refactor(settings): audit env/ports/volumes across all apps (#2090)

`apps/*/settings.yaml` exposed many env vars that aren't end-user knobs
(toolchain/locale plumbing, build metadata, hard-coded internal paths)
while missing common ones users actually want. Also surveyed each app
for ports and persistence worth surfacing.

### Removed (not end-user-facing)
- Toolchain/runtime: `PATH`, `HOME`, `LANG*`, `JAVA_HOME`, `XDG_*`,
`PYTHON*`, `NODE_ENV/OPTIONS`, `PIP_*`, `UV_*`, `S6_STAGE2_HOOK`,
`DEBIAN_FRONTEND`, `MAKEFLAGS`, `MALLOC_*`,
`QTWEBENGINE_CHROMIUM_FLAGS`, `PUPPETEER_SKIP_DOWNLOAD`, …
- Build/release metadata: `*_PACKAGE_AUTHOR`, `*_PACKAGE_VERSION`,
`*_VERSION`, `RELEASE_URL`, `WORKDIR`, devcontainer `*Version` pins
- Hard-coded internal paths: `*_HOME=/config`,
`DUPLICATI__SERVER_DATAFOLDER`, `KOPIA_*_DIR/PATH`, `DISKOVERDIR`,
`PLEX_MEDIA_SERVER_*`, `THELOUNGE_HOME`, `TRANSMISSION_WEB_HOME`,
`MYSQL_DIR`, `PGDATA`, `ESPHOME_*_DIR`, …
- arr-stack: `DOTNET_EnableDiagnostics`, `COMPlus_EnableDiagnostics`,
`*__UPDATE__BRANCH`, `*__SERVER__PORT`
- Duplicate-of-port vars: `BAZARR__PORT`, `NZBGET__PORT`,
`WEBHOOK__PORT`, `SABNZBD__PORT`, `VALKEY_PORT`, `WEBUI_PORTS`,
`KOPIA_WEB_PORT`, `DUPLICATI__WEBSERVICE_PORT`, raneto `PORT`,
`TAUTULLI_PORT`, `AUTOSCAN_PORT`
- Broken yaml fragments left in originals (ubuntu
`detection`/`dotnet`/`in`, plex `Support"`, python `https://...`,
minisatip `-type`)

Dockerfile `ENV` lines are untouched, so runtime behaviour is unchanged
— these vars are simply no longer advertised in the rendered
docker-compose.

### Added
- `TZ=Etc/UTC` on every time-aware app (skipped pure
base/library/sysadmin images: golang, java*, python, node, ubuntu,
scratch, mongosh, kubectl, *-client, valkey-tools, yq, go-yq,
shellcheck, qemu-static, irqbalance, cni-plugins, lvm-disk-watcher,
mergerfs, socket-proxy, kube-sa-proxy, k8s-sidecar, smartctl-exporter,
fail2ban, devcontainer)
- `UMASK=002` on apps that write user files (arr-stack, downloaders,
media servers, sync/backup, kometa, mylar3, …)
- Per-app end-user knobs cross-checked against TrueCharts,
`truenas/apps`, and the upstream URL in each `docker-bake.hcl`.
Highlights:
- **gluetun**: `OPENVPN_USER/PASSWORD`,
`WIREGUARD_PRIVATE_KEY/ADDRESSES`, `SERVER_REGIONS/COUNTRIES`,
`FIREWALL_OUTBOUND_SUBNETS`, `HTTPPROXY`, `SHADOWSOCKS`, `DOT`,
`LOG_LEVEL`
- **tailscale**: `TS_AUTHKEY`, `TS_HOSTNAME`, `TS_ROUTES`,
`TS_EXTRA_ARGS`, `TS_ACCEPT_DNS`, `TS_USERSPACE`
- **plex**: `PLEX_CLAIM`, `ADVERTISE_IP`, `ALLOWED_NETWORKS` +
DLNA/discovery UDP ports
  - **jellyfin/emby**: `*PublishedServerUrl` + 1900/7359 UDP discovery
  - **qbittorrent / transmission / deluge**: BT peer ports, web-UI knobs
  - **postgresql/mariadb/valkey**: admin user/password/db
- **netbox/healthchecks/snipe-it/monica/wikijs/speedtest-tracker**:
`SECRET_KEY`/`APP_KEY`/`DB_*`/admin bootstrap
- **openssh-server**: `USER_NAME`, `PUBLIC_KEY`, `SUDO_ACCESS`,
`PASSWORD_ACCESS`
  - **duckdns/cloudflareddns/ddclient**: provider creds
  - **foldingathome**: `USER`/`TEAM`/`PASSKEY` + viewer port
- **hedgedoc / kometa / esphome / ngircd / znc / smokeping / netbootxyz
/ freshrss / apprise-api / nextcloud-imaginary / k8s-sidecar /
actions-runner / changedetection / pwndrop / nzbget / pyload-ng / cops /
diskover / adguardhome-sync / overseerr/jellyseerr/seerr / caddy / nginx
/ webhook / wud / watchtower / socket-proxy**: see diff

### Persistence
Reviewed every Dockerfile's `VOLUME` declaration; all are already
represented in `settings.yaml` (`/config` plus pre-existing per-app
extras: duplicacy `/cache`+`/logs`, duplicati `/backups`+`/source`,
kometa `/app`, resilio-sync `/sync`, sealskin `/storage`, smokeping
`/data`, tailscale `/var/lib/tailscale`). No additions needed; nothing
derived from external chart repos.

### Validation
All 158 `settings.yaml` files validate against the published
`container-settings.schema.json`. No `Dockerfile` or `docker-bake.hcl`
changes.

