Trez/rinoa-docker
4
0
Fork 0
Code Issues 1 Pull Requests 9 Actions Activity

Removing Ansible-related items (migrated all Ansible to separate repo).

Browse Source
This commit is contained in:
Trez.One
2025-08-31 22:20:59 -04:00
parent d664969987
commit 9a0a498d42
74 changed files with 1 additions and 10047 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/pr-ansible-config-deployment.yml
-226
View File
@@ -1,226 +0,0 @@
name: Gitea Branch PR & Ansible Deployment
on:
workflow_dispatch:
push:
branches-ignore:
- 'main'
paths:
- '**.j2'
- '**/pr-ansible-config-deployment.yaml'
- 'ansible/**.yml'
jobs:
check-and-create-pr:
if: github.ref != 'refs/heads/main'
name: Check and Create PR
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v5
with:
fetch-depth: 1
- name: Cache tea CLI
id: cache-tea
uses: actions/cache@v4
with:
path: /opt/hostedtoolcache/tea/0.9.2/x64
key: tea-${{ runner.os }}-0.9.2
- name: Install tea
uses: supplypike/setup-bin@v4
with:
uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
name: 'tea'
version: '0.9.2'
- name: Gotify Notification
uses: eikendev/gotify-action@master
with:
gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
notification_title: 'GITEA: PR Check'
notification_message: 'Checking for existing PR... 🔍'
- name: Check if open PR exists
id: check-opened-pr-step
continue-on-error: true
run: |
tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep '\[ANSIBLE\].*${{ github.ref_name }}' | tail -1 | wc -l)
echo "exists=$pr_exists" >> $GITHUB_OUTPUT
- name: Create PR
if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
run: |
tea login default gitea-rinoa
pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
pr_index_new=$(expr ${pr_index_old} + 1)
tea pr c -r ${{ github.repository }} -t "[ANSIBLE] Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Ansible Configs.j2"
- name: Gotify Notification
uses: eikendev/gotify-action@master
with:
gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
notification_title: 'GITEA: PR Check'
notification_message: 'PR Created 🎟️'
ansible-dry-run:
name: Ansible Dry Run
needs: [check-and-create-pr]
runs-on: ubuntu-latest
env:
VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
VAULT_NAMESPACE: ""
steps:
- name: Checkout
uses: actions/checkout@v5
- name: Cache Ansible Galaxy Collections
uses: actions/cache@v3
with:
path: ansible/collections
key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
restore-keys: |
${{ runner.os }}-ansible-
- name: Install Ansible
uses: alex-oleshkevich/setup-ansible@v1.0.1
with:
version: "11.4.0"
- name: Install Vault
uses: cpanato/vault-installer@main
- name: Install hvac
run: |
pip install hvac
- name: Gotify Notification
uses: eikendev/gotify-action@master
with:
gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
notification_message: 'Starting Ansible dry run...'
- name: Ansible Playbook Dry Run
uses: dawidd6/action-ansible-playbook@v3
with:
directory: ansible/
playbook: docker_config_deploy.yml
key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
requirements: collections/requirements.yml
options: |
--check
--inventory inventory/hosts.yml
- name: Gotify Notification
uses: eikendev/gotify-action@master
with:
gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
notification_title: 'GITEA: Ansible Dry Run @ Rinoa'
notification_message: 'Ansible dry run completed successfully.'
pr-merge:
name: PR Merge
needs: [ansible-dry-run]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v5
- name: Install tea
uses: supplypike/setup-bin@v4
with:
uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
name: 'tea'
version: '0.9.2'
- name: PR Merge
id: pr_merge
run: |
tea login add --name gitea-rinoa --url ${{ secrets.RINOA_GITEA_URL }} --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
tea login default gitea-rinoa
echo "Merging PR..."
pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ github.ref_name }} | awk -F"," '{print $1}' | sed -e 's|"||g')
tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR ${pr_index} - ${{ github.ref_name }}" --message "Merged by ${{ github.actor }}" ${pr_index}
echo "pr_index=${pr_index}" >> $GITHUB_OUTPUT
- name: Gotify Notification
uses: eikendev/gotify-action@master
with:
gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
notification_title: 'GITEA: PR Merge Successful'
notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
ansible-config-deploy:
name: Ansible Config Deployment
runs-on: ubuntu-latest
needs: [pr-merge]
env:
VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
DOCKER_HOST: tcp://dockerproxy:2375
steps:
- name: Checkout
uses: actions/checkout@v5
with:
ref: main
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: 3.12
- name: Cache Vault install
id: cache-vault
uses: actions/cache@v4
with:
path: /opt/hostedtoolcache/vault/1.18.0/x64
key: vault-${{ runner.os }}-1.18.0
- name: Install Ansible
uses: alex-oleshkevich/setup-ansible@v1.0.1
with:
version: "11.4.0"
- name: Install Vault
uses: cpanato/vault-installer@main
- name: Install hvac
run: |
pip install hvac
- name: Gotify Notification
uses: eikendev/gotify-action@master
with:
gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
notification_message: 'Starting config deployment with Ansible...'
- name: Ansible Playbook Config Deploy
uses: dawidd6/action-ansible-playbook@v3
with:
directory: ansible/
playbook: docker_config_deploy.yml
key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
requirements: collections/requirements.yml
options: |
--inventory inventory/hosts.yml
- name: Gotify Notification
uses: eikendev/gotify-action@master
with:
gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
notification_message: 'Deployment completed successfully.'
.gitignore
-2
View File
@@ -1,4 +1,2 @@
**/.cache_ggshield
ansible/collections/ansible_collections/
**/.env
**/netbird_openid-configuration.json.j2
ansible/.gitignore
-167
View File
@@ -1,167 +0,0 @@
.logs/*
*.retry
*.vault
# https://raw.githubusercontent.com/github/gitignore/main/Python.gitignore
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
.cache_ggshield
# Ansible Vault Password Files
*.pass
# C extensions
*.so
# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
share/python-wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.nox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
*.py,cover
.hypothesis/
.pytest_cache/
cover/
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
db.sqlite3
db.sqlite3-journal
# Flask stuff:
instance/
.webassets-cache
# Scrapy stuff:
.scrapy
# Sphinx documentation
docs/_build/
# PyBuilder
.pybuilder/
target/
# Jupyter Notebook
.ipynb_checkpoints
# IPython
profile_default/
ipython_config.py
# pyenv
# For a library or package, you might want to ignore these files since the code is
# intended to run in multiple environments; otherwise, check them in:
# .python-version
# pipenv
# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
# However, in case of collaboration, if having platform-specific dependencies or dependencies
# having no cross-platform support, pipenv may install dependencies that don't work, or not
# install all needed dependencies.
#Pipfile.lock
# poetry
# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
# This is especially recommended for binary packages to ensure reproducibility, and is more
# commonly ignored for libraries.
# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
#poetry.lock
# pdm
# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
#pdm.lock
# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
# in version control.
# https://pdm.fming.dev/#use-with-ide
.pdm.toml
# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
__pypackages__/
# Celery stuff
celerybeat-schedule
celerybeat.pid
# SageMath parsed files
*.sage.py
# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/
# Spyder project settings
.spyderproject
.spyproject
# Rope project settings
.ropeproject
# mkdocs documentation
/site
# mypy
.mypy_cache/
.dmypy.json
dmypy.json
# Pyre type checker
.pyre/
# pytype static type analyzer
.pytype/
# Cython debug symbols
cython_debug/
# PyCharm
# JetBrains specific template is maintained in a separate JetBrains.gitignore that can
# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
# and can be added to the global gitignore or merged into this file. For a more nuclear
# option (not recommended) you can uncomment the following to ignore the entire idea folder.
#.idea/
ansible/ansible.cfg
-25
View File
@@ -1,25 +0,0 @@
[defaults]
# Specify the inventory file
inventory = inventory/hosts.yml
collections_path = ./collections
# Set the logging verbosity level
verbosity = 2
# Set the default user for SSH connections
remote_user = charish
# Define the default become method
become_method = sudo
host_key_checking = false
[persistent_connection]
# Controls how long the persistent connection will remain idle before it is destroyed
connect_timeout=30
# Controls the amount of time to wait for response from remote device before timing out persistent connection
command_timeout=30
[hashi_vault_collection]
auth_method = token
ansible/app-configs/adguardhome/AdGuardHome.yaml.j2
-199
View File
@@ -1,199 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
http:
pprof:
port: 6060
enabled: false
address: 0.0.0.0:8008
session_ttl: 720h
users:
- name: admin
password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ADGUARD_BCRYPT'] }}
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
bind_hosts:
- 0.0.0.0
port: 53
anonymize_client_ip: false
ratelimit: 20
ratelimit_subnet_len_ipv4: 24
ratelimit_subnet_len_ipv6: 56
ratelimit_whitelist: []
refuse_any: true
upstream_dns:
- 94.140.14.14
- 94.140.15.15
- https://dns.adguard-dns.com/dns-query
- tls://dns.adguard-dns.com
- quic://dns.adguard-dns.com
- 1.1.1.1
- 1.0.0.1
- 1.1.1.2
- 1.0.0.2
- 185.228.168.9
- 185.228.169.9
- 76.76.2.3
- tls://getdnsapi.net
- 185.49.141.37
- tls://dot.seby.io
upstream_dns_file: ""
bootstrap_dns:
- 9.9.9.10
- 149.112.112.10
- 2620:fe::10
- 2620:fe::fe:10
fallback_dns: []
upstream_mode: load_balance
fastest_timeout: 1s
allowed_clients: []
disallowed_clients: []
blocked_hosts:
- version.bind
- id.server
- hostname.bind
trusted_proxies:
- 127.0.0.0/8
- ::1/128
cache_size: 4194304
cache_ttl_min: 0
cache_ttl_max: 0
cache_optimistic: false
bogus_nxdomain: []
aaaa_disabled: false
enable_dnssec: false
edns_client_subnet:
custom_ip: ""
enabled: false
use_custom: false
max_goroutines: 300
handle_ddr: true
ipset: []
ipset_file: ""
bootstrap_prefer_ipv6: false
upstream_timeout: 10s
private_networks: []
use_private_ptr_resolvers: false
local_ptr_upstreams: []
use_dns64: false
dns64_prefixes: []
serve_http3: false
use_http3_upstreams: false
serve_plain_dns: true
hostsfile_enabled: true
pending_requests:
enabled: true
tls:
enabled: true
server_name: ""
force_https: false
port_https: 446
port_dns_over_tls: 853
port_dns_over_quic: 853
port_dnscrypt: 0
dnscrypt_config_file: ""
allow_unencrypted_doh: false
certificate_chain: ""
private_key: ""
certificate_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
private_key_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
strict_sni_check: false
querylog:
dir_path: ""
ignored: []
interval: 2160h
size_memory: 1000
enabled: true
file_enabled: true
statistics:
dir_path: ""
ignored: []
interval: 24h
enabled: true
filters:
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
name: AdGuard DNS filter
id: 1
- enabled: false
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
name: AdAway Default Blocklist
id: 2
whitelist_filters: []
user_rules: []
dhcp:
enabled: false
interface_name: ""
local_domain_name: lan
dhcpv4:
gateway_ip: 192.168.1.1
subnet_mask: 255.255.255.0
range_start: 192.168.1.2
range_end: 192.168.1.240
lease_duration: 86400
icmp_timeout_msec: 1000
options: []
dhcpv6:
range_start: ""
lease_duration: 86400
ra_slaac_only: false
ra_allow_slaac: false
filtering:
blocking_ipv4: ""
blocking_ipv6: ""
blocked_services:
schedule:
time_zone: America/New_York
ids: []
protection_disabled_until: null
safe_search:
enabled: false
bing: true
duckduckgo: true
ecosia: true
google: true
pixabay: true
yandex: true
youtube: true
blocking_mode: default
parental_block_host: family-block.dns.adguard.com
safebrowsing_block_host: standard-block.dns.adguard.com
rewrites: []
safe_fs_patterns:
- /opt/adguardhome/work/userfilters/*
safebrowsing_cache_size: 1048576
safesearch_cache_size: 1048576
parental_cache_size: 1048576
cache_time: 30
filters_update_interval: 24
blocked_response_ttl: 10
filtering_enabled: true
parental_enabled: false
safebrowsing_enabled: false
protection_enabled: true
clients:
runtime_sources:
whois: true
arp: true
rdns: true
dhcp: true
hosts: true
persistent: []
log:
enabled: true
file: ""
max_backups: 0
max_size: 100
max_age: 3
compress: false
local_time: false
verbose: false
os:
group: ""
user: ""
rlimit_nofile: 0
schema_version: 29
ansible/app-configs/apprise/conf/apprise.yml.j2
-7
View File
@@ -1,7 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
urls:
- gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
- hassio://192.168.1.252/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
- mailto://postal-smtp:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@postal-smtp:25?from=noreply@trez.wtf
ansible/app-configs/argus/config.yml.j2
-337
View File
@@ -1,337 +0,0 @@
settings:
log:
level: INFO
timestamps: true
data:
database_file: data/argus.db
web:
listen_host: 0.0.0.0
listen_port: 8080
route_prefix: /
basic_auth:
username: 'admin'
password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ARGUS_WEB_PASSWORD'] }}"
disabled_routes: []
favicon:
png: ''
svg: ''
notify:
rinoa-gotify:
type: gotify
url_fields:
Host: gotify
Token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ARGUS_WEB_PASSWORD'] }}
params:
Title: Argus @ Rinoa
service:
AdguardTeam/AdGuardHome:
latest_version:
type: github
url: AdguardTeam/AdGuardHome
url_commands:
- type: regex
regex: v([0-9.]+)$
deployed_version:
url: "https://adguard.trez.wtf/control/status"
basic_auth:
username: admin
password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ADGUARD_PASSWORD'] }}
json: version
regex: v([0-9.]+)
dashboard:
web_url: "https://github.com/AdguardTeam/AdGuardHome/releases/v{% raw %}{{ version }}{% endraw %}"
icon: "https://avatars.githubusercontent.com/u/8361145?s=200&v=4"
advplyr/audiobookshelf:
latest_version:
type: github
url: advplyr/audiobookshelf
url_commands:
- type: regex
regex: v([0-9.]+)$
deployed_version:
method: GET
url: "https://abs.trez.wtf/status"
json: serverVersion
dashboard:
icon: "https://raw.githubusercontent.com/advplyr/audiobookshelf/master/client/static/icon.svg"
web_url: "https://github.com/advplyr/audiobookshelf/releases/tag/v{% raw %}{{ version }}{% endraw %}"
dani-garcia/vaultwarden:
latest_version:
type: github
url: dani-garcia/vaultwarden
deployed_version:
url: "https://bitwarden.trez.wtf/api/version"
regex: ([0-9.]+)
dashboard:
web_url: "https://github.com/dani-garcia/vaultwarden/releases/{% raw %}{{ version }}{% endraw %}"
icon: "https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/src/static/images/vaultwarden-icon.png"
ellite/Wallos:
latest_version:
type: github
url: ellite/Wallos
deployed_version:
method: GET
url: http://wallos.com/api/status/version.php?api_key=xxx
json: version_number
dashboard:
icon: "https://github.com/ellite/Wallos/raw/main/images/siteicons/wallos.png"
web_url: "https://github.com/ellite/Wallos/releases"
FlareSolverr/FlareSolverr:
latest_version:
type: github
url: FlareSolverr/FlareSolverr
url_commands:
- type: regex
regex: v([0-9.]+)$
deployed_version:
method: GET
url: "https://flaresolverr.trez.wtf"
json: version
dashboard:
icon: "https://raw.githubusercontent.com/FlareSolverr/FlareSolverr/master/resources/flaresolverr_logo.png"
web_url: "https://github.com/FlareSolverr/FlareSolverr/releases/tag/v{% raw %}{{ version }}{% endraw %}"
go-gitea/gitea:
latest_version:
type: github
url: go-gitea/gitea
url_commands:
- type: regex
regex: v([0-9.]+)$
require:
regex_content: gitea-{% raw %}{{ version }}{% endraw %}-linux-amd64
regex_version: ^[0-9.]+[0-9]$
deployed_version:
url: "https://git.trez.wtf"
regex: 'Powered by Gitea\s+Version:\s+([0-9.]+) '
dashboard:
web_url: "https://github.com/go-gitea/gitea/releases/v{% raw %}{{ version }}{% endraw %}"
icon: "https://raw.githubusercontent.com/go-gitea/gitea/main/public/img/logo.png"
gohugoio/hugo:
latest_version:
type: github
url: gohugoio/hugo
url_commands:
- type: regex
regex: v([0-9.]+)$
require:
regex_content: hugo_{% raw %}{{ version }}{% endraw %}_Linux-64bit\.deb
dashboard:
web_url: "https://github.com/gohugoio/hugo/releases/v{% raw %}{{ version }}{% endraw %}"
icon: "https://raw.githubusercontent.com/gohugoio/hugo/master/docs/static/img/hugo.png"
gotify/server:
latest_version:
type: github
url: gotify/server
url_commands:
- type: regex
regex: v([0-9.]+)$
deployed_version:
url: "https://gotify.trez.wtf/version"
json: version
dashboard:
web_url: "https://github.com/gotify/server/releases/v{% raw %}{{ version }}{% endraw %}"
icon: "https://github.com/gotify/logo/raw/master/gotify-logo.png"
hashicorp/vault:
latest_version:
type: github
url: hashicorp/vault
url_commands:
- type: regex
regex: v([0-9.]+)$
deployed_version:
url: "https://vault.trez.wtf/v1/sys/health"
json: version
dashboard:
web_url: "https://github.com/hashicorp/vault/releases/v{% raw %}{{ version }}{% endraw %}"
icon: "https://raw.githubusercontent.com/hashicorp/vault/main/ui/public/vault-logo.svg"
immich-app/immich:
latest_version:
type: github
url: immich-app/immich
deployed_version:
url: "https://pics.trez.wtf/api/server/about"
json: version
regex: ^v([0-9.]+)$
headers:
- key: x-api-key
value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IMMICH_POWER_TOOLS_KEY'] }}
dashboard:
icon: "https://raw.githubusercontent.com/immich-app/immich/main/web/static/immich-logo.svg"
web_url: "https://github.com/immich-app/immich/releases/tag/v{% raw %}{{ version }}{% endraw %}"
influxdata/influxdb:
latest_version:
type: github
url: influxdata/influxdb
url_commands:
- type: regex
regex: v([0-9.]+)$
deployed_version:
url: "https://influxdb.trez.wtf/health"
json: version
dashboard:
web_url: "https://github.com/influxdata/influxdb/releases/tag/v{% raw %}{{ version }}{% endraw %}"
icon: "https://github.com/influxdata/ui/raw/master/src/writeData/graphics/influxdb.svg"
jellyfin/jellyfin:
latest_version:
type: github
url: jellyfin/jellyfin
url_commands:
- type: regex
regex: v([0-9.]+)$
deployed_version:
url: "https://jellyfin.trez.wtf/System/Info/Public"
json: Version
dashboard:
web_url: "https://github.com/jellyfin/jellyfin/releases/v{% raw %}{{ version }}{% endraw %}"
icon: "https://avatars.githubusercontent.com/u/45698031?s=200&v=4"
Lidarr/Lidarr:
options:
semantic_versioning: false
latest_version:
type: github
url: Lidarr/Lidarr
url_commands:
- type: regex
regex: v([0-9.]+)$
deployed_version:
method: GET
url: "https://lidarr.trez.wtf/api/v1/system/status"
headers:
- key: X-Api-Key
value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
json: version
dashboard:
icon: "https://raw.githubusercontent.com/Lidarr/Lidarr/develop/Logo/1024.png"
web_url: "https://github.com/Lidarr/Lidarr/releases/v{% raw %}{{ version }}{% endraw %}"
louislam/uptime-kuma:
latest_version:
type: github
url: louislam/uptime-kuma
deployed_version:
url: "https://status.trez.wtf/metrics"
regex: app_version{version=\"([0-9.]+)\",major=\"[0-9]+\",minor=\"[0-9]+\",patch=\"[0-9]+\"}
dashboard:
web_url: "https://github.com/louislam/uptime-kuma/releases/{% raw %}{{ version }}{% endraw %}"
icon: "https://raw.githubusercontent.com/louislam/uptime-kuma/master/public/icon.png"
morpheus65535/bazarr:
latest_version:
type: github
url: morpheus65535/bazarr
url_commands:
- type: regex
regex: v([0-9.]+)$
deployed_version:
url: "https://bazarr.trez.wtf/api/system/status"
headers:
- key: X-API-KEY
value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['BAZARR_API_KEY'] }}
json: data.bazarr_version
dashboard:
web_url: "https://github.com/morpheus65535/bazarr/releases/v{% raw %}{{ version }}{% endraw %}"
icon: "https://raw.githubusercontent.com/morpheus65535/bazarr/master/frontend/public/images/logo128.png"
n8n-io/n8n:
latest_version:
type: url
url: "https://github.com/n8n-io/n8n/tags"
url_commands:
- type: regex
regex: n8n\%40([0-9.]+)
dashboard:
web_url: "https://github.com/n8n-io/n8n/blob/master/CHANGELOG.md"
icon: "https://raw.githubusercontent.com/n8n-io/n8n-docs/main/docs/_images/n8n-docs-icon.svg"
nextcloud/server:
latest_version:
type: github
url: nextcloud/server
url_commands:
- type: regex
regex: v([0-9.]+)$
deployed_version:
url: "https://cloud.trez.wtf/status.php"
json: versionstring
dashboard:
web_url: "https://nextcloud.com/changelog/"
icon: "https://github.com/nextcloud/server/raw/master/core/img/favicon.png"
Prowlarr/Prowlarr:
options:
semantic_versioning: false
latest_version:
type: github
url: Prowlarr/Prowlarr
url_commands:
- type: regex
regex: v([0-9.]+)$
use_prerelease: true
deployed_version:
url: "https://prowlarr.trez.wtf/api/v1/system/status"
headers:
- key: X-Api-Key
value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}
json: version
dashboard:
web_url: "https://github.com/Prowlarr/Prowlarr/releases/v{% raw %}{{ version }}{% endraw %}"
icon: "https://avatars.githubusercontent.com/u/73049443?s=200&v=4"
Radarr/Radarr:
options:
semantic_versioning: false
latest_version:
type: github
url: Radarr/Radarr
url_commands:
- type: regex
regex: v([0-9.]+)$
deployed_version:
url: "https://radarr.trez.wtf/api/v3/system/status"
headers:
- key: X-Api-Key
value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}
json: version
dashboard:
web_url: "https://github.com/Radarr/Radarr/releases/v{% raw %}{{ version }}{% endraw %}"
icon: "https://avatars.githubusercontent.com/u/25025331?s=200&v=4"
Readarr/Readarr:
options:
semantic_versioning: false
latest_version:
type: github
url: Readarr/Readarr
use_prerelease: true
url_commands:
- type: regex
regex: v([0-9.]+)$
deployed_version:
method: GET
url: "https://readarr.trez.wtf/api/v1/system/status"
headers:
- key: X-Api-Key
value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}
json: version
dashboard:
icon: "https://raw.githubusercontent.com/Readarr/Readarr/develop/Logo/1024.png"
web_url: "https://github.com/Readarr/Readarr/releases/v{% raw %}{{ version }}{% endraw %}"
Sonarr/Sonarr:
options:
semantic_versioning: false
latest_version:
type: url
url: "https://github.com/Sonarr/Sonarr/tags"
url_commands:
- type: regex
regex: \/releases\/tag\/v?([0-9.]+)\"
deployed_version:
url: "https://sonarr.trez.wtf/api/v3/system/status"
headers:
- key: X-Api-Key
value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}
json: version
dashboard:
web_url: "https://sonarr.trez.wtf/system/updates"
icon: "https://raw.githubusercontent.com/Sonarr/Sonarr/develop/Logo/256.png"
release-argus/argus:
latest_version:
type: github
url: release-argus/argus
dashboard:
icon: "https://raw.githubusercontent.com/release-argus/Argus/master/web/ui/react-app/public/favicon.svg"
icon_link-to: "https://release-argus.io"
web_url: "https://github.com/release-argus/Argus/blob/master/CHANGELOG.md"
ansible/app-configs/authelia/configuration.yml.j2
-181
View File
@@ -1,181 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
# yaml-language-server: $schema=https://www.authelia.com/schemas/latest/json-schema/configuration.json
---
theme: auto
default_2fa_method: "totp"
server:
address: '0.0.0.0:9091'
endpoints:
enable_pprof: false
enable_expvars: false
disable_healthcheck: false
tls:
key: ""
certificate: ""
client_certificates: []
headers:
csp_template: ""
log:
level: debug
telemetry:
metrics:
enabled: true
address: tcp://0.0.0.0:9959
totp:
disable: false
issuer: authelia.com
algorithm: sha256
digits: 6
period: 30
skew: 1
secret_size: 32
webauthn:
disable: false
timeout: 60s
display_name: Authelia
