Adding everything in Ansible in full.

.cache_ggshield

@@ -0,0 +1 @@
+{"last_found_secrets": [{"name": "Generic Password - /home/charish/app-configs/searxng_settings.yml.j2", "match": "6e0d657eb1f0fbc40cf0b8f3c3873ef627cc9cb7c4108d1c07d979c04bc8a4bb"}]}

ansible/app-configs/cloudflared_config.yml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 tunnel: 52bdee6e-8ccb-47be-ba9e-f8010b905e41
 credentials-file: /etc/cloudflared/52bdee6e-8ccb-47be-ba9e-f8010b905e41.json

ansible/app-configs/grafana_beyla.yml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 routes:
   patterns:

ansible/app-configs/grafana_mimir.yaml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 multitenancy_enabled: false
 no_auth_tenant: rinoa_mimir

ansible/app-configs/grafana_pyroscope_config.yaml.j2

@@ -1,14 +1,11 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
-
 storage:
   backend: s3
   s3:
     bucket_name: pyroscope
     endpoint: minio:9000
     region: us-east-fh-pln
-    access_key_id: "{{ lookup('community.hashi_vault.hashi_vault', secrets_path + '/access_key_id', url=vault_addr) }}"
-    secret_access_key: "{{ lookup('community.hashi_vault.hashi_vault', secrets_path + '/secret_access_key', url=vault_addr) }}"
+    access_key_id: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
+    secret_access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
     insecure: true
 
 analytics:

ansible/app-configs/grafana_tempo_config.yml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 target: all
 http_api_prefix: ""

ansible/app-configs/homepage_bookmarks.yaml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 
 ---

ansible/app-configs/homepage_docker.yaml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 
 ---

ansible/app-configs/homepage_kubernetes.yaml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 
 ---

ansible/app-configs/homepage_services.yaml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 ---
 # For configuration options and examples, please see:

ansible/app-configs/homepage_widgets.yaml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 ---
 # For configuration options and examples, please see:
@@ -15,9 +15,9 @@
 - resources:
     label: Storage
     expanded: true
-    disk: 
+    disk:
         - /
-        - /rinoa-storage 
+        - /rinoa-storage
 
 - search:
     provider: custom
@@ -30,4 +30,4 @@
     longitude: -73.85
     units: imperial
     provider: openweathermap
-    cache: 10                                         
+    cache: 10

ansible/app-configs/hugo_frontmatter.json.j2

@@ -1,87 +0,0 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
-
-{
-  "$schema": "https://frontmatter.codes/frontmatter.schema.json",
-  "frontMatter.framework.id": "hugo",
-  "frontMatter.content.pageFolders": [
-    {
-      "title": "content",
-      "path": "[[workspace]]/it-services/content"
-    }
-  ],
-  "frontMatter.content.publicFolder": "static",
-  "frontMatter.preview.host": "http://192.168.1.254:1313",
-  "frontMatter.website.host": "https://it-services.trez.wtf",
-  "frontMatter.taxonomy.contentTypes": [
-    {
-      "name": "default",
-      "pageBundle": false,
-      "fields": [
-        {
-          "title": "Title",
-          "name": "title",
-          "type": "string"
-        },
-        {
-          "title": "Description",
-          "name": "description",
-          "type": "string"
-        },
-        {
-          "title": "Publishing date",
-          "name": "date",
-          "type": "datetime",
-          "default": "{{now}}",
-          "isPublishDate": true
-        },
-        {
-          "title": "Content preview",
-          "name": "preview",
-          "type": "image"
-        },
-        {
-          "title": "Is in draft",
-          "name": "draft",
-          "type": "boolean"
-        },
-        {
-          "title": "Tags",
-          "name": "tags",
-          "type": "tags"
-        },
-        {
-          "title": "Categories",
-          "name": "categories",
-          "type": "categories"
-        },
-        {
-          "title": "layout",
-          "name": "layout",
-          "type": "string"
-        }
-      ]
-    },
-    {
-      "name": "plain",
-      "pageBundle": true,
-      "fields": [
-        {
-          "title": "title",
-          "name": "title",
-          "type": "string"
-        },
-        {
-          "title": "draft",
-          "name": "draft",
-          "type": "draft"
-        },
-        {
-          "title": "layout",
-          "name": "layout",
-          "type": "string"
-        }
-      ]
-    }
-  ]
-}