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Crow-Control <7613738+Crow-Control@users.noreply.github.com>

Author: Copilot

apps/actions-runner/settings.yaml

@@ -4,32 +4,23 @@ upstream_env_url: "https://github.com/actions/runner"
 ports:
   []
 env:
-  - name: ACTIONS_RUNNER_CONTAINER_HOOKS
-    default: "/home/runner/k8s/index.js"
+  - name: RUNNER_LABELS
+    default: ""
     required: false
-  - name: ACTIONS_RUNNER_PRINT_LOG_TO_STDOUT
-    default: "1"
+  - name: RUNNER_NAME
+    default: ""
     required: false
-  - name: GOPATH
-    default: "/tmp/go"
+  - name: RUNNER_REPOSITORY_URL
+    default: ""
     required: false
-  - name: HOMEBREW_NO_ANALYTICS
-    default: "1"
+  - name: RUNNER_TOKEN
+    default: ""
     required: false
-  - name: HOMEBREW_NO_ENV_HINTS
-    default: "1"
+  - name: RUNNER_WORKDIR
+    default: "/tmp/runner/work"
     required: false
-  - name: HOMEBREW_NO_INSTALL_CLEANUP
-    default: "1"
-    required: false
-  - name: ImageOS
-    default: "ubuntu22"
-    required: false
-  - name: RUNNER_ALLOW_RUNASROOT
-    default: "1"
-    required: false
-  - name: RUNNER_MANUALLY_TRAP_SIG
-    default: "1"
+  - name: TZ
+    default: "Etc/UTC"
     required: false
 volumes:
   - path: /config

apps/adguardhome-sync/settings.yaml

@@ -6,8 +6,11 @@ ports:
     protocol: tcp
     required: false
 env:
-  - name: HOME
-    default: "/config"
+  - name: LOG_LEVEL
+    default: "info"
+    required: false
+  - name: TZ
+    default: "Etc/UTC"
     required: false
 volumes:
   - path: /config

apps/airsonic-advanced/settings.yaml

@@ -5,15 +5,15 @@ ports:
   - port: 4040
     protocol: tcp
     required: false
-env:
-  - name: AIRSONIC_ADVANCED_HOME
-    default: "/app"
+  - port: 4041
+    protocol: tcp
     required: false
-  - name: AIRSONIC_ADVANCED_SETTINGS
-    default: "/config"
+env:
+  - name: TZ
+    default: "Etc/UTC"
     required: false
-  - name: LANG
-    default: "C.UTF-8"
+  - name: UMASK
+    default: "002"
     required: false
 volumes:
   - path: /config

apps/apprise-api/settings.yaml

@@ -6,14 +6,20 @@ ports:
     protocol: tcp
     required: false
 env:
-  - name: APPRISE_ATTACH_DIR
-    default: "/attachments"
-    required: false
   - name: APPRISE_ATTACH_SIZE
     default: "0"
     required: false
-  - name: APPRISE_CONFIG_DIR
-    default: "/config"
+  - name: APPRISE_DEFAULT_THEME
+    default: "default"
+    required: false
+  - name: APPRISE_STATEFUL_MODE
+    default: "simple"
+    required: false
+  - name: LOG_LEVEL
+    default: "INFO"
+    required: false
+  - name: TZ
+    default: "Etc/UTC"
     required: false
 volumes:
   - path: /config

apps/autoscan/settings.yaml

@@ -6,11 +6,11 @@ ports:
     protocol: tcp
     required: false
 env:
-  - name: IMAGE_STATS
-    default: "${IMAGE_STATS}"
+  - name: TZ
+    default: "Etc/UTC"
     required: false
-  - name: WEBUI_PORTS
-    default: "3030/tcp,3030/udp"
+  - name: UMASK
+    default: "002"
     required: false
 volumes:
   - path: /config

apps/babybuddy/settings.yaml

@@ -6,8 +6,8 @@ ports:
     protocol: tcp
     required: false
 env:
-  - name: S6_STAGE2_HOOK
-    default: "/init-hook"
+  - name: TZ
+    default: "Etc/UTC"
     required: false
 volumes:
   - path: /config

apps/balfolk-ics/settings.yaml

@@ -6,7 +6,9 @@ ports:
     protocol: tcp
     required: false
 env:
-  []
+  - name: TZ
+    default: "Etc/UTC"
+    required: false
 volumes:
   - path: /config
     required: true

apps/bazarr/settings.yaml

@@ -6,17 +6,11 @@ ports:
     protocol: tcp
     required: false
 env:
-  - name: BAZARR_PACKAGE_AUTHOR
-    default: "${VENDOR}"
+  - name: TZ
+    default: "Etc/UTC"
     required: false
-  - name: BAZARR_PACKAGE_VERSION
-    default: "${VERSION}"
-    required: false
-  - name: BAZARR_VERSION
-    default: "${VERSION}"
-    required: false
-  - name: BAZARR__PORT
-    default: "6767"
+  - name: UMASK
+    default: "002"
     required: false
 volumes:
   - path: /config

apps/budge/settings.yaml

@@ -6,11 +6,8 @@ ports:
     protocol: tcp
     required: false
 env:
-  - name: BUDGE_DATABASE
-    default: "/config/budge.db"
-    required: false
-  - name: S6_STAGE2_HOOK
-    default: "/init-hook"
+  - name: TZ
+    default: "Etc/UTC"
     required: false
 volumes:
   - path: /config

apps/caddy/settings.yaml

@@ -9,7 +9,12 @@ ports:
     protocol: tcp
     required: false
 env:
-  []
+  - name: CADDY_INGRESS_NETWORKS
+    default: ""
+    required: false
+  - name: TZ
+    default: "Etc/UTC"
+    required: false
 volumes:
   - path: /config
     required: true