attestation_conveyance_preference: indirect
selection_criteria:
user_verification: preferred
ntp:
address: "time.cloudflare.com:123"
version: 4
max_desync: 3s
disable_startup_check: false
disable_failure: false
authentication_backend:
password_reset:
disable: false
custom_url: ""
ldap:
implementation: custom
address: ldap://lldap:3890
timeout: 5s
start_tls: false
base_dn: dc=trez,dc=wtf
additional_users_dn: ou=people
users_filter: "(&({username_attribute}={input})(objectClass=person))"
additional_groups_dn: ou=groups
groups_filter: "(member={dn})"
attributes:
username: uid
group_name: cn
mail: mail
display_name: displayName
user: uid=authelia,ou=people,dc=trez,dc=wtf
password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
refresh_interval: 5m
identity_validation:
reset_password:
jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}'
password_policy:
standard:
enabled: true
min_length: 8
max_length: 0
require_uppercase: true
require_lowercase: true
require_number: true
require_special: false
zxcvbn:
enabled: false
min_score: 3
access_control:
default_policy: deny
networks:
- name: 'internal'
networks:
- '172.17.0.0/16'
- '172.18.0.0/16'
- '192.168.1.0/24'
rules:
- domain_regex:
- '^trez.wtf$'
- ^www.trez.wtf$''
policy: bypass
- domain: '*.trez.wtf'
policy: bypass
networks:
- 'internal'
- domain: '*.trez.wtf'
policy: one_factor
subject:
- ['user:the.trezured.one']
- domain: wizarr.trez.wtf
resources:
- '^/join(/.*)?$'
- '^/j(/.*)?$'
- '^/static(/.*)?$'
- '^/setup(/.*)?$'
- '^/wizard(/.*)?$'
policy: bypass
session:
name: authelia_session
secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
expiration: 1h
inactivity: 5m
remember_me: 1M
cookies:
- domain: 'trez.wtf'
authelia_url: 'https://auth.trez.wtf'
redis:
host: authelia-valkey
port: 6379
database_index: 0
storage:
encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
postgres:
address: 'tcp://authelia-pg:5432'
database: authelia
username: authelia
password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
timeout: '5s'
regulation:
max_retries: 3
find_time: 2m
ban_time: 5m
notifier:
disable_startup_check: true
smtp:
address: 'smtp://postal-smtp:25'
timeout: '5s'
username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}'
password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}'
sender: "Authelia <noreply@trez.wtf>"
identifier: 'localhost'
subject: "[Authelia] {title}"
startup_check_address: 'test@authelia.com'
disable_require_tls: true
disable_starttls: true
disable_html_emails: false
identity_providers:
oidc:
hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}'
jwks:
- key: |
{{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
cors:
allowed_origins_from_client_redirect_uris: true
endpoints:
- 'userinfo'
- 'authorization'
- 'token'
- 'revocation'
- 'introspection'
clients:
- client_id: 'netbird'
client_name: 'NetBird'
client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
public: false
authorization_policy: 'two_factor'
redirect_uris:
- 'https://vpn.trez.wtf/peers'
- 'https://vpn.trez.wtf/add-peers'
- 'http://localhost'
scopes:
- 'openid'
- 'email'
- 'profile'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_post'
ansible/app-configs/cloudflared/config.yml.j2
-16
View File
@@ -1,16 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
tunnel: 52bdee6e-8ccb-47be-ba9e-f8010b905e41
credentials-file: /etc/cloudflared/52bdee6e-8ccb-47be-ba9e-f8010b905e41.json
warp-routing:
enabled: true
ingress:
- hostname: git-ssh.trez.wtf
service: ssh://gitea:22
- hostname: gist-ssh.trez.wtf
service: ssh://gitea-opengist:2222
- hostname: ssh.trez.wtf
service: ssh://192.168.1.254:22
- service: http_status:404 # Default for unmatched requests
ansible/app-configs/crowdsec/acquis.yaml.j2
-65
View File
@@ -1,65 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
source: journalctl
journalctl_filter:
- "--directory=/var/log/host/"
labels:
type: syslog
---
filenames:
- /var/log/swag/*
labels:
type: nginx
---
filenames:
- /var/log/auth/auth.log
labels:
type: syslog
---
filenames:
- /var/lib/mysql/log/mysql/*
- /var/lib/mysql/databases/*.err
- /var/lib/mysql/databases/*.log
labels:
type: mariadb
---
source: docker
container_name:
- adguard
labels:
type: adguardhome
---
source: docker
container_name:
- mongodb
labels:
type: mongodb
---
source: docker
container_name:
- immich-server
labels:
type: immich
---
source: docker
container_name:
- uptimekuma
labels:
type: uptime-kuma
---
source: docker
container_name:
- jellyfin
labels:
type: jellyfin
---
source: docker
container_name:
- navidrome
labels:
type: navidrome
---
filenames:
- /var/log/audiobookshelf/*.txt
labels:
type: audiobookshelf
ansible/app-configs/crowdsec/config.yaml.j2
-51
View File
@@ -1,51 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
common:
daemonize: false
log_media: stdout
log_level: info
log_dir: /var/log/
config_paths:
config_dir: /etc/crowdsec/
data_dir: /var/lib/crowdsec/data/
simulation_path: /etc/crowdsec/simulation.yaml
hub_dir: /etc/crowdsec/hub/
index_path: /etc/crowdsec/hub/.index.json
notification_dir: /etc/crowdsec/notifications/
plugin_dir: /usr/local/lib/crowdsec/plugins/
crowdsec_service:
acquisition_path: /etc/crowdsec/acquis.yaml
acquisition_dir: /etc/crowdsec/acquis.d
parser_routines: 1
plugin_config:
user: nobody
group: nobody
cscli:
output: human
db_config:
log_level: info
type: sqlite
db_path: /var/lib/crowdsec/data/crowdsec.db
flush:
max_items: 5000
max_age: 7d
use_wal: false
api:
client:
insecure_skip_verify: false
credentials_path: /etc/crowdsec/local_api_credentials.yaml
server:
log_level: info
listen_uri: 0.0.0.0:8080
profiles_path: /etc/crowdsec/profiles.yaml
trusted_ips: # IP ranges, or IPs which can have admin API access
- 127.0.0.1
- ::1
online_client: # Central API credentials (to push signals and receive bad IPs)
credentials_path: /etc/crowdsec/online_api_credentials.yaml
enable: true
prometheus:
enabled: true
level: full
listen_addr: 0.0.0.0
listen_port: 6060
ansible/app-configs/crowdsec/local-api-credentials.yaml.j2
-6
View File
@@ -1,6 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
url: http://0.0.0.0:8080
login: localhost
password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_LOCAL_API_KEY'] }}
ansible/app-configs/crowdsec/online-api-credentials.yaml.j2
-6
View File
@@ -1,6 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
url: https://api.crowdsec.net/
login: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
ansible/app-configs/crowdsec/profiles.yaml.j2
-17
View File
@@ -1,17 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
name: default_ip_remediation
#debug: true
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
# - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
# - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
# - http_default # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
# - email_default # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
ansible/app-configs/explo/local.env.j2
-25
View File
@@ -1,25 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
EXPLO_SYSTEM: subsonic
SYSTEM_URL: http://navidrome:4533
SYSTEM_USERNAME: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_USERNAME'] }}
SYSTEM_PASSWORD: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}
DOWNLOAD_DIR: /downloads
PLAYLIST_DIR: /playlists
LISTENBRAINZ_USER: Trez.One
YOUTUBE_API_KEY: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUTUBE_DATA_API_V3_KEY'] }}
# Assign a custom path to yt-dlp
# YTDLP_PATH=
# Keywords to ignore on videos downloaded by youtube (separated by only commas)
FILTER_LIST: live,remix,instrumental,extended
# Define a custom filename sepatator for special characters
# FILENAME_SEPARATOR=
# true to keep pervious weeks discoveries, only set to false if the parent folder only contains discovered songs (deletes every file in folder)
PERSIST: true
# 'playlist' to get tracks from Weekly Exploration playlist, anything else gets it from API (not the best recommendations). 'test' will download 1 song
LISTENBRAINZ_DISCOVERY: playlist
# Time to sleep (in minutes) between scanning and querying tracks from your system (If using Subsonic, Jellyfin)
SLEEP: 5
# Whether to provide additional info for debugging
DEBUG: true
SINGLE_ARTIST: true
ansible/app-configs/garage/garage.toml.j2
-26
View File
@@ -1,26 +0,0 @@
metadata_dir = "/var/lib/garage/meta"
data_dir = "/var/lib/garage/data"
db_engine = "lmdb"
metadata_auto_snapshot_interval = "6h"
replication_factor = 1
compression_level = 10
rpc_bind_addr = "[::]:3901"
rpc_public_addr = "localhost:3901"
rpc_secret = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GARAGE_RPC_SECRET'] }}"
[s3_api]
s3_region = "us-east-fh-pln"
api_bind_addr = "[::]:3900"
root_domain = ".s3.trez.wtf"
[s3_web]
bind_addr = "[::]:3902"
root_domain = ".garage.trez.wtf"
[admin]
api_bind_addr = "[::]:3903"
admin_token = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GARAGE_ADMIN_TOKEN'] }}"
metrics_token = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GARAGE_METRICS_TOKEN'] }}"
ansible/app-configs/ghost/ghost_config.production.json.j2
-42
View File
@@ -1,42 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
{
"url": "blog.trez.wtf",
"database": {
"client": "mysql",
"connection": {
"host" : "mariadb",
"port" : 3306,
"user" : "ghost",
"password" : "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GHOST_DB_PASSWORD'] }}",
"database" : "ghost_db"
}
},
"mail": {
"from": "'Ghost @ Rinoa' <noreply@trez.wtf>",
"transport": "SMTP",
"options": {
"host": "postal-smtp",
"port": 25,
"secure": false,
"auth": {
"user": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}",
"pass": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
}
}
},
"paths": {
"contentPath": "content/"
},
"privacy": {
"useGravatar": true
},
"logging": {
"level": "info",
"rotation": {
"enabled": true
},
"transports": ["file"]
}
}
ansible/app-configs/gitea/act-runner/config.yaml.j2
-101
View File
@@ -1,101 +0,0 @@
# Example configuration file, it's safe to copy this as the default config file without any modification.
# You don't have to copy this file to your instance,
# just run `./act_runner generate-config > config.yaml` to generate a config file.
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: info
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: 3
# Extra environment variables to run jobs.
# envs:
# A_TEST_ENV_NAME_1: a_test_env_value_1
# A_TEST_ENV_NAME_2: a_test_env_value_2
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
# env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# The timeout for the runner to wait for running jobs to finish when shutting down.
# Any running jobs that haven't finished after this timeout will be cancelled.
shutdown_timeout: 0s
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
# Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `daemon`, will use labels in `.runner` file.
labels:
- "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
- "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
- "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
cache:
# Enable cache server to use actions/cache.
enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: "192.168.1.254"
# The port of the cache server.
# 0 means to use a random available port.
port: 63604
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: "compose_default"
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options:
# The parent directory of a job's working directory.
# NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically.
# If the path starts with '/', the '/' will be trimmed.
# For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: []
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
# Pull docker image(s) even if already present
force_pull: false
# Rebuild docker image(s) even if already present
force_rebuild: false
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:
ansible/app-configs/gitea/app.ini.j2
-125
View File
@@ -1,125 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod
RUN_USER = git
WORK_PATH = /data/gitea
[repository]
ROOT = /data/git/repositories
DEFAULT_PRIVATE = last
EMABLE_PUSH_CREATE_USER = true
[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /data/gitea/uploads
[server]
APP_DATA_PATH = /data/gitea
DOMAIN = git.trez.wtf
SSH_DOMAIN = git-ssh.trez.wtf
HTTP_PORT = 3000
ROOT_URL = https://git.trez.wtf/
DISABLE_SSH = false
SSH_PORT = 22
SSH_LISTEN_PORT = 22
LFS_START_SERVER = true
LFS_JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_LFS_JWT_SECRET'] }}
OFFLINE_MODE = true
[database]
PATH = /data/gitea/gitea.db
DB_TYPE = postgres
HOST = gitea-db:5432
NAME = gitea
USER = gitea
PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_PG_DB_PASSWORD'] }}
LOG_SQL = false
SCHEMA =
SSL_MODE = disable
[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
REPO_INDEXER_ENABLED = true
REPO_INDEXER_PATH = indexers/repos.bleve
MAX_FILE_SIZE = 1048576
REPO_INDEXER_INCLUDE =
REPO_INDEXER_EXCLUDE = resources/bin/**
[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file
[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
[attachment]
PATH = /data/gitea/attachments
[log]
MODE = console
LEVEL = info
ROOT_PATH = root
[security]
INSTALL_LOCK = true
SECRET_KEY =
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_INTERNAL_TOKEN'] }}
PASSWORD_HASH_ALGO = pbkdf2
[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
REGISTER_EMAIL_CONFIRM = true
ENABLE_NOTIFY_MAIL = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = true
DEFAULT_KEEP_EMAIL_PRIVATE = true
DEFAULT_ALLOW_CREATE_ORGANIZATION = false
DEFAULT_ENABLE_TIMETRACKING = false
NO_REPLY_ADDRESS = noreply@trez.wtf
[lfs]
PATH = /data/git/lfs
[mailer]
PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
PROTOCOL = smtp
ENABLED = true
FROM = '"Gitea" <noreply@trez.wtf>'
SMTP_PORT = 25
USER = rinoa/postal-smtp
SMTP_ADDR = postal-smtp
IS_TLS_ENABLED = faLse
[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true
[cron.update_checker]
ENABLED = false
[repository.pull-request]
DEFAULT_MERGE_STYLE = merge
[repository.signing]
DEFAULT_TRUST_MODEL = committer
[oauth2]
JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_OAUTH2_JWT_SECRET'] }}
[ui]
THEMES =
[actions]
ENABLED = true
[webhook]
ALLOWED_HOST_LIST = private,104.21.1.234,172.67.152.146
SKIP_TLS_VERIFY = true
ansible/app-configs/gitea/gitea-sonarqube-bot/config.yaml.j2
-81
View File
@@ -1,81 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
# Gitea related configuration. Necessary for adding/updating comments on repository pull requests
gitea:
# Endpoint of your Gitea instance. Must be expandable by '/api/v1' to form the API base path as shown in Swagger UI.
url: https://git.trez.wtf
# Created access token for the user that shall be used as bot account.
# User needs "Read project" permissions with access to "Pull Requests"
token:
value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}"
# # or path to file containing the plain text secret
# file: /path/to/gitea/token
# If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
# request will be ignored.
# The bot looks for `X-Gitea-Signature` header containing the sha256 hmac hash of the plain text secret. If the header
# exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be validated.
webhook:
secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}"
# # or path to file containing the plain text secret
# secretFile: /path/to/gitea/webhook/secret
# Pull Request status check settings.
statusCheck:
# Configure the label/name of the PR status check.
name: "gitea-sonarqube-bot"
# SonarQube related configuration. Necessary for requesting data from the API and processing the webhook.
sonarqube:
# Endpoint of your SonarQube instance. Must be expandable by '/api' to form the API base path.
url: https://sqube.trez.wtf
# Created access token for the user that shall be used as bot account.
# User needs "Browse on project" permissions
token:
value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}"
# # or path to file containing the plain text secret
# file: /path/to/sonarqube/token
# If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
# request will be ignored.
# The bot looks for `X-Sonar-Webhook-HMAC-SHA256` header containing the sha256 hmac hash of the plain text secret.
# If the header exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be
# validated.
webhook:
secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}"
# # or path to file containing the plain text secret
# secretFile: /path/to/sonarqube/webhook/secret
# Some useful metrics depend on the edition in use. There are various ones like code_smells, vulnerabilities, bugs, etc.
# By default, the bot will extract "bugs,vulnerabilities,code_smells"
# Setting this option you can extend that default list by your own metrics.
# additionalMetrics: []
# - "new_security_hotspots"
# List of project mappings to take care of. Webhooks for other projects will be ignored.
# At least one must be configured. Otherwise, all webhooks (no matter which source) because the bot cannot map on its own.
projects:
- sonarqube:
key: rinoa-docker
# A repository specification contains the owner name and the repository name itself. The owner can be the name of a
# real account or an organization in which the repository is located.
gitea:
owner: Trez.One
name: rinoa-docker
# Define pull request names from SonarScanner analysis. Default pattern matches the Jenkins Gitea plugin schema.
namingPattern:
# Regular expression that MUST HAVE exactly ONE GROUP that matches the integer part of the PR.
# That integer part is identical to the pull request ID in Gitea.
regex: "^.*$"
# Valid Go format string. It MUST have one integer placeholder which will be replaced by the pull request ID.
# See: https://pkg.go.dev/fmt#hdr-Printing
template: "%s"
# Example for integer-only names
# # regex: "^(\\d+)$"
# # template: "%d"
ansible/app-configs/grafana/alloy/alloy_config.alloy
-404
View File
@@ -1,404 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
/////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Agent globals
/////////////////////////////////////////////////////////////////////////////////////////////////////////////
local.file "endpoints" {
// The endpoints file is used to define the endpoints, credentials and options
// for the Agent export to.
filename = "/etc/alloy/endpoints.json"
}
discovery.docker "rinoadocker" {
host = env("DOCKER_HOST")
}
tracing {
write_to = [otelcol.exporter.otlp.tempo.input]
}
/////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Metrics
/////////////////////////////////////////////////////////////////////////////////////////////////////////////
prometheus.remote_write "mimir" {
endpoint {
url = json_path(local.file.endpoints.content, ".metrics.url")[0]
basic_auth {
username = json_path(local.file.endpoints.content, ".metrics.basicAuth.username")[0]
password = json_path(local.file.endpoints.content, ".metrics.basicAuth.password")[0]
}
}
}
prometheus.scrape "prometheus" {
targets = [{
__address__ = "localhost:12345",
}]
forward_to = [prometheus.remote_write.mimir.receiver]
job_name = "prometheus"
}
prometheus.exporter.unix "rinoa" {
procfs_path = "/host/proc"
sysfs_path = "/host/sys"
rootfs_path = "/rootfs"
}
prometheus.scrape "rinoa" {
targets = prometheus.exporter.unix.rinoa.targets
forward_to = [prometheus.remote_write.mimir.receiver]
job_name = "rinoa_host"
}
prometheus.exporter.cadvisor "docker" {
docker_host = env("DOCKER_HOST")
storage_duration = "5m"
}
prometheus.scrape "docker" {
targets = prometheus.exporter.cadvisor.docker.targets
forward_to = [prometheus.remote_write.mimir.receiver]
job_name = "docker_stats"
}
/////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Logging
/////////////////////////////////////////////////////////////////////////////////////////////////////////////
loki.write "loki" {
endpoint {
url = json_path(local.file.endpoints.content, ".logs.url")[0]
basic_auth {
username = json_path(local.file.endpoints.content, ".logs.basicAuth.username")[0]
password = json_path(local.file.endpoints.content, ".logs.basicAuth.password")[0]
}
}
external_labels = {}
}
loki.source.journal "hostjournal" {
forward_to = [loki.write.loki.receiver]
max_age = "24h"
path = "/rootfs/var/log/journal/"
labels = {
job = "host-journal",
}
}
local.file_match "system" {
path_targets = [{
__address__ = "localhost",
__path__ = "/rootfs/var/log/*log",
job = "varlogs",
}]
}
loki.source.file "system" {
targets = local.file_match.system.targets
forward_to = [loki.write.loki.receiver]
}
loki.source.docker "containers" {
host = env("DOCKER_HOST")
targets = discovery.docker.rinoadocker.targets
forward_to = [loki.write.loki.receiver]
labels = {
job = "containerlogs",
}
}
loki.process "containers" {
forward_to = [loki.write.loki.receiver]
// stage.docker {}
stage.json {
expressions = {
attrs = "",
output = "log",
stream = "stream",
}
}
stage.json {
expressions = {
tag = "",
}
source = "attrs"
}
stage.regex {
expression = "(?P<image_name>(?:[^|]*[^|])).(?P<container_name>(?:[^|]*[^|])).(?P<image_id>(?:[^|]*[^|])).(?P<container_id>(?:[^|]*[^|]))"
source = "tag"
}
stage.timestamp {
source = "time"
format = "RFC3339Nano"
}
stage.labels {
values = {
container_id = null,
container_name = null,
image_id = null,
image_name = null,
stream = null,
tag = null,
}
}
stage.output {
source = "output"
}
}
/////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Traces
/////////////////////////////////////////////////////////////////////////////////////////////////////////////
beyla.ebpf "rinoadocker" {
open_port = "80-65535"
routes {
unmatched = "heauristic"
}
output {
traces = [
otelcol.connector.servicegraph.tracemetrics.input,
otelcol.connector.spanmetrics.tracemetrics.input,
otelcol.processor.batch.default.input,
otelcol.connector.spanlogs.autologging.input,
]
}
}
prometheus.scrape "beyla" {
targets = beyla.ebpf.rinoadocker.targets
forward_to = [prometheus.remote_write.mimir.receiver]
}
otelcol.auth.headers "tempo" {
header {
key = "Authorization"
value = join(["Basic ", json_path(local.file.endpoints.content, ".traces.basicAuthToken")[0]], "")
}
}
otelcol.processor.batch "default" {
// Wait until we've received 16K of data.
send_batch_size = 16384
send_batch_max_size = 16384
// Or until 2 seconds have elapsed.
timeout = "2s"
// When the Agent has enough batched data, send it to the OpenTelemetry exporter named 'tempo'.
output {
traces = [otelcol.exporter.otlp.tempo.input]
}
}
otelcol.exporter.otlp "tempo" {
// Define the client for exporting.
client {
// Authentication block.
auth = otelcol.auth.headers.tempo.handler
// Send to the locally running Tempo instance, on port 4317 (OTLP gRPC).
endpoint = json_path(local.file.endpoints.content, ".traces.url")[0]
// Configure TLS settings for communicating with the endpoint.
tls {
// The connection is insecure.
insecure = json_path(local.file.endpoints.content, ".traces.tls.insecure")[0]
// Do not verify TLS certificates when connecting.
insecure_skip_verify = json_path(local.file.endpoints.content, ".traces.tls.insecureSkipVerify")[0]
}
}
}
otelcol.connector.spanlogs "autologging" {
// We only want to output a line for each root span (ie. every single trace), and not for every
// process or span (outputting a line for every span would be extremely verbose).
spans = false
roots = true
processes = false
// We want to ensure that the following three span attributes are included in the log line, if
// present.
span_attributes = [ "http.method", "http.target", "http.status_code" ]
// Overrides the default key in the log line to be `traceId`, which is then used by Grafana to
// identify the trace ID for correlation with the Tempo datasource.
overrides {
trace_id_key = "traceId"
}
// Send to the OpenTelemetry Loki exporter.
output {
logs = [otelcol.exporter.loki.autologging.input]
}
}
// Simply forwards the incoming OpenTelemetry log format out as a Loki log.
