chore: Update README

Adding Patchman service.
Auto Merge of PR 136 - dagu-deploy-cronicle-removal_2025-08-08T11-13-25
2025-08-08 17:05:41 +00:00 · 2025-08-08 13:01:28 -04:00 · 2025-08-08 12:14:14 -04:00 · 2025-08-08 16:13:44 +00:00 · 2025-08-08 12:09:36 -04:00 · 2025-08-07 21:14:07 -04:00
112 changed files with 3379 additions and 12916 deletions
@@ -6,6 +6,7 @@ on:
      - 'main'
    paths:
      - '**.j2'
+      - '**/pr-ansible-config-deployment.yaml'
      - 'ansible/**.yml'
 jobs:
  check-and-create-pr:
@@ -41,7 +42,7 @@ jobs:
        continue-on-error: true
        run: |
          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
+          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep '\[ANSIBLE\].*${{ github.ref_name }}' | tail -1 | wc -l)
          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
      - name: Create PR
        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
@@ -49,7 +50,7 @@ jobs:
          tea login default gitea-rinoa
          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
          pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Ansible Configs.j2"
+          tea pr c -r ${{ github.repository }} -t "[ANSIBLE] Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Ansible Configs.j2"
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -57,8 +58,8 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Check'
          notification_message: 'PR Created 🎟️'
-  ansible-linting:
-    name: Docker Compose & Ansible Lints
+  ansible-dry-run:
+    name: Ansible Dry Run
    needs: [check-and-create-pr]
    runs-on: ubuntu-latest
    env:
@@ -68,9 +69,6 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
-      - name: Fetch base branch
-        run: |
-          git fetch origin ${{ github.event.pull_request.base.ref }}
      - name: Cache Ansible Galaxy Collections
        uses: actions/cache@v3
        with:
@@ -81,11 +79,12 @@ jobs:
      - name: Install Ansible
        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
-          version: "11.0.0"
+          version: "11.4.0"
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Install hvac
-        run: pip install hvac
+        run: |
+          pip install hvac
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -94,26 +93,26 @@ jobs:
          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
          notification_message: 'Starting Ansible dry run...'
      - name: Ansible Playbook Dry Run
-        uses: arillso/action.playbook@0.1.0
+        uses: dawidd6/action-ansible-playbook@v3
        with:
-          check: true
-          galaxy_collections_path: ansible/collections
-          galaxy_requirements_file: ansible/collections/requirements.yml
-          inventory: ansible/inventory/hosts.yml
-          playbook: ansible/docker_config_deploy.yml
-          private_key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
+          directory: ansible/
+          playbook: docker_config_deploy.yml
+          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-          verbose: 0
+          requirements: collections/requirements.yml
+          options: |
+            --check
+            --inventory inventory/hosts.yml
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
-          notification_message: 'Docker Compose dry run completed successfully.'
+          notification_title: 'GITEA: Ansible Dry Run @ Rinoa'
+          notification_message: 'Ansible dry run completed successfully.'
  pr-merge:
    name: PR Merge
-    needs: [regenerate-readme-modified-services]
+    needs: [ansible-dry-run]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
@@ -153,6 +152,10 @@ jobs:
        uses: actions/checkout@v4
        with:
          ref: main
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.12
      - name: Cache Vault install
        id: cache-vault
        uses: actions/cache@v4
@@ -162,11 +165,12 @@ jobs:
      - name: Install Ansible
        uses: alex-oleshkevich/setup-ansible@v1.0.1
        with:
-          version: "11.0.0"
+          version: "11.4.0"
      - name: Install Vault
        uses: cpanato/vault-installer@main
      - name: Install hvac
-        run: pip install hvac
+        run: |
+          pip install hvac
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -175,15 +179,15 @@ jobs:
          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
          notification_message: 'Starting config deployment with Ansible...'
      - name: Ansible Playbook Config Deploy
-        uses: arillso/action.playbook@0.1.0
+        uses: dawidd6/action-ansible-playbook@v3
        with:
-          check: false
-          galaxy_collections_path: ansible/collections
-          galaxy_requirements_file: ansible/collections/requirements.yml
-          inventory: ansible/inventory/hosts.yml
-          playbook: ansible/docker_config_deploy.yml
-          private_key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
+          directory: ansible/
+          playbook: docker_config_deploy.yml
+          key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
+          requirements: collections/requirements.yml
+          options: |
+            --inventory inventory/hosts.yml
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -8,6 +8,10 @@ on:
      - '**/docker-compose.yml'
      - '**/pr-cloudflare-docker-deploy.yml'
      - '!ansible/**.yml'
+env:
+  FLARECTL_VERSION: '0.115.0'
+  HC_VAULT_VERSION: '1.20.0'
+  TEA_VERSION: '0.10.1'
 jobs:
  check-and-create-pr:
    if: github.ref != 'refs/heads/main'
@@ -22,14 +26,14 @@ jobs:
        id: cache-tea
        uses: actions/cache@v4
        with:
-          path: /opt/hostedtoolcache/tea/0.9.2/x64
-          key: tea-${{ runner.os }}-0.9.2
+          path: /opt/hostedtoolcache/tea/${{ env.TEA_VERSION }}/x64
+          key: tea-${{ runner.os }}-${{ env.TEA_VERSION }}
      - name: Install tea
        uses: supplypike/setup-bin@v4
        with:
-          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
-          name: 'tea'
-          version: '0.9.2'
+          uri: https://gitea.com/gitea/tea/releases/download/v${{ env.TEA_VERSION }}/tea-${{ env.TEA_VERSION }}-linux-amd64
+          name: tea
+          version: ${{ env.TEA_VERSION }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -42,7 +46,7 @@ jobs:
        continue-on-error: true
        run: |
          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
+          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep '\[DOCKER\].*${{ github.ref_name }}' | tail -1 | wc -l)
          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
      - name: Create PR
        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
@@ -50,7 +54,7 @@ jobs:
          tea login default gitea-rinoa
          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
          pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose"
+          tea pr c -r ${{ github.repository }} -t "[DOCKER] Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose"
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -58,26 +62,25 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Check'
          notification_message: 'PR Created 🎟️'
-  docker-compose-dry-run:
-    name: Docker Compose Dry Run
-    needs: [check-and-create-pr]
+  generate-service-list:
+    name: Generate list of added/modified/deleted services
    runs-on: ubuntu-latest
-    env:
-      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
-      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      VAULT_NAMESPACE: ""
-      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
+    needs: [check-and-create-pr]
    outputs:
-      svc_deploy_list: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
+      svc_deploy_list: ${{ steps.detect_services.outputs.docker_svc_list }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Fetch base branch
        run: |
          git fetch origin ${{ github.event.pull_request.base.ref }}
-      - name: Login to Gitea Container Registry
-        run: |
-          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Services TBD'
+          notification_message: 'Generating list of services to deploy...'
      - name: Save both versions of docker-compose.yml
        run: |
          git show origin/main:docker-compose.yml > docker-compose-main.yml || touch docker-compose-main.yml
@@ -107,10 +110,40 @@ jobs:
          echo "Detected service changes:"
          cat service_changes.txt

-          svc_list=$(paste -sd '|' service_changes.txt)
-          echo "classified_services=$svc_list" >> "$GITHUB_OUTPUT"
-      - name: Install Vault
+          mod_svcs=$(cut -d':' -f1 service_changes.txt | sort | uniq)
+          echo "docker_svc_list<<EOF" >> "$GITHUB_OUTPUT"
+          echo "$mod_svcs" >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+      - name: List of Services for (Re)Deployment
+        run: |
+          echo -e "${{ steps.detect_services.outputs.docker_svc_list }}"
+  docker-compose-dry-run:
+    name: Docker Compose Dry Run
+    needs: [generate-service-list]
+    runs-on: ubuntu-latest
+    env:
+      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
+      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
+      VAULT_NAMESPACE: ""
+      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
+      DOCKER_SVC_LIST: ${{ needs.generate-service-list.outputs.svc_deploy_list }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Login to Gitea Container Registry
+        run: |
+          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
+      - name: Cache Vault install
+        id: cache-vault
+        uses: actions/cache@v4
+        with:
+          path: /opt/hostedtoolcache/vault/${{ env.HC_VAULT_VERSION }}/x64
+          key: vault-${{ runner.os }}-${{ env.HC_VAULT_VERSION }}
+      - name: Install Vault (only if not cached)
+        if: steps.cache-vault.outputs.cache-hit != 'true'
        uses: cpanato/vault-installer@main
+        with:
+          version: ${{ env.HC_VAULT_VERSION }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -118,37 +151,20 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
          notification_message: 'Starting Docker Compose dry run...'
-      - name: Cache .env Files
-        uses: actions/cache@v4
-        with:
-          path: .env
-          key: ${{ runner.os }}-env-${{ hashFiles('docker-compose.yml') }}
-      - name: Generate modified services list & .env file for Docker Compose Dry Run
-        id: modded_svcs
+      - name: Generate .env file for Docker Compose
        run: |
-          mod_svcs=$(echo "${{ steps.detect_services.outputs.classified_services }}" | sed -e 's/|//g' -e 's/: \(add\|modifi\|delet\)ed/ /g')
-          echo ${mod_svcs}
          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
-          echo "rinoa_svcs=${mod_svcs}" >> "$GITHUB_OUTPUT"
-      - name: Testing service list output
-        run: |
-          echo ${{ steps.modded_svcs.outputs.rinoa_svcs }}
+          echo ${DOCKER_SVC_LIST}
      - name: Docker Compose Dry Run
-        timeout-minutes: 360
-        continue-on-error: true
-        uses: chaplyk/docker-compose-remote-action@v1.1
-        with:
-          ssh_host: 192.168.1.254
-          ssh_port: 22
-          ssh_user: gitea-deploy
-          ssh_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
-          service: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
-          compose_file: docker-compose.yml
-          pull: false
-          build: false
-          options: -d --remove-orphans
+        uses: hoverkraft-tech/compose-action@v2.2.0
        env:
          DOCKER_HOST: tcp://dockerproxy:2375
+        with:
+          services: |
+            ${{ needs.generate-service-list.outputs.svc_deploy_list }}
+          up-flags: -d --remove-orphans --dry-run
+          down-flags: --dry-run
+          compose-flags: --dry-run
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -158,7 +174,7 @@ jobs:
          notification_message: 'Docker Compose dry run completed successfully.'