ansible/app-configs/plausible_clickhouse-config.xml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 <clickhouse>
     <profiles>

ansible/app-configs/radarec_settings_config.json.j2

@@ -1,11 +1,11 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 {
     "radarr_address": "http://radarr:7878",
-    "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='RADARR_API_KEY') }}",
+    "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}",
     "root_folder_path": "/data/media/movies",
-    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='TMDB_API_KEY') }}",
+    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
     "fallback_to_top_result": false,
     "radarr_api_timeout": 120.0,
     "quality_profile_id": 1,

ansible/app-configs/sabnzbd.ini.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 __version__ = 19
 __encoding__ = utf-8
@@ -22,7 +22,7 @@ host = 0.0.0.0
 port = 8080
 https_port = 8090
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='SABNZBDVPN_PASSWORD') }}
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_PASSWORD'] }}
 bandwidth_max = 1000M
 cache_limit = 1G
 web_dir = Glitter
@@ -33,7 +33,7 @@ https_chain = ""
 enable_https = 1
 inet_exposure = 0
 local_ranges = ,
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='SABNZBDVPN_API_KEY') }}
+api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_API_KEY'] }}
 nzb_key = 3c0fa874bb2748b58c1bd7512e649946
 permissions = 775
 download_dir = /storage/downloads/incomplete
@@ -342,7 +342,7 @@ host = news.newshosting.com
 port = 563
 timeout = 60
 username = thetrezuredone
-password = "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='SLSKD_PASSWORD') }}"
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_PASSWORD'] }}
 connections = 8
 ssl = 1
 ssl_verify = 3
@@ -363,7 +363,7 @@ host = news.easynews.com
 port = 443
 timeout = 60
 username = TrezOne
-password = "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='SABNZBDVPN_EASYNEWS_PASSWORD') }}"
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
 connections = 60
 ssl = 0
 ssl_verify = 3

ansible/app-configs/scrutiny_config.yaml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 bolt-path: /opt/scrutiny/influxdb/influxd.bolt
 engine-path: /opt/scrutiny/influxdb/engine

ansible/app-configs/searxng_settings.yml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 general:
   # Debug mode, only for development. Is overwritten by ${SEARXNG_DEBUG}
@@ -82,7 +82,7 @@ server:
   # If your instance owns a /etc/searxng/settings.yml file, then set the following
   # values there.
 
-  secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='SEARXNG_SECRET_KEY') }}"  # Is overwritten by ${SEARXNG_SECRET}
+  secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SEARXNG_SECRET_KEY'] }}  # Is overwritten by ${SEARXNG_SECRET}
   # Proxying image results through searx
   image_proxy: true
   # 1.0 and 1.1 are supported
@@ -1278,7 +1278,7 @@ engines:
     url: https://thepiratebay.org/
     timeout: 3.0
 
-  # Required dependency: psychopg2
+  {# # Required dependency: psychopg2
   #  - name: postgresql
   #    engine: postgresql
   #    database: postgres
@@ -1286,7 +1286,7 @@ engines:
   #    password: postgres
   #    limit: 10
   #    query_str: 'SELECT * from my_table WHERE my_column = %(query)s'
-  #    shortcut : psql
+  #    shortcut : psql #}
 
   - name: pub.dev
     engine: xpath
@@ -1362,7 +1362,7 @@ engines:
     categories: [videos, web]
     network: qwant
 
-  # - name: library
+  {# # - name: library
   #   engine: recoll
   #   shortcut: lib
   #   base_url: 'https://recoll.example.org/'
@@ -1382,7 +1382,7 @@ engines:
   #   shortcut: libr
   #   timeout: 30.0
   #   categories: files
-  #   disabled: true
+  #   disabled: true #}
 