// We need this stage to ensure we can then process the logline as a Loki object.
otelcol.exporter.loki "autologging" {
forward_to = [loki.process.autologging.receiver]
}
// The Loki processor allows us to accept a correctly formatted Loki log and mutate it into
// a set of fields for output.
loki.process "autologging" {
// The JSON stage simply extracts the `body` (the actual logline) from the Loki log, ignoring
// all other fields.
stage.json {
expressions = { "body" = "" }
}
// The output stage takes the body (the main logline) and uses this as the source for the output
// logline. In this case, it essentially turns it into logfmt.
stage.output {
source = "body"
}
// Finally send the processed logline onto the Loki exporter.
forward_to = [loki.write.autologging.receiver]
}
// The Loki writer receives a processed Loki log and then writes it to a Loki instance.
loki.write "autologging" {
// Add the `agent` value to the `job` label, so we can identify it as having been generated
// by Grafana Agent when querying.
external_labels = {
job = "agent",
}
// Output the Loki log to the local Loki instance.
endpoint {
url = json_path(local.file.endpoints.content, ".logs.url")[0]
// The basic auth credentials for the Loki instance.
basic_auth {
username = json_path(local.file.endpoints.content, ".logs.basicAuth.username")[0]
password = json_path(local.file.endpoints.content, ".logs.basicAuth.password")[0]
}
}
}
// The Tail Sampling processor will use a set of policies to determine which received traces to keep
// and send to Tempo.
otelcol.processor.tail_sampling "errors" {
// Total wait time from the start of a trace before making a sampling decision. Note that smaller time
// periods can potentially cause a decision to be made before the end of a trace has occurred.
decision_wait = "30s"
// The following policies follow a logical OR pattern, meaning that if any of the policies match,
// the trace will be kept. For logical AND, you can use the `and` policy. Every span of a trace is
// examined by each policy in turn. A match will cause a short-circuit.
// This policy defines that traces that contain errors should be kept.
policy {
// The name of the policy can be used for logging purposes.
name = "sample-erroring-traces"
// The type must match the type of policy to be used, in this case examing the status code
// of every span in the trace.
type = "status_code"
// This block determines the error codes that should match in order to keep the trace,
// in this case the OpenTelemetry 'ERROR' code.
status_code {
status_codes = [ "ERROR" ]
}
}
// This policy defines that only traces that are longer than 200ms in total should be kept.
policy {
// The name of the policy can be used for logging purposes.
name = "sample-long-traces"
// The type must match the policy to be used, in this case the total latency of the trace.
type = "latency"
// This block determines the total length of the trace in milliseconds.
latency {
threshold_ms = 200
}
}
// The output block forwards the kept traces onto the batch processor, which will marshall them
// for exporting to Tempo.
output {
traces = [otelcol.processor.batch.default.input]
}
}
// The Spanmetrics Connector will generate RED metrics based on the incoming trace span data.
otelcol.connector.spanmetrics "tracemetrics" {
// The namespace explicit adds a prefix to all the generated span metrics names.
// In this case, we'll ensure they match as closely as possible those generated by Tempo.
namespace = "traces.spanmetrics"
// Each extra dimension (metrics label) to be added to the generated metrics from matching span attributes. These
// need to be defined with a name and optionally a default value (in the following cases, we do not want a default
// value if the span attribute is not present).
dimension {
name = "http.method"
}
dimension {
name = "http.target"
}
dimension {
name = "http.status_code"
}
dimension {
name = "service.version"
}
// A histogram block must be present, either explicitly defining bucket values or via an exponential block.
// We do the latter here.
histogram {
explicit {
}
}
// The exemplar block is added to ensure we generate exemplars for traces on relevant metric values.
exemplars {
enabled = true
}
// Generated metrics data is in OTLP format. We send this data to the OpenTelemetry Prometheus exporter to ensure
// it gets transformed into Prometheus format data.
output {
metrics = [otelcol.exporter.prometheus.tracemetrics.input]
}
}
// The Servicegraph Connector will generate service graph metrics (edges and nodes) based on incoming trace spans.
otelcol.connector.servicegraph "tracemetrics" {
// Extra dimensions (metrics labels) to be added to the generated metrics from matching span attributes.
// For this component, this is defined as an array. There are no default values and the labels will not be generated
// for missing span attributes.
dimensions = [
"http.method",
"http.target",
"http.status_code",
"service.version",
]
// Generated metrics data is in OTLP format. We send this data to the OpenTelemetry Prometheus exporter to ensure
// it gets transformed into Prometheus format data.
output {
metrics = [otelcol.exporter.prometheus.tracemetrics.input]
}
}
otelcol.exporter.prometheus "tracemetrics" {
// Forward to our local Prometheus remote writer which will send the metrics to Mimir.
forward_to = [prometheus.remote_write.mimir.receiver]
}
/////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Profiling
/////////////////////////////////////////////////////////////////////////////////////////////////////////////
pyroscope.write "pyroscope" {
endpoint {
url = json_path(local.file.endpoints.content, ".profiles.url")[0]
basic_auth {
username = json_path(local.file.endpoints.content, ".profiles.basicAuth.username")[0]
password = json_path(local.file.endpoints.content, ".profiles.basicAuth.password")[0]
}
}
external_labels = {}
}
pyroscope.ebpf "rinoadocker" {
forward_to = [pyroscope.write.pyroscope.receiver]
targets = discovery.docker.rinoadocker.targets
}
ansible/app-configs/grafana/alloy/alloy_endpoints.json.j2
-34
View File
@@ -1,34 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
{
"metrics": {
"url": "http://grafana-mimir:9009/api/v1/push",
"basicAuth": {
"username": "",
"password": ""
}
},
"logs": {
"url": "http://grafana-loki:3100/loki/api/v1/push",
"basicAuth": {
"username": "",
"password": ""
}
},
"traces": {
"url": "http://grafana-tempo:4317",
"basicAuthToken": "",
"tls": {
"insecure": true,
"insecureSkipVerify": true
}
},
"profiles": {
"url": "http://grafana-pyroscope:4040",
"basicAuth": {
"username": "",
"password": ""
}
}
}
ansible/app-configs/grafana/beyla/beyla.yml.j2
-7
View File
@@ -1,7 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
routes:
patterns:
- /*
unmatched: heuristic
ansible/app-configs/grafana/mimir/mimir.yaml.j2
-77
View File
@@ -1,77 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
multitenancy_enabled: false
no_auth_tenant: rinoa_mimir
# target: query-frontend
# api:
# prometheus_http_prefix: '/prometheus'
server:
http_listen_port: 9009
# frontend:
# split_queries_by_interval: 24h
# align_queries_with_step: true
# cache_results: true
# results_cache:
# backend: "memcached"
# memcached:
# addresses: "memcached-mimir:11211"
# downstream_url: http://grafana-agent:12345
common:
storage:
backend: s3
s3:
endpoint: minio:9000
access_key_id: "Q8KAihuXtGgmretKNh7C"
secret_access_key: "hOlRODtnvFlNlL26Bj3GizZG6Ys3rlpG8p6Vo3NX"
bucket_name: "mimir"
insecure: true
blocks_storage:
storage_prefix: rinoa
tsdb:
dir: /tmp/mimir/tsdb
memberlist:
tls_enabled: false
compactor:
# Directory to temporarily store blocks underdoing compaction.
data_dir: /tmp/mimir/compactor
# The sharding ring type used to share the hashed ring for the compactor.
sharding_ring:
# Use memberlist backend store (the default).
kvstore:
store: memberlist
# The distributor receives incoming metrics data for the system.
distributor:
# The ring to share hash ring data across instances.
ring:
# The address advertised in the ring. Localhost.
instance_addr: 127.0.0.1
# Use memberlist backend store (the default).
kvstore:
store: memberlist
# The ingester receives data from the distributor and processes it into indices and blocks.
ingester:
# The ring to share hash ring data across instances.
ring:
# The address advertised in the ring. Localhost.
instance_addr: 127.0.0.1
# Use memberlist backend store (the default).
kvstore:
store: memberlist
# Only run one instance of the ingesters.
# Note: It is highly recommended to run more than one ingester in production, the default is an RF of 3.
replication_factor: 1
# The store gateway block configures gateway storage.
store_gateway:
# Configuration for the hash ring.
sharding_ring:
# Only run a single instance. In production setups, the replication factor must
# be set on the querier and ruler as well.
replication_factor: 1
ansible/app-configs/grafana/pyroscope/config.yaml.j2
-12
View File
@@ -1,12 +0,0 @@
storage:
backend: s3
s3:
bucket_name: pyroscope
endpoint: minio:9000
region: us-east-fh-pln
access_key_id: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
secret_access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
insecure: true
analytics:
reporting_enabled: false
ansible/app-configs/grafana/tempo/config.yml.j2
-787
View File
@@ -1,787 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
target: all
http_api_prefix: ""
autocomplete_filtering_enabled: true
server:
http_listen_network: tcp
http_listen_address: ""
http_listen_port: 80
http_listen_conn_limit: 0
grpc_listen_network: tcp
grpc_listen_address: ""
grpc_listen_port: 9095
grpc_listen_conn_limit: 0
tls_cipher_suites: ""
tls_min_version: ""
http_tls_config:
cert: ""
key: null
client_ca: ""
cert_file: ""
key_file: ""
client_auth_type: ""
client_ca_file: ""
grpc_tls_config:
cert: ""
key: null
client_ca: ""
cert_file: ""
key_file: ""
client_auth_type: ""
client_ca_file: ""
register_instrumentation: true
report_grpc_codes_in_instrumentation_label_enabled: false
graceful_shutdown_timeout: 30s
http_server_read_timeout: 30s
http_server_read_header_timeout: 0s
http_server_write_timeout: 30s
http_server_idle_timeout: 2m0s
http_log_closed_connections_without_response_enabled: false
grpc_server_max_recv_msg_size: 16777216
grpc_server_max_send_msg_size: 16777216
grpc_server_max_concurrent_streams: 100
grpc_server_max_connection_idle: 2562047h47m16.854775807s
grpc_server_max_connection_age: 2562047h47m16.854775807s
grpc_server_max_connection_age_grace: 2562047h47m16.854775807s
grpc_server_keepalive_time: 2h0m0s
grpc_server_keepalive_timeout: 20s
grpc_server_min_time_between_pings: 10s
grpc_server_ping_without_stream_allowed: true
grpc_server_num_workers: 0
log_format: logfmt
log_level: info
log_source_ips_enabled: false
log_source_ips_header: ""
log_source_ips_regex: ""
log_request_headers: false
log_request_at_info_level_enabled: false
log_request_exclude_headers_list: ""
http_path_prefix: ""
internal_server:
http_listen_network: tcp
http_listen_address: ""
http_listen_port: 3101
http_listen_conn_limit: 0
grpc_listen_network: ""
grpc_listen_address: ""
grpc_listen_port: 0
grpc_listen_conn_limit: 0
tls_cipher_suites: ""
tls_min_version: ""
http_tls_config:
cert: ""
key: null
client_ca: ""
cert_file: ""
key_file: ""
client_auth_type: ""
client_ca_file: ""
grpc_tls_config:
cert: ""
key: null
client_ca: ""
cert_file: ""
key_file: ""
client_auth_type: ""
client_ca_file: ""
register_instrumentation: false
report_grpc_codes_in_instrumentation_label_enabled: false
graceful_shutdown_timeout: 30s
http_server_read_timeout: 30s
http_server_read_header_timeout: 0s
http_server_write_timeout: 30s
http_server_idle_timeout: 2m0s
http_log_closed_connections_without_response_enabled: false
grpc_server_max_recv_msg_size: 0
grpc_server_max_send_msg_size: 0
grpc_server_max_concurrent_streams: 0
grpc_server_max_connection_idle: 0s
grpc_server_max_connection_age: 0s
grpc_server_max_connection_age_grace: 0s
grpc_server_keepalive_time: 0s
grpc_server_keepalive_timeout: 0s
grpc_server_min_time_between_pings: 0s
grpc_server_ping_without_stream_allowed: false
grpc_server_num_workers: 0
log_format: logfmt
log_level: info
log_source_ips_enabled: false
log_source_ips_header: ""
log_source_ips_regex: ""
log_request_headers: false
log_request_at_info_level_enabled: false
log_request_exclude_headers_list: ""
http_path_prefix: ""
enable: false
distributor:
ring:
kvstore:
store: memberlist
prefix: collectors/
consul:
host: localhost:8500
acl_token: ""
http_client_timeout: 20s
consistent_reads: false
watch_rate_limit: 1
watch_burst_size: 1
cas_retry_delay: 1s
etcd:
endpoints: []
dial_timeout: 10s
max_retries: 10
tls_enabled: false
tls_cert_path: ""
tls_key_path: ""
tls_ca_path: ""
tls_server_name: ""
tls_insecure_skip_verify: false
tls_cipher_suites: ""
tls_min_version: ""
username: ""
password: ""
multi:
primary: ""
secondary: ""
mirror_enabled: false
mirror_timeout: 2s
heartbeat_period: 5s
heartbeat_timeout: 5m0s
instance_id: local-instance
instance_interface_names:
- eth0
- en0
instance_port: 0
instance_addr: ""
receivers: {}
override_ring_key: distributor
forwarders: []
extend_writes: true
retry_after_on_resource_exhausted: 0s
ingester_client:
pool_config:
checkinterval: 15s
healthcheckenabled: true
healthchecktimeout: 1s
maxconcurrenthealthchecks: 0
remote_timeout: 5s
grpc_client_config:
max_recv_msg_size: 104857600
max_send_msg_size: 104857600
grpc_compression: snappy
rate_limit: 0
rate_limit_burst: 0
backoff_on_ratelimits: false
backoff_config:
min_period: 100ms
max_period: 10s
max_retries: 10
initial_stream_window_size: 63KiB1023B
initial_connection_window_size: 63KiB1023B
tls_enabled: false
tls_cert_path: ""
tls_key_path: ""
tls_ca_path: ""
tls_server_name: ""
tls_insecure_skip_verify: false
tls_cipher_suites: ""
tls_min_version: ""
connect_timeout: 5s
connect_backoff_base_delay: 1s
connect_backoff_max_delay: 5s
metrics_generator_client:
pool_config:
checkinterval: 15s
healthcheckenabled: true
healthchecktimeout: 1s
maxconcurrenthealthchecks: 0
remote_timeout: 5s
grpc_client_config:
max_recv_msg_size: 104857600
max_send_msg_size: 104857600
grpc_compression: snappy
rate_limit: 0
rate_limit_burst: 0
backoff_on_ratelimits: false
backoff_config:
min_period: 100ms
max_period: 10s
max_retries: 10
initial_stream_window_size: 63KiB1023B
initial_connection_window_size: 63KiB1023B
tls_enabled: false
tls_cert_path: ""
tls_key_path: ""
tls_ca_path: ""
tls_server_name: ""
tls_insecure_skip_verify: false
tls_cipher_suites: ""
tls_min_version: ""
connect_timeout: 5s
connect_backoff_base_delay: 1s
connect_backoff_max_delay: 5s
querier:
search:
query_timeout: 30s
prefer_self: 10
external_hedge_requests_at: 8s
external_hedge_requests_up_to: 2
external_backend: ""
google_cloud_run: null
external_endpoints: []
trace_by_id:
query_timeout: 10s
max_concurrent_queries: 20
frontend_worker:
frontend_address: 127.0.0.1:9095
dns_lookup_duration: 10s
parallelism: 2
match_max_concurrent: true
id: ""
grpc_client_config:
max_recv_msg_size: 104857600
max_send_msg_size: 16777216
grpc_compression: gzip
rate_limit: 0
rate_limit_burst: 0
backoff_on_ratelimits: false
backoff_config:
min_period: 100ms
max_period: 1s
max_retries: 5
initial_stream_window_size: 0B
initial_connection_window_size: 0B
tls_enabled: false
tls_cert_path: ""
tls_key_path: ""
tls_ca_path: ""
tls_server_name: ""
tls_insecure_skip_verify: false
tls_cipher_suites: ""
tls_min_version: ""
connect_timeout: 0s
connect_backoff_base_delay: 0s
connect_backoff_max_delay: 0s
query_relevant_ingesters: false
query_frontend:
max_outstanding_per_tenant: 2000
querier_forget_delay: 0s
max_batch_size: 5
max_retries: 2
search:
concurrent_jobs: 1000
target_bytes_per_job: 104857600
default_result_limit: 20
max_result_limit: 0
max_duration: 168h0m0s
query_backend_after: 15m0s
query_ingesters_until: 30m0s
trace_by_id:
query_shards: 50
hedge_requests_at: 2s
hedge_requests_up_to: 2
metrics:
concurrent_jobs: 1000
target_bytes_per_job: 104857600
max_duration: 0s
query_backend_after: 1h0m0s
interval: 5m0s
multi_tenant_queries_enabled: true
compactor:
ring:
kvstore:
store: ""
prefix: collectors/
consul:
host: localhost:8500
acl_token: ""
http_client_timeout: 20s
consistent_reads: false
watch_rate_limit: 1
watch_burst_size: 1
cas_retry_delay: 1s
etcd:
endpoints: []
dial_timeout: 10s
max_retries: 10
tls_enabled: false
tls_cert_path: ""
tls_key_path: ""
tls_ca_path: ""
tls_server_name: ""
tls_insecure_skip_verify: false
tls_cipher_suites: ""
tls_min_version: ""
username: ""
password: ""
multi:
primary: ""
secondary: ""
mirror_enabled: false
mirror_timeout: 2s
heartbeat_period: 5s
heartbeat_timeout: 1m0s
wait_stability_min_duration: 1m0s
wait_stability_max_duration: 5m0s
instance_id: local-instance
instance_interface_names:
- eth0
- en0
instance_port: 0
instance_addr: ""
enable_inet6: false
wait_active_instance_timeout: 10m0s
compaction:
v2_in_buffer_bytes: 5242880
v2_out_buffer_bytes: 20971520
v2_prefetch_traces_count: 1000
compaction_window: 1h0m0s
max_compaction_objects: 6000000
max_block_bytes: 107374182400
block_retention: 336h0m0s
compacted_block_retention: 1h0m0s
retention_concurrency: 10
max_time_per_tenant: 5m0s
compaction_cycle: 30s
override_ring_key: compactor
ingester:
lifecycler:
ring:
kvstore:
store: inmemory
prefix: collectors/
consul:
host: localhost:8500
acl_token: ""
http_client_timeout: 20s
consistent_reads: false
watch_rate_limit: 1
watch_burst_size: 1
cas_retry_delay: 1s
etcd:
endpoints: []
dial_timeout: 10s
max_retries: 10
tls_enabled: false
tls_cert_path: ""
tls_key_path: ""
tls_ca_path: ""
tls_server_name: ""
tls_insecure_skip_verify: false
tls_cipher_suites: ""
tls_min_version: ""
username: ""
password: ""
multi:
primary: ""
secondary: ""
mirror_enabled: false
mirror_timeout: 2s
heartbeat_timeout: 5m0s
replication_factor: 1
zone_awareness_enabled: false
excluded_zones: ""
num_tokens: 128
heartbeat_period: 5s
heartbeat_timeout: 1m0s
observe_period: 0s
join_after: 0s
min_ready_duration: 15s
interface_names:
- en0
- bridge100
enable_inet6: false
final_sleep: 0s
tokens_file_path: ""
availability_zone: ""
unregister_on_shutdown: true
readiness_check_ring_health: true
address: 127.0.0.1
port: 0
id: local-instance
concurrent_flushes: 4
flush_check_period: 10s
flush_op_timeout: 5m0s
trace_idle_period: 10s
max_block_duration: 30m0s
max_block_bytes: 524288000
complete_block_timeout: 15m0s
override_ring_key: ring
flush_all_on_shutdown: false
metrics_generator:
ring:
kvstore:
store: inmemory
prefix: collectors/
consul:
host: localhost:8500
acl_token: ""
http_client_timeout: 20s
consistent_reads: false
watch_rate_limit: 1
watch_burst_size: 1
cas_retry_delay: 1s
etcd:
endpoints: []
dial_timeout: 10s
max_retries: 10
tls_enabled: false
tls_cert_path: ""
tls_key_path: ""
tls_ca_path: ""
tls_server_name: ""
tls_insecure_skip_verify: false
tls_cipher_suites: ""
tls_min_version: ""
username: ""
password: ""
multi:
primary: ""
secondary: ""
mirror_enabled: false
mirror_timeout: 2s
heartbeat_period: 5s
heartbeat_timeout: 1m0s
instance_id: local-instance
instance_interface_names:
- eth0
- en0
instance_addr: 127.0.0.1
instance_port: 0
enable_inet6: false
processor:
service_graphs:
wait: 10s
max_items: 10000
workers: 10
histogram_buckets:
- 0.1
- 0.2
- 0.4
- 0.8
- 1.6
- 3.2
- 6.4
- 12.8
dimensions: []
enable_client_server_prefix: false
peer_attributes:
- peer.service
- db.name
- db.system
span_multiplier_key: ""
span_metrics:
histogram_buckets:
- 0.002
- 0.004
- 0.008
- 0.016
- 0.032
- 0.064
- 0.128
- 0.256
- 0.512
- 1.024
- 2.048
- 4.096
- 8.192
- 16.384
intrinsic_dimensions:
service: true
span_name: true
span_kind: true
status_code: true
dimensions: []
dimension_mappings: []
enable_target_info: false
span_multiplier_key: ""
subprocessors:
0: true
1: true
2: true
filter_policies: []
target_info_excluded_dimensions: []
local_blocks:
block:
bloom_filter_false_positive: 0.01
bloom_filter_shard_size_bytes: 102400
version: vParquet3
search_encoding: snappy
search_page_size_bytes: 1048576
v2_index_downsample_bytes: 1048576
v2_index_page_size_bytes: 256000
v2_encoding: zstd
parquet_row_group_size_bytes: 100000000
parquet_dedicated_columns: []
search:
chunk_size_bytes: 1000000
prefetch_trace_count: 1000
read_buffer_count: 32
read_buffer_size_bytes: 1048576
cache_control:
footer: false
column_index: false
offset_index: false
flush_check_period: 10s
trace_idle_period: 10s
max_block_duration: 1m0s
max_block_bytes: 500000000
complete_block_timeout: 1h0m0s
max_live_traces: 0
concurrent_blocks: 10
filter_server_spans: true
registry:
collection_interval: 15s
stale_duration: 15m0s
max_label_name_length: 1024
max_label_value_length: 2048
storage:
path: ""
wal:
wal_segment_size: 134217728
wal_compression: none
stripe_size: 16384
truncate_frequency: 2h0m0s
min_wal_time: 300000
max_wal_time: 14400000
no_lockfile: false
remote_write_flush_deadline: 1m0s
remote_write_add_org_id_header: true
traces_storage:
path: ""
completedfilepath: ""
blocksfilepath: ""
v2_encoding: none
search_encoding: none
ingestion_time_range_slack: 0s
version: vParquet3
metrics_ingestion_time_range_slack: 30s
query_timeout: 30s
override_ring_key: metrics-generator
storage:
trace:
pool:
max_workers: 400
queue_depth: 20000
wal:
path: /tmp/tempo/wal
completedfilepath: /tmp/tempo/wal/completed
blocksfilepath: /tmp/tempo/wal/blocks
v2_encoding: snappy
search_encoding: none
ingestion_time_range_slack: 2m0s
version: vParquet3
block:
bloom_filter_false_positive: 0.01
bloom_filter_shard_size_bytes: 102400
version: vParquet3
search_encoding: snappy
search_page_size_bytes: 1048576
v2_index_downsample_bytes: 1048576
v2_index_page_size_bytes: 256000
v2_encoding: zstd
parquet_row_group_size_bytes: 100000000
parquet_dedicated_columns: []
search:
chunk_size_bytes: 1000000
prefetch_trace_count: 1000
read_buffer_count: 32
read_buffer_size_bytes: 1048576
cache_control:
footer: false
column_index: false
offset_index: false
blocklist_poll: 5m0s
blocklist_poll_concurrency: 50
blocklist_poll_fallback: true
blocklist_poll_tenant_index_builders: 2
blocklist_poll_stale_tenant_index: 0s
blocklist_poll_jitter_ms: 0
blocklist_poll_tolerate_consecutive_errors: 1
backend: local
local:
path: /tmp/tempo/traces
gcs:
bucket_name: ""
prefix: ""
chunk_buffer_size: 10485760
endpoint: ""
hedge_requests_at: 0s
hedge_requests_up_to: 2
insecure: false
object_cache_control: ""
object_metadata: {}
list_blocks_concurrency: 3
s3:
tls_cert_path: ""
tls_key_path: ""
tls_ca_path: ""
tls_server_name: ""
tls_insecure_skip_verify: false
tls_cipher_suites: ""
tls_min_version: VersionTLS12
bucket: ""
prefix: ""
endpoint: ""
region: ""
access_key: ""
secret_key: ""
session_token: ""
insecure: false
part_size: 0
hedge_requests_at: 0s
hedge_requests_up_to: 2
signature_v2: false
forcepathstyle: false
bucket_lookup_type: 0
tags: {}
storage_class: ""
metadata: {}
native_aws_auth_enabled: false
list_blocks_concurrency: 3
azure:
storage_account_name: ""
storage_account_key: ""
use_managed_identity: false
use_federated_token: false
user_assigned_id: ""
container_name: ""
prefix: ""
endpoint_suffix: blob.core.windows.net
max_buffers: 4
buffer_size: 3145728
hedge_requests_at: 0s
hedge_requests_up_to: 2
use_v2_sdk: false
cache: ""
background_cache:
writeback_goroutines: 10
writeback_buffer: 10000
memcached: null
redis: null
cache_min_compaction_level: 0
cache_max_block_age: 0s
overrides:
defaults:
ingestion:
rate_strategy: local
rate_limit_bytes: 15000000
burst_size_bytes: 20000000
max_traces_per_user: 10000
read:
max_bytes_per_tag_values_query: 5000000
global:
max_bytes_per_trace: 5000000
per_tenant_override_config: ""
per_tenant_override_period: 10s
user_configurable_overrides:
enabled: false
poll_interval: 1m0s
client:
backend: ""
confirm_versioning: true
local:
path: ""
gcs:
bucket_name: ""
prefix: ""
chunk_buffer_size: 10485760
endpoint: ""
hedge_requests_at: 0s
hedge_requests_up_to: 2
insecure: false
object_cache_control: ""
object_metadata: {}
list_blocks_concurrency: 3
s3:
tls_cert_path: ""
tls_key_path: ""
tls_ca_path: ""
tls_server_name: ""
tls_insecure_skip_verify: false
tls_cipher_suites: ""
tls_min_version: VersionTLS12
bucket: ""
prefix: ""
endpoint: ""
region: ""
access_key: ""
secret_key: ""
session_token: ""
insecure: false
part_size: 0
hedge_requests_at: 0s
hedge_requests_up_to: 2
signature_v2: false
forcepathstyle: false
bucket_lookup_type: 0
tags: {}
storage_class: ""
metadata: {}
native_aws_auth_enabled: false
list_blocks_concurrency: 3
azure:
storage_account_name: ""
storage_account_key: ""
use_managed_identity: false
use_federated_token: false
user_assigned_id: ""
container_name: ""
prefix: ""
endpoint_suffix: blob.core.windows.net
max_buffers: 4
buffer_size: 3145728
hedge_requests_at: 0s
hedge_requests_up_to: 2
use_v2_sdk: false
api:
check_for_conflicting_runtime_overrides: false
memberlist:
node_name: ""
randomize_node_name: true
stream_timeout: 2s
retransmit_factor: 2
pull_push_interval: 30s
gossip_interval: 1s
gossip_nodes: 2
gossip_to_dead_nodes_time: 30s
dead_node_reclaim_time: 0s
compression_enabled: false
advertise_addr: ""
advertise_port: 7946
cluster_label: ""
cluster_label_verification_disabled: false
join_members: []
min_join_backoff: 1s
max_join_backoff: 1m0s
max_join_retries: 10
abort_if_cluster_join_fails: false
rejoin_interval: 0s
left_ingesters_timeout: 5m0s
leave_timeout: 20s
message_history_buffer_bytes: 0
bind_addr: []
bind_port: 7946
packet_dial_timeout: 2s
packet_write_timeout: 5s
tls_enabled: false
tls_cert_path: ""
tls_key_path: ""
tls_ca_path: ""
tls_server_name: ""
tls_insecure_skip_verify: false
tls_cipher_suites: ""
tls_min_version: ""
usage_report:
reporting_enabled: true
backoff:
min_period: 100ms
max_period: 10s
max_retries: 0
cache:
background:
writeback_goroutines: 10
writeback_buffer: 10000
caches: []
ansible/app-configs/grafana/tempo/tempo.yaml.j2
-54
View File
@@ -1,54 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
server:
http_listen_port: 3200
distributor:
receivers: # this configuration will listen on all ports and protocols that tempo is capable of.
jaeger: # the receives all come from the OpenTelemetry collector. more configuration information can
protocols: # be found there: https://github.com/open-telemetry/opentelemetry-collector/tree/main/receiver
thrift_http: #
grpc: # for a production deployment you should only enable the receivers you need!
thrift_binary:
thrift_compact:
zipkin:
otlp:
protocols:
http:
grpc:
opencensus:
ingester:
max_block_duration: 5m # cut the headblock when this much time passes. this is being set for demo purposes and should probably be left alone normally
compactor:
compaction:
block_retention: 1h # overall Tempo trace retention. set for demo purposes
# metrics_generator:
# registry:
# external_labels:
# source: tempo
# cluster: docker-compose
# storage:
# path: /tmp/tempo/generator/wal
# remote_write:
# - url: http://grafana-alloy:12345/api/v1/write
# send_exemplars: true
storage:
trace:
backend: s3 # backend configuration to use
wal:
path: /tmp/tempo/wal # where to store the the wal locally
s3:
bucket: tempo # how to store data in s3
endpoint: minio:9000
access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }}
secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_SECRET_KEY'] }}
insecure: true
usage_report:
reporting_enabled: false
ansible/app-configs/hashicorp-vault/config/vault-config.hcl.j2
-22
View File
@@ -1,22 +0,0 @@
ui = true
disable_clustering = true
log_level = "debug"
api_addr = "http://127.0.0.1:8200"
// storage "raft" {
// path = "/path/to/raft/data"
// node_id = "raft_node_id"
// }
storage "s3" {
endpoint = "minio:9000"
bucket = "secrets-vault"
region = "us-east-fh-pln"
s3_force_path_style = "true"
disable_ssl = "true"
}
listener "tcp" {
address = "0.0.0.0:8200"
proxy_protocol_behavior = "use_always"
tls_disable = 1
}
ansible/app-configs/homepage/bookmarks.yaml.j2
-22
View File
@@ -1,22 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
---
# For configuration options and examples, please see:
# https://gethomepage.dev/en/configs/bookmarks
#- Developer:
# - Github:
# - abbr: GH
# href: https://github.com/
#
#- Social:
# - Reddit:
# - abbr: RE
# href: https://reddit.com/
#
#- Entertainment:
# - YouTube:
# - abbr: YT
# href: https://youtube.com/
ansible/app-configs/homepage/docker.yaml.j2
-15
View File
@@ -1,15 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
---
# For configuration options and examples, please see:
# https://gethomepage.dev/en/configs/docker/
# my-docker:
# host: 127.0.0.1
# port: 2375
my-docker:
host: dockerproxy
port: 2375
ansible/app-configs/homepage/kubernetes.yaml.j2
-6
View File
@@ -1,6 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
---
# sample kubernetes config
ansible/app-configs/homepage/services.yaml.j2
-33
View File
@@ -1,33 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
---
# For configuration options and examples, please see:
# https://gethomepage.dev/en/configs/services
#- My First Group:
# - My First Service:
# href: http://localhost/
# description: Homepage is awesome
#
#- My Second Group:
# - My Second Service:
# href: http://localhost/
# description: Homepage is the best
#
#- My Third Group:
# - My Third Service:
# href: http://localhost/
# description: Homepage is 😎
- Automation:
- Home Assistant (Rikku):
href: https://ha.trez.wtf
description: Smart Home
icon: home-assistant.png
weight: 0
widget:
type: homeassistant
url: http://192.168.1.252:8123
key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }}
ansible/app-configs/homepage/settings.yaml.j2
-59
View File
@@ -1,59 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
---
# For configuration options and examples, please see:
# https://gethomepage.dev/en/configs/settings
providers:
openweathermap: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
# weatherapi: weatherapiapikey
title: Rinoa Dashboard (trez.WTF)
headerStyle: underlined
color: slate
showStats: false
statusStyle: "dot"
favicon: /icons/favicon.ico
useEqualHeights: true
hideErrors: true
searchDescriptions: true
showSearchSuggestions: true
provider: duckduckgo
layout:
System Administration:
style: row
columns: 5
Infrastructure/App Performance Monitoring:
style: row
columns: 5
Code/DevOps:
style: row
columns: 3
Social:
style: row
columns: 4
Lifestyle:
style: row
columns: 5
Automation:
style: row
columns: 5
Privacy/Security:
style: row
columns: 5
Personal Tools:
style: row
columns: 4
Professional Services:
style: row
columns: 5
Servarr Stack:
style: row
columns: 5
Downloaders:
style: row
columns: 5
Media Library:
style: row
columns: 3
ansible/app-configs/homepage/widgets.yaml.j2
-33
View File
@@ -1,33 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
---
# For configuration options and examples, please see:
# https://gethomepage.dev/en/configs/widgets
- resources:
label: System
cpu: true
memory: true
cputemp: true
uptime: true
- resources:
label: Storage
expanded: true
disk:
- /
- /rinoa-storage
- search:
provider: custom
url: https://search.trez.wtf/search?q=
target: _blank
- openweathermap:
label: New York
latitude: 40.72
longitude: -73.85
units: imperial
provider: openweathermap
cache: 10
ansible/app-configs/invidious/config.yml.j2
-952
View File
@@ -1,952 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
#########################################
#
# Database and other external servers
#
#########################################
##
## Database configuration with separate parameters.
## This setting is MANDATORY, unless 'database_url' is used.
##
db:
user: kemal
host: invidious-db
port: 5432
dbname: invidious
password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PG_DB_PASSWORD'] }}
##
## Database configuration using a single URI. This is an
## alternative to the 'db' parameter above. If both forms
## are used, then only database_url is used.
## This setting is MANDATORY, unless 'db' is used.
##
## Note: The 'database_url' setting allows the use of UNIX
## sockets. To do so, remove the IP address (or FQDN) and port
## and append the 'host' parameter. E.g:
## postgres://kemal:kemal@/invidious?host=/var/run/postgresql
##
## Accepted values: a postgres:// URI
## Default: postgres://kemal:kemal@localhost:5432/invidious
##
#database_url: postgres://kemal:kemal@localhost:5432/invidious
##
## Enable automatic table integrity check. This will create
## the required tables and columns if anything is missing.
##
## Accepted values: true, false
## Default: false
##
check_tables: true
##
## Path to an external signature resolver, used to emulate
## the Youtube client's Javascript. If no such server is
## available, some videos will not be playable.
##
## When this setting is commented out, no external
## resolver will be used.
##
## Accepted values: a path to a UNIX socket or "<IP>:<Port>"
## Default: <none>
##
signature_server: invidious-sig-helper:12999
#########################################
#
# Server config
#
#########################################
# -----------------------------
# Network (inbound)
# -----------------------------
##
## Port to listen on for incoming connections.
##
## Note: Ports lower than 1024 requires either root privileges
## (not recommended) or the "CAP_NET_BIND_SERVICE" capability
## (See https://stackoverflow.com/a/414258 and `man capabilities`)
##
## Accepted values: 1-65535
## Default: 3000
##
#port: 3000
##
## When the invidious instance is behind a proxy, and the proxy
## listens on a different port than the instance does, this lets
## invidious know about it. This is used to craft absolute URLs
## to the instance (e.g in the API).
##
## Note: This setting is MANDATORY if invidious is behind a
## reverse proxy.
##
## Accepted values: 1-65535
## Default: <none>
##
#external_port:
##
## Interface address to listen on for incoming connections.
##
## Accepted values: a valid IPv4 or IPv6 address.
## default: 0.0.0.0 (listen on all interfaces)
##
#host_binding: 0.0.0.0
##
## Domain name under which this instance is hosted. This is
## used to craft absolute URLs to the instance (e.g in the API).
## The domain MUST be defined if your instance is accessed from
## a domain name (like 'example.com').
##
## Accepted values: a fully qualified domain name (FQDN)
## Default: <none>
##
# domain:
##
## Tell Invidious that it is behind a proxy that provides only
## HTTPS, so all links must use the https:// scheme. This
## setting MUST be set to true if invidious is behind a
## reverse proxy serving HTTPs.
##
## Accepted values: true, false
## Default: false
##
https_only: false
##
## Enable/Disable 'Strict-Transport-Security'. Make sure that
## the domain specified under 'domain' is served securely.
##
## Accepted values: true, false
## Default: true
##
#hsts: true
# -----------------------------
# Network (outbound)
# -----------------------------
##
## Disable proxying server-wide. Can be disable as a whole, or
## only for a single function.
##
## Accepted values: true, false, dash, livestreams, downloads, local
## Default: false
##
#disable_proxy: false
##
## Size of the HTTP pool used to connect to youtube. Each
## domain ('youtube.com', 'ytimg.com', ...) has its own pool.
##
## Accepted values: a positive integer
## Default: 100
##
#pool_size: 100
##
## Additional cookies to be sent when requesting the youtube API.
##
## Accepted values: a string in the format "name1=value1; name2=value2..."
## Default: <none>
##
#cookies:
##
## Force connection to youtube over a specific IP family.
##
## Note: This may sometimes resolve issues involving rate-limiting.
## See https://github.com/ytdl-org/youtube-dl/issues/21729.
##
## Accepted values: ipv4, ipv6
## Default: <none>
##
#force_resolve:
##
## Configuration for using a HTTP proxy
##
## If unset, then no HTTP proxy will be used.
##
#http_proxy:
# user:
# password:
# host:
# port:
##
## Use Innertube's transcripts API instead of timedtext for closed captions
##
## Useful for larger instances as InnerTube is **not ratelimited**. See https://github.com/iv-org/invidious/issues/2567
##
## Subtitle experience may differ slightly on Invidious.
##
## Accepted values: true, false
## Default: false
##
# use_innertube_for_captions: false
##
## Send Google session informations. This is useful when Invidious is blocked
## by the message "This helps protect our community."
## See https://github.com/iv-org/invidious/issues/4734.
##
## Warning: These strings gives much more identifiable information to Google!
##
## Accepted values: String
## Default: <none>
##
po_token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PO_TOKEN'] }}
visitor_data: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_VISITOR_DATA'] }}
# -----------------------------
# Logging
# -----------------------------
##
## Path to log file. Can be absolute or relative to the invidious
## binary. This is overridden if "-o OUTPUT" or "--output=OUTPUT"
## are passed on the command line.
##
## Accepted values: a filesystem path or 'STDOUT'
## Default: STDOUT
##
#output: STDOUT
##
## Logging Verbosity. This is overridden if "-l LEVEL" or
## "--log-level=LEVEL" are passed on the command line.
##
## Accepted values: All, Trace, Debug, Info, Warn, Error, Fatal, Off
## Default: Info
##
#log_level: Info
##
## Enables colors in logs. Useful for debugging purposes
## This is overridden if "-k" or "--colorize"
## are passed on the command line.
## Colors are also disabled if the environment variable
## NO_COLOR is present and has any value
##
## Accepted values: true, false
## Default: true
##
#colorize_logs: false
# -----------------------------
# Features
# -----------------------------
##
## Enable/Disable the "Popular" tab on the main page.
##
## Accepted values: true, false
## Default: true
##
#popular_enabled: true
##
## Enable/Disable statstics (available at /api/v1/stats).
## The following data is available:
## - Software name ("invidious") and version+branch (same data as
## displayed in the footer, e.g: "2021.05.13-75e5b49" / "master")
## - The value of the 'registration_enabled' config (true/false)
## - Number of currently registered users
## - Number of registered users who connected in the last month
## - Number of registered users who connected in the last 6 months
## - Timestamp of the last server restart
## - Timestamp of the last "Channel Refresh" job execution
##
## Warning: This setting MUST be set to true if you plan to run
## a public instance. It is used by api.invidious.io to refresh
## your instance's status.
##
## Accepted values: true, false
## Default: false
##
#statistics_enabled: false
# -----------------------------
# Users and accounts
# -----------------------------
##
## Allow/Forbid Invidious (local) account creation. Invidious
## accounts allow users to subscribe to channels and to create
## playlists without a Google account.
##
## Accepted values: true, false
## Default: true
##
#registration_enabled: true
##
## Allow/Forbid users to log-in.
##
## Accepted values: true, false
## Default: true
##
#login_enabled: true
##
## Enable/Disable the captcha challenge on the login page.
##
## Note: this is a basic captcha challenge that doesn't
## depend on any third parties.
##
## Accepted values: true, false
## Default: true
##
#captcha_enabled: true
##
## List of usernames that will be granted administrator rights.
## A user with administrator rights will be able to change the
## server configuration options listed below in /preferences,
## in addition to the usual user preferences.
##
## Server-wide settings:
## - popular_enabled
## - captcha_enabled
## - login_enabled
## - registration_enabled
## - statistics_enabled
## Default user preferences:
## - default_home
## - feed_menu
##
## Accepted values: an array of strings
## Default: [""]
##
#admins: [""]