  cloudflare-dns-setup:
    name: Cloudflare DNS Setup
-    needs: [docker-compose-ansible-lints]
+    needs: [docker-compose-dry-run]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
@@ -169,13 +185,13 @@ jobs:
        uses: actions/cache@v4
        with:
          path: ~/.flarectl
-          key: flarectl-${{ runner.os }}-${{ hashFiles('workflow-config.yml') }}
+          key: flarectl-${{ runner.os }}-${{ env.FLARECTL_VERSION }}-${{ hashFiles('workflow-config.yml') }}
      - name: Install flarectl
        uses: supplypike/setup-bin@v4
        with:
-          uri: 'https://github.com/cloudflare/cloudflare-go/releases/download/v0.113.0/flarectl_0.113.0_linux_amd64.tar.gz'
-          name: 'flarectl'
-          version: '0.113.0'
+          uri: https://github.com/cloudflare/cloudflare-go/releases/download/v${{ env.FLARECTL_VERSION }}/flarectl_${{ env.FLARECTL_VERSION }}_linux_amd64.tar.gz
+          name: flarectl
+          version: ${{ env.FLARECTL_VERSION }}
      - name: Cache Subdomain Files
        uses: actions/cache@v4
        with:
@@ -274,12 +290,18 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
+      - name: Cache tea CLI
+        id: cache-tea
+        uses: actions/cache@v4
+        with:
+          path: /opt/hostedtoolcache/tea/${{ env.TEA_VERSION }}/x64
+          key: tea-${{ runner.os }}-${{ env.TEA_VERSION }}
      - name: Install tea
        uses: supplypike/setup-bin@v4
        with:
-          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
-          name: 'tea'
-          version: '0.9.2'
+          uri: https://gitea.com/gitea/tea/releases/download/v${{ env.TEA_VERSION }}/tea-${{ env.TEA_VERSION }}-linux-amd64
+          name: tea
+          version: ${{ env.TEA_VERSION }}
      - name: PR Merge
        id: pr_merge
        run: |
@@ -299,13 +321,13 @@ jobs:
  docker-compose-deploy:
    name: Docker Compose Deployment
    runs-on: ubuntu-latest
-    needs: [docker-compose-dry-run, pr-merge]
+    needs: [generate-service-list, docker-compose-dry-run, pr-merge]
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      DOCKER_HOST: tcp://dockerproxy:2375
      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
-      DOCKER_SVC_LIST: ${{ needs.docker-compose-dry-run.outputs.svc_deploy_list }}
+      DOCKER_SVC_LIST: ${{ needs.generate-service-list.outputs.svc_deploy_list }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -315,14 +337,13 @@ jobs:
        id: cache-vault
        uses: actions/cache@v4
        with:
-          path: /opt/hostedtoolcache/vault/1.18.0/x64
-          key: vault-${{ runner.os }}-1.18.0
-      - name: Install Ansible
-        uses: alex-oleshkevich/setup-ansible@v1.0.1
-        with:
-          version: "11.0.0"
-      - name: Install Vault
+          path: /opt/hostedtoolcache/vault/${{ env.HC_VAULT_VERSION }}/x64
+          key: vault-${{ runner.os }}-${{ env.HC_VAULT_VERSION }}
+      - name: Install Vault (only if not cached)
+        if: steps.cache-vault.outputs.cache-hit != 'true'
        uses: cpanato/vault-installer@main
+        with:
+          version: ${{ env.HC_VAULT_VERSION }}
      - name: Login to Gitea Container Registry
        run: |
          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
@@ -336,22 +357,24 @@ jobs:
      - name: Generate .env file for deployment
        run: |
           vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
-      - name: Docker Compose Dry Run
-        timeout-minutes: 360
-        continue-on-error: true
-        uses: chaplyk/docker-compose-remote-action@v1.1
+           echo ${DOCKER_SVC_LIST}
+      - name: Docker Compose Deployment
+        uses: hoverkraft-tech/compose-action@v2.2.0
        env:
          DOCKER_HOST: tcp://dockerproxy:2375
        with:
-          ssh_host: 192.168.1.254
-          ssh_port: 22
-          ssh_user: gitea-deploy
-          ssh_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
-          service: ${DOCKER_SVC_LIST}
-          compose_file: docker-compose.yml
-          pull: false
-          build: false
-          options: -d --remove-orphans
+          services: |
+            ${{ needs.generate-service-list.outputs.svc_deploy_list }}
+          up-flags: -d --remove-orphans
+          down-flags: --dry-run
+      - name: Docker Compose Healthcheck
+        uses: jaracogmbh/docker-compose-health-check-action@v1.0.0
+        with:
+          max-retries: 30
+          retry-interval: 10
+          compose-file: "docker-compose.yml"
+          skip-exited: "true"
+          skip-no-healthcheck: "true"
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -1,7 +1,10 @@
 name: Auto-Unseal for Vault
 on:
+  workflow_dispatch:
  schedule:
-    - cron: "30 2 * * *"
+    - cron: '30 5 * * *'
+env:
+  HC_VAULT_VERSION: '1.20.0'
 jobs:
  auto-unseal:
    name: Unseal Vault
@@ -9,20 +12,36 @@ jobs:
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      VAULT_SHARDS: |
-        ${{ secrets.VAULT_UNSEAL_SHARDS }}
+      VAULT_SHARDS: ${{ secrets.VAULT_UNSEAL_SHARDS }}
      VAULT_NAMESPACE: ""
    steps:
+      - name: Vault Unseal Start
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: HC Vault @ Rinoa'
+          notification_message: 'Hashicorp Vault unsealing started... 🔐'
      - name: Cache Vault install
        id: cache-vault
        uses: actions/cache@v4
        with:
-          path: /opt/hostedtoolcache/vault/1.18.0/x64
-          key: vault-${{ runner.os }}-1.18.0
-      - name: Install Vault
+          path: /opt/hostedtoolcache/vault/${{ env.HC_VAULT_VERSION }}/x64
+          key: vault-${{ runner.os }}-${{ env.HC_VAULT_VERSION }}
+      - name: Install Vault (only if not cached)
+        if: steps.cache-vault.outputs.cache-hit != 'true'
        uses: cpanato/vault-installer@main
+        with:
+          version: ${{ env.HC_VAULT_VERSION }}
      - name: Unseal Vault
        run: |
-          for vault_shard in $(echo ${VAULT_SHARDS}); do
-            vault operator unseal -address=${VAULT_ADDR} -non-interactive "${vault_shard}"
-          done
+          for vault_shard in $VAULT_SHARDS; do
+            vault operator unseal -address="${VAULT_ADDR}" -non-interactive "${vault_shard}"
+          done
+      - name: Vault Unseal Completion
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: HC Vault @ Rinoa'
+          notification_message: 'Hashicorp Vault unsealed! 🔓'
@@ -4,13 +4,16 @@

 | Service | Image |
 | --- | --- |
+| 13ft | ghcr.io/wasi-master/13ft:latest |
 | actual_server | docker.io/actualbudget/actual-server:latest |
 | adguard | adguard/adguardhome:latest |
 | apprise-api | lscr.io/linuxserver/apprise-api:latest |
 | archivebox | archivebox/archivebox:latest |
+| argus | quay.io/argus-io/argus:latest |
 | audiobookshelf | ghcr.io/advplyr/audiobookshelf:latest |
 | authelia | authelia/authelia:master |
 | authelia-pg | postgres:16-alpine |
+| authelia-valkey | docker.io/bitnami/valkey:latest |
 | bazarr | lscr.io/linuxserver/bazarr:latest |
 | beszel | henrygd/beszel:latest |
 | beszel-agent | henrygd/beszel-agent:latest |
@@ -19,27 +22,35 @@
 | browserless | ghcr.io/browserless/chromium:latest |
 | bytestash | ghcr.io/jordan-dalby/bytestash:latest |
 | castopod | castopod/castopod:latest |
+| castopod-valkey | docker.io/bitnami/valkey:latest |
+| changedetection | ghcr.io/dgtlmoon/changedetection.io |
+| changedetection-chrome | dgtlmoon/sockpuppetbrowser:latest |
+| chrome | gcr.io/zenika-hub/alpine-chrome:123 |
+| clipcascade | sathvikrao/clipcascade:latest |
 | cloudflareddns | ghcr.io/hotio/cloudflareddns:latest |
 | convertx | ghcr.io/c4illin/convertx |
-| cronicle | elestio/cronicle:latest |
 | crowdsec | crowdsecurity/crowdsec:latest |
 | crowdsec-dashboard | metabase/metabase |
 | cyber-chef | mpepping/cyberchef:latest |
 | czkawka | jlesage/czkawka |
+| dagu | ghcr.io/dagu-org/dagu:alpine |
 | dawarich-app | freikin/dawarich:latest |
 | dawarich-pg-db | postgis/postgis:17-3.5-alpine |
 | dawarich-sidekiq | freikin/dawarich:latest |
+| dawarich-valkey | docker.io/bitnami/valkey:latest |
 | dead-man-hand | ghcr.io/bkupidura/dead-man-hand:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
 | dockflare | alplat/dockflare:stable |
 | duplicati | lscr.io/linuxserver/duplicati:latest |
+| easyappointments | alextselegidis/easyappointments:1.5.1 |
 | excalidraw | excalidraw/excalidraw:latest |
 | explo | ghcr.io/lumepart/explo:latest |
 | fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
 | flaresolverr | ghcr.io/flaresolverr/flaresolverr:latest |
-| freescout | tiredofit/freescout:latest |
+| garage | dxflrs/garage:v2.0.0 |
+| garage-webui | khairul169/garage-webui:latest |
 | ghost | ghost:latest |
-| gitea | gitea/gitea:1.23.1 |
+| gitea | gitea/gitea:1.24.3 |
 | gitea-db | postgres:14 |
 | gitea-runner | gitea/act_runner:latest |
 | gitea-sonarqube-bot | justusbunsi/gitea-sonarqube-bot:v0.4.0 |
@@ -49,12 +60,13 @@
 | graylog-datanode | graylog/graylog-datanode:6.1 |
 | guacamole | flcontainers/guacamole:latest |
 | homepage | ghcr.io/gethomepage/homepage:latest |
-| hugo | hugomods/hugo:exts-0.145.0 |
+| hugo | hugomods/hugo:exts |
 | immich-server | ghcr.io/immich-app/immich-server:release |
 | immich-machine-learning | ghcr.io/immich-app/immich-machine-learning:release |
 | immich-pg-db | tensorchord/pgvecto-rs:pg14-v0.2.1 |
 | immich-public-proxy | alangrainger/immich-public-proxy:latest |
 | immich-power-tools | ghcr.io/varun-raj/immich-power-tools:latest |
+| immich-valkey | docker.io/bitnami/valkey:latest |
 | influxdb2 | influxdb:2-alpine |
 | invidious | quay.io/invidious/invidious:latest |
 | invidious-sig-helper | quay.io/invidious/inv-sig-helper:latest |
@@ -72,10 +84,12 @@
 | jitsi-web | jitsi/web:stable |
 | joplin-db | postgres:17-alpine |
 | joplin | joplin/server:latest |
+| karakeep | ghcr.io/karakeep-app/karakeep:release |
 | languagetool | elestio/languagetool:latest |
 | librechat-api | ghcr.io/danny-avila/librechat-dev:latest |
-| librechat-vectordb | ankane/pgvector:latest |
 | librechat-rag-api | ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest |
+| librechat-valkey | docker.io/bitnami/valkey:latest |
+| librechat-vectordb | ankane/pgvector:latest |
 | libretranslate | libretranslate/libretranslate |
 | lidarr | lscr.io/linuxserver/lidarr:latest |
 | lidify | thewicklowwolf/lidify:latest |
@@ -84,15 +98,23 @@
 | loggifly | ghcr.io/clemcer/loggifly:latest |
 | maloja | krateng/maloja:latest |
 | manyfold | lscr.io/linuxserver/manyfold:latest |
+| manyfold-valkey | docker.io/bitnami/valkey:latest |
 | mariadb | linuxserver/mariadb |
 | mastodon | lscr.io/linuxserver/mastodon:latest |
 | mastodon-pg-db | postgres:17-alpine |
+| mastodon-valkey | docker.io/bitnami/valkey:latest |
 | maxun-backend | getmaxun/maxun-backend:latest |
 | maxun-frontend | getmaxun/maxun-frontend:latest |
 | maxun-pg-db | postgres:13-alpine |
-| meilisearch | getmeili/meilisearch:v1.12.3 |
+| maxun-valkey | docker.io/bitnami/valkey:latest |
+| meilisearch | getmeili/meilisearch:v1.15 |
+| meme-search-pro | ghcr.io/neonwatty/meme_search_pro:latest |
+| meme-search-pro-img2txt-gen | ghcr.io/neonwatty/image_to_text_generator:latest |
+| meme-search-db | pgvector/pgvector:pg17 |
+| mini-qr | ghcr.io/lyqht/mini-qr:latest |
 | minio | minio/minio:RELEASE.2025-04-22T22-12-26Z |
 | mixpost | inovector/mixpost:latest |
+| mixpost-valkey | docker.io/bitnami/valkey:latest |
 | mongodb | bitnami/mongodb:7.0 |
 | multi-scrobbler | foxxmd/multi-scrobbler |
 | n8n | docker.n8n.io/n8nio/n8n |
@@ -101,13 +123,29 @@
 | nextcloud | nextcloud/all-in-one:latest |
 | ollama | ollama/ollama |
 | ombi | lscr.io/linuxserver/ombi:latest |
-| omni-tools | iib0011/omni-tools:latest |
+| omnitools | iib0011/omni-tools:latest |
 | omnipoly | kweg/omnipoly:latest |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
+| paperless-valkey | docker.io/bitnami/valkey:latest |
+| patchman-server | ghcr.io/tigattack/patchman |
+| patchman-worker | ghcr.io/tigattack/patchman |