   - name: radio browser
     engine: radio_browser
@@ -1393,7 +1393,7 @@ engines:
     shortcut: re
     page_size: 25
 
-  # Required dependency: redis
+  {# # Required dependency: redis
   # - name: myredis
   #   shortcut : rds
   #   engine: redis_server
@@ -1408,7 +1408,7 @@ engines:
   #  - name: scanr structures
   #    shortcut: scs
   #    engine: scanr_structures
-  #    disabled: true
+  #    disabled: true #}
 
   - name: sepiasearch
     engine: sepiasearch
@@ -1451,20 +1451,20 @@ engines:
     shortcut: frl
     disabled: true
 
-  # - name: searx
+  {# # - name: searx
   #   engine: searx_engine
   #   shortcut: se
   #   instance_urls :
   #       - http://127.0.0.1:8888/
   #       - ...
-  #   disabled: true
+  #   disabled: true #}
 
   - name: semantic scholar
     engine: semantic_scholar
     disabled: true
     shortcut: se
 
-  # Spotify needs API credentials
+  {# # Spotify needs API credentials
   # - name: spotify
   #   engine: spotify
   #   shortcut: stf
@@ -1488,7 +1488,7 @@ engines:
   #   # working API key, for test & debug: "a69685087d07eca9f13db62f65b8f601"
   #   api_key: 'unset'
   #   shortcut: springer
-  #   timeout: 15.0
+  #   timeout: 15.0 #}
 
   - name: startpage
     engine: startpage
@@ -2151,84 +2151,84 @@ engines:
       use_official_api: false
       require_api_key: false
       results: HTML
+{# 
+Doku engine lets you access to any Doku wiki instance:
+A public one or a privete/corporate one.
+ - name: ubuntuwiki
+   engine: doku
+   shortcut: uw
+   base_url: 'https://doc.ubuntu-fr.org'
 
-# Doku engine lets you access to any Doku wiki instance:
-# A public one or a privete/corporate one.
-#  - name: ubuntuwiki
-#    engine: doku
-#    shortcut: uw
-#    base_url: 'https://doc.ubuntu-fr.org'
+Be careful when enabling this engine if you are
+running a public instance. Do not expose any sensitive
+information. You can restrict access by configuring a list
+of access tokens under tokens.
+ - name: git grep
+   engine: command
+   command: ['git', 'grep', '{{QUERY}}']
+   shortcut: gg
+   tokens: []
+   disabled: true
+   delimiter:
+       chars: ':'
+       keys: ['filepath', 'code']
 
-# Be careful when enabling this engine if you are
-# running a public instance. Do not expose any sensitive
-# information. You can restrict access by configuring a list
-# of access tokens under tokens.
-#  - name: git grep
-#    engine: command
-#    command: ['git', 'grep', '{{QUERY}}']
-#    shortcut: gg
-#    tokens: []
-#    disabled: true
-#    delimiter:
-#        chars: ':'
-#        keys: ['filepath', 'code']
+Be careful when enabling this engine if you are
+running a public instance. Do not expose any sensitive
+information. You can restrict access by configuring a list
+of access tokens under tokens.
+ - name: locate
+   engine: command
+   command: ['locate', '{{QUERY}}']
+   shortcut: loc
+   tokens: []
+   disabled: true
+   delimiter:
+       chars: ' '
+       keys: ['line']
 
-# Be careful when enabling this engine if you are
-# running a public instance. Do not expose any sensitive
-# information. You can restrict access by configuring a list
-# of access tokens under tokens.
-#  - name: locate
-#    engine: command
-#    command: ['locate', '{{QUERY}}']
-#    shortcut: loc
-#    tokens: []
-#    disabled: true
-#    delimiter:
-#        chars: ' '
-#        keys: ['line']
+Be careful when enabling this engine if you are
+running a public instance. Do not expose any sensitive
+information. You can restrict access by configuring a list
+of access tokens under tokens.
+ - name: find
+   engine: command
+   command: ['find', '.', '-name', '{{QUERY}}']
+   query_type: path
+   shortcut: fnd
+   tokens: []
+   disabled: true
+   delimiter:
+       chars: ' '
+       keys: ['line']
 