##
## Enable/Disable the user notifications for all users
##
## Note: On large instances, it is recommended to set this option to 'false'
## in order to reduce the amount of data written to the database, and hence
## improve the overall performance of the instance.
##
## Accepted values: true, false
## Default: true
##
#enable_user_notifications: true
# -----------------------------
# Background jobs
# -----------------------------
##
## Number of threads to use when crawling channel videos (during
## subscriptions update).
##
## Notes: This setting is overridden if either "-c THREADS" or
## "--channel-threads=THREADS" is passed on the command line.
##
## Accepted values: a positive integer
## Default: 1
##
channel_threads: 1
##
## Time interval between two executions of the job that crawls
## channel videos (subscriptions update).
##
## Accepted values: a valid time interval (like 1h30m or 90m)
## Default: 30m
##
#channel_refresh_interval: 30m
##
## Forcefully dump and re-download the entire list of uploaded
## videos when crawling channel (during subscriptions update).
##
## Accepted values: true, false
## Default: false
##
full_refresh: false
##
## Number of threads to use when updating RSS feeds.
##
## Notes: This setting is overridden if either "-f THREADS" or
## "--feed-threads=THREADS" is passed on the command line.
##
## Accepted values: a positive integer
## Default: 1
##
feed_threads: 1
jobs:
## Options for the database cleaning job
clear_expired_items:
## Enable/Disable job
##
## Accepted values: true, false
## Default: true
##
enable: true
## Options for the channels updater job
refresh_channels:
## Enable/Disable job
##
## Accepted values: true, false
## Default: true
##
enable: true
## Options for the RSS feeds updater job
refresh_feeds:
## Enable/Disable job
##
## Accepted values: true, false
## Default: true
##
enable: true
# -----------------------------
# Miscellaneous
# -----------------------------
##
## custom banner displayed at the top of every page. This can
## used for instance announcements, e.g.
##
## Accepted values: any string. HTML is accepted.
## Default: <none>
##
#banner:
##
## Subscribe to channels using PubSubHub (Google PubSubHubbub service).
## PubSubHub allows Invidious to be instantly notified when a new video
## is published on any subscribed channels. When PubSubHub is not used,
## Invidious will check for new videos every minute.
##
## Note: This setting is recommended for public instances.
##
## Note 2:
## - Requires a public instance (it uses /feed/webhook/v1)
## - Requires 'domain' and 'hmac_key' to be set.
## - Setting this parameter to any number greater than zero will
## enable channel subscriptions via PubSubHub, but will limit the
## amount of concurrent subscriptions.
##
## Accepted values: true, false, a positive integer
## Default: false
##
#use_pubsub_feeds: false
##
## HMAC signing key used for CSRF tokens, cookies and pubsub
## subscriptions verification.
##
## Note: This parameter is mandatory and should be a random string.
## Such random string can be generated on linux with the following
## command: `pwgen 20 1`
##
## Accepted values: a string
## Default: <none>
##
hmac_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_HMAC_KEY'] }}
##
## List of video IDs where the "download" widget must be
## disabled, in order to comply with DMCA requests.
##
## Accepted values: an array of string
## Default: <none>
##
#dmca_content:
##
## Cache video annotations in the database.
##
## Warning: empty annotations or annotations that only contain
## cards won't be cached.
##
## Accepted values: true, false
## Default: false
##
#cache_annotations: false
##
## Source code URL. If your instance is running a modified source
## code, you MUST publish it somewhere and set this option.
##
## Accepted values: a string
## Default: <none>
##
#modified_source_code_url: ""
##
## Maximum custom playlist length limit.
##
## Accepted values: Integer
## Default: 500
##
#playlist_length_limit: 500
#########################################
#
# Default user preferences
#
#########################################
##
## NOTE: All the settings below define the default user
## preferences. They will apply to ALL users connecting
## without a preferences cookie (so either on the first
## connection to the instance or after clearing the
## browser's cookies).
##
default_user_preferences:
# -----------------------------
# Internationalization
# -----------------------------
##
## Default user interface language (locale).
##
## Note: When hosting a public instance, overriding the
## default (english) is not recommended, as it may
## people using other languages.
##
## Accepted values:
## ar (Arabic)
## da (Danish)
## de (German)
## en-US (english, US)
## el (Greek)
## eo (Esperanto)
## es (Spanish)
## fa (Persian)
## fi (Finnish)
## fr (French)
## he (Hebrew)
## hr (Hungarian)
## id (Indonesian)
## is (Icelandic)
## it (Italian)
## ja (Japanese)
## nb-NO (Norwegian, Bokmål)
## nl (Dutch)
## pl (Polish)
## pt-BR (Portuguese, Brazil)
## pt-PT (Portuguese, Portugal)
## ro (Romanian)
## ru (Russian)
## sv (Swedish)
## tr (Turkish)
## uk (Ukrainian)
## zh-CN (Chinese, China) (a.k.a "Simplified Chinese")
## zh-TW (Chinese, Taiwan) (a.k.a "Traditional Chinese")
##
## Default: en-US
##
#locale: en-US
##
## Default geographical location for content.
##
## Accepted values:
## AE, AR, AT, AU, AZ, BA, BD, BE, BG, BH, BO, BR, BY, CA, CH, CL, CO, CR,
## CY, CZ, DE, DK, DO, DZ, EC, EE, EG, ES, FI, FR, GB, GE, GH, GR, GT, HK,
## HN, HR, HU, ID, IE, IL, IN, IQ, IS, IT, JM, JO, JP, KE, KR, KW, KZ, LB,
## LI, LK, LT, LU, LV, LY, MA, ME, MK, MT, MX, MY, NG, NI, NL, NO, NP, NZ,
## OM, PA, PE, PG, PH, PK, PL, PR, PT, PY, QA, RO, RS, RU, SA, SE, SG, SI,
## SK, SN, SV, TH, TN, TR, TW, TZ, UA, UG, US, UY, VE, VN, YE, ZA, ZW
##
## Default: US
##
#region: US
##
## Top 3 preferred languages for video captions.
##
## Note: overriding the default (no preferred
## caption language) is not recommended, in order
## to not penalize people using other languages.
##
## Accepted values: a three-entries array.
## Each entry can be one of:
## "English", "English (auto-generated)",
## "Afrikaans", "Albanian", "Amharic", "Arabic",
## "Armenian", "Azerbaijani", "Bangla", "Basque",
## "Belarusian", "Bosnian", "Bulgarian", "Burmese",
## "Catalan", "Cebuano", "Chinese (Simplified)",
## "Chinese (Traditional)", "Corsican", "Croatian",
## "Czech", "Danish", "Dutch", "Esperanto", "Estonian",
## "Filipino", "Finnish", "French", "Galician", "Georgian",
## "German", "Greek", "Gujarati", "Haitian Creole", "Hausa",
## "Hawaiian", "Hebrew", "Hindi", "Hmong", "Hungarian",
## "Icelandic", "Igbo", "Indonesian", "Irish", "Italian",
## "Japanese", "Javanese", "Kannada", "Kazakh", "Khmer",
## "Korean", "Kurdish", "Kyrgyz", "Lao", "Latin", "Latvian",
## "Lithuanian", "Luxembourgish", "Macedonian",
## "Malagasy", "Malay", "Malayalam", "Maltese", "Maori",
## "Marathi", "Mongolian", "Nepali", "Norwegian Bokmål",
## "Nyanja", "Pashto", "Persian", "Polish", "Portuguese",
## "Punjabi", "Romanian", "Russian", "Samoan",
## "Scottish Gaelic", "Serbian", "Shona", "Sindhi",
## "Sinhala", "Slovak", "Slovenian", "Somali",
## "Southern Sotho", "Spanish", "Spanish (Latin America)",
## "Sundanese", "Swahili", "Swedish", "Tajik", "Tamil",
## "Telugu", "Thai", "Turkish", "Ukrainian", "Urdu",
## "Uzbek", "Vietnamese", "Welsh", "Western Frisian",
## "Xhosa", "Yiddish", "Yoruba", "Zulu"
##
## Default: ["", "", ""]
##
#captions: ["", "", ""]
# -----------------------------
# Interface
# -----------------------------
##
## Enable/Disable dark mode.
##
## Accepted values: "dark", "light", "auto"
## Default: "auto"
##
#dark_mode: "auto"
##
## Enable/Disable thin mode (no video thumbnails).
##
## Accepted values: true, false
## Default: false
##
#thin_mode: false
##
## List of feeds available on the home page.
##
## Note: "Subscriptions" and "Playlists" are only visible
## when the user is logged in.
##
## Accepted values: A list of strings
## Each entry can be one of: "Popular", "Trending",
## "Subscriptions", "Playlists"
##
## Default: ["Popular", "Trending", "Subscriptions", "Playlists"] (show all feeds)
##
#feed_menu: ["Popular", "Trending", "Subscriptions", "Playlists"]
##
## Default feed to display on the home page.
##
## Note: setting this option to "Popular" has no
## effect when 'popular_enabled' is set to false.
##
## Accepted values: Popular, Trending, Subscriptions, Playlists, <none>
## Default: Popular
##
#default_home: Popular
##
## Default number of results to display per page.
##
## Note: this affects invidious-generated pages only, such
## as watch history and subscription feeds. Playlists, search
## results and channel videos depend on the data returned by
## the Youtube API.
##
## Accepted values: any positive integer
## Default: 40
##
#max_results: 40
##
## Show/hide annotations.
##
## Accepted values: true, false
## Default: false
##
#annotations: false
##
## Show/hide annotation.
##
## Accepted values: true, false
## Default: false
##
#annotations_subscribed: false
##
## Type of comments to display below video.
##
## Accepted values: a two-entries array.
## Each entry can be one of: "youtube", "reddit", ""
##
## Default: ["youtube", ""]
##
#comments: ["youtube", ""]
##
## Default player style.
##
## Accepted values: invidious, youtube
## Default: invidious
##
#player_style: invidious
##
## Show/Hide the "related videos" sidebar when
## watching a video.
##
## Accepted values: true, false
## Default: true
##
#related_videos: true
# -----------------------------
# Video player behavior
# -----------------------------
##
## This option controls the value of the HTML5 <video> element's
## "preload" attribute.
##
## If set to 'false', no video data will be loaded until the user
## explicitly starts the video by clicking the "Play" button.
## If set to 'true', the web browser will buffer some video data
## while the page is loading.
##
## See: https://www.w3schools.com/tags/att_video_preload.asp
##
## Accepted values: true, false
## Default: true
##
#preload: true
##
## Automatically play videos on page load.
##
## Accepted values: true, false
## Default: false
##
#autoplay: false
##
## Automatically load the "next" video (either next in
## playlist or proposed) when the current video ends.
##
## Accepted values: true, false
## Default: false
##
#continue: false
##
## Autoplay next video by default.
##
## Note: Only effective if 'continue' is set to true.
##
## Accepted values: true, false
## Default: true
##
#continue_autoplay: true
##
## Play videos in Audio-only mode by default.
##
## Accepted values: true, false
## Default: false
##
#listen: false
##
## Loop videos automatically.
##
## Accepted values: true, false
## Default: false
##
#video_loop: false
# -----------------------------
# Video playback settings
# -----------------------------
##
## Default video quality.
##
## Accepted values: dash, hd720, medium, small
## Default: hd720
##
#quality: hd720
##
## Default dash video quality.
##
## Note: this setting only takes effet if the
## 'quality' parameter is set to "dash".
##
## Accepted values:
## auto, best, 4320p, 2160p, 1440p, 1080p,
## 720p, 480p, 360p, 240p, 144p, worst
## Default: auto
##
#quality_dash: auto
##
## Default video playback speed.
##
## Accepted values: 0.25, 0.5, 0.75, 1.0, 1.25, 1.5, 1.75, 2.0
## Default: 1.0
##
#speed: 1.0
##
## Default volume.
##
## Accepted values: 0-100
## Default: 100
##
#volume: 100
##
## Allow 360° videos to be played.
##
## Note: This feature requires a WebGL-enabled browser.
##
## Accepted values: true, false
## Default: true
##
#vr_mode: true
##
## Save the playback position
## Allow to continue watching at the previous position when
## watching the same video.
##
## Accepted values: true, false
## Default: false
##
#save_player_pos: false
# -----------------------------
# Subscription feed
# -----------------------------
##
## In the "Subscription" feed, only show the latest video
## of each channel the user is subscribed to.
##
## Note: when combined with 'unseen_only', the latest unseen
## video of each channel will be displayed instead of the
## latest by date.
##
## Accepted values: true, false
## Default: false
##
#latest_only: false
##
## Enable/Disable user subscriptions desktop notifications.
##
## Accepted values: true, false
## Default: false
##
#notifications_only: false
##
## In the "Subscription" feed, Only show the videos that the
## user haven't watched yet (i.e which are not in their watch
## history).
##
## Accepted values: true, false
## Default: false
##
#unseen_only: false
##
## Default sorting parameter for subscription feeds.
##
## Accepted values:
## 'alphabetically'
## 'alphabetically - reverse'
## 'channel name'
## 'channel name - reverse'
## 'published'
## 'published - reverse'
##
## Default: published
##
#sort: published
# -----------------------------
# Miscellaneous
# -----------------------------
##
## Proxy videos through instance by default.
##
## Warning: As most users won't change this setting in their
## preferences, defaulting to true will significantly
## increase the instance's network usage, so make sure that
## your server's connection can handle it.
##
## Accepted values: true, false
## Default: false
##
#local: false
##
## Show the connected user's nick at the top right.
##
## Accepted values: true, false
## Default: true
##
#show_nick: true
##
## Automatically redirect to a random instance when the user uses
## any "switch invidious instance" link (For videos, it's the plane
## icon, next to "watch on youtube" and "listen"). When set to false,
## the user is sent to https://redirect.invidious.io instead, where
## they can manually select an instance.
##
## Accepted values: true, false
## Default: false
##
#automatic_instance_redirect: false
##
## Show the entire video description by default (when set to 'false',
## only the first few lines of the description are shown and a
## "show more" button allows to expand it).
##
## Accepted values: true, false
## Default: false
##
#extend_desc: false
ansible/app-configs/invoice-ninja/invoice-ninja.env.j2
-52
View File
@@ -1,52 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
# IN application vars
IN_APP_URL=https://biz.trez.wtf
IN_APP_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_APP_KEY'] }}
IN_APP_DEBUG=true
IN_REQUIRE_HTTPS=false
IN_PHANTOMJS_PDF_GENERATION=false
IN_PDF_GENERATOR=snappdf
IN_TRUSTED_PROXIES='*'
IN_QUEUE_CONNECTION=database
# DB connection
IN_DB_HOST=mariadb
IN_DB_PORT=3306
IN_DB_DATABASE=invoice_ninja
IN_DB_USERNAME=ininja
IN_DB_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_MYSQL_PASSWORD'] }}
# Create initial user
# Default to these values if empty
# IN_USER_EMAIL=admin@example.com
# IN_PASSWORD=changeme!
IN_USER_EMAIL=
IN_PASSWORD=
# Mail options
IN_MAIL_MAILER=log
IN_MAIL_HOST=postal-smtp
IN_MAIL_PORT=25
IN_MAIL_USERNAME={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
IN_MAIL_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
IN_MAIL_ENCRYPTION=null
IN_MAIL_FROM_ADDRESS='noreply@trez.wtf'
IN_MAIL_FROM_NAME='Treasured IT'
# MySQL
IN_MYSQL_ROOT_PASSWORD=ninjaAdm1nPassword
IN_MYSQL_USER=ninja
IN_MYSQL_PASSWORD=ninja
IN_MYSQL_DATABASE=ninja
# GoCardless/Nordigen API key for banking integration
NORDIGEN_SECRET_ID=
NORDIGEN_SECRET_KEY=
# V4 env vars
# DB_STRICT=false
# APP_CIPHER=AES-256-CBC
ansible/app-configs/librechat/librechat.yaml.j2
-33
View File
@@ -1,33 +0,0 @@
version: 1.2.8
endpoints:
custom:
- name: "rinoa-ollama"
apiKey: "ollama"
baseURL: "http://ollama:11434/v1/chat/completions"
models:
default: [
"codellama:7b",
"deepseek-coder-v2:16b",
"deepseek-r1:1.5b",
"deepseek-v3:671b",
"dolphin-mistral:7b",
"llama2:7b",
"llama3.3:70b",
"mistral-openorca:7b",
"mistral:7b",
"orca-mini:3b",
"phi4:14b",
"qwen2.5",
"smollm2:1.7b",
"starcoder2:3b",
"tinyllama:1.1b",
]
# fetching list of models is supported but the `name` field must start
# with `ollama` (case-insensitive), as it does in this example.
fetch: true
titleConvo: true
titleModel: "current_model"
summarize: false
summaryModel: "current_model"
forcePrompt: false
modelDisplayLabel: "Ollama"
ansible/app-configs/libredesk/config.toml.j2
-124
View File
@@ -1,124 +0,0 @@
[app]
# Log level: info, debug, warn, error, fatal
log_level = "debug"
# Environment: dev, prod.
# Setting to "dev" will enable color logging in terminal.
env = "dev"
# Whether to automatically check for application updates on start up, app updates are shown as a banner in the admin panel.
check_updates = true
# HTTP server.
[app.server]
# Address to bind the HTTP server to.
address = "0.0.0.0:9000"
# Unix socket path (leave empty to use TCP address instead)
socket = ""
# Do NOT disable secure cookies in production environment if you don't know exactly what you're doing!
disable_secure_cookies = false
# Request read and write timeouts.
read_timeout = "5s"
write_timeout = "5s"
# Maximum request body size in bytes (100MB)
# If you are using proxy, you may need to configure them to allow larger request bodies.
max_body_size = 104857600
# Size of the read buffer for incoming requests
read_buffer_size = 4096
# Keepalive settings.
keepalive_timeout = "10s"
# File upload provider to use, either `fs` or `s3`.
[upload]
provider = "s3"
# Filesystem provider.
[upload.fs]
# Directory where uploaded files are stored, make sure this directory exists and is writable by the application.
upload_path = 'uploads'
# S3 provider.
[upload.s3]
# S3 endpoint URL (required only for non-AWS S3-compatible providers like MinIO).
# Leave empty to use default AWS endpoints.
url = "http://minio:9000"
# AWS S3 credentials, keep empty to use attached IAM roles.
access_key = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBREDESK_S3_ACCESS_KEY'] }}"
secret_key = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBREDESK_S3_SECRET_KEY'] }}"
# AWS region, e.g., "us-east-1", "eu-west-1", etc.
region = "us-east-fh-pln"
# S3 bucket name where files will be stored.
bucket = "libredesk"
# Optional prefix path within the S3 bucket where files will be stored.
# Example, if set to "uploads/media", files will be stored under that path.
# Useful for organizing files inside a shared bucket.
bucket_path = ""
# S3 signed URL expiry duration (e.g., "30m", "1h")
expiry = "30m"
# Postgres.
[db]
# If running locally, use `localhost`.
host = "libredesk-pg-db"
# Database port, default is 5432.
port = 5432
# Update the following values with your database credentials.
user = "libredesk"
password = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBREDESK_PG_DB_PASSWD'] }}"
database = "libredesk"
ssl_mode = "disable"
# Maximum number of open database connections
max_open = 30
# Maximum number of idle connections in the pool
max_idle = 30
# Maximum time a connection can be reused before being closed
max_lifetime = "300s"
# Redis.
[redis]
# If running locally, use `localhost:6379`.
address = "libredesk-valkey:6379"
password = ""
db = 0
[message]
# Number of workers processing outgoing message queue
outgoing_queue_workers = 10
# Number of workers processing incoming message queue
incoming_queue_workers = 10
# How often to scan for outgoing messages to process, keep it low to process messages quickly.
message_outgoing_scan_interval = "50ms"
# Maximum number of messages that can be queued for incoming processing
incoming_queue_size = 5000
# Maximum number of messages that can be queued for outgoing processing
outgoing_queue_size = 5000
[notification]
# Number of concurrent notification workers
concurrency = 2
# Maximum number of notifications that can be queued
queue_size = 2000
[automation]
# Number of workers processing automation rules
worker_count = 10
[autoassigner]
# How often to run automatic conversation assignment
autoassign_interval = "5m"
[webhook]
# Number of webhook delivery workers
workers = 5
# Maximum number of webhook deliveries that can be queued
queue_size = 10000
# HTTP timeout for webhook requests
timeout = "15s"
[conversation]
# How often to check for conversations to unsnooze
unsnooze_interval = "5m"
[sla]
# How often to evaluate SLA compliance for conversations
evaluation_interval = "5m"
ansible/app-configs/lidarr/config.xml.j2
-21
View File
@@ -1,21 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
<Config>
<BindAddress>*</BindAddress>
<Port>8686</Port>
<SslPort>6868</SslPort>
<EnableSsl>False</EnableSsl>
<LaunchBrowser>True</LaunchBrowser>
<ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}</ApiKey>
<AuthenticationMethod>Forms</AuthenticationMethod>
<Branch>master</Branch>
<LogLevel>trace</LogLevel>
<SslCertPath></SslCertPath>
<SslCertPassword></SslCertPassword>
<UrlBase></UrlBase>
<InstanceName>Lidarr</InstanceName>
<UpdateMechanism>Docker</UpdateMechanism>
<Theme>auto</Theme>
<AuthenticationRequired>Enabled</AuthenticationRequired>
</Config>
ansible/app-configs/lidify/config.json.j2
-25
View File
@@ -1,25 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
{
"lidarr_address": "http://lidarr:8686",
"lidarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}",
"spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
"root_folder_path": "/data/media/music",
"spotify_client_id": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
"spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
"fallback_to_top_result": false,
"lidarr_api_timeout": 120.0,
"quality_profile_id": 1,
"metadata_profile_id": 1,
"search_for_missing_albums": false,
"dry_run_adding_to_lidarr": true,
"app_name": "lidify",
"app_rev": "0.09",
"app_url": "lidify.trez.wtf",
"last_fm_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
"last_fm_api_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
"mode": "LastFM",
"auto_start": false,
"auto_start_delay": 60
}
ansible/app-configs/loggifly/config.yaml.j2
-49
View File
@@ -1,49 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
containers:
ghost_blog:
action_keywords:
- restart:
regex: 'Connection Error.*ECONNRESET$'
immich-server:
action_keywords:
- restart:
regex: '(ENOTFOUND|Error|ECONNREFUSED)'
invidious:
action_keywords:
- restart:
regex: 'Error reading.*Connection reset by peer trying to reconnect\.\.\.'