+| patchman-memcached | memcached:1.6-alpine |
+| patchman-valkey | docker.io/bitnami/valkey:latest |
+| penpot-frontend | penpotapp/frontend:latest |
+| penpot-backend | penpotapp/backend:latest |
+| penpot-exporter | penpotapp/exporter:latest |
+| penpot-pg-db | postgres:15-alpine |
+| penpot-redis | redis:7.2 |
 | pgbackweb | eduardolat/pgbackweb:latest |
 | pgbackweb-db | postgres:16-alpine |
+| planka | ghcr.io/plankanban/planka:2.0.0-rc.3 |
+| planka-pg-db | postgres:16-alpine |
+| plant-it | msdeluise/plant-it-server:latest |
+| plant-it-valkey | docker.io/bitnami/valkey:latest |
 | plantuml-server | plantuml/plantuml-server:jetty |
 | portainer | portainer/portainer-ce:alpine |
+| portchecker-web | ghcr.io/dsgnr/portcheckerio-web:latest |
+| portchecker-api | ghcr.io/dsgnr/portcheckerio-api:latest |
 | portnote-web | haedlessdev/portnote:latest |
 | portnote-agent | haedlessdev/portnote-agent:latest |
 | portnote-pg-db | postgres:17-alpine |
@@ -115,46 +153,65 @@
 | postal-web | ghcr.io/postalserver/postal:latest |
 | postal-worker | ghcr.io/postalserver/postal:latest |
 | prowlarr | lscr.io/linuxserver/prowlarr:latest |
+| qbit-manage | ghcr.io/stuffanthings/qbit_manage:latest |
 | qbittorrentvpn | ghcr.io/binhex/arch-qbittorrentvpn:latest |
 | radarec | thewicklowwolf/radarec:latest |
 | radarr | lscr.io/linuxserver/radarr:latest |
 | reactive-resume | amruthpillai/reactive-resume:latest |
 | reactive-resume-pg | postgres:16-alpine |
 | readarr | lscr.io/linuxserver/readarr:develop |
-| redis | redis:alpine |
 | redlib | quay.io/redlib/redlib:latest |
 | rocketchat | registry.rocket.chat/rocketchat/rocket.chat:latest |
 | romm | rommapp/romm:latest |
+| romm-valkey | docker.io/bitnami/valkey:latest |
 | sabnzbdvpn | ghcr.io/binhex/arch-sabnzbdvpn:latest |
 | sablier | sablierapp/sablier:latest |
+| scraparr | ghcr.io/thecfu/scraparr:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
 | searxng | searxng/searxng:latest |
-| semaphore | semaphoreui/semaphore:v2.12.14 |
-| signoz-init-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
-| signoz-zookeeper-1 | bitnami/zookeeper:3.7.1 |
+| searxng-valkey | docker.io/bitnami/valkey:latest |
+| semaphore-ui | semaphoreui/semaphore:v2.12.14 |
+| signoz-app | signoz/signoz:v0.91.0 |
 | signoz-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
-| signoz-app | signoz/signoz:v0.86.2 |
-| signoz-otel-collector | signoz/signoz-otel-collector:v0.111.42 |
-| signoz-schema-migrator-sync | signoz/signoz-schema-migrator:v0.111.42 |
-| signoz-schema-migrator-async | signoz/signoz-schema-migrator:v0.111.42 |
+| signoz-init-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
+| signoz-logspout | pavanputhra/logspout-signoz |
+| signoz-otel-collector | signoz/signoz-otel-collector:v0.128.2 |
+| signoz-schema-migrator-async | signoz/signoz-schema-migrator:v0.128.2 |
+| signoz-schema-migrator-sync | signoz/signoz-schema-migrator:v0.128.2 |
+| signoz-zookeeper-1 | bitnami/zookeeper:3.7.1 |
 | sonarqube | mc1arke/sonarqube-with-community-branch-plugin:lts |
 | sonarqube-pg-db | postgres:17-alpine |
 | sonarr | lscr.io/linuxserver/sonarr:latest |
 | sonashow | thewicklowwolf/sonashow:latest |
+| soularr | mrusse08/soularr:latest |
+| soularr-dashboard | git.trez.wtf/trez.one/soularr-dashboard:v0.1 |
+| soulseek | slskd/slskd |
 | speedtest-tracker | lscr.io/linuxserver/speedtest-tracker:latest |
-| stable-diffusion-download | git.trez.wtf/trez.one/stable-diffusion-download:v9.0.0 |
-| stable-diffusion-webui | git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.1 |
+| stable-diffusion-download | git./trez.one/stable-diffusion-download:v9.0.0 |
+| stable-diffusion-webui | git./trez.one/stable-diffusion-ui:v9.0.1 |
 | stirling-pdf | docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest |
 | swag | lscr.io/linuxserver/swag:latest |
 | tandoor | vabene1111/recipes |
 | tandoor-pg | postgres:16-alpine |
+| umami | ghcr.io/umami-software/umami:postgresql-latest |
+| umami-pg-db | postgres:15-alpine |
 | unmanic | josh5/unmanic:latest |
 | uptimekuma | louislam/uptime-kuma:latest |
 | vault | hashicorp/vault:latest |
-| wallabag | wallabag/wallabag |
 | wallos | bellamy/wallos:latest |
 | watchtower | ghcr.io/containrrr/watchtower:latest |
 | web-check | lissy93/web-check |
 | whodb | clidey/whodb |
+| wizarr | ghcr.io/wizarrrr/wizarr |
 | youtubedl | nbr23/youtube-dl-server:latest |
+| zammad-backup | ghcr.io/zammad/zammad:6.5.0-15 |
+| zammad-elasticsearch | elasticsearch:8.18.0 |
+| zammad-init | ghcr.io/zammad/zammad:6.5.0-15 |
+| zammad-memcached | memcached:1.6.38-alpine |
+| zammad-nginx | ghcr.io/zammad/zammad:6.5.0-15 |
+| zammad-postgresql | postgres:17.5-alpine |
+| zammad-railsserver | ghcr.io/zammad/zammad:6.5.0-15 |
+| zammad-redis | redis:7.4.2-alpine |
+| zammad-scheduler | ghcr.io/zammad/zammad:6.5.0-15 |
+| zammad-websocket | ghcr.io/zammad/zammad:6.5.0-15 |

@@ -1,45 +0,0 @@
-# Rinoa Docker_configs Ansible Project
-
-## Included content/ Directory Structure
-
-The directory structure follows best practices recommended by the Ansible community. Feel free to customize this template according to your specific project requirements.
-
-```
- ansible-project/
- |── .devcontainer/
- |    └── docker/
- |        └── devcontainer.json
- |    └── podman/
- |        └── devcontainer.json
- |    └── devcontainer.json
- |── .github/
- |    └── workflows/
- |        └── tests.yml
- |    └── ansible-code-bot.yml
- |── .vscode/
- |    └── extensions.json
- |── collections/
- |   └── requirements.yml
- |   └── ansible_collections/
- |       └── project_org/
- |           └── project_repo/
- |               └── README.md
- |               └── roles/sample_role/
- |                         └── README.md
- |                         └── tasks/main.yml
- |── inventory/
- |   └── groups_vars/
- |   └── host_vars/
- |   └── hosts.yml
- |── ansible-navigator.yml
- |── ansible.cfg
- |── devfile.yaml
- |── linux_playbook.yml
- |── network_playbook.yml
- |── README.md
- |── site.yml
-```
-
-## Compatible with Ansible-lint
-
-Tested with ansible-lint >=24.2.0 releases and the current development version of ansible-core.
@@ -1,199 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-http:
-  pprof:
-    port: 6060
-    enabled: false
-  address: 0.0.0.0:8008
-  session_ttl: 720h
-users:
-  - name: admin
-    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ADGUARD_BCRYPT'] }}
-auth_attempts: 5
-block_auth_min: 15
-http_proxy: ""
-language: ""
-theme: auto
-dns:
-  bind_hosts:
-    - 0.0.0.0
-  port: 53
-  anonymize_client_ip: false
-  ratelimit: 20
-  ratelimit_subnet_len_ipv4: 24
-  ratelimit_subnet_len_ipv6: 56
-  ratelimit_whitelist: []
-  refuse_any: true
-  upstream_dns:
-    - 94.140.14.14
-    - 94.140.15.15
-    - https://dns.adguard-dns.com/dns-query
-    - tls://dns.adguard-dns.com
-    - quic://dns.adguard-dns.com
-    - 1.1.1.1
-    - 1.0.0.1
-    - 1.1.1.2
-    - 1.0.0.2
-    - 185.228.168.9
-    - 185.228.169.9
-    - 76.76.2.3
-    - tls://getdnsapi.net
-    - 185.49.141.37
-    - tls://dot.seby.io
-  upstream_dns_file: ""
-  bootstrap_dns:
-    - 9.9.9.10
-    - 149.112.112.10
-    - 2620:fe::10
-    - 2620:fe::fe:10
-  fallback_dns: []
-  upstream_mode: load_balance
-  fastest_timeout: 1s
-  allowed_clients: []
-  disallowed_clients: []
-  blocked_hosts:
-    - version.bind
-    - id.server
-    - hostname.bind
-  trusted_proxies:
-    - 127.0.0.0/8
-    - ::1/128
-  cache_size: 4194304
-  cache_ttl_min: 0
-  cache_ttl_max: 0
-  cache_optimistic: false
-  bogus_nxdomain: []
-  aaaa_disabled: false
-  enable_dnssec: false
-  edns_client_subnet:
-    custom_ip: ""
-    enabled: false
-    use_custom: false
-  max_goroutines: 300
-  handle_ddr: true
-  ipset: []
-  ipset_file: ""
-  bootstrap_prefer_ipv6: false
-  upstream_timeout: 10s
-  private_networks: []
-  use_private_ptr_resolvers: false
-  local_ptr_upstreams: []
-  use_dns64: false
-  dns64_prefixes: []
-  serve_http3: false
-  use_http3_upstreams: false
-  serve_plain_dns: true
-  hostsfile_enabled: true
-  pending_requests:
-    enabled: true
-tls:
-  enabled: true
-  server_name: ""
-  force_https: false
-  port_https: 446
-  port_dns_over_tls: 853
-  port_dns_over_quic: 853
-  port_dnscrypt: 0
-  dnscrypt_config_file: ""
-  allow_unencrypted_doh: false
-  certificate_chain: ""
-  private_key: ""
-  certificate_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
-  private_key_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
-  strict_sni_check: false
-querylog:
-  dir_path: ""
-  ignored: []
-  interval: 2160h
-  size_memory: 1000
-  enabled: true
-  file_enabled: true
-statistics:
-  dir_path: ""
-  ignored: []
-  interval: 24h
-  enabled: true
-filters:
-  - enabled: true
-    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
-    name: AdGuard DNS filter
-    id: 1
-  - enabled: false
-    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
-    name: AdAway Default Blocklist
-    id: 2
-whitelist_filters: []
-user_rules: []
-dhcp:
-  enabled: false
-  interface_name: ""
-  local_domain_name: lan
-  dhcpv4:
-    gateway_ip: 192.168.1.1
-    subnet_mask: 255.255.255.0
-    range_start: 192.168.1.2
-    range_end: 192.168.1.240
-    lease_duration: 86400
-    icmp_timeout_msec: 1000
-    options: []
-  dhcpv6:
-    range_start: ""
-    lease_duration: 86400
-    ra_slaac_only: false
-    ra_allow_slaac: false
-filtering:
-  blocking_ipv4: ""
-  blocking_ipv6: ""
-  blocked_services:
-    schedule:
-      time_zone: America/New_York
-    ids: []
-  protection_disabled_until: null
-  safe_search:
-    enabled: false
-    bing: true
-    duckduckgo: true
-    ecosia: true
-    google: true
-    pixabay: true
-    yandex: true
-    youtube: true
-  blocking_mode: default
-  parental_block_host: family-block.dns.adguard.com
-  safebrowsing_block_host: standard-block.dns.adguard.com
-  rewrites: []
-  safe_fs_patterns:
-    - /opt/adguardhome/work/userfilters/*
-  safebrowsing_cache_size: 1048576
-  safesearch_cache_size: 1048576
-  parental_cache_size: 1048576
-  cache_time: 30
-  filters_update_interval: 24
-  blocked_response_ttl: 10
-  filtering_enabled: true
-  parental_enabled: false
-  safebrowsing_enabled: false
-  protection_enabled: true
-clients:
-  runtime_sources:
-    whois: true
-    arp: true
-    rdns: true
-    dhcp: true
-    hosts: true
-  persistent: []
-log:
-  enabled: true
-  file: ""
-  max_backups: 0
-  max_size: 100
-  max_age: 3
-  compress: false
-  local_time: false
-  verbose: false
-os:
-  group: ""
-  user: ""
-  rlimit_nofile: 0
-schema_version: 29
@@ -1,6 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-urls:
-  - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
-  - mailto://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf
@@ -0,0 +1,337 @@
+settings:
+  log:
+    level: INFO
+    timestamps: true
+  data:
+    database_file: data/argus.db
+  web:
+    listen_host: 0.0.0.0
+    listen_port: 8080
+    route_prefix: /
+    basic_auth:
+      username: 'admin'
+      password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ARGUS_WEB_PASSWORD'] }}"
+  disabled_routes: []
+  favicon:
+    png: ''
+    svg: ''
+notify:
+  rinoa-gotify:
+    type: gotify
+    url_fields:
+      Host: gotify
+      Token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ARGUS_WEB_PASSWORD'] }}
+    params:
+      Title: Argus @ Rinoa
+service:
+  AdguardTeam/AdGuardHome:
+    latest_version:
+      type: github
+      url: AdguardTeam/AdGuardHome
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://adguard.trez.wtf/control/status"
+      basic_auth:
+        username: admin
+        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ADGUARD_PASSWORD'] }}
+      json: version
+      regex: v([0-9.]+)
+    dashboard:
+      web_url: "https://github.com/AdguardTeam/AdGuardHome/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://avatars.githubusercontent.com/u/8361145?s=200&v=4"
+  advplyr/audiobookshelf:
+    latest_version:
+      type: github