-# Be careful when enabling this engine if you are
-# running a public instance. Do not expose any sensitive
-# information. You can restrict access by configuring a list
-# of access tokens under tokens.
-#  - name: find
-#    engine: command
-#    command: ['find', '.', '-name', '{{QUERY}}']
-#    query_type: path
-#    shortcut: fnd
-#    tokens: []
-#    disabled: true
-#    delimiter:
-#        chars: ' '
-#        keys: ['line']
+Be careful when enabling this engine if you are
+running a public instance. Do not expose any sensitive
+information. You can restrict access by configuring a list
+of access tokens under tokens.
+ - name: pattern search in files
+   engine: command
+   command: ['fgrep', '{{QUERY}}']
+   shortcut: fgr
+   tokens: []
+   disabled: true
+   delimiter:
+       chars: ' '
+       keys: ['line']
 
-# Be careful when enabling this engine if you are
-# running a public instance. Do not expose any sensitive
-# information. You can restrict access by configuring a list
-# of access tokens under tokens.
-#  - name: pattern search in files
-#    engine: command
-#    command: ['fgrep', '{{QUERY}}']
-#    shortcut: fgr
-#    tokens: []
-#    disabled: true
-#    delimiter:
-#        chars: ' '
-#        keys: ['line']
-
-# Be careful when enabling this engine if you are
-# running a public instance. Do not expose any sensitive
-# information. You can restrict access by configuring a list
-# of access tokens under tokens.
-#  - name: regex search in files
-#    engine: command
-#    command: ['grep', '{{QUERY}}']
-#    shortcut: gr
-#    tokens: []
-#    disabled: true
-#    delimiter:
-#        chars: ' '
-#        keys: ['line']
+Be careful when enabling this engine if you are
+running a public instance. Do not expose any sensitive
+information. You can restrict access by configuring a list
+of access tokens under tokens.
+ - name: regex search in files
+   engine: command
+   command: ['grep', '{{QUERY}}']
+   shortcut: gr
+   tokens: []
+   disabled: true
+   delimiter:
+       chars: ' '
+       keys: ['line'] #}
 
 doi_resolvers:
   oadoi.org: 'https://oadoi.org/'

ansible/app-configs/searxng_uwsgi.ini.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 [uwsgi]
 # Who will run the code

ansible/app-configs/sonashow_settings_config.json.j2

@@ -1,12 +1,12 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 {
     "sonarr_address": "http://192.168.1.2:8989",
-    "sonarr_api_key": "",
+    "sonarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}",
     "root_folder_path": "/data/media/shows",
     "tvdb_api_key": "",
-    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='TMDB_API_KEY') }}",
+    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
     "fallback_to_top_result": false,
     "sonarr_api_timeout": 120.0,
     "quality_profile_id": 1,

ansible/app-configs/soulseek_slskd.yml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 # debug: false
 # remote_configuration: false

ansible/app-configs/traccar_traccar.xml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 <?xml version='1.0' encoding='UTF-8'?>
 
@@ -24,6 +24,6 @@
     <entry key='database.driver'>org.postgresql.Driver</entry>
     <entry key='database.url'>jdbc:postgresql://traccar-pg:5432/traccar-db</entry>
     <entry key='database.user'>traccar</entry>
-    <entry key='database.password'>"{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='WAZUH_API_PASSWORD') }}"</entry>
+    <entry key='database.password'>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}</entry>
 