maxun-backend:
action_keywords:
- restart:
regex: '[Ee]rror'
planka:
action_keywords:
- restart:
regex: 'Failed to lift app: Sails is taking too long to load.$'
scrutiny:
action_keywords:
- restart:
regex: '^s6-.*: fatal.*$'
swag:
action_keywords:
- restart:
regex: '^s6-.*: fatal.*$'
global_keywords:
keywords:
- panic
keywords_with_attachment:
- fatal
notifications:
apprise:
url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }} # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
# settings are optional because they all have default values
settings:
log_level: INFO # DEBUG, INFO, WARNING, ERROR
notification_cooldown: 5 # Seconds between alerts for same keyword (per container)
attachment_lines: 20 # Number of Lines to include in log attachments
multi_line_entries: true # Detect multi-line log entries
disable_restart: false # Disable restart when a config change is detected
disable_start_message: false # Suppress startup notification
disable_shutdown_message: false # Suppress shutdown notification
disable_restart_message: false # Suppress config reload notification
ansible/app-configs/multi-scrobbler/config.json.j2
-113
View File
@@ -1,113 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
{
"debugMode": false,
"disableWeb": false,
"sourceDefaults": {
"logPayload": false,
"logFilterFailure": "warn",
"logPlayerState": false,
"scrobbleThresholds": {
"duration": 30,
"percent": 20
},
"maxPollRetries": 1,
"maxRequestRetries": 1,
"retryMultiplier": 1.5
},
"clientDefaults": {
"maxRequestRetries": 1,
"retryMultiplier": 1.5
},
"sources": [
{
"type": "spotify",
"enable": true,
"clients": ["lastfmClient", "ListenBrainzClient", "maloja"],
"name": "spotifySource",
"data": {
"clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
"clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
"redirectUri": "https://scrobble.trez.wtf/callback"
}
},
{
"type": "lastfm",
"enable": true,
"clients": ["ListenBrainzClient", "maloja"],
"configureAs": "source",
"name": "lastfmSource",
"data": {
"apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
"secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
"redirectUri": "https://scrobble.trez.wtf/lastfm/callback"
}
},
{
"type": "listenbrainz",
"enable": true,
"clients": ["lastfmClient", "maloja"],
"name": "listenBrainzSource",
"data": {
"token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
"username": "Trez.One"
}
},
{
"type": "subsonic",
"enable": true,
"clients": ["lastfmClient", "ListenBrainzClient", "maloja"],
"name": "navidromeSource",
"data": {
"url": "http://navidrome:4533",
"user": "admin",
"password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}"
}
}
],
"clients": [
{
"type": "lastfm",
"enable": true,
"name": "lastFmClient",
"configureAs": "client",
"data": {
"apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
"secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
"redirectUri": "https://scrobble.trez.wtf/lastfm/callback"
}
},
{
"type": "listenbrainz",
"enable": true,
"name": "ListenBrainzClient",
"data": {
"token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
"username": "Trez.One"
}
},
{
"type": "maloja",
"enable": true,
"name": "malojaClient",
"data": {
"url": "http://maloja:42010",
"apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
}
}
],
"webhooks": [
{
"name": "Gotify",
"type": "gotify",
"url": "http://gotify",
"token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
"priorities": {
"info": 5,
"warn": 7,
"error": 10
}
}
]
}
ansible/app-configs/postal/postal.yml.j2
-62
View File
@@ -1,62 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
version: 2
postal:
web_hostname: post.trez.wtf
web_protocol: http
smtp_hostname: post.trez.wtf
use_ip_pools: false
signing_key_path: /config/signing.key
trusted_proxies: [ "172.18.0.0/16" ]
web_server:
default_port: 5000
default_bind_address: 0.0.0.0
main_db:
host: mariadb
username: postal
password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
database: postal
message_db:
host: mariadb
username: postal
password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
prefix: postal
smtp_server:
default_port: 25
default_bind_address: "::"
tls_enabled: true
tls_certificate_path: /config/certs/fullchain.pem
tls_private_key_path: /config/certs/privkey.pem
dns:
# Specify the DNS records that you have configured. Refer to the documentation at
# https://github.com/atech/postal/wiki/Domains-&-DNS-Configuration for further
# information about these.
mx_records:
- mx.post.trez.wtf
spf_include: spf.post.trez.wtf
return_path_domain: rp.post.trez.wtf
route_domain: routes.post.trez.wtf
track_domain: track.post.trez.wtf
smtp:
# Specify an SMTP server that can be used to send messages from the Postal management
# system to users. You can configure this to use a Postal mail server once the
# your installation has been set up.
host: postal-smtp
port: 25
username: rinoa/postal-smtp
password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
from_name: Postal @ Rinoa
from_address: noreply@trez.wtf
rails:
# This is generated automatically by the config initialization. It should be a random
# string unique to your installation.
secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_RAILS_SECRET_KEY'] }}"
ansible/app-configs/prowlarr/config.xml.j2
-21
View File
@@ -1,21 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
<Config>
<BindAddress>*</BindAddress>
<Port>9696</Port>
<SslPort>6969</SslPort>
<EnableSsl>False</EnableSsl>
<LaunchBrowser>True</LaunchBrowser>
<ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}</ApiKey>
<AuthenticationMethod>Forms</AuthenticationMethod>
<AuthenticationRequired>Enabled</AuthenticationRequired>
<Branch>master</Branch>
<LogLevel>info</LogLevel>
<SslCertPath></SslCertPath>
<SslCertPassword></SslCertPassword>
<UrlBase></UrlBase>
<InstanceName>Prowlarr</InstanceName>
<UpdateMechanism>Docker</UpdateMechanism>
<Theme>light</Theme>
</Config>
ansible/app-configs/qbittorrent/qbit_manage/config.yml.j2
-225
View File
@@ -1,225 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
# This is an example configuration file that documents all the options.
# It will need to be modified for your specific use case.
# These are not default values. You MUST review the config settings and properly configure this EXAMPLE file.
# Please refer to the link below for more details on how to set up the configuration file
# https://github.com/StuffAnThings/qbit_manage/wiki/Config-Setup
commands:
# The commands defined below will OVERRIDE any commands used in command line and docker env variables.
dry_run: True
recheck: False
cat_update: False
tag_update: False
rem_unregistered: False
tag_tracker_error: False
rem_orphaned: False
tag_nohardlinks: False
share_limits: False
skip_qb_version_check: False
skip_cleanup: False
qbt:
# qBittorrent parameters
# Pass environment variables to the config via !ENV tag
host: qbittorrentvpn:8080
user: admin
pass: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['DELUGEVPN_PASSWORD'] }}
settings:
force_auto_tmm: False # Will force qBittorrent to enable Automatic Torrent Management for each torrent.
force_auto_tmm_ignore_tags: #Torrents with these tags will be ignored when force_auto_tmm is enabled.
- cross-seed
- Upload
tracker_error_tag: issue # Will set the tag of any torrents that do not have a working tracker.
nohardlinks_tag: noHL # Will set the tag of any torrents with no hardlinks.
stalled_tag: stalledDL # Will set the tag of any torrents stalled downloading.
share_limits_tag: ~share_limit # Will add this tag when applying share limits to provide an easy way to filter torrents by share limit group/priority for each torrent
share_limits_min_seeding_time_tag: MinSeedTimeNotReached # Tag to be added to torrents that have not yet reached the minimum seeding time
share_limits_min_num_seeds_tag: MinSeedsNotMet # Tag to be added to torrents that have not yet reached the minimum number of seeds
share_limits_last_active_tag: LastActiveLimitNotReached # Tag to be added to torrents that have not yet reached the last active limit
cat_filter_completed: True # Filters for completed torrents only when running cat_update command
share_limits_filter_completed: True # Filters for completed torrents only when running share_limits command
tag_nohardlinks_filter_completed: True # Filters for completed torrents only when running tag_nohardlinks command
rem_unregistered_filter_completed: False # Filters for completed torrents only when running rem_unregistered command
cat_update_all: True # Checks and updates all torrent categories if set to True when running cat_update command, otherwise only update torrents that are uncategorized
disable_qbt_default_share_limits: True # Allows QBM to handle share limits by disabling qBittorrents default Share limits. Only active when the share_limits command is set to True
tag_stalled_torrents: True # Tags any downloading torrents that are stalled with the `stalledDL` tag when running the tag_update command
rem_unregistered_ignore_list: # Ignores a list of words found in the status of the tracker when running rem_unregistered command and will not remove the torrent if matched
- example placeholder words
- ignore if found
directory:
# Do not remove these
# root_dir var: </your/path/here/> # Root downloads directory used to check for orphaned files, noHL, and RecycleBin.
# <OPTIONAL> remote_dir var: </your/path/here/> # Path of docker host mapping of root_dir.
# remote_dir must be set if you're running qbit_manage locally and qBittorrent/cross_seed is in a docker
# remote_dir should not be set if qbit_manage is running in a container
# <OPTIONAL> recycle_bin var: </your/path/here/> # Path of the RecycleBin folder. Default location is set to remote_dir/.RecycleBin
# <OPTIONAL> torrents_dir var: </your/path/here/> # Path of the your qbittorrent torrents directory. Required for `save_torrents` attribute in recyclebin
# <OPTIONAL> orphaned_dir var: </your/path/here/> # Path of the the Orphaned Data folder. This is similar to RecycleBin, but only for orphaned data.
root_dir: "/downloads"
# remote_dir: "/host/path/to/torrents/ifdocker/torrents/"
# recycle_bin: "/path/to/.RecycleBin"
torrents_dir: "/downloads/completed/torrent"
cat:
# Category & Path Parameters
# All save paths in qbittorent must be populated below.
# If you want to leave a save_path as uncategorized you can use the key 'Uncategorized' as the name of the category.
# You can use Unix filename pattern matching as well when specifying the save_path
# <Category Name> : <save_path> # Path of your save directory.
lidarr: "/downloads/completed/torrent/music"
# prowlarr: "/data/torrents"
radarr: "/downloads/completed/torrent/movies"
readarr: "/downloads/completed/torrent/ebooks"
tv-sonarr: "/downloads/completed/torrent//tv"
cat_change:
# This moves all the torrents from one category to another category. This executes on --cat-update
# WARNING: if the paths are different and Default Torrent Management Mode is set to automatic the files could be moved !!!
# <Old Category Name> : <New Category>
CatA.cross-seed: CatA
CatB.cross-seed: CatB
tracker:
# Mandatory
# Tag Parameters
# <Tracker URL Keyword>: # <MANDATORY> This is the keyword in the tracker url. You can define multiple tracker urls by splitting with `|` delimiter
# <MANDATORY> Set tag name. Can be a list of tags or a single tag
# tag: <Tag Name>
# <OPTIONAL> Set the category based on tracker URL. This category option takes priority over the category defined by save directory
# cat: <Category Name>
# <OPTIONAL> Set this to the notifiarr react name. This is used to add indexer reactions to the notifications sent by Notifiarr
# notifiarr: <notifiarr indexer>
animebytes.tv:
tag: AnimeBytes
notifiarr: animebytes
avistaz:
tag:
- Avistaz
- tag2
- tag3
notifiarr: avistaz
beyond-hd:
tag: [Beyond-HD, tag2, tag3]
cat: movies
notifiarr: beyondhd
blutopia:
tag: Blutopia
notifiarr: blutopia
cartoonchaos:
tag: CartoonChaos
digitalcore:
tag: DigitalCore
notifiarr: digitalcore
gazellegames:
tag: GGn
hdts:
tag: HDTorrents
landof.tv:
tag: BroadcasTheNet
notifiarr: broadcasthenet
myanonamouse:
tag: MaM
passthepopcorn:
tag: PassThePopcorn
notifiarr: passthepopcorn
privatehd:
tag: PrivateHD
notifiarr:
torrentdb:
tag: TorrentDB
notifiarr: torrentdb
torrentleech|tleechreload:
tag: TorrentLeech
notifiarr: torrentleech
tv-vault:
tag: TV-Vault
# The "other" key is a special keyword and if defined will tag any other trackers that don't match the above trackers into this tag
other:
tag: other
nohardlinks:
# Tag Movies/Series that are not hard linked outside the root directory
# Mandatory to fill out directory parameter above to use this function (root_dir/remote_dir)
# This variable should be set to your category name of your completed movies/completed series in qbit. Acceptable variable can be any category you would like to tag if there are no hardlinks found
movies-completed-4k:
series-completed-4k:
movies-completed:
# <OPTIONAL> exclude_tags var: Will exclude torrents with any of the following tags when searching through the category.
exclude_tags:
- Beyond-HD
- AnimeBytes
- MaM
# <OPTIONAL> ignore_root_dir var: Will ignore any hardlinks detected in the same root_dir (Default True).
ignore_root_dir: true
# Can have additional categories set with separate ratio/seeding times defined.
series-completed:
# <OPTIONAL> exclude_tags var: Will exclude torrents with any of the following tags when searching through the category.
exclude_tags:
- Beyond-HD
- BroadcasTheNet
# <OPTIONAL> ignore_root_dir var: Will ignore any hardlinks detected in the same root_dir (Default True).
ignore_root_dir: true
share_limits:
# Control how torrent share limits are set depending on the priority of your grouping
# Each torrent will be matched with the share limit group with the highest priority that meets the group filter criteria.
# Each torrent can only be matched with one share limit group
# This variable is mandatory and is a text defining the name of your grouping. This can be any string you want
spacesaver:
priority: 2
max_ratio: 3
min_last_active: 24h
cleanup: false
default:
priority: 999
max_ratio: -1
max_seeding_time: -1
cleanup: false
recyclebin:
# Recycle Bin method of deletion will move files into the recycle bin (Located in /root_dir/.RecycleBin) instead of directly deleting them in qbit
# By default the Recycle Bin will be emptied on every run of the qbit_manage script if empty_after_x_days is defined.
enabled: true
# <OPTIONAL> empty_after_x_days var:
# Will automatically remove all files and folders in recycle bin after x days. (Checks every script run)
# If this variable is not defined it, the RecycleBin will never be emptied.
# WARNING: Setting this variable to 0 will delete all files immediately upon script run!
empty_after_x_days: 60
# <OPTIONAL> save_torrents var:
# If this option is set to true you MUST fill out the torrents_dir in the directory attribute.
# This will save a copy of your .torrent and .fastresume file in the recycle bin before deleting it from qbittorrent
save_torrents: true
# <OPTIONAL> split_by_category var:
# This will split the recycle bin folder by the save path defined in the `cat` attribute
# and add the base folder name of the recycle bin that was defined in the `recycle_bin` sub-attribute under directory.
split_by_category: false
orphaned:
# Orphaned files are those in the root_dir download directory that are not referenced by any active torrents.
# Will automatically remove all files and folders in orphaned data after x days. (Checks every script run)
# If this variable is not defined it, the orphaned data will never be emptied.
# WARNING: Setting this variable to 0 will delete all files immediately upon script run!
empty_after_x_days: 60
# File patterns that will not be considered orphaned files. Handy for generated files that aren't part of the torrent but belong with the torrent's files
exclude_patterns:
- "**/.DS_Store"
- "**/Thumbs.db"
- "**/@eaDir"
- "/data/torrents/temp/**"
- "**/*.!qB"
- "**/*_unpackerred"
# Set your desired threshold for the maximum number of orphaned files qbm will delete in a single run. (-1 to disable safeguards)
# This will help reduce the number of accidental large amount orphaned deletions in a single run
# WARNING: Setting this variable to -1 will not safeguard against any deletions
max_orphaned_files_to_delete: 50
apprise:
# Apprise integration with webhooks
# Leave Empty/Blank to disable
# Mandatory to fill out the url of your apprise API endpoint
api_url: http://apprise-api:8000
# Mandatory to fill out the notification url/urls based on the notification services provided by apprise. https://github.com/caronc/apprise/wiki
notify_url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
ansible/app-configs/radarec/config.json.j2
-20
View File
@@ -1,20 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
{
"radarr_address": "http://radarr:7878",
"radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}",
"root_folder_path": "/data/media/movies",
"tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
"fallback_to_top_result": false,
"radarr_api_timeout": 120.0,
"quality_profile_id": 1,
"metadata_profile_id": 1,
"search_for_movie": true,
"dry_run_adding_to_radarr": false,
"minimum_rating": 4.5,
"minimum_votes": 50,
"language_choice": "all",
"auto_start": true,
"auto_start_delay": 60.0
}
ansible/app-configs/radarr/config.xml.j2
-21
View File
@@ -1,21 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
<Config>
<LogLevel>info</LogLevel>
<BindAddress>*</BindAddress>
<EnableSsl>False</EnableSsl>
<SslCertPath></SslCertPath>
<Port>7878</Port>
<UrlBase></UrlBase>
<ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}</ApiKey>
<AuthenticationMethod>Forms</AuthenticationMethod>
<UpdateMechanism>Docker</UpdateMechanism>
<SslPort>9898</SslPort>
<LaunchBrowser>True</LaunchBrowser>
<Branch>master</Branch>
<SslCertPassword></SslCertPassword>
<InstanceName>Radarr</InstanceName>
<Theme>auto</Theme>
<AuthenticationRequired>Enabled</AuthenticationRequired>
</Config>
ansible/app-configs/readarr/config.xml.j2
-21
View File
@@ -1,21 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
<Config>
<BindAddress>*</BindAddress>
<Port>8787</Port>
<SslPort>6868</SslPort>
<EnableSsl>False</EnableSsl>
<LaunchBrowser>True</LaunchBrowser>
<ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}</ApiKey>
<AuthenticationMethod>Forms</AuthenticationMethod>
<Branch>develop</Branch>
<LogLevel>info</LogLevel>
<SslCertPath></SslCertPath>
<SslCertPassword></SslCertPassword>
<UrlBase></UrlBase>
<InstanceName>Readarr</InstanceName>
<UpdateMechanism>Docker</UpdateMechanism>
<Theme>auto</Theme>
<AuthenticationRequired>Enabled</AuthenticationRequired>
</Config>
ansible/app-configs/romm/config.yml.j2
-48
View File
@@ -1,48 +0,0 @@
# This is a generic example of a configuration file
# Rename this file to `config.yml`, copy it to a `config` folder, and mount that folder as per the docker-compose.example.yml
# Only uncomment the lines you want to use/modify, or add new ones where needed
exclude:
# Exclude platforms to be scanned
platforms: [] # ['my_excluded_platform_1', 'my_excluded_platform_2']
# Exclude roms or parts of roms to be scanned
roms:
# Single file games section.
# Will not apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
single_file:
# Exclude all files with certain extensions to be scanned
extensions: [] # ['xml', 'txt']
# Exclude matched file names to be scanned.
# Supports unix filename pattern matching
# Can also exclude files by extension
names: [] # ['info.txt', '._*', '*.nfo']
# Multi files games section
# Will apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
multi_file:
# Exclude matched 'folder' names to be scanned (RomM identifies folders as multi file games)
names: [] # ['my_multi_file_game', 'DLC']
# Exclude files within sub-folders.
parts:
# Exclude matched file names to be scanned from multi file roms
# Keep in mind that RomM doesn't scan folders inside multi files games,
# so there is no need to exclude folders from inside of multi files games.
names: [] # ['data.xml', '._*'] # Supports unix filename pattern matching
# Exclude all files with certain extensions to be scanned from multi file roms
extensions: [] # ['xml', 'txt']
system:
# Asociate different platform names to your current file system platform names
# [your custom platform folder name]: [RomM platform name]
# In this example if you have a 'gc' folder, RomM will treat it like the 'ngc' folder and if you have a 'psx' folder, RomM will treat it like the 'ps' folder
platforms: {} # { gc: 'ngc', psx: 'ps' }
# Asociate one platform to it's main version
versions: {} # { naomi: 'arcade' }
# The folder name where your roms are located
filesystem: {} # { roms_folder: 'roms' } For example if your folder structure is /home/user/library/roms_folder
ansible/app-configs/sabnzbdvpn/sabnzbd.ini.j2
-482
View File
@@ -1,482 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
__version__ = 19
__encoding__ = utf-8
[misc]
pre_script = None
queue_complete = ""
queue_complete_pers = 0
bandwidth_perc = 0
refresh_rate = 1
queue_limit = 20
config_lock = 0
sched_converted = 2
notified_new_skin = 2
direct_unpack_tested = 1
check_new_rel = 1
auto_browser = 0
language = en
enable_https_verification = 1
host = 0.0.0.0
port = 8080
https_port = 8090
username = thetrezuredone
password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_PASSWORD'] }}
bandwidth_max = 1000M
cache_limit = 1G
web_dir = Glitter
web_color = Auto
https_cert = server.cert
https_key = server.key
https_chain = ""
enable_https = 1
inet_exposure = 0
local_ranges = ,
api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_API_KEY'] }}
nzb_key = 3c0fa874bb2748b58c1bd7512e649946
permissions = 775
download_dir = /storage/downloads/incomplete
download_free = ""
complete_dir = /storage/downloads/completed/nzb
script_dir = ""
nzb_backup_dir = ""
admin_dir = admin
dirscan_dir = /storage/downloads/watch
dirscan_speed = 5
password_file = ""
log_dir = logs
max_art_tries = 3
load_balancing = 2
top_only = 0
sfv_check = 1
quick_check_ext_ignore = nfo, sfv, srr
script_can_fail = 0
ssl_ciphers = ""
enable_recursive = 1
flat_unpack = 0
par_option = ""
pre_check = 1
nice = ""
win_process_prio = 3
ionice = ""
fail_hopeless_jobs = 1
fast_fail = 1
auto_disconnect = 1
no_dupes = 3
no_series_dupes = 0
series_propercheck = 1
pause_on_pwrar = 2
ignore_samples = 1
deobfuscate_final_filenames = 0
auto_sort = ""
direct_unpack = 1
direct_unpack_threads = 3
propagation_delay = 0
folder_rename = 1
replace_spaces = 1
replace_dots = 1
safe_postproc = 1
pause_on_post_processing = 0
sanitize_safe = 0
cleanup_list = ,
unwanted_extensions = ,
action_on_unwanted_extensions = 0
new_nzb_on_failure = 1
history_retention = ""
enable_meta = 1
quota_size = ""
quota_day = ""
quota_resume = 0
quota_period = m
rating_enable = 0
rating_host = ""
rating_api_key = ""
rating_filter_enable = 0
rating_filter_abort_audio = 0
rating_filter_abort_video = 0
rating_filter_abort_encrypted = 0
rating_filter_abort_encrypted_confirm = 0
rating_filter_abort_spam = 0
rating_filter_abort_spam_confirm = 0
rating_filter_abort_downvoted = 0
rating_filter_abort_keywords = ""
rating_filter_pause_audio = 0
rating_filter_pause_video = 0
rating_filter_pause_encrypted = 0
rating_filter_pause_encrypted_confirm = 0
rating_filter_pause_spam = 0
rating_filter_pause_spam_confirm = 0
rating_filter_pause_downvoted = 0
rating_filter_pause_keywords = ""
enable_tv_sorting = 1
tv_sort_string = %sn/Season %s/%sn - %sx%0e - %en.%ext
tv_sort_countries = 1
tv_categories = tv,
enable_movie_sorting = 0
movie_sort_string = ""
movie_sort_extra = -cd%1
movie_extra_folder = 0
movie_categories = movies,
enable_date_sorting = 0
date_sort_string = ""
date_categories = tv,
schedlines = ,
rss_rate = 60
ampm = 0
replace_illegal = 1
start_paused = 0
enable_all_par = 1
enable_par_cleanup = 1
enable_unrar = 1
enable_unzip = 1
enable_7zip = 1
enable_filejoin = 1
enable_tsjoin = 1
overwrite_files = 0
ignore_unrar_dates = 0
backup_for_duplicates = 1
empty_postproc = 0
wait_for_dfolder = 0
rss_filenames = 0
api_logging = 1
html_login = 1
osx_menu = 1
osx_speed = 1
warn_dupl_jobs = 1
helpfull_warnings = 1
keep_awake = 1
win_menu = 1
allow_incomplete_nzb = 0
enable_bonjour = 1
max_art_opt = 0
ipv6_hosting = 0
fixed_ports = 1
api_warnings = 1
disable_api_key = 0
no_penalties = 0
x_frame_options = 1
require_modern_tls = 0
num_decoders = 3
rss_odd_titles = nzbindex.nl/, nzbindex.com/, nzbclub.com/
req_completion_rate = 100.2
selftest_host = self-test.sabnzbd.org
movie_rename_limit = 100M
size_limit = 0
show_sysload = 2
history_limit = 10
wait_ext_drive = 5
max_foldername_length = 246
nomedia_marker = ""
ipv6_servers = 1
url_base = /sabnzbd
host_whitelist = rinoa, sabnzbd.trez.wtf
max_url_retries = 10
email_server = ""
email_to = ,
email_from = ""
email_account = ""
email_pwd = ""
email_endjob = 0
email_full = 0
email_dir = ""
email_rss = 0
email_cats = *,
interface_settings = '{"dateFormat":"fromNow","extraQueueColumns":["category"],"extraHistoryColumns":[],"displayCompact":false,"displayFullWidth":false,"confirmDeleteQueue":true,"confirmDeleteHistory":true,"keyboardShortcuts":true}'
complete_free = ""
fulldisk_autoresume = 0
enable_broadcast = 1
downloader_sleep_time = 10
ssdp_broadcast_interval = 15
unwanted_extensions_mode = 0
process_unpacked_par2 = 1
episode_rename_limit = 20M
socks5_proxy_url = ""
preserve_paused_state = 0
helpful_warnings = 1
allow_old_ssl_tls = 0
num_simd_decoders = 2
ext_rename_ignore = ,
backup_dir = ""
replace_underscores = 0
tray_icon = 1
sorters_converted = 1
enable_season_sorting = 1
receive_threads = 2
switchinterval = 0.005
end_queue_script = None
no_smart_dupes = 1
dupes_propercheck = 1
enable_multipar = 1
verify_xff_header = 0
history_retention_option = all
history_retention_number = 1
ipv6_staging = 0
disable_archive = 0
config_conversion_version = 4
disable_par2cmdline = 0
[logging]
log_level = 1
max_log_size = 5242880
log_backups = 5
[ncenter]
ncenter_enable = 0
ncenter_cats = *,
ncenter_prio_startup = 0
ncenter_prio_download = 0
ncenter_prio_pause_resume = 0
ncenter_prio_pp = 0
ncenter_prio_complete = 0
ncenter_prio_failed = 0
ncenter_prio_disk_full = 0
ncenter_prio_new_login = 0
ncenter_prio_warning = 0
ncenter_prio_error = 0
ncenter_prio_queue_done = 0
ncenter_prio_other = 0
[acenter]
acenter_enable = 0
acenter_cats = *,
acenter_prio_startup = 0
acenter_prio_download = 0
acenter_prio_pause_resume = 0
acenter_prio_pp = 0
acenter_prio_complete = 0
acenter_prio_failed = 0
acenter_prio_disk_full = 0
acenter_prio_new_login = 0
acenter_prio_warning = 0
acenter_prio_error = 0
acenter_prio_queue_done = 0
acenter_prio_other = 0
[ntfosd]
ntfosd_enable = 0
ntfosd_cats = *,
ntfosd_prio_startup = 0
ntfosd_prio_download = 0
ntfosd_prio_pause_resume = 0
ntfosd_prio_pp = 0
ntfosd_prio_complete = 0
ntfosd_prio_failed = 0
ntfosd_prio_disk_full = 0
ntfosd_prio_new_login = 0
ntfosd_prio_warning = 0
ntfosd_prio_error = 0
ntfosd_prio_queue_done = 0
ntfosd_prio_other = 0
[prowl]
prowl_enable = 0
prowl_cats = *,
prowl_apikey = ""
prowl_prio_startup = -3
prowl_prio_download = -3
prowl_prio_pause_resume = -3
prowl_prio_pp = -3
prowl_prio_complete = 0
prowl_prio_failed = 1
prowl_prio_disk_full = 1
prowl_prio_new_login = -3
prowl_prio_warning = -3
prowl_prio_error = -3
prowl_prio_queue_done = 0
prowl_prio_other = -3
[pushover]
pushover_token = ""
pushover_userkey = ""
pushover_device = ""
pushover_emergency_expire = 3600
pushover_emergency_retry = 60
pushover_enable = 0
pushover_cats = *,
pushover_prio_startup = -3
pushover_prio_download = -2
pushover_prio_pause_resume = -2
pushover_prio_pp = -3
pushover_prio_complete = -1
pushover_prio_failed = -1
pushover_prio_disk_full = 1
pushover_prio_new_login = -3
pushover_prio_warning = 1
pushover_prio_error = 1
pushover_prio_queue_done = -1
pushover_prio_other = -3
[pushbullet]
pushbullet_enable = 0
pushbullet_cats = *,
pushbullet_apikey = ""
pushbullet_device = ""
pushbullet_prio_startup = 0
pushbullet_prio_download = 0
pushbullet_prio_pause_resume = 0
pushbullet_prio_pp = 0
pushbullet_prio_complete = 1
pushbullet_prio_failed = 1
pushbullet_prio_disk_full = 1
pushbullet_prio_new_login = 0
pushbullet_prio_warning = 0
pushbullet_prio_error = 0
pushbullet_prio_queue_done = 0
pushbullet_prio_other = 0
[nscript]
nscript_enable = 0
nscript_cats = *,
nscript_script = None
nscript_parameters = ""
nscript_prio_startup = 1
nscript_prio_download = 0
nscript_prio_pause_resume = 0
nscript_prio_pp = 0
nscript_prio_complete = 1
nscript_prio_failed = 1
nscript_prio_disk_full = 1
nscript_prio_new_login = 0
nscript_prio_warning = 0
nscript_prio_error = 0
nscript_prio_queue_done = 1
nscript_prio_other = 0
[servers]
[[news.newshosting.com]]
name = news.newshosting.com
displayname = Newshosting
host = news.newshosting.com
port = 563
timeout = 60
username = thetrezuredone
password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
connections = 8
ssl = 1
ssl_verify = 3
ssl_ciphers = ""
enable = 1
required = 0
optional = 0
retention = 0
expire_date = ""
quota = ""
usage_at_start = 0
priority = 0
notes = ""
[[news.easynews.com]]
name = news.easynews.com
displayname = EasyNews
host = news.easynews.com
port = 443
timeout = 60
username = TrezOne
password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
connections = 60
ssl = 0
ssl_verify = 3
ssl_ciphers = ""
enable = 1
required = 0
optional = 0
retention = 0
expire_date = ""
quota = ""
usage_at_start = 0
priority = 0
notes = ""
[categories]
[[software]]
name = software
order = 0
pp = ""
script = Default
dir = ""
newzbin = ""
priority = -100
[[*]]
name = *
order = 0
pp = 3
script = Default
dir = ""
newzbin = ""
priority = 0
[[tv]]
name = tv
order = 0
pp = ""
script = Default
dir = tv
newzbin = ""
priority = -100
[[audio]]
name = audio
order = 0
pp = 2
script = Default
dir = music
newzbin = ""
priority = 1
[[movies]]
name = movies
order = 0
pp = ""
script = Default
dir = movies
newzbin = ""
priority = -100
[[ebook]]
name = ebook
order = 0
pp = 2
script = Default
dir = ebooks
newzbin = ""
priority = -100
[[prowlarr]]
name = prowlarr
order = 0
pp = ""
script = Default
dir = ""
newzbin = ""
priority = -1
[[sonarr]]
name = sonarr
order = 1
pp = ""
script = Default
dir = tv
newzbin = ""
priority = -100
[sorters]
[[Series Sorting]]
name = Series Sorting
order = 0
min_size = 20M
multipart_label = ""
sort_string = %sn/Season %s/%sn - %sx%0e - %en.%ext
sort_cats = tv,
sort_type = 1,
is_active = 1
[apprise]
apprise_enable = 1
apprise_cats = *,
apprise_urls = apprise://apprise:8000/aef1ab3765b857585e13340f1f5f879b2babcc47b0eccead98a19e0a93fe1a35
apprise_target_startup = ""
apprise_target_startup_enable = 0
apprise_target_download = ""
apprise_target_download_enable = 0
apprise_target_pause_resume = ""
apprise_target_pause_resume_enable = 1
apprise_target_pp = ""
apprise_target_pp_enable = 0
apprise_target_complete = ""
apprise_target_complete_enable = 1
apprise_target_failed = ""
apprise_target_failed_enable = 1
apprise_target_disk_full = ""
apprise_target_disk_full_enable = 0
apprise_target_new_login = ""
apprise_target_new_login_enable = 1
apprise_target_warning = ""
apprise_target_warning_enable = 1
apprise_target_error = ""
apprise_target_error_enable = 1
apprise_target_queue_done = ""
apprise_target_queue_done_enable = 0
apprise_target_other = ""
apprise_target_other_enable = 1
ansible/app-configs/scrutiny/config/config.yaml.j2
-7
View File
@@ -1,7 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
bolt-path: /opt/scrutiny/influxdb/influxd.bolt
engine-path: /opt/scrutiny/influxdb/engine
http-bind-address: ":8086"
reporting-disabled: true
ansible/app-configs/searxng/settings.yml.j2
-2243
View File
File diff suppressed because it is too large Load Diff
ansible/app-configs/searxng/uwsgi.ini.j2
-49
View File
@@ -1,49 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
[uwsgi]
# Who will run the code
uid = searxng
gid = searxng
# Number of workers (usually CPU count)
workers = %k
threads = 4
# The right granted on the created socket
chmod-socket = 666
# Plugin to use and interpreter config
single-interpreter = true
master = true
plugin = python3
lazy-apps = true
enable-threads = 4
# Module to import
module = searx.webapp
# Virtualenv and python path
pythonpath = /usr/local/searxng/
chdir = /usr/local/searxng/searx/
# automatically set processes name to something meaningful
auto-procname = true
# Disable request logging for privacy
disable-logging = true
log-5xx = true
# Set the max size of a request (request-body excluded)
buffer-size = 8192
# No keep alive
# See https://github.com/searx/searx-docker/issues/24
add-header = Connection: close
# uwsgi serves the static files
static-map = /static=/usr/local/searxng/searx/static
# expires set to one day
static-expires = /* 86400
static-gzip-all = True
offload-threads = 4
ansible/app-configs/signoz/clickhouse/cluster.ha.xml.j2
-75
View File
@@ -1,75 +0,0 @@
<?xml version="1.0"?>
<clickhouse>
<!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
Optional. If you don't use replicated tables, you could omit that.
See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
-->
<zookeeper>
<node index="1">
<host>signoz-zookeeper-1</host>
<port>2181</port>
</node>
<node index="2">
<host>zookeeper-2</host>
<port>2181</port>
</node>
<node index="3">
<host>zookeeper-3</host>
<port>2181</port>
</node>
</zookeeper>
<!-- Configuration of clusters that could be used in Distributed tables.
https://clickhouse.com/docs/en/operations/table_engines/distributed/
-->
<remote_servers>
<cluster>
<!-- Inter-server per-cluster secret for Distributed queries
default: no secret (no authentication will be performed)
If set, then Distributed queries will be validated on shards, so at least:
- such cluster should exist on the shard,
- such cluster should have the same secret.
And also (and which is more important), the initial_user will
be used as current user for the query.
Right now the protocol is pretty simple and it only takes into account:
- cluster name
- query
Also it will be nice if the following will be implemented:
- source hostname (see interserver_http_host), but then it will depends from DNS,
it can use IP address instead, but then the you need to get correct on the initiator node.
- target hostname / ip address (same notes as for source hostname)
- time-based security tokens
-->
<!-- <secret></secret> -->
<shard>
<!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
<!-- <internal_replication>false</internal_replication> -->
<!-- Optional. Shard weight when writing data. Default: 1. -->
<!-- <weight>1</weight> -->
<replica>
<host>signoz-clickhouse</host>
<port>9000</port>
<!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
<!-- <priority>1</priority> -->
</replica>
</shard>
<shard>
<replica>
<host>clickhouse-2</host>
<port>9000</port>
</replica>
</shard>
<shard>
<replica>
<host>clickhouse-3</host>
<port>9000</port>
</replica>
</shard>
</cluster>
</remote_servers>
</clickhouse>
ansible/app-configs/signoz/clickhouse/cluster.xml.j2
-75
View File
@@ -1,75 +0,0 @@
<?xml version="1.0"?>
<clickhouse>
<!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
Optional. If you don't use replicated tables, you could omit that.
See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
-->
<zookeeper>
<node index="1">
<host>signoz-zookeeper-1</host>
<port>2181</port>
</node>
<!-- <node index="2">
<host>zookeeper-2</host>
<port>2181</port>
</node>
<node index="3">
<host>zookeeper-3</host>
<port>2181</port>
</node> -->
</zookeeper>
<!-- Configuration of clusters that could be used in Distributed tables.
https://clickhouse.com/docs/en/operations/table_engines/distributed/
-->
<remote_servers>
<cluster>
<!-- Inter-server per-cluster secret for Distributed queries
default: no secret (no authentication will be performed)
If set, then Distributed queries will be validated on shards, so at least:
- such cluster should exist on the shard,
- such cluster should have the same secret.
And also (and which is more important), the initial_user will
be used as current user for the query.
Right now the protocol is pretty simple and it only takes into account:
- cluster name
- query
Also it will be nice if the following will be implemented:
- source hostname (see interserver_http_host), but then it will depends from DNS,
it can use IP address instead, but then the you need to get correct on the initiator node.
- target hostname / ip address (same notes as for source hostname)
- time-based security tokens
-->
<!-- <secret></secret> -->
<shard>
<!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
<!-- <internal_replication>false</internal_replication> -->
<!-- Optional. Shard weight when writing data. Default: 1. -->
<!-- <weight>1</weight> -->
<replica>
<host>signoz-clickhouse</host>
<port>9000</port>
<!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
<!-- <priority>1</priority> -->
</replica>
</shard>
<!-- <shard>
<replica>
<host>clickhouse-2</host>
<port>9000</port>
</replica>
</shard>
<shard>
<replica>
<host>clickhouse-3</host>
<port>9000</port>
</replica>
</shard> -->
</cluster>
</remote_servers>
</clickhouse>
ansible/app-configs/signoz/clickhouse/config.xml.j2
-1142
View File
File diff suppressed because it is too large Load Diff
ansible/app-configs/signoz/clickhouse/custom-function.xml.j2
-21
View File
@@ -1,21 +0,0 @@
<functions>
<function>
<type>executable</type>
<name>histogramQuantile</name>
<return_type>Float64</return_type>
<argument>
<type>Array(Float64)</type>
<name>buckets</name>
</argument>
<argument>
<type>Array(Float64)</type>
<name>counts</name>
</argument>
<argument>
<type>Float64</type>
<name>quantile</name>
</argument>
<format>CSV</format>
<command>./histogramQuantile</command>
</function>
</functions>
ansible/app-configs/signoz/clickhouse/storage.xml.j2
-41
View File
@@ -1,41 +0,0 @@
<?xml version="1.0"?>
<clickhouse>
<storage_configuration>
<disks>
<default>
<keep_free_space_bytes>10485760</keep_free_space_bytes>
</default>
<s3>
<type>s3</type>
<!-- For S3 cold storage,
if region is us-east-1, endpoint can be https://<bucket-name>.s3.amazonaws.com
if region is not us-east-1, endpoint should be https://<bucket-name>.s3-<region>.amazonaws.com
For GCS cold storage,
endpoint should be https://storage.googleapis.com/<bucket-name>/data/
-->
<endpoint>https://BUCKET-NAME.s3-REGION-NAME.amazonaws.com/data/</endpoint>
<access_key_id>ACCESS-KEY-ID</access_key_id>
<secret_access_key>SECRET-ACCESS-KEY</secret_access_key>
<!-- In case of S3, uncomment the below configuration in case you want to read
AWS credentials from the Environment variables if they exist. -->
<!-- <use_environment_credentials>true</use_environment_credentials> -->
<!-- In case of GCS, uncomment the below configuration, since GCS does
not support batch deletion and result in error messages in logs. -->
<!-- <support_batch_delete>false</support_batch_delete> -->
</s3>
</disks>
<policies>
<tiered>
<volumes>
<default>
<disk>default</disk>
</default>
<s3>
<disk>s3</disk>
<perform_ttl_move_on_insert>0</perform_ttl_move_on_insert>
</s3>
</volumes>
</tiered>
</policies>
</storage_configuration>
</clickhouse>
ansible/app-configs/signoz/clickhouse/users.xml.j2
-123
View File
@@ -1,123 +0,0 @@
<?xml version="1.0"?>
<clickhouse>
<!-- See also the files in users.d directory where the settings can be overridden. -->
<!-- Profiles of settings. -->
<profiles>
<!-- Default settings. -->
<default>
<!-- Maximum memory usage for processing single query, in bytes. -->
<max_memory_usage>10000000000</max_memory_usage>
<!-- How to choose between replicas during distributed query processing.
random - choose random replica from set of replicas with minimum number of errors
nearest_hostname - from set of replicas with minimum number of errors, choose replica
with minimum number of different symbols between replica's hostname and local hostname
(Hamming distance).
in_order - first live replica is chosen in specified order.
first_or_random - if first replica one has higher number of errors, pick a random one from replicas with minimum number of errors.
-->
<load_balancing>random</load_balancing>
</default>
<!-- Profile that allows only read queries. -->
<readonly>
<readonly>1</readonly>
</readonly>
</profiles>
<!-- Users and ACL. -->
<users>
<!-- If user name was not specified, 'default' user is used. -->
<default>
<!-- See also the files in users.d directory where the password can be overridden.
Password could be specified in plaintext or in SHA256 (in hex format).
If you want to specify password in plaintext (not recommended), place it in 'password' element.
Example: <password>qwerty</password>.
Password could be empty.
If you want to specify SHA256, place it in 'password_sha256_hex' element.
Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>
If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
place its name in 'server' element inside 'ldap' element.
Example: <ldap><server>my_ldap_server</server></ldap>
If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
place 'kerberos' element instead of 'password' (and similar) elements.
The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
whose initiator's realm matches it.
Example: <kerberos />
Example: <kerberos><realm>EXAMPLE.COM</realm></kerberos>
How to generate decent password:
Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
In first line will be password and in second - corresponding SHA256.
How to generate double SHA1:
Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
In first line will be password and in second - corresponding double SHA1.
-->
<password></password>
<!-- List of networks with open access.
To open access from everywhere, specify:
<ip>::/0</ip>
To open access only from localhost, specify:
<ip>::1</ip>
<ip>127.0.0.1</ip>
Each element of list has one of the following forms:
<ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
<host> Hostname. Example: server01.clickhouse.com.
To check access, DNS query is performed, and all received addresses compared to peer address.
<host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.clickhouse\.com$
To check access, DNS PTR query is performed for peer address and then regexp is applied.
Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
Strongly recommended that regexp is ends with $
All results of DNS requests are cached till server restart.