+      url: advplyr/audiobookshelf
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      method: GET
+      url: "https://abs.trez.wtf/status"
+      json: serverVersion
+    dashboard:
+      icon: "https://raw.githubusercontent.com/advplyr/audiobookshelf/master/client/static/icon.svg"
+      web_url: "https://github.com/advplyr/audiobookshelf/releases/tag/v{% raw %}{{ version }}{% endraw %}"
+  dani-garcia/vaultwarden:
+    latest_version:
+      type: github
+      url: dani-garcia/vaultwarden
+    deployed_version:
+      url: "https://bitwarden.trez.wtf/api/version"
+      regex: ([0-9.]+)
+    dashboard:
+      web_url: "https://github.com/dani-garcia/vaultwarden/releases/{% raw %}{{ version }}{% endraw %}"
+      icon: "https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/src/static/images/vaultwarden-icon.png"
+  ellite/Wallos:
+    latest_version:
+      type: github
+      url: ellite/Wallos
+    deployed_version:
+      method: GET
+      url: http://wallos.com/api/status/version.php?api_key=xxx
+      json: version_number
+    dashboard:
+      icon: "https://github.com/ellite/Wallos/raw/main/images/siteicons/wallos.png"
+      web_url: "https://github.com/ellite/Wallos/releases"
+  FlareSolverr/FlareSolverr:
+    latest_version:
+      type: github
+      url: FlareSolverr/FlareSolverr
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      method: GET
+      url: "https://flaresolverr.trez.wtf"
+      json: version
+    dashboard:
+      icon: "https://raw.githubusercontent.com/FlareSolverr/FlareSolverr/master/resources/flaresolverr_logo.png"
+      web_url: "https://github.com/FlareSolverr/FlareSolverr/releases/tag/v{% raw %}{{ version }}{% endraw %}"
+  go-gitea/gitea:
+    latest_version:
+      type: github
+      url: go-gitea/gitea
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+      require:
+        regex_content: gitea-{% raw %}{{ version }}{% endraw %}-linux-amd64
+        regex_version: ^[0-9.]+[0-9]$
+    deployed_version:
+      url: "https://git.trez.wtf"
+      regex: 'Powered by Gitea\s+Version:\s+([0-9.]+) '
+    dashboard:
+      web_url: "https://github.com/go-gitea/gitea/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://raw.githubusercontent.com/go-gitea/gitea/main/public/img/logo.png"
+  gohugoio/hugo:
+    latest_version:
+      type: github
+      url: gohugoio/hugo
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+      require:
+        regex_content: hugo_{% raw %}{{ version }}{% endraw %}_Linux-64bit\.deb
+    dashboard:
+      web_url: "https://github.com/gohugoio/hugo/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://raw.githubusercontent.com/gohugoio/hugo/master/docs/static/img/hugo.png"
+  gotify/server:
+    latest_version:
+      type: github
+      url: gotify/server
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://gotify.trez.wtf/version"
+      json: version
+    dashboard:
+      web_url: "https://github.com/gotify/server/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://github.com/gotify/logo/raw/master/gotify-logo.png"
+  hashicorp/vault:
+    latest_version:
+      type: github
+      url: hashicorp/vault
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://vault.trez.wtf/v1/sys/health"
+      json: version
+    dashboard:
+      web_url: "https://github.com/hashicorp/vault/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://raw.githubusercontent.com/hashicorp/vault/main/ui/public/vault-logo.svg"
+  immich-app/immich:
+    latest_version:
+      type: github
+      url: immich-app/immich
+    deployed_version:
+      url: "https://pics.trez.wtf/api/server/about"
+      json: version
+      regex: ^v([0-9.]+)$
+      headers:
+        - key: x-api-key
+          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IMMICH_POWER_TOOLS_KEY'] }}
+    dashboard:
+      icon: "https://raw.githubusercontent.com/immich-app/immich/main/web/static/immich-logo.svg"
+      web_url: "https://github.com/immich-app/immich/releases/tag/v{% raw %}{{ version }}{% endraw %}"
+  influxdata/influxdb:
+    latest_version:
+      type: github
+      url: influxdata/influxdb
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://influxdb.trez.wtf/health"
+      json: version
+    dashboard:
+      web_url: "https://github.com/influxdata/influxdb/releases/tag/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://github.com/influxdata/ui/raw/master/src/writeData/graphics/influxdb.svg"
+  jellyfin/jellyfin:
+    latest_version:
+      type: github
+      url: jellyfin/jellyfin
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://jellyfin.trez.wtf/System/Info/Public"
+      json: Version
+    dashboard:
+      web_url: "https://github.com/jellyfin/jellyfin/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://avatars.githubusercontent.com/u/45698031?s=200&v=4"
+  Lidarr/Lidarr:
+    options:
+      semantic_versioning: false
+    latest_version:
+      type: github
+      url: Lidarr/Lidarr
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      method: GET
+      url: "https://lidarr.trez.wtf/api/v1/system/status"
+      headers:
+        - key: X-Api-Key
+          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
+      json: version
+    dashboard:
+      icon: "https://raw.githubusercontent.com/Lidarr/Lidarr/develop/Logo/1024.png"
+      web_url: "https://github.com/Lidarr/Lidarr/releases/v{% raw %}{{ version }}{% endraw %}"
+  louislam/uptime-kuma:
+    latest_version:
+      type: github
+      url: louislam/uptime-kuma
+    deployed_version:
+      url: "https://status.trez.wtf/metrics"
+      regex: app_version{version=\"([0-9.]+)\",major=\"[0-9]+\",minor=\"[0-9]+\",patch=\"[0-9]+\"}
+    dashboard:
+      web_url: "https://github.com/louislam/uptime-kuma/releases/{% raw %}{{ version }}{% endraw %}"
+      icon: "https://raw.githubusercontent.com/louislam/uptime-kuma/master/public/icon.png"
+  morpheus65535/bazarr:
+    latest_version:
+      type: github
+      url: morpheus65535/bazarr
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://bazarr.trez.wtf/api/system/status"
+      headers:
+        - key: X-API-KEY
+          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['BAZARR_API_KEY'] }}
+      json: data.bazarr_version
+    dashboard:
+      web_url: "https://github.com/morpheus65535/bazarr/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://raw.githubusercontent.com/morpheus65535/bazarr/master/frontend/public/images/logo128.png"
+  n8n-io/n8n:
+    latest_version:
+      type: url
+      url: "https://github.com/n8n-io/n8n/tags"
+      url_commands:
+        - type: regex
+          regex: n8n\%40([0-9.]+)
+    dashboard:
+      web_url: "https://github.com/n8n-io/n8n/blob/master/CHANGELOG.md"
+      icon: "https://raw.githubusercontent.com/n8n-io/n8n-docs/main/docs/_images/n8n-docs-icon.svg"
+  nextcloud/server:
+    latest_version:
+      type: github
+      url: nextcloud/server
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://cloud.trez.wtf/status.php"
+      json: versionstring
+    dashboard:
+      web_url: "https://nextcloud.com/changelog/"
+      icon: "https://github.com/nextcloud/server/raw/master/core/img/favicon.png"
+  Prowlarr/Prowlarr:
+    options:
+      semantic_versioning: false
+    latest_version:
+      type: github
+      url: Prowlarr/Prowlarr
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+      use_prerelease: true
+    deployed_version:
+      url: "https://prowlarr.trez.wtf/api/v1/system/status"
+      headers:
+        - key: X-Api-Key
+          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}
+      json: version
+    dashboard:
+      web_url: "https://github.com/Prowlarr/Prowlarr/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://avatars.githubusercontent.com/u/73049443?s=200&v=4"
+  Radarr/Radarr:
+    options:
+      semantic_versioning: false
+    latest_version:
+      type: github
+      url: Radarr/Radarr
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      url: "https://radarr.trez.wtf/api/v3/system/status"
+      headers:
+        - key: X-Api-Key
+          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}
+      json: version
+    dashboard:
+      web_url: "https://github.com/Radarr/Radarr/releases/v{% raw %}{{ version }}{% endraw %}"
+      icon: "https://avatars.githubusercontent.com/u/25025331?s=200&v=4"
+  Readarr/Readarr:
+    options:
+      semantic_versioning: false
+    latest_version:
+      type: github
+      url: Readarr/Readarr
+      use_prerelease: true
+      url_commands:
+        - type: regex
+          regex: v([0-9.]+)$
+    deployed_version:
+      method: GET
+      url: "https://readarr.trez.wtf/api/v1/system/status"
+      headers:
+        - key: X-Api-Key
+          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}
+      json: version
+    dashboard:
+      icon: "https://raw.githubusercontent.com/Readarr/Readarr/develop/Logo/1024.png"
+      web_url: "https://github.com/Readarr/Readarr/releases/v{% raw %}{{ version }}{% endraw %}"
+  Sonarr/Sonarr:
+    options:
+      semantic_versioning: false
+    latest_version:
+      type: url
+      url: "https://github.com/Sonarr/Sonarr/tags"
+      url_commands:
+        - type: regex
+          regex: \/releases\/tag\/v?([0-9.]+)\"
+    deployed_version:
+      url: "https://sonarr.trez.wtf/api/v3/system/status"
+      headers:
+        - key: X-Api-Key
+          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}
+      json: version
+    dashboard:
+      web_url: "https://sonarr.trez.wtf/system/updates"
+      icon: "https://raw.githubusercontent.com/Sonarr/Sonarr/develop/Logo/256.png"
+  release-argus/argus:
+    latest_version:
+      type: github
+      url: release-argus/argus
+    dashboard:
+      icon: "https://raw.githubusercontent.com/release-argus/Argus/master/web/ui/react-app/public/favicon.svg"
+      icon_link-to: "https://release-argus.io"
+      web_url: "https://github.com/release-argus/Argus/blob/master/CHANGELOG.md"
@@ -102,6 +102,14 @@ access_control:
      policy: one_factor
      subject:
      - ['user:the.trezured.one']
+    - domain: wizarr.trez.wtf
+      resources:
+        - '^/join(/.*)?$'
+        - '^/j(/.*)?$'
+        - '^/static(/.*)?$'
+        - '^/setup(/.*)?$'
+        - '^/wizard(/.*)?$'
+      policy: bypass
 session:
  name: authelia_session
  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
@@ -112,8 +120,9 @@ session:
    - domain: 'trez.wtf'
      authelia_url: 'https://auth.trez.wtf'
  redis:
-    host: redis
+    host: authelia-valkey
    port: 6379
+    database_index: 0
 storage:
  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
  postgres:
@@ -1,172 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-# yaml-language-server: $schema=https://www.authelia.com/schemas/latest/json-schema/configuration.json
---
-theme: auto
-default_2fa_method: "totp"
-server:
-  address: '0.0.0.0:9091'
-  endpoints:
-    enable_pprof: false
-    enable_expvars: false
-  disable_healthcheck: false
-  tls:
-    key: ""
-    certificate: ""
-    client_certificates: []
-  headers:
-    csp_template: ""
-log:
-  level: debug
-telemetry:
-  metrics:
-    enabled: true
-    address: tcp://0.0.0.0:9959
-totp:
-  disable: false
-  issuer: authelia.com
-  algorithm: sha256
-  digits: 6
-  period: 30
-  skew: 1
-  secret_size: 32
-webauthn:
-  disable: false
-  timeout: 60s
-  display_name: Authelia
-  attestation_conveyance_preference: indirect
-  selection_criteria:
-    user_verification: preferred
-ntp:
-  address: "time.cloudflare.com:123"
-  version: 4
-  max_desync: 3s
-  disable_startup_check: false
-  disable_failure: false
-authentication_backend:
-  password_reset:
-    disable: false
-    custom_url: ""
-  ldap:
-    implementation: custom
-    address: ldap://lldap:3890
-    timeout: 5s
-    start_tls: false
-    base_dn: dc=trez,dc=wtf
-    additional_users_dn: ou=people
-    users_filter: "(&({username_attribute}={input})(objectClass=person))"