 </properties>

ansible/app-configs/unmanic_settings.json.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 {
     "always_keep_failed_tasks": true,

ansible/app-configs/wazuh_certs.yml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 nodes:
   # Wazuh indexer server nodes

ansible/app-configs/wazuh_wazuh.indexer.yml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 network.host: "0.0.0.0"
 node.name: "wazuh.indexer"

ansible/app-configs/wazuh_wazuh.yml.j2

@@ -1,10 +1,10 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 hosts:
   - 1513629884013:
       url: "https://wazuh.manager"
       port: 55000
       username: wazuh-wui
-      password: "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='WAZUH_API_PASSWORD') }}"
+      password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}
       run_as: false

ansible/app-configs/youtubedl_config.yml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 ydl_server:   # youtube-dl-server specific settings
   port: 8080      # Port youtube-dl-server should listen on

ansible/app-configs/zitadel_config.yaml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 # All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
 Log:
@@ -37,7 +37,7 @@ SMTPConfiguration:
     SMTP:
       # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
       Host: 'postal-smtp:25'
-      User: "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='POSTAL_SMTP_AUTH_USER') }}"
-      Password: "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='POSTAL_SMTP_AUTH_PASSWORD') }}"
+      User: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
+      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
     From: 'noreply@trez.wtf'
     FromName: 'Zitadel @ Rinoa'

ansible/app-configs/zitadel_init-steps.yaml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 # All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/setup/steps.yaml
 FirstInstance:
@@ -8,6 +8,6 @@ FirstInstance:
       # use the loginname root@my-org.my.domain
       Username: 'root'
       Password: 'RootPassword1!'
-      Email: 
+      Email:
         Address: 'charish.patel@trez.wtf'
         Verified: true

ansible/app-configs/zitadel_secrets.yaml.j2

@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 
 # If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
 Database:
@@ -7,7 +7,7 @@ Database:
     User:
       # If the user doesn't exist already, it is created
       Username: 'zitadel'
-      Password: "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='ZITADEL_DB_PASSWORD') }}"
+      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_PASSWORD'] }}
     Admin:
       Username: 'root'
-      Password: "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='ZITADEL_DB_ADMIN_PASSWORD') }}"
+      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_ADMIN_PASSWORD'] }}

ansible/docker_config_deploy.yml

@@ -1,34 +1,20 @@
 ---
 - name: Deploy config templates and trigger GitHub workflow
-  hosts: rinoa
+  hosts: all
   vars:
-    appdata_base_path: "/home/charish/.docker/config/appdata"
+    appdata_base_path: "~/.docker/config/appdata"
+
   tasks:
     - name: Ensure target directories exist
       ansible.builtin.file:
-        path: "{{ appdata_base_path }}/{{ item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') | regex_replace('/[^/]+$', '') }}"
+        path: "{{ appdata_base_path }}/{{ (item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') | regex_replace('/[^/]+$', '')) }}"
         state: directory
         mode: '0755'
-      loop: "{{ lookup('fileglob', 'app-configs/*.j2') }}"
+      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
 
     - name: Deploy configuration templates
       ansible.builtin.template:
         src: "{{ item }}"
         dest: "{{ appdata_base_path }}/{{ item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') }}"
         mode: '0644'
-      loop: "{{ lookup('fileglob', 'app-configs/*.j2') }}"
-
-    # - name: Trigger GitHub workflow
-    #   uri:
-    #     url: "https://api.github.com/repos/<owner>/<repo>/actions/workflows/<workflow_id>/dispatches"
-    #     method: POST
-    #     headers:
-    #       Authorization: "Bearer {{ github_token }}"
-    #       Accept: "application/vnd.github.v3+json"
-    #     body:
-    #       ref: "main"
-    #     body_format: json
-    #   vars:
-    #     github_token: "YOUR_GITHUB_PERSONAL_ACCESS_TOKEN"
-    #     # Replace <owner>, <repo>, and <workflow_id> with actual values
-    #   delegate_to: localhost
+      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"

ansible/secrets.yml

@@ -1,7 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-38346631616139316365316566386362396661323163306339303635646331373061323531626431
-3435373031363739356261656239633835393963636663370a613166653463656337666366633639
-37373637326633363430633336646165343764303063663636313835326130663532323037663331
-6332353339656134370a353435396532663932313535646636333262353238386331313764633635
-63383065623930653134666261353439366535646661383434386261393232373432353937636535
-3432336137393737643735346665303832653630316439333565