "127.0.0.1", "::1", "LOCAL", "LOCALHOST"],
-    )
-    def test_local_addresses(self, address: str) -> None:
-        host = Host(address=address)
-        assert _is_local(host) is True
-
-    @pytest.mark.parametrize(
-        "address",
-        ["192.168.1.10", "nas01.local", "10.0.0.1", "example.com"],
-    )
-    def test_remote_addresses(self, address: str) -> None:
-        host = Host(address=address)
-        assert _is_local(host) is False
-
-
-class TestRunLocalCommand:
-    """Tests for local command execution."""
-
-    async def test_run_local_command_success(self) -> None:
-        result = await _run_local_command("echo hello", "test-service")
-        assert result.success is True
-        assert result.exit_code == 0
-        assert result.service == "test-service"
-
-    async def test_run_local_command_failure(self) -> None:
-        result = await _run_local_command("exit 1", "test-service")
-        assert result.success is False
-        assert result.exit_code == 1
-
-    async def test_run_local_command_not_found(self) -> None:
-        result = await _run_local_command("nonexistent_command_xyz", "test-service")
-        assert result.success is False
-        assert result.exit_code != 0
-
-    async def test_run_local_command_captures_output(self) -> None:
-        result = await _run_local_command("echo hello", "test-service", stream=False)
-        assert "hello" in result.stdout
-
-
-class TestRunCommand:
-    """Tests for run_command dispatcher."""
-
-    async def test_run_command_local(self) -> None:
-        host = Host(address="localhost")
-        result = await run_command(host, "echo test", "test-service")
-        assert result.success is True
-
-    async def test_run_command_result_structure(self) -> None:
-        host = Host(address="local")
-        result = await run_command(host, "true", "my-service")
-        assert isinstance(result, CommandResult)
-        assert result.service == "my-service"
-        assert result.exit_code == 0
-        assert result.success is True
-
-
-class TestRunCompose:
-    """Tests for compose command execution."""
-
-    async def test_run_compose_builds_correct_command(self, tmp_path: Path) -> None:
-        # Create a minimal compose file
-        compose_dir = tmp_path / "compose"
-        service_dir = compose_dir / "test-service"
-        service_dir.mkdir(parents=True)
-        compose_file = service_dir / "docker-compose.yml"
-        compose_file.write_text("services: {}")
-
-        config = Config(
-            compose_dir=compose_dir,
-            hosts={"local": Host(address="localhost")},
-            services={"test-service": "local"},
-        )
-
-        # This will fail because docker compose isn't running,
-        # but we can verify the command structure works
-        result = await run_compose(config, "test-service", "config", stream=False)
-        # Command may fail due to no docker, but structure is correct
-        assert result.service == "test-service"
-
-
-class TestRunOnServices:
-    """Tests for parallel service execution."""
-
-    async def test_run_on_services_parallel(self) -> None:
-        config = Config(
-            compose_dir=Path("/tmp"),
-            hosts={"local": Host(address="localhost")},
-            services={"svc1": "local", "svc2": "local"},
-        )
-
-        # Use a simple command that will work without docker
-        # We'll test the parallelism structure
-        results = await run_on_services(config, ["svc1", "svc2"], "version", stream=False)
-        assert len(results) == 2
-        assert results[0].service == "svc1"
-        assert results[1].service == "svc2"

tests/test_sync.py

@@ -1,16 +1,15 @@
 """Tests for sync command and related functions."""
 
 from pathlib import Path
-from typing import Any
 from unittest.mock import AsyncMock, patch
 
 import pytest
 
 from compose_farm import cli as cli_module
-from compose_farm import ssh as ssh_module
+from compose_farm import executor as executor_module
 from compose_farm import state as state_module
 from compose_farm.config import Config, Host
-from compose_farm.ssh import CommandResult, check_service_running
+from compose_farm.executor import CommandResult, check_service_running
 
 
 @pytest.fixture
@@ -58,7 +57,7 @@ class TestCheckServiceRunning:
     @pytest.mark.asyncio
     async def test_service_running(self, mock_config: Config) -> None:
         """Returns True when service has running containers."""
-        with patch.object(ssh_module, "run_command", new_callable=AsyncMock) as mock_run:
+        with patch.object(executor_module, "run_command", new_callable=AsyncMock) as mock_run:
             mock_run.return_value = CommandResult(
                 service="plex",
                 exit_code=0,
@@ -71,7 +70,7 @@ class TestCheckServiceRunning:
     @pytest.mark.asyncio
     async def test_service_not_running(self, mock_config: Config) -> None:
         """Returns False when service has no running containers."""
-        with patch.object(ssh_module, "run_command", new_callable=AsyncMock) as mock_run:
+        with patch.object(executor_module, "run_command", new_callable=AsyncMock) as mock_run:
             mock_run.return_value = CommandResult(
                 service="plex",
                 exit_code=0,
@@ -84,7 +83,7 @@ class TestCheckServiceRunning:
     @pytest.mark.asyncio
     async def test_command_failed(self, mock_config: Config) -> None:
         """Returns False when command fails."""
-        with patch.object(ssh_module, "run_command", new_callable=AsyncMock) as mock_run:
+        with patch.object(executor_module, "run_command", new_callable=AsyncMock) as mock_run:
             mock_run.return_value = CommandResult(
                 service="plex",
                 exit_code=1,
@@ -94,42 +93,6 @@ class TestCheckServiceRunning:
             assert result is False
 