-    additional_groups_dn: ou=groups
-    groups_filter: "(member={dn})"
-    attributes:
-      username: uid
-      group_name: cn
-      mail: mail
-      display_name: displayName
-    user: uid=authelia,ou=people,dc=trez,dc=wtf
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
-  refresh_interval: 5m
-identity_validation:
-  reset_password:
-    jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}'
-password_policy:
-  standard:
-    enabled: true
-    min_length: 8
-    max_length: 0
-    require_uppercase: true
-    require_lowercase: true
-    require_number: true
-    require_special: false
-  zxcvbn:
-    enabled: false
-    min_score: 3
-access_control:
-  default_policy: deny
-  networks:
-    - name: 'internal'
-      networks:
-        - '172.17.0.0/16'
-        - '172.18.0.0/16'
-        - '192.168.1.0/24'
-  rules:
-    - domain_regex:
-      - '^trez.wtf$'
-      - ^www.trez.wtf$''
-      policy: bypass
-    - domain: '*.trez.wtf'
-      policy: bypass
-      networks:
-        - 'internal'
-    - domain: '*.trez.wtf'
-      policy: one_factor
-      subject:
-      - ['user:the.trezured.one']
-session:
-  name: authelia_session
-  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
-  expiration: 1h
-  inactivity: 5m
-  remember_me: 1M
-  cookies:
-    - domain: 'trez.wtf'
-      authelia_url: 'https://auth.trez.wtf'
-  redis:
-    host: redis
-    port: 6379
-storage:
-  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
-  postgres:
-    address: 'tcp://authelia-pg:5432'
-    database: authelia
-    username: authelia
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
-    timeout: '5s'
-regulation:
-  max_retries: 3
-  find_time: 2m
-  ban_time: 5m
-notifier:
-  disable_startup_check: true
-  smtp:
-    address: 'smtp://postal-smtp:25'
-    timeout: '5s'
-    username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}'
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}'
-    sender: "Authelia <noreply@trez.wtf>"
-    identifier: 'localhost'
-    subject: "[Authelia] {title}"
-    startup_check_address: 'test@authelia.com'
-    disable_require_tls: true
-    disable_starttls: true
-    disable_html_emails: false
-identity_providers:
-  oidc:
-    hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}'
-    jwks:
-      - key: |
-          {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
-    cors:
-      allowed_origins_from_client_redirect_uris: true
-      endpoints:
-        - 'userinfo'
-        - 'authorization'
-        - 'token'
-        - 'revocation'
-        - 'introspection'
-    clients:
-      - client_id: 'netbird'
-        client_name: 'NetBird'
-        client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
-        public: false
-        authorization_policy: 'two_factor'
-        redirect_uris:
-          - 'https://vpn.trez.wtf/peers'
-          - 'https://vpn.trez.wtf/add-peers'
-          - 'http://localhost'
-        scopes:
-          - 'openid'
-          - 'email'
-          - 'profile'
-        userinfo_signed_response_alg: 'none'
-        token_endpoint_auth_method: 'client_secret_post'
@@ -1,16 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-tunnel: 52bdee6e-8ccb-47be-ba9e-f8010b905e41
-credentials-file: /etc/cloudflared/52bdee6e-8ccb-47be-ba9e-f8010b905e41.json
-warp-routing:
-  enabled: true
-
-ingress:
-  - hostname: git-ssh.trez.wtf
-    service: ssh://gitea:22
-  - hostname: gist-ssh.trez.wtf
-    service: ssh://gitea-opengist:2222
-  - hostname: ssh.trez.wtf
-    service: ssh://192.168.1.254:22
-  - service: http_status:404  # Default for unmatched requests
@@ -1,9 +1,7 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
-
-
 source: journalctl
-journalctl_filter: 
+journalctl_filter:
  - "--directory=/var/log/host/"
 labels:
  type: syslog
@@ -13,3 +11,55 @@ filenames:
 labels:
  type: nginx
 ---
+filenames:
+  - /var/log/auth/auth.log
+labels:
+  type: syslog
+---
+filenames:
+  - /var/lib/mysql/log/mysql/*
+  - /var/lib/mysql/databases/*.err
+  - /var/lib/mysql/databases/*.log
+labels:
+  type: mariadb
+---
+source: docker
+container_name:
+  - adguard
+labels:
+  type: adguardhome
+---
+source: docker
+container_name:
+ - mongodb
+labels:
+  type: mongodb
+---
+source: docker
+container_name:
+ - immich-server
+labels:
+  type: immich
+---
+source: docker
+container_name:
+ - uptimekuma
+labels:
+  type: uptime-kuma
+---
+source: docker
+container_name:
+ - jellyfin
+labels:
+  type: jellyfin
+---
+source: docker
+container_name:
+ - navidrome
+labels:
+  type: navidrome
+---
+filenames:
+  - /var/log/audiobookshelf/*.txt
+labels:
+  type: audiobookshelf
@@ -1,3 +1,5 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 common:
  daemonize: false
  log_media: stdout
@@ -1,15 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-
-source: journalctl
-journalctl_filter: 
-  - "--directory=/var/log/host/"
-labels:
-  type: syslog
---
-filenames:
-  - /var/log/swag/*
-labels:
-  type: nginx
---
@@ -1,49 +0,0 @@
-common:
-  daemonize: false
-  log_media: stdout
-  log_level: info
-  log_dir: /var/log/
-config_paths:
-  config_dir: /etc/crowdsec/
-  data_dir: /var/lib/crowdsec/data/
-  simulation_path: /etc/crowdsec/simulation.yaml
-  hub_dir: /etc/crowdsec/hub/
-  index_path: /etc/crowdsec/hub/.index.json
-  notification_dir: /etc/crowdsec/notifications/
-  plugin_dir: /usr/local/lib/crowdsec/plugins/
-crowdsec_service:
-  acquisition_path: /etc/crowdsec/acquis.yaml
-  acquisition_dir: /etc/crowdsec/acquis.d
-  parser_routines: 1
-plugin_config:
-  user: nobody
-  group: nobody
-cscli:
-  output: human
-db_config:
-  log_level: info
-  type: sqlite
-  db_path: /var/lib/crowdsec/data/crowdsec.db
-  flush:
-    max_items: 5000
-    max_age: 7d
-  use_wal: false
-api:
-  client:
-    insecure_skip_verify: false
-    credentials_path: /etc/crowdsec/local_api_credentials.yaml
-  server:
-    log_level: info
-    listen_uri: 0.0.0.0:8080
-    profiles_path: /etc/crowdsec/profiles.yaml
-    trusted_ips: # IP ranges, or IPs which can have admin API access
-      - 127.0.0.1
-      - ::1
-    online_client: # Central API credentials (to push signals and receive bad IPs)
-      credentials_path: /etc/crowdsec/online_api_credentials.yaml
-    enable: true
-prometheus:
-  enabled: true
-  level: full
-  listen_addr: 0.0.0.0
-  listen_port: 6060
@@ -1,6 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-url: http://0.0.0.0:8080
-login: localhost
-password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_LOCAL_API_KEY'] }}
@@ -1,6 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-url: https://api.crowdsec.net/
-login: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
-password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }}
@@ -1,17 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-name: default_ip_remediation
-#debug: true
-filters:
- - Alert.Remediation == true && Alert.GetScope() == "Ip"
-decisions:
- - type: ban
-   duration: 4h
-#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
-# notifications:
-#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
-#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
-#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
-#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
-on_success: break
@@ -0,0 +1,25 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+EXPLO_SYSTEM: subsonic
+SYSTEM_URL: http://navidrome:4533
+SYSTEM_USERNAME: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_USERNAME'] }}
+SYSTEM_PASSWORD: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}
+DOWNLOAD_DIR: /downloads
+PLAYLIST_DIR: /playlists
+LISTENBRAINZ_USER: Trez.One
+YOUTUBE_API_KEY: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUTUBE_DATA_API_V3_KEY'] }}
+# Assign a custom path to yt-dlp
+# YTDLP_PATH=
+# Keywords to ignore on videos downloaded by youtube (separated by only commas)
+FILTER_LIST: live,remix,instrumental,extended
+# Define a custom filename sepatator for special characters
+# FILENAME_SEPARATOR=
+# true to keep pervious weeks discoveries, only set to false if the parent folder only contains discovered songs (deletes every file in folder)
+PERSIST: true
+# 'playlist' to get tracks from Weekly Exploration playlist, anything else gets it from API (not the best recommendations). 'test' will download 1 song
+LISTENBRAINZ_DISCOVERY: playlist
+# Time to sleep (in minutes) between scanning and querying tracks from your system (If using Subsonic, Jellyfin)
+SLEEP: 5
+# Whether to provide additional info for debugging
+DEBUG: true
+SINGLE_ARTIST: true
@@ -0,0 +1,26 @@
+metadata_dir = "/var/lib/garage/meta"
+data_dir = "/var/lib/garage/data"
+db_engine = "lmdb"
+metadata_auto_snapshot_interval = "6h"
+
+replication_factor = 1
+
+compression_level = 10
+
+rpc_bind_addr = "[::]:3901"
+rpc_public_addr = "localhost:3901"
+rpc_secret = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GARAGE_RPC_SECRET'] }}"
+
+[s3_api]
+s3_region = "us-east-fh-pln"
+api_bind_addr = "[::]:3900"
+root_domain = ".s3.trez.wtf"
+
+[s3_web]
+bind_addr = "[::]:3902"
+root_domain = ".garage.trez.wtf"
+
+[admin]
+api_bind_addr = "[::]:3903"
+admin_token = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GARAGE_ADMIN_TOKEN'] }}"
+metrics_token = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GARAGE_METRICS_TOKEN'] }}"
@@ -1,42 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-{
-  "url": "blog.trez.wtf",
-  "database": {
-    "client": "mysql",
-    "connection": {
-      "host"     : "mariadb",
-      "port"     : 3306,
-      "user"     : "ghost",
-      "password" : "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GHOST_DB_PASSWORD'] }}",
-      "database" : "ghost_db"
-    }
-  },
-  "mail": {
-    "from": "'Ghost @ Rinoa' <noreply@trez.wtf>",
-    "transport": "SMTP",
-    "options": {
-      "host": "postal-smtp",
-      "port": 25,
-      "secure": false,
-      "auth": {
-        "user": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}",
-        "pass": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
-      }
-    }
-  },
-  "paths": {
-    "contentPath": "content/"
-  },
-  "privacy": {
-    "useGravatar": true
-  },
-  "logging": {
-    "level": "info",
-    "rotation": {
-      "enabled": true
-    },
-    "transports": ["file"]
-  }
-}
@@ -1,101 +0,0 @@
-# Example configuration file, it's safe to copy this as the default config file without any modification.
-
-# You don't have to copy this file to your instance,
-# just run `./act_runner generate-config > config.yaml` to generate a config file.
-
-log:
-  # The level of logging, can be trace, debug, info, warn, error, fatal
-  level: info
-
-runner:
-  # Where to store the registration result.
-  file: .runner
-  # Execute how many tasks concurrently at the same time.
-  capacity: 3
-  # Extra environment variables to run jobs.
-#   envs:
-#     A_TEST_ENV_NAME_1: a_test_env_value_1
-#     A_TEST_ENV_NAME_2: a_test_env_value_2
-  # Extra environment variables to run jobs from a file.
-  # It will be ignored if it's empty or the file doesn't exist.
-#   env_file: .env
-  # The timeout for a job to be finished.
-  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
-  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
-  timeout: 3h
-  # The timeout for the runner to wait for running jobs to finish when shutting down.
-  # Any running jobs that haven't finished after this timeout will be cancelled.
-  shutdown_timeout: 0s
-  # Whether skip verifying the TLS certificate of the Gitea instance.
-  insecure: false
-  # The timeout for fetching the job from the Gitea instance.
-  fetch_timeout: 5s
-  # The interval for fetching the job from the Gitea instance.
-  fetch_interval: 2s
-  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
-  # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
-  # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
-  # If it's empty when registering, it will ask for inputting labels.
-  # If it's empty when execute `daemon`, will use labels in `.runner` file.