-->
<networks>
<ip>::/0</ip>
</networks>
<!-- Settings profile for user. -->
<profile>default</profile>
<!-- Quota for user. -->
<quota>default</quota>
<!-- User can create other users and grant rights to them. -->
<!-- <access_management>1</access_management> -->
</default>
</users>
<!-- Quotas. -->
<quotas>
<!-- Name of quota. -->
<default>
<!-- Limits for time interval. You could specify many intervals with different limits. -->
<interval>
<!-- Length of interval. -->
<duration>3600</duration>
<!-- No limits. Just calculate resource usage for time interval. -->
<queries>0</queries>
<errors>0</errors>
<result_rows>0</result_rows>
<read_rows>0</read_rows>
<execution_time>0</execution_time>
</interval>
</default>
</quotas>
</clickhouse>
ansible/app-configs/signoz/otel/otel-collector-config.yaml.j2
-222
View File
@@ -1,222 +0,0 @@
receivers:
httplogreceiver/json:
endpoint: 0.0.0.0:8082
source: json
otlp:
protocols:
grpc:
endpoint: 0.0.0.0:4317
http:
endpoint: 0.0.0.0:4318
hostmetrics:
collection_interval: 60s # Frequency of metrics collection.
scrapers:
cpu: {}
load: {}
memory: {}
disk: {}
filesystem: {}
network: {}
docker_stats:
endpoint: unix:///var/run/docker.sock
collection_interval: 30s
timeout: 10s
api_version: "1.51"
metrics:
container.uptime:
enabled: true
container.restarts:
enabled: true
container.network.io.usage.rx_errors:
enabled: true
container.network.io.usage.tx_errors:
enabled: true
container.network.io.usage.rx_packets:
enabled: true
container.network.io.usage.tx_packets:
enabled: true
filelog/nginx-access-logs:
include: ["${env:NGINX_ACCESS_LOG_FILE}"]
operators:
# Parse the default nginx access log format. Nginx defaults to the "combined" log format
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
# For more details, see https://nginx.org/en/docs/http/ngx_http_log_module.html
- type: regex_parser
if: body matches '^(?P<remote_addr>[0-9\\.]+) - (?P<remote_user>[^\\s]+) \\[(?P<ts>.+)\\] "(?P<request_method>\\w+?) (?P<request_path>.+?)" (?P<status>[0-9]+) (?P<body_bytes_sent>[0-9]+) "(?P<http_referrer>.+?)" "(?P<http_user_agent>.+?)"$'
parse_from: body
parse_to: attributes
regex: '^(?P<remote_addr>[0-9\.]+) - (?P<remote_user>[^\s]+) \[(?P<ts>.+)\] "(?P<request_method>\w+?) (?P<request_path>.+?)" (?P<status>[0-9]+) (?P<body_bytes_sent>[0-9]+) "(?P<http_referrer>.+?)" "(?P<http_user_agent>.+?)"$'
timestamp:
parse_from: attributes.ts
layout: "02/Jan/2006:15:04:05 -0700"
layout_type: gotime
severity:
parse_from: attributes.status
overwrite_text: true
mapping:
debug: "1xx"
info:
- "2xx"
- "3xx"
warn: "4xx"
error: "5xx"
- type: remove
if: attributes.ts != nil
field: attributes.ts
- type: add
field: attributes.source
value: nginx
filelog/nginx-error-logs:
include: ["${env:NGINX_ERROR_LOG_FILE}"]
operators:
# Parse the default nginx error log format.
# YYYY/MM/DD HH:MM:SS [LEVEL] PID#TID: *CID MESSAGE
# For more details, see https://github.com/phusion/nginx/blob/master/src/core/ngx_log.c
- type: regex_parser
if: body matches '^(?P<ts>.+?) \\[(?P<log_level>\\w+)\\] (?P<pid>\\d+)#(?P<tid>\\d+). \\*(?P<cid>\\d+) (?P<message>.+)$'
parse_from: body
parse_to: attributes
regex: '^(?P<ts>.+?) \[(?P<log_level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+). \*(?P<cid>\d+) (?P<message>.+)$'
timestamp:
parse_from: attributes.ts
layout: "2006/01/02 15:04:05"
layout_type: gotime
severity:
parse_from: attributes.log_level
overwrite_text: true
mapping:
debug: "debug"
info:
- "info"
- "notice"
warn: "warn"
error:
- "error"
- "crit"
- "alert"
fatal: "emerg"
- type: remove
if: attributes.ts != nil
field: attributes.ts
- type: move
if: attributes.message != nil
from: attributes.message
to: body
- type: add
field: attributes.source
value: nginx
prometheus:
config:
global:
scrape_interval: 60s
scrape_configs:
- job_name: otel-collector
static_configs:
- targets:
- localhost:8888
labels:
job_name: otel-collector
processors:
batch:
send_batch_size: 10000
send_batch_max_size: 11000
timeout: 10s
resourcedetection:
detectors: [env, system]
system:
hostname_sources: [os]
resourcedetection/env:
detectors: [env]
timeout: 2s
override: false
resourcedetection/system:
detectors: ["system"]
system:
hostname_sources: ["dns", "os"]
resourcedetection/docker:
detectors: [env, docker]
timeout: 2s
override: false
signozspanmetrics/delta:
metrics_exporter: clickhousemetricswrite, signozclickhousemetrics
metrics_flush_interval: 60s
latency_histogram_buckets: [100us, 1ms, 2ms, 6ms, 10ms, 50ms, 100ms, 250ms, 500ms, 1000ms, 1400ms, 2000ms, 5s, 10s, 20s, 40s, 60s ]
dimensions_cache_size: 100000
aggregation_temporality: AGGREGATION_TEMPORALITY_DELTA
enable_exp_histogram: true
dimensions:
- name: service.namespace
default: default
- name: deployment.environment
default: default
# This is added to ensure the uniqueness of the timeseries
# Otherwise, identical timeseries produced by multiple replicas of
# collectors result in incorrect APM metrics
- name: signoz.collector.id
- name: service.version
- name: browser.platform
- name: browser.mobile
- name: k8s.cluster.name
- name: k8s.node.name
- name: k8s.namespace.name
- name: host.name
- name: host.type
- name: container.name
extensions:
health_check:
endpoint: 0.0.0.0:13133
pprof:
endpoint: 0.0.0.0:1777
exporters:
clickhousetraces:
datasource: tcp://clickhouse:9000/signoz_traces
low_cardinal_exception_grouping: ${env:LOW_CARDINAL_EXCEPTION_GROUPING}
use_new_schema: true
clickhousemetricswrite:
endpoint: tcp://clickhouse:9000/signoz_metrics
disable_v2: true
resource_to_telemetry_conversion:
enabled: true
clickhousemetricswrite/prometheus:
endpoint: tcp://clickhouse:9000/signoz_metrics
disable_v2: true
signozclickhousemetrics:
dsn: tcp://clickhouse:9000/signoz_metrics
clickhouselogsexporter:
dsn: tcp://clickhouse:9000/signoz_logs
timeout: 10s
use_new_schema: true
# debug: {}
otlp/nginx-logs:
endpoint: "localhost:4317"
tls:
insecure: true
service:
telemetry:
logs:
encoding: json
extensions:
- health_check
- pprof
pipelines:
traces:
receivers: [otlp]
processors: [signozspanmetrics/delta, batch]
exporters: [clickhousetraces]
metrics:
receivers: [otlp]
processors: [batch]
exporters: [clickhousemetricswrite, signozclickhousemetrics, resourcedetection/docker, resourcedetection/system]
metrics/hostmetrics:
receivers: [hostmetrics]
processors: [resourcedetection, resource/env]
exporters: [otlp]
metrics/prometheus:
receivers: [prometheus]
processors: [batch]
exporters: [clickhousemetricswrite/prometheus, signozclickhousemetrics]
logs:
receivers: [otlp, tcplog/docker, httplogreceiver/json]
processors: [batch]
exporters: [clickhouselogsexporter]
ansible/app-configs/signoz/otel/otel-collector-opamp-config.yaml.j2
-1
View File
@@ -1 +0,0 @@
server_endpoint: ws://signoz-app:4320/v1/opamp
ansible/app-configs/signoz/prometheus.yml.j2
-25
View File
@@ -1,25 +0,0 @@
# my global config
global:
scrape_interval: 5s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
# scrape_timeout is set to the global default (10s).
# Alertmanager configuration
alerting:
alertmanagers:
- static_configs:
- targets:
- alertmanager:9093
# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files: []
# - "first_rules.yml"
# - "second_rules.yml"
# - 'alerts.yml'
# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs: []
remote_read:
- url: tcp://clickhouse:9000/signoz_metrics
ansible/app-configs/sonarr/config.xml.j2
-22
View File
@@ -1,22 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
<Config>
<LogLevel>info</LogLevel>
<EnableSsl>False</EnableSsl>
<Port>8989</Port>
<SslPort>9898</SslPort>
<UrlBase></UrlBase>
<BindAddress>*</BindAddress>
<ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}</ApiKey>
<AuthenticationMethod>Forms</AuthenticationMethod>
<UpdateMechanism>Docker</UpdateMechanism>
<LaunchBrowser>True</LaunchBrowser>
<Branch>main</Branch>
<InstanceName>Sonarr</InstanceName>
<SyslogPort>514</SyslogPort>
<AuthenticationRequired>Enabled</AuthenticationRequired>
<SslCertPath></SslCertPath>
<SslCertPassword></SslCertPassword>
<Theme>auto</Theme>
</Config>
ansible/app-configs/sonashow/config.json.j2
-21
View File
@@ -1,21 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
{
"sonarr_address": "http://192.168.1.2:8989",
"sonarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}",
"root_folder_path": "/data/media/shows",
"tvdb_api_key": "",
"tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
"fallback_to_top_result": false,
"sonarr_api_timeout": 120.0,
"quality_profile_id": 1,
"metadata_profile_id": 1,
"search_for_missing_episodes": true,
"dry_run_adding_to_sonarr": false,
"minimum_rating": 4.5,
"minimum_votes": 50,
"language_choice": "all",
"auto_start": true,
"auto_start_delay": 60.0
}
ansible/app-configs/soularr/config.ini.j2
-76
View File
@@ -1,76 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
[Lidarr]
api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
host_url = http://lidarr:8686
#This should be the path mounted in lidarr that points to your slskd download directory.
#If Lidarr is not running in Docker then this may just be the same dir as Slskd is using below.
download_dir = /storage
[Slskd]
#Api key from Slskd. Need to set this up manually. See link to Slskd docs above.
api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
host_url = http://gluetun:5030
#Slskd download directory. Should have set it up when installing Slskd.
download_dir = /app/downloads
#Removes searches from Slskd after the search finishes.
delete_searches = False
#Maximum time (in seconds) that the script will wait for downloads to complete.
#This is used to prevent the script from running forever due to a stalled download. Defaults to 1 hour.
stalled_timeout = 3600
[Release Settings]
#Selects the release with the most common amount of tracks out of all the releases.
use_most_common_tracknum = True
allow_multi_disc = True
#See full list of countries below.
accepted_countries = Europe,Japan,United Kingdom,United States,[Worldwide],Australia,Canada
#See full list of formats below.
accepted_formats = CD,Digital Media,Vinyl
[Search Settings]
search_timeout = 5000
maximum_peer_queue = 50
#Min upload speed in bit/s
minimum_peer_upload_speed = 0
#Min match ratio accepted when comparing lidarr track names to soulseek filenames.
minimum_filename_match_ratio = 0.5
#Specify the file types you prefer from most to least. As well as their attributes such as bitrate / samplerate / bitdepth.
#For flacs you can choose the bitdepth/samplerate. And for mp3s the bitrate.
#If you do not care about the specific quality you can still just put "flac" or "mp3".
#Soularr will then just look at the filetype and ignore file attributes.
allowed_filetypes = flac 24/192,flac 16/44.1,flac,mp3 320,mp3
ignored_users = User1,User2,Fred,Bob
#Set to False if you only want to search for complete albums
search_for_tracks = True
#Set to True if you want to add the artist's name to the beginning of the search for albums
album_prepend_artist = False
track_prepend_artist = True
#Valid search types: all || incrementing_page || first_page
#"all" will search for every wanted record everytime soularr is run.
#"incrementing_page" will start with the first page and increment to the next on each run.
#"first_page" will repeatedly search the first page.
#If using the search type "first_page" remove_wanted_on_failure should be enabled.
search_type = incrementing_page
#How mancy records to grab each run, must be a number between 1 - 2,147,483,647
number_of_albums_to_grab = 10
#Unmonitors the album if Soularr can't find it and places it in "failure_list.txt".
#Failed albums can be re monitored by filtering "Unmonitored" in the Lidarr wanted list.
remove_wanted_on_failure = False
#Comma separated list of words that can't be in the title of albums or tracks. Case insensitive.
title_blacklist = BlacklistWord1,blacklistword2
#Lidarr source to use for searching. Accepted values are "all", "missing", or "cutoff_unmet". If "all" is selected
# then both missing and cutoff_unme will be searched. The default value is "missing".
search_source = missing
[Logging]
#These options are passed into the logger's basicConfig() method as-is.
#This means, if you're familiar with Python's logging module, you can configure
#the logger with options beyond what's listed here by default.
#For more information on available options -- https://docs.python.org/3/library/logging.html#logging.basicConfig
level = INFO
# Format of log message -- https://docs.python.org/3/library/logging.html#logrecord-attributes
format = [%(levelname)s|%(module)s|L%(lineno)d] %(asctime)s: %(message)s
# Format of datetimes -- https://docs.python.org/3/library/time.html#time.strftime
datefmt = %Y-%m-%dT%H:%M:%S%z
ansible/app-configs/soulseek/slskd.yml.j2
-212
View File
@@ -1,212 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
directories:
incomplete: /app/incomplete
downloads: /app/downloads
shares:
directories:
- /music
rooms:
- '! meow chat :3'
- '#ANUS'
- '#CORONAVIRUS'
- '#Horrorcore'
- '#La France'
- '#icilombre-hardcore'
- '#polska'
- '#vegan'
- $$RARE RAP MUSIC$$
- ([6)]
- +Autism+
- +BlackMetal+
- +HIP_HOP_SCENE_RELEASES+
- /mu/
- 60lover
- 60lover v2
- 70 Rare groove Soul Jazz
- 80's 12 Inches & More
- 90's Rare Riddim !!
- 90's emo
- <>Electronics Labels<>
- ACID
- ARGENTINA
- "ATLLUMINATI\u201Cawareness"
- AUSTRALIA
- Alcohol
- Ambient
- Anime
- Audiobooks
- Avantgarde
- BDSM
- BLUES BUNKER MUSIC
- BOB DYLAN ROOM
- BigEdsClassicRock
- BigedsSixties
- Blues&Soul
- Bootlegged concerts
- Brasil
- Breakcore
- CHILE
- Canada
- China Room
- Chiptunes
- Christians
- Classical
- Come To The Sabbath !
- Communism
- DEATH METAL CLUB
- Dark Ambient
- De Koffie Shop
- De Kroeg
- Deathrock
- DieMilitarmusik
- Disco Classics
- Doom Metal
- Doujin Music
- Dub Techno
- Dubstep
- EBM-GOTHIC-INDUSTRIAL
- EBooks
- Emo
- Eurodance
- Eurovision Song Contest
- Experimental Electronica
- FOLK MUSIC
- Free Jazz
- Furry
- Gay
- Gothic
- Greece
- Grindcore
- HEE cum eaters 1! !
- HOUSE MUSIC LOVERS (AG)
- Happy Hardcore
- Hardcore NL
- Hardcore/punk
- Hip Hop
- Horror movies
- IDM
- INDUSTRIAL
- IReGGaeGaLaXy
- Incredibly Strange Music
- Israel
- Jaz (Full CDs)
- Jazz
- Jazz-Rock-Fusion-Guitar
- Juggalo Family
- Jungle
- Korean Music
- LANGUAGE EXCHANGE here
- LGBTQ+!!
- Last.fm
- Linux
- Lossless Scores
- MOVIES
- Mac Users
- Metal
- MovieMusic
- NORWAY
- New Crystal Vibrations
- New Wave
- New Zealand
- OLD SKOOL GANGSTA SHIT
- OLDSCHOOL 88-94
- OLI SHOTA CUB ROOM!
- Original Blues Bunker
- PSYCHEDELIA
- PUNK/HARDCORE/GRIND
- Portugal
- Post Punk
- Post-Hardcore (modern)
- Progressive Rock
- Psychedelic/Acid Rock
- Psytrance
- Quebec
- REGGAE
- Rare Music
- RareVHS/DVD/Rips
- Retro Gaming
- Romania
- Room Name
- SIsk Idiots !!
- SLUDGE!
- Slovenia
- Soundtracks&Scores
- Spain
- Stoner HiVe
- Stoner Rock
- Strange Music
- TECHNO, Mixes and Tunes
- THC
- Talia
- The Dangerous Kitchen
- TheScoreZone
- Thrash Metal
- Tinmans Movie Room
- Trip-Hop
- Ttalian_dancefloor
- Twee Folks
- UK DUB
- URIDDIM!!
- Ukraine
- Underground Hiphop
- VAPORWAVE
- Video Game Chat
- Vinyl Addicts
- Vocaloid
- WHATCDs
- World Music
- Yacht Rock
- '[German] [Deutsch]'
- abbey road Itd
- anime cunny
- bleeps&klonks
- breakbeat
- comics
- deep house connection
- drum'n'bass
- eesti mehed
- electro
- flacfield
- food
- for Losers
- hungary
- indie
- japanese music
- library music
- lossless
- minimal music
- museek
- noise
- 'on'
- postrock
- programming
- progressive house
- public porn
- r/musichoarder
- ru
- shoegaze
- tapekvit
- test
- trancEaddict
- trivia
- what.cd
- what.cd electronic
- what.cd-flac
- '{Italo Disco'
web:
authentication:
username: slskd
password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_WEB_PASSSWORD'] }}
api_keys:
my_api_key:
key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
role: readwrite
cidr: 0.0.0.0/0,::/0
soulseek:
address: vps.slsknet.org
port: 2271
username: Trez.One
password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
diagnostic_level: Info
ansible/app-configs/unmanic/settings.json.j2
-29
View File
@@ -1,29 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
{
"always_keep_failed_tasks": true,
"auto_manage_completed_tasks": false,
"cache_path": "/tmp/unmanic",
"clear_pending_tasks_on_restart": false,
"concurrent_file_testers": 2,
"config_path": "/config/.unmanic/config",
"debugging": false,
"distributed_worker_count_target": 0,
"enable_library_scanner": false,
"first_run": false,
"follow_symlinks": true,
"installation_name": "Unmanic @ Rinoa",
"library_path": "/library",
"log_path": "/config/.unmanic/logs",
"max_age_of_completed_tasks": 91,
"number_of_workers": null,
"plugins_path": "/config/.unmanic/plugins",
"release_notes_viewed": "0.2.8",
"remote_installations": [],
"run_full_scan_on_start": false,
"schedule_full_scan_minutes": 1440,
"ui_port": 8888,
"userdata_path": "/config/.unmanic/userdata",
"worker_event_schedules": null
}
ansible/app-configs/youtubedl/config.yml.j2
-19
View File
@@ -1,19 +0,0 @@
{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}
ydl_server: # youtube-dl-server specific settings
port: 8080 # Port youtube-dl-server should listen on
host: 0.0.0.0 # IP youtube-dl-server should bind to
debug: False # Enable/Disable debug mode
metadata_db_path: '/youtube-dl/.ydl-metadata.db' # Path to metadata DB
output_playlist: '/youtube-dl/%(title)s [%(id)s].%(ext)s' # Playlist output directory template
update_poll_delay_min: 1440 # Automatically check for updates every 24h
max_log_entries: 100 # Maximum number of job log history to keep
forwarded_allow_ips: None # uvicorn Comma seperated list of IPs to trust with proxy headers.
proxy_headers: True # uvicorn flag Enable/Disable X-Forwarded-Proto, X-Forwarded-For, X-Forwarded-Port to populate remote address info.
ydl_options: # youtube-dl options
output: '/youtube-dl/%(title)s [%(id)s].%(ext)s' # output directory template
cache-dir: '/youtube-dl/.cache' # youtube-dl cache directory
ignore-errors: True # instruct youtube-dl to skip errors
age-limit: 6 # minimal age requirement / parental control setting
ansible/collections/requirements.yml
-4
View File
@@ -1,4 +0,0 @@
---
collections:
- name: community.hashi_vault
version: 6.2.0
ansible/docker_config_deploy.yml
-54
View File
@@ -1,54 +0,0 @@
---
- name: Deploy Docker Service Configurations (Modified in Last 10 Minutes)
hosts: rinoa
vars:
template_base_path: "{{ playbook_dir }}/app-configs"
appdata_base_path: "~/.docker/config/appdata"
tasks:
- name: Find all Jinja2 templates
ansible.builtin.find:
paths: "{{ template_base_path }}"
patterns: "*.j2"
recurse: yes
register: jinja_templates
delegate_to: localhost
run_once: true
- name: Get parent directories modified in the last 10 minutes
ansible.builtin.command: >
find {{ template_base_path }} -mindepth 1 -maxdepth 1
-type d -mmin -10
register: modified_dirs
changed_when: false
delegate_to: localhost
run_once: true
- name: Set fact for recent directories
ansible.builtin.set_fact:
recent_dirs: "{{ modified_dirs.stdout_lines }}"
- name: Filter templates within recently modified folders
ansible.builtin.set_fact:
selected_templates: >-
{{ jinja_templates.files
| selectattr('path', 'search', recent_dirs | map('regex_escape') | map('regex_replace', '^', '') | join('|'))
| list }}
- name: Ensure target directories exist
ansible.builtin.file:
path: "{{ appdata_base_path }}/{{ item.path | regex_replace('^' + template_base_path + '/', '') | regex_replace('\\.j2$', '') | dirname }}"
state: directory
mode: '0755'
loop: "{{ selected_templates }}"
loop_control:
label: "{{ item.path }}"
- name: Render and deploy templates
ansible.builtin.template:
src: "{{ item.path }}"
dest: "{{ appdata_base_path }}/{{ item.path | regex_replace('^' + template_base_path + '/', '') | regex_replace('\\.j2$', '') }}"
mode: '0644'
loop: "{{ selected_templates }}"
loop_control:
label: "{{ item.path }}"
ansible/group_vars/all.yml
-14
View File
@@ -1,14 +0,0 @@
vault_addr: "https://vault.trez.wtf"
vault_token: !vault |
$ANSIBLE_VAULT;1.2;AES256
66306233356534393231373064633939646434316262343431663466653262646431633737343432
3364626261356234333233383433316233663866653466390a323733663932316434373038336466
36313462356238336638326135363263393863343939313534336134633037643563373837663263
3963323538636336360a313564316137333665353565623332623666373066316561323738626336
37616537616561336661313763386163643230643731396131373232343038323365626238366430
39613835383461393232613730353133343337303838646131353034613966393865346433386133
32373161306534396330656531353831356430633038333339326564666464663534363164663130
31316665343032396361383534373365613632616436343566323165383166356131636162626339
6336
vault_token_cleaned: "{{ vault_token | regex_replace('\\n', '') }}"
secrets_path: "rinoa-docker/env"
ansible/inventory/host_vars.yml
-13
View File
@@ -1,13 +0,0 @@
rinoa:
ansible_host: 192.168.1.254
ansible_python_interpreter: /usr/bin/python3
ansible_ssh_port: 22
ansible_ssh_user: charish
ansible_ssh_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
32303262303733356636343163363062383539623938383439373166623236366664333830653163
3134323461373461663638333265643631666437306362350a353632313337316535633838343137
37353139396531613763393139653231333666363935613462343831303866363863653161636138
3438316261363139650a313161643039366438356462383730663839366562333464636130346132
31363235326362396630313966303064373532306638383739373739336661346438336534366537
6565643866333964353563346433323861346262323933333732
ansible/inventory/hosts.yml
-12
View File
@@ -1,12 +0,0 @@
---
all:
hosts:
benedikta:
ansible_host: 192.168.1.241
ansible_user: charish
rikku:
ansible_host: 192.168.1.253
ansible_user: pi
rinoa:
ansible_host: 192.168.1.254
ansible_user: charish
ansible/ssh_pass.yml
-7
View File
@@ -1,7 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
32303262303733356636343163363062383539623938383439373166623236366664333830653163
3134323461373461663638333265643631666437306362350a353632313337316535633838343137
37353139396531613763393139653231333666363935613462343831303866363863653161636138
3438316261363139650a313161643039366438356462383730663839366562333464636130346132
31363235326362396630313966303064373532306638383739373739336661346438336534366537
6565643866333964353563346433323861346262323933333732