 
-class TestDiscoverRunningServices:
-    """Tests for _discover_running_services function."""
-
-    @pytest.mark.asyncio
-    async def test_discovers_on_assigned_host(self, mock_config: Config) -> None:
-        """Discovers service running on its assigned host."""
-        with patch.object(
-            cli_module, "check_service_running", new_callable=AsyncMock
-        ) as mock_check:
-            # plex running on nas01, jellyfin not running, sonarr on nas02
-            async def check_side_effect(_cfg: Any, service: str, host: str) -> bool:
-                return (service == "plex" and host == "nas01") or (
-                    service == "sonarr" and host == "nas02"
-                )
-
-            mock_check.side_effect = check_side_effect
-
-            result = await cli_module._discover_running_services(mock_config)
-            assert result == {"plex": "nas01", "sonarr": "nas02"}
-
-    @pytest.mark.asyncio
-    async def test_discovers_on_different_host(self, mock_config: Config) -> None:
-        """Discovers service running on non-assigned host (after migration)."""
-        with patch.object(
-            cli_module, "check_service_running", new_callable=AsyncMock
-        ) as mock_check:
-            # plex migrated to nas02
-            async def check_side_effect(_cfg: Any, service: str, host: str) -> bool:
-                return service == "plex" and host == "nas02"
-
-            mock_check.side_effect = check_side_effect
-
-            result = await cli_module._discover_running_services(mock_config)
-            assert result == {"plex": "nas02"}
-
-
 class TestReportSyncChanges:
     """Tests for _report_sync_changes function."""
 

tests/test_traefik.py

@@ -4,6 +4,7 @@ from pathlib import Path
 
 import yaml
 
+from compose_farm.compose import parse_external_networks
 from compose_farm.config import Config, Host
 from compose_farm.traefik import generate_traefik_config
 
@@ -241,3 +242,97 @@ def test_generate_follows_network_mode_service_for_ports(tmp_path: Path) -> None
     assert torrent_servers == [{"url": "http://192.168.1.10:5080"}]
     prowlarr_servers = dynamic["http"]["services"]["prowlarr"]["loadbalancer"]["servers"]
     assert prowlarr_servers == [{"url": "http://192.168.1.10:9696"}]
+
+
+def test_parse_external_networks_single(tmp_path: Path) -> None:
+    """Extract a single external network from compose file."""
+    cfg = Config(
+        compose_dir=tmp_path,
+        hosts={"host1": Host(address="192.168.1.10")},
+        services={"app": "host1"},
+    )
+    compose_path = tmp_path / "app" / "compose.yaml"
+    _write_compose(
+        compose_path,
+        {
+            "services": {"app": {"image": "nginx"}},
+            "networks": {"mynetwork": {"external": True}},
+        },
+    )
+
+    networks = parse_external_networks(cfg, "app")
+    assert networks == ["mynetwork"]
+
+
+def test_parse_external_networks_multiple(tmp_path: Path) -> None:
+    """Extract multiple external networks from compose file."""
+    cfg = Config(
+        compose_dir=tmp_path,
+        hosts={"host1": Host(address="192.168.1.10")},
+        services={"app": "host1"},
+    )
+    compose_path = tmp_path / "app" / "compose.yaml"
+    _write_compose(
+        compose_path,
+        {
+            "services": {"app": {"image": "nginx"}},
+            "networks": {
+                "frontend": {"external": True},
+                "backend": {"external": True},
+                "internal": {"driver": "bridge"},  # not external
+            },
+        },
+    )
+
+    networks = parse_external_networks(cfg, "app")
+    assert set(networks) == {"frontend", "backend"}
+
+
+def test_parse_external_networks_none(tmp_path: Path) -> None:
+    """No external networks returns empty list."""
+    cfg = Config(
+        compose_dir=tmp_path,
+        hosts={"host1": Host(address="192.168.1.10")},
+        services={"app": "host1"},
+    )
+    compose_path = tmp_path / "app" / "compose.yaml"
+    _write_compose(
+        compose_path,
+        {
+            "services": {"app": {"image": "nginx"}},
+            "networks": {"internal": {"driver": "bridge"}},
+        },
+    )
+
+    networks = parse_external_networks(cfg, "app")
+    assert networks == []
+
+
+def test_parse_external_networks_no_networks_section(tmp_path: Path) -> None:
+    """No networks section returns empty list."""
+    cfg = Config(
+        compose_dir=tmp_path,
+        hosts={"host1": Host(address="192.168.1.10")},
+        services={"app": "host1"},
+    )
+    compose_path = tmp_path / "app" / "compose.yaml"
+    _write_compose(
+        compose_path,
+        {"services": {"app": {"image": "nginx"}}},
+    )
+
+    networks = parse_external_networks(cfg, "app")
+    assert networks == []
+
+
+def test_parse_external_networks_missing_compose(tmp_path: Path) -> None:
+    """Missing compose file returns empty list."""
+    cfg = Config(
+        compose_dir=tmp_path,
+        hosts={"host1": Host(address="192.168.1.10")},
+        services={"app": "host1"},
+    )
+    # Don't create compose file
+
+    networks = parse_external_networks(cfg, "app")
+    assert networks == []