-  labels:
-    - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
-    - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
-    - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
-
-cache:
-  # Enable cache server to use actions/cache.
-  enabled: true
-  # The directory to store the cache data.
-  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
-  dir: ""
-  # The host of the cache server.
-  # It's not for the address to listen, but the address to connect from job containers.
-  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
-  host: "192.168.1.254"
-  # The port of the cache server.
-  # 0 means to use a random available port.
-  port: 63604
-  # The external cache server URL. Valid only when enable is true.
-  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
-  # The URL should generally end with "/".
-  external_server: ""
-
-container:
-  # Specifies the network to which the container will connect.
-  # Could be host, bridge or the name of a custom network.
-  # If it's empty, act_runner will create a network automatically.
-  network: "compose_default"
-  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
-  privileged: false
-  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
-  options:
-  # The parent directory of a job's working directory.
-  # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
-  # If the path starts with '/', the '/' will be trimmed.
-  # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
-  # If it's empty, /workspace will be used.
-  workdir_parent:
-  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
-  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
-  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
-  # valid_volumes:
-  #   - data
-  #   - /src/*.json
-  # If you want to allow any volume, please use the following configuration:
-  # valid_volumes:
-  #   - '**'
-  valid_volumes: []
-  # overrides the docker client host with the specified one.
-  # If it's empty, act_runner will find an available docker host automatically.
-  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
-  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
-  docker_host: ""
-  # Pull docker image(s) even if already present
-  force_pull: false
-  # Rebuild docker image(s) even if already present
-  force_rebuild: false
-
-host:
-  # The parent directory of a job's working directory.
-  # If it's empty, $HOME/.cache/act/ will be used.
-  workdir_parent:
@@ -1,125 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-APP_NAME = Gitea: Git with a cup of tea
-RUN_MODE = prod
-RUN_USER = git
-WORK_PATH = /data/gitea
-
-[repository]
-ROOT = /data/git/repositories
-DEFAULT_PRIVATE = last
-EMABLE_PUSH_CREATE_USER = true
-
-[repository.local]
-LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
-
-[repository.upload]
-TEMP_PATH = /data/gitea/uploads
-
-[server]
-APP_DATA_PATH = /data/gitea
-DOMAIN = git.trez.wtf
-SSH_DOMAIN = git-ssh.trez.wtf
-HTTP_PORT = 3000
-ROOT_URL = https://git.trez.wtf/
-DISABLE_SSH = false
-SSH_PORT = 22
-SSH_LISTEN_PORT = 22
-LFS_START_SERVER = true
-LFS_JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_LFS_JWT_SECRET'] }}
-OFFLINE_MODE = true
-
-[database]
-PATH = /data/gitea/gitea.db
-DB_TYPE = postgres
-HOST = gitea-db:5432
-NAME = gitea
-USER = gitea
-PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_PG_DB_PASSWORD'] }}
-LOG_SQL = false
-SCHEMA =
-SSL_MODE = disable
-
-[indexer]
-ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
-REPO_INDEXER_ENABLED = true
-REPO_INDEXER_PATH = indexers/repos.bleve
-MAX_FILE_SIZE = 1048576
-REPO_INDEXER_INCLUDE =
-REPO_INDEXER_EXCLUDE = resources/bin/**
-
-[session]
-PROVIDER_CONFIG = /data/gitea/sessions
-PROVIDER = file
-
-[picture]
-AVATAR_UPLOAD_PATH = /data/gitea/avatars
-REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
-
-[attachment]
-PATH = /data/gitea/attachments
-
-[log]
-MODE = console
-LEVEL = info
-ROOT_PATH = root
-
-[security]
-INSTALL_LOCK = true
-SECRET_KEY =
-REVERSE_PROXY_LIMIT = 1
-REVERSE_PROXY_TRUSTED_PROXIES = *
-INTERNAL_TOKEN = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_INTERNAL_TOKEN'] }}
-PASSWORD_HASH_ALGO = pbkdf2
-
-[service]
-DISABLE_REGISTRATION = false
-REQUIRE_SIGNIN_VIEW = false
-REGISTER_EMAIL_CONFIRM = true
-ENABLE_NOTIFY_MAIL = true
-ALLOW_ONLY_EXTERNAL_REGISTRATION = false
-ENABLE_CAPTCHA = true
-DEFAULT_KEEP_EMAIL_PRIVATE = true
-DEFAULT_ALLOW_CREATE_ORGANIZATION = false
-DEFAULT_ENABLE_TIMETRACKING = false
-NO_REPLY_ADDRESS = noreply@trez.wtf
-
-[lfs]
-PATH = /data/git/lfs
-
-[mailer]
-PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
-PROTOCOL = smtp
-ENABLED = true
-FROM = '"Gitea" <noreply@trez.wtf>'
-SMTP_PORT = 25
-USER = rinoa/postal-smtp
-SMTP_ADDR = postal-smtp
-IS_TLS_ENABLED = faLse
-
-[openid]
-ENABLE_OPENID_SIGNIN = true
-ENABLE_OPENID_SIGNUP = true
-
-[cron.update_checker]
-ENABLED = false
-
-[repository.pull-request]
-DEFAULT_MERGE_STYLE = merge
-
-[repository.signing]
-DEFAULT_TRUST_MODEL = committer
-
-[oauth2]
-JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_OAUTH2_JWT_SECRET'] }}
-
-[ui]
-THEMES =
-
-[actions]
-ENABLED = true
-
-[webhook]
-ALLOWED_HOST_LIST = private,104.21.1.234,172.67.152.146
-SKIP_TLS_VERIFY = true
@@ -1,81 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-# Gitea related configuration. Necessary for adding/updating comments on repository pull requests
-gitea:
-  # Endpoint of your Gitea instance. Must be expandable by '/api/v1' to form the API base path as shown in Swagger UI.
-  url: https://git.trez.wtf
-
-  # Created access token for the user that shall be used as bot account.
-  # User needs "Read project" permissions with access to "Pull Requests"
-  token:
-    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}"
-    # # or path to file containing the plain text secret
-    # file: /path/to/gitea/token
-
-  # If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
-  # request will be ignored.
-  # The bot looks for `X-Gitea-Signature` header containing the sha256 hmac hash of the plain text secret. If the header
-  # exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be validated.
-  webhook:
-    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}"
-    # # or path to file containing the plain text secret
-    # secretFile: /path/to/gitea/webhook/secret
-
-  # Pull Request status check settings.
-  statusCheck:
-    # Configure the label/name of the PR status check.
-    name: "gitea-sonarqube-bot"
-
-# SonarQube related configuration. Necessary for requesting data from the API and processing the webhook.
-sonarqube:
-  # Endpoint of your SonarQube instance. Must be expandable by '/api' to form the API base path.
-  url: https://sqube.trez.wtf
-
-  # Created access token for the user that shall be used as bot account.
-  # User needs "Browse on project" permissions
-  token:
-    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}"
-    # # or path to file containing the plain text secret
-    # file: /path/to/sonarqube/token
-
-  # If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
-  # request will be ignored.
-  # The bot looks for `X-Sonar-Webhook-HMAC-SHA256` header containing the sha256 hmac hash of the plain text secret.
-  # If the header exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be
-  # validated.
-  webhook:
-    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}"
-    # # or path to file containing the plain text secret
-    # secretFile: /path/to/sonarqube/webhook/secret
-
-  # Some useful metrics depend on the edition in use. There are various ones like code_smells, vulnerabilities, bugs, etc.
-  # By default, the bot will extract "bugs,vulnerabilities,code_smells"
-  # Setting this option you can extend that default list by your own metrics.
-  # additionalMetrics: []
-  # - "new_security_hotspots"
-
-# List of project mappings to take care of. Webhooks for other projects will be ignored.
-# At least one must be configured. Otherwise, all webhooks (no matter which source) because the bot cannot map on its own.
-projects:
-  - sonarqube:
-      key: rinoa-docker
-    # A repository specification contains the owner name and the repository name itself. The owner can be the name of a
-    # real account or an organization in which the repository is located.
-    gitea:
-      owner: Trez.One
-      name: rinoa-docker
-
-# Define pull request names from SonarScanner analysis. Default pattern matches the Jenkins Gitea plugin schema.
-namingPattern:
-  # Regular expression that MUST HAVE exactly ONE GROUP that matches the integer part of the PR.
-  # That integer part is identical to the pull request ID in Gitea.
-  regex: "^.*$"
-
-  # Valid Go format string. It MUST have one integer placeholder which will be replaced by the pull request ID.
-  # See: https://pkg.go.dev/fmt#hdr-Printing
-  template: "%s"
-
-  # Example for integer-only names
-  # # regex: "^(\\d+)$"
-  # # template: "%d"
@@ -1,404 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-/////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Agent globals
-/////////////////////////////////////////////////////////////////////////////////////////////////////////////
-local.file "endpoints" {
-    // The endpoints file is used to define the endpoints, credentials and options
-    // for the Agent export to.
-    filename = "/etc/alloy/endpoints.json"
-}
-
-discovery.docker "rinoadocker" {
-        host = env("DOCKER_HOST")
-}
-
-tracing {
-    write_to = [otelcol.exporter.otlp.tempo.input]
-}
-/////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Metrics
-/////////////////////////////////////////////////////////////////////////////////////////////////////////////
-prometheus.remote_write "mimir" {
-  endpoint {
-    url = json_path(local.file.endpoints.content, ".metrics.url")[0]
-    basic_auth {
-        username = json_path(local.file.endpoints.content, ".metrics.basicAuth.username")[0]
-        password = json_path(local.file.endpoints.content, ".metrics.basicAuth.password")[0]
-    }
-  }
-}
-
-prometheus.scrape "prometheus" {
-        targets = [{
-                __address__ = "localhost:12345",
-        }]
-        forward_to = [prometheus.remote_write.mimir.receiver]
-        job_name   = "prometheus"
-}
-
-prometheus.exporter.unix "rinoa" {
-        procfs_path = "/host/proc"
-        sysfs_path  = "/host/sys"
-        rootfs_path = "/rootfs"
-}
-
-prometheus.scrape "rinoa" {
-        targets    = prometheus.exporter.unix.rinoa.targets
-        forward_to = [prometheus.remote_write.mimir.receiver]
-        job_name   = "rinoa_host"
-}
-
-prometheus.exporter.cadvisor "docker" {
-        docker_host      = env("DOCKER_HOST")
-        storage_duration = "5m"
-}
-
-prometheus.scrape "docker" {
-        targets    = prometheus.exporter.cadvisor.docker.targets
-        forward_to = [prometheus.remote_write.mimir.receiver]
-        job_name   = "docker_stats"
-}
-/////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Logging
-/////////////////////////////////////////////////////////////////////////////////////////////////////////////
-loki.write "loki" {
-        endpoint {
-                url = json_path(local.file.endpoints.content, ".logs.url")[0]
-                basic_auth {
-                        username = json_path(local.file.endpoints.content, ".logs.basicAuth.username")[0]
-                        password = json_path(local.file.endpoints.content, ".logs.basicAuth.password")[0]
-                }
-        }
-        external_labels = {}
-}
-
-loki.source.journal "hostjournal" {
-        forward_to = [loki.write.loki.receiver]
-        max_age = "24h"
-        path = "/rootfs/var/log/journal/"
-        labels = {
-                job = "host-journal",
-        }
-}
-
-local.file_match "system" {
-        path_targets = [{
-                __address__ = "localhost",
-                __path__    = "/rootfs/var/log/*log",
-                job         = "varlogs",
-        }]
-}
-
-loki.source.file "system" {
-        targets    = local.file_match.system.targets
-        forward_to = [loki.write.loki.receiver]
-}
-
-loki.source.docker "containers" {
-        host       = env("DOCKER_HOST")
-        targets    = discovery.docker.rinoadocker.targets
-        forward_to = [loki.write.loki.receiver]
-        labels     = {
-                job = "containerlogs",
-        }
-}
-
-loki.process "containers" {
-        forward_to = [loki.write.loki.receiver]
-        // stage.docker {}
-        stage.json {
-		expressions = {
-			attrs  = "",
-			output = "log",
-			stream = "stream",
-		}
-	}
-
-	stage.json {
-		expressions = {
-			tag = "",
-		}
-		source = "attrs"
-	}
-
-	stage.regex {
-		expression = "(?P<image_name>(?:[^|]*[^|])).(?P<container_name>(?:[^|]*[^|])).(?P<image_id>(?:[^|]*[^|])).(?P<container_id>(?:[^|]*[^|]))"
-		source     = "tag"
-	}
-
-	stage.timestamp {
-		source = "time"
-		format = "RFC3339Nano"
-	}
-
-	stage.labels {
-		values = {
-			container_id   = null,
-			container_name = null,
-			image_id       = null,
-			image_name     = null,
-			stream         = null,
-			tag            = null,
-		}
-	}
-
-	stage.output {
-		source = "output"
-	}
-}
-
-/////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Traces
-/////////////////////////////////////////////////////////////////////////////////////////////////////////////
-beyla.ebpf "rinoadocker" {
-    open_port = "80-65535"
-    routes {
-        unmatched = "heauristic"
-    }
-    output {
-        traces = [
-            otelcol.connector.servicegraph.tracemetrics.input,
-            otelcol.connector.spanmetrics.tracemetrics.input,
-            otelcol.processor.batch.default.input,
-            otelcol.connector.spanlogs.autologging.input,
-        ]
-    }
-}
-
-prometheus.scrape "beyla" { 
-    targets = beyla.ebpf.rinoadocker.targets
-    forward_to = [prometheus.remote_write.mimir.receiver]
-}
-
-otelcol.auth.headers "tempo" {
-    header {
-        key = "Authorization"
-        value = join(["Basic ", json_path(local.file.endpoints.content, ".traces.basicAuthToken")[0]], "")
-    }
-}
-
-otelcol.processor.batch "default" {
-    // Wait until we've received 16K of data.
-    send_batch_size = 16384
-    send_batch_max_size = 16384
-    // Or until 2 seconds have elapsed.
-    timeout = "2s"
-    // When the Agent has enough batched data, send it to the OpenTelemetry exporter named 'tempo'.
-    output {
-        traces = [otelcol.exporter.otlp.tempo.input]
-    }
-}
-
-otelcol.exporter.otlp "tempo" {
-    // Define the client for exporting.
-    client {
-        // Authentication block.
-        auth = otelcol.auth.headers.tempo.handler
-
-        // Send to the locally running Tempo instance, on port 4317 (OTLP gRPC).
-        endpoint = json_path(local.file.endpoints.content, ".traces.url")[0]
-
-        // Configure TLS settings for communicating with the endpoint.
-        tls {
-            // The connection is insecure.
-            insecure = json_path(local.file.endpoints.content, ".traces.tls.insecure")[0]
-            // Do not verify TLS certificates when connecting.
-            insecure_skip_verify = json_path(local.file.endpoints.content, ".traces.tls.insecureSkipVerify")[0]
-        }
-    }
-}
-
-otelcol.connector.spanlogs "autologging" {
-    // We only want to output a line for each root span (ie. every single trace), and not for every
-    // process or span (outputting a line for every span would be extremely verbose).
-    spans = false
-    roots = true
-    processes = false
-    // We want to ensure that the following three span attributes are included in the log line, if
-    // present.
-    span_attributes = [ "http.method", "http.target", "http.status_code" ]
-
-    // Overrides the default key in the log line to be `traceId`, which is then used by Grafana to
-    // identify the trace ID for correlation with the Tempo datasource.
-    overrides {
-        trace_id_key = "traceId"
-    }
-    // Send to the OpenTelemetry Loki exporter.
-    output {
-        logs = [otelcol.exporter.loki.autologging.input]
-    }
-}
-
-// Simply forwards the incoming OpenTelemetry log format out as a Loki log.
-// We need this stage to ensure we can then process the logline as a Loki object.
-otelcol.exporter.loki "autologging" {
-    forward_to = [loki.process.autologging.receiver]
-}
-
-// The Loki processor allows us to accept a correctly formatted Loki log and mutate it into
-// a set of fields for output.
-loki.process "autologging" {
-    // The JSON stage simply extracts the `body` (the actual logline) from the Loki log, ignoring
-    // all other fields.
-    stage.json {
-        expressions = { "body" = "" }
-    }
-    // The output stage takes the body (the main logline) and uses this as the source for the output
-    // logline. In this case, it essentially turns it into logfmt.
-    stage.output {
-        source = "body"
-    }
-
-    // Finally send the processed logline onto the Loki exporter.
-    forward_to = [loki.write.autologging.receiver]
-}
-
-// The Loki writer receives a processed Loki log and then writes it to a Loki instance.
-loki.write "autologging" {
-    // Add the `agent` value to the `job` label, so we can identify it as having been generated
-    // by Grafana Agent when querying.
-    external_labels = {
-        job = "agent",
-    }
-
-    // Output the Loki log to the local Loki instance.
-    endpoint {
-        url = json_path(local.file.endpoints.content, ".logs.url")[0]
-
-        // The basic auth credentials for the Loki instance.
-        basic_auth {
-            username = json_path(local.file.endpoints.content, ".logs.basicAuth.username")[0]
-            password = json_path(local.file.endpoints.content, ".logs.basicAuth.password")[0]
-        }
-    }
-}
-
-// The Tail Sampling processor will use a set of policies to determine which received traces to keep
-// and send to Tempo.
-otelcol.processor.tail_sampling "errors" {
-    // Total wait time from the start of a trace before making a sampling decision. Note that smaller time
-    // periods can potentially cause a decision to be made before the end of a trace has occurred.
-    decision_wait = "30s"
-
-    // The following policies follow a logical OR pattern, meaning that if any of the policies match,
-    // the trace will be kept. For logical AND, you can use the `and` policy. Every span of a trace is
-    // examined by each policy in turn. A match will cause a short-circuit.
-
-    // This policy defines that traces that contain errors should be kept.
-    policy {
-        // The name of the policy can be used for logging purposes.
-        name = "sample-erroring-traces"
-        // The type must match the type of policy to be used, in this case examing the status code
-        // of every span in the trace.
-        type = "status_code"
-        // This block determines the error codes that should match in order to keep the trace,
-        // in this case the OpenTelemetry 'ERROR' code.
-        status_code {
-            status_codes = [ "ERROR" ]
-        }
-    }
-
-    // This policy defines that only traces that are longer than 200ms in total should be kept.
-    policy {
-        // The name of the policy can be used for logging purposes.
-        name = "sample-long-traces"
-        // The type must match the policy to be used, in this case the total latency of the trace.
-        type = "latency"
-        // This block determines the total length of the trace in milliseconds.
-        latency {
-            threshold_ms = 200
-        }
-    }
-
-    // The output block forwards the kept traces onto the batch processor, which will marshall them
-    // for exporting to Tempo.
-    output {
-        traces = [otelcol.processor.batch.default.input]
-    }
-}
-
-// The Spanmetrics Connector will generate RED metrics based on the incoming trace span data.
-otelcol.connector.spanmetrics "tracemetrics" {
-    // The namespace explicit adds a prefix to all the generated span metrics names.
-    // In this case, we'll ensure they match as closely as possible those generated by Tempo.
-    namespace = "traces.spanmetrics"
-
-    // Each extra dimension (metrics label) to be added to the generated metrics from matching span attributes. These
-    // need to be defined with a name and optionally a default value (in the following cases, we do not want a default
-    // value if the span attribute is not present).
-    dimension {
-        name = "http.method"
-    }
-    dimension {
-        name = "http.target"
-    }
-    dimension {
-        name = "http.status_code"
-    }
-    dimension {
-        name = "service.version"
-    }
-
-    // A histogram block must be present, either explicitly defining bucket values or via an exponential block.
-    // We do the latter here.
-    histogram {
-        explicit {
-        }
-    }
-
-    // The exemplar block is added to ensure we generate exemplars for traces on relevant metric values.
-    exemplars {
-        enabled = true
-    }
-
-    // Generated metrics data is in OTLP format. We send this data to the OpenTelemetry Prometheus exporter to ensure
-    // it gets transformed into Prometheus format data.
-    output {
-        metrics = [otelcol.exporter.prometheus.tracemetrics.input]
-    }
-}
-
-// The Servicegraph Connector will generate service graph metrics (edges and nodes) based on incoming trace spans.
-otelcol.connector.servicegraph "tracemetrics" {
-    // Extra dimensions (metrics labels) to be added to the generated metrics from matching span attributes.
-    // For this component, this is defined as an array. There are no default values and the labels will not be generated
-    // for missing span attributes.
-    dimensions = [
-        "http.method",
-        "http.target",
-        "http.status_code",
-        "service.version",
-    ]
-
-    // Generated metrics data is in OTLP format. We send this data to the OpenTelemetry Prometheus exporter to ensure
-    // it gets transformed into Prometheus format data.
-    output {
-        metrics = [otelcol.exporter.prometheus.tracemetrics.input]
-    }
-}
-
-otelcol.exporter.prometheus "tracemetrics" {
-    // Forward to our local Prometheus remote writer which will send the metrics to Mimir.
-    forward_to = [prometheus.remote_write.mimir.receiver]
-}
-/////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Profiling
-/////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-pyroscope.write "pyroscope" {
-        endpoint {
-                url = json_path(local.file.endpoints.content, ".profiles.url")[0]
-                basic_auth {
-                        username = json_path(local.file.endpoints.content, ".profiles.basicAuth.username")[0]
-                        password = json_path(local.file.endpoints.content, ".profiles.basicAuth.password")[0]
-                }
-        }
-        external_labels = {}
-}
-
-pyroscope.ebpf "rinoadocker" {
-        forward_to = [pyroscope.write.pyroscope.receiver]
-        targets = discovery.docker.rinoadocker.targets
-}
@@ -1,34 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-{
-    "metrics": {
-        "url": "http://grafana-mimir:9009/api/v1/push",
-        "basicAuth": {
-            "username": "",
-            "password": ""
-        }
-    },
-    "logs": {
-        "url": "http://grafana-loki:3100/loki/api/v1/push",
-        "basicAuth": {
-            "username": "",
-            "password": ""
-        }
-    },
-    "traces": {
-        "url": "http://grafana-tempo:4317",
-        "basicAuthToken": "",
-        "tls": {
-            "insecure": true,
-            "insecureSkipVerify": true
-        }
-    },
-    "profiles": {
-        "url": "http://grafana-pyroscope:4040",
-        "basicAuth": {
-            "username": "",
-            "password": ""
-        }
-    }
-}
@@ -1,7 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-routes:
-  patterns:
-    - /*
-  unmatched: heuristic
@@ -1,77 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-multitenancy_enabled: false
-no_auth_tenant: rinoa_mimir
-# target: query-frontend
-# api:
-#   prometheus_http_prefix: '/prometheus'
-server:
-  http_listen_port: 9009
-# frontend:
-#   split_queries_by_interval: 24h
-#   align_queries_with_step: true
-  # cache_results: true
-  # results_cache:
-  #   backend: "memcached"
-  #   memcached:
-  #     addresses: "memcached-mimir:11211"
-#   downstream_url: http://grafana-agent:12345
-
-common:
-  storage:
-    backend: s3
-    s3:
-      endpoint: minio:9000
-      access_key_id: "Q8KAihuXtGgmretKNh7C"
-      secret_access_key: "hOlRODtnvFlNlL26Bj3GizZG6Ys3rlpG8p6Vo3NX"
-      bucket_name: "mimir"
-      insecure: true
-
-blocks_storage:
-  storage_prefix: rinoa
-  tsdb:
-    dir: /tmp/mimir/tsdb
-
-memberlist:
-  tls_enabled: false
-
-compactor:
-  # Directory to temporarily store blocks underdoing compaction.
-  data_dir: /tmp/mimir/compactor
-  # The sharding ring type used to share the hashed ring for the compactor.
-  sharding_ring:
-    # Use memberlist backend store (the default).
-    kvstore:
-      store: memberlist
-
-# The distributor receives incoming metrics data for the system.
-distributor:
-  # The ring to share hash ring data across instances.
-  ring:
-    # The address advertised in the ring. Localhost.
-    instance_addr: 127.0.0.1
-    # Use memberlist backend store (the default).
-    kvstore:
-      store: memberlist
-
-# The ingester receives data from the distributor and processes it into indices and blocks.
-ingester:
-  # The ring to share hash ring data across instances.
-  ring:
-    # The address advertised in the ring. Localhost.
-    instance_addr: 127.0.0.1
-    # Use memberlist backend store (the default).
-    kvstore:
-      store: memberlist
-    # Only run one instance of the ingesters.
-    # Note: It is highly recommended to run more than one ingester in production, the default is an RF of 3.
-    replication_factor: 1
-
-# The store gateway block configures gateway storage.
-store_gateway:
-  # Configuration for the hash ring.
-  sharding_ring:
-    # Only run a single instance. In production setups, the replication factor must
-    # be set on the querier and ruler as well.
-    replication_factor: 1
@@ -1,12 +0,0 @@
-storage:
-  backend: s3
-  s3:
-    bucket_name: pyroscope
-    endpoint: minio:9000
-    region: us-east-fh-pln
-    access_key_id: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
-    secret_access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
-    insecure: true
-
-analytics:
-  reporting_enabled: false
@@ -1,787 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-target: all
-http_api_prefix: ""
-autocomplete_filtering_enabled: true
-server:
-    http_listen_network: tcp
-    http_listen_address: ""
-    http_listen_port: 80
-    http_listen_conn_limit: 0
-    grpc_listen_network: tcp
-    grpc_listen_address: ""
-    grpc_listen_port: 9095
-    grpc_listen_conn_limit: 0
-    tls_cipher_suites: ""
-    tls_min_version: ""
-    http_tls_config:
-        cert: ""
-        key: null
-        client_ca: ""
-        cert_file: ""
-        key_file: ""
-        client_auth_type: ""
-        client_ca_file: ""
-    grpc_tls_config:
-        cert: ""
-        key: null
-        client_ca: ""
-        cert_file: ""
-        key_file: ""
-        client_auth_type: ""
-        client_ca_file: ""
-    register_instrumentation: true
-    report_grpc_codes_in_instrumentation_label_enabled: false
-    graceful_shutdown_timeout: 30s
-    http_server_read_timeout: 30s
-    http_server_read_header_timeout: 0s
-    http_server_write_timeout: 30s
-    http_server_idle_timeout: 2m0s
-    http_log_closed_connections_without_response_enabled: false
-    grpc_server_max_recv_msg_size: 16777216
-    grpc_server_max_send_msg_size: 16777216
-    grpc_server_max_concurrent_streams: 100
-    grpc_server_max_connection_idle: 2562047h47m16.854775807s
-    grpc_server_max_connection_age: 2562047h47m16.854775807s
-    grpc_server_max_connection_age_grace: 2562047h47m16.854775807s
-    grpc_server_keepalive_time: 2h0m0s
-    grpc_server_keepalive_timeout: 20s
-    grpc_server_min_time_between_pings: 10s
-    grpc_server_ping_without_stream_allowed: true
-    grpc_server_num_workers: 0
-    log_format: logfmt
-    log_level: info
-    log_source_ips_enabled: false
-    log_source_ips_header: ""
-    log_source_ips_regex: ""
-    log_request_headers: false
-    log_request_at_info_level_enabled: false
-    log_request_exclude_headers_list: ""
-    http_path_prefix: ""
-internal_server:
-    http_listen_network: tcp
-    http_listen_address: ""
-    http_listen_port: 3101
-    http_listen_conn_limit: 0
-    grpc_listen_network: ""
-    grpc_listen_address: ""
-    grpc_listen_port: 0
-    grpc_listen_conn_limit: 0
-    tls_cipher_suites: ""
-    tls_min_version: ""
-    http_tls_config:
-        cert: ""
-        key: null
-        client_ca: ""
-        cert_file: ""
-        key_file: ""
-        client_auth_type: ""
-        client_ca_file: ""
-    grpc_tls_config:
-        cert: ""
-        key: null
-        client_ca: ""
-        cert_file: ""
-        key_file: ""
-        client_auth_type: ""
-        client_ca_file: ""
-    register_instrumentation: false
-    report_grpc_codes_in_instrumentation_label_enabled: false
-    graceful_shutdown_timeout: 30s
-    http_server_read_timeout: 30s
-    http_server_read_header_timeout: 0s
-    http_server_write_timeout: 30s
-    http_server_idle_timeout: 2m0s
-    http_log_closed_connections_without_response_enabled: false
-    grpc_server_max_recv_msg_size: 0
-    grpc_server_max_send_msg_size: 0
-    grpc_server_max_concurrent_streams: 0
-    grpc_server_max_connection_idle: 0s
-    grpc_server_max_connection_age: 0s
-    grpc_server_max_connection_age_grace: 0s
-    grpc_server_keepalive_time: 0s
-    grpc_server_keepalive_timeout: 0s
-    grpc_server_min_time_between_pings: 0s
-    grpc_server_ping_without_stream_allowed: false
-    grpc_server_num_workers: 0
-    log_format: logfmt
-    log_level: info
-    log_source_ips_enabled: false
-    log_source_ips_header: ""
-    log_source_ips_regex: ""
-    log_request_headers: false
-    log_request_at_info_level_enabled: false
-    log_request_exclude_headers_list: ""
-    http_path_prefix: ""
-    enable: false
-distributor:
-    ring:
-        kvstore:
-            store: memberlist
-            prefix: collectors/
-            consul:
-                host: localhost:8500
-                acl_token: ""
-                http_client_timeout: 20s
-                consistent_reads: false
-                watch_rate_limit: 1
-                watch_burst_size: 1
-                cas_retry_delay: 1s
-            etcd:
-                endpoints: []
-                dial_timeout: 10s
-                max_retries: 10
-                tls_enabled: false
-                tls_cert_path: ""
-                tls_key_path: ""
-                tls_ca_path: ""
-                tls_server_name: ""
-                tls_insecure_skip_verify: false
-                tls_cipher_suites: ""
-                tls_min_version: ""
-                username: ""
-                password: ""
-            multi:
-                primary: ""
-                secondary: ""
-                mirror_enabled: false
-                mirror_timeout: 2s
-        heartbeat_period: 5s
-        heartbeat_timeout: 5m0s
-        instance_id: local-instance
-        instance_interface_names:
-            - eth0
-            - en0
-        instance_port: 0
-        instance_addr: ""
-    receivers: {}
-    override_ring_key: distributor
-    forwarders: []
-    extend_writes: true
-    retry_after_on_resource_exhausted: 0s
-ingester_client:
-    pool_config:
-        checkinterval: 15s
-        healthcheckenabled: true
-        healthchecktimeout: 1s
-        maxconcurrenthealthchecks: 0
-    remote_timeout: 5s
-    grpc_client_config:
-        max_recv_msg_size: 104857600
-        max_send_msg_size: 104857600
-        grpc_compression: snappy
-        rate_limit: 0
-        rate_limit_burst: 0
-        backoff_on_ratelimits: false
-        backoff_config:
-            min_period: 100ms
-            max_period: 10s
-            max_retries: 10
-        initial_stream_window_size: 63KiB1023B
-        initial_connection_window_size: 63KiB1023B
-        tls_enabled: false
-        tls_cert_path: ""
-        tls_key_path: ""
-        tls_ca_path: ""
-        tls_server_name: ""
-        tls_insecure_skip_verify: false
-        tls_cipher_suites: ""
-        tls_min_version: ""
-        connect_timeout: 5s
-        connect_backoff_base_delay: 1s
-        connect_backoff_max_delay: 5s
-metrics_generator_client:
-    pool_config:
-        checkinterval: 15s
-        healthcheckenabled: true
-        healthchecktimeout: 1s
-        maxconcurrenthealthchecks: 0
-    remote_timeout: 5s
-    grpc_client_config:
-        max_recv_msg_size: 104857600
-        max_send_msg_size: 104857600
-        grpc_compression: snappy
-        rate_limit: 0
-        rate_limit_burst: 0
-        backoff_on_ratelimits: false
-        backoff_config:
-            min_period: 100ms
-            max_period: 10s
-            max_retries: 10
-        initial_stream_window_size: 63KiB1023B
-        initial_connection_window_size: 63KiB1023B
-        tls_enabled: false
-        tls_cert_path: ""
-        tls_key_path: ""
-        tls_ca_path: ""
-        tls_server_name: ""
-        tls_insecure_skip_verify: false
-        tls_cipher_suites: ""
-        tls_min_version: ""
-        connect_timeout: 5s
-        connect_backoff_base_delay: 1s
-        connect_backoff_max_delay: 5s
-querier:
-    search:
-        query_timeout: 30s
-        prefer_self: 10
-        external_hedge_requests_at: 8s
-        external_hedge_requests_up_to: 2
-        external_backend: ""
-        google_cloud_run: null
-        external_endpoints: []
-    trace_by_id:
-        query_timeout: 10s
-    max_concurrent_queries: 20
-    frontend_worker:
-        frontend_address: 127.0.0.1:9095
-        dns_lookup_duration: 10s
-        parallelism: 2
-        match_max_concurrent: true
-        id: ""
-        grpc_client_config:
-            max_recv_msg_size: 104857600
-            max_send_msg_size: 16777216
-            grpc_compression: gzip
-            rate_limit: 0
-            rate_limit_burst: 0
-            backoff_on_ratelimits: false
-            backoff_config:
-                min_period: 100ms
-                max_period: 1s
-                max_retries: 5
-            initial_stream_window_size: 0B
-            initial_connection_window_size: 0B
-            tls_enabled: false
-            tls_cert_path: ""
-            tls_key_path: ""
-            tls_ca_path: ""
-            tls_server_name: ""
-            tls_insecure_skip_verify: false
-            tls_cipher_suites: ""
-            tls_min_version: ""
-            connect_timeout: 0s
-            connect_backoff_base_delay: 0s
-            connect_backoff_max_delay: 0s
-    query_relevant_ingesters: false
-query_frontend:
-    max_outstanding_per_tenant: 2000
-    querier_forget_delay: 0s
-    max_batch_size: 5
-    max_retries: 2
-    search:
-        concurrent_jobs: 1000
-        target_bytes_per_job: 104857600
-        default_result_limit: 20
-        max_result_limit: 0
-        max_duration: 168h0m0s
-        query_backend_after: 15m0s
-        query_ingesters_until: 30m0s
-    trace_by_id:
-        query_shards: 50
-        hedge_requests_at: 2s
-        hedge_requests_up_to: 2
-    metrics:
-        concurrent_jobs: 1000
-        target_bytes_per_job: 104857600
-        max_duration: 0s
-        query_backend_after: 1h0m0s
-        interval: 5m0s
-    multi_tenant_queries_enabled: true
-compactor:
-    ring:
-        kvstore:
-            store: ""
-            prefix: collectors/
-            consul:
-                host: localhost:8500
-                acl_token: ""
-                http_client_timeout: 20s
-                consistent_reads: false
-                watch_rate_limit: 1
-                watch_burst_size: 1
-                cas_retry_delay: 1s
-            etcd:
-                endpoints: []
-                dial_timeout: 10s
-                max_retries: 10
-                tls_enabled: false
-                tls_cert_path: ""
-                tls_key_path: ""
-                tls_ca_path: ""
-                tls_server_name: ""
-                tls_insecure_skip_verify: false
-                tls_cipher_suites: ""
-                tls_min_version: ""
-                username: ""
-                password: ""
-            multi:
-                primary: ""
-                secondary: ""
-                mirror_enabled: false
-                mirror_timeout: 2s
-        heartbeat_period: 5s
-        heartbeat_timeout: 1m0s
-        wait_stability_min_duration: 1m0s
-        wait_stability_max_duration: 5m0s
-        instance_id: local-instance
-        instance_interface_names:
-            - eth0
-            - en0
-        instance_port: 0
-        instance_addr: ""
-        enable_inet6: false
-        wait_active_instance_timeout: 10m0s
-    compaction:
-        v2_in_buffer_bytes: 5242880
-        v2_out_buffer_bytes: 20971520
-        v2_prefetch_traces_count: 1000
-        compaction_window: 1h0m0s
-        max_compaction_objects: 6000000
-        max_block_bytes: 107374182400
-        block_retention: 336h0m0s
-        compacted_block_retention: 1h0m0s
-        retention_concurrency: 10
-        max_time_per_tenant: 5m0s
-        compaction_cycle: 30s
-    override_ring_key: compactor
-ingester:
-    lifecycler:
-        ring:
-            kvstore:
-                store: inmemory
-                prefix: collectors/
-                consul:
-                    host: localhost:8500
-                    acl_token: ""
-                    http_client_timeout: 20s
-                    consistent_reads: false
-                    watch_rate_limit: 1
-                    watch_burst_size: 1
-                    cas_retry_delay: 1s
-                etcd:
-                    endpoints: []
-                    dial_timeout: 10s
-                    max_retries: 10
-                    tls_enabled: false
-                    tls_cert_path: ""
-                    tls_key_path: ""
-                    tls_ca_path: ""
-                    tls_server_name: ""
-                    tls_insecure_skip_verify: false
-                    tls_cipher_suites: ""
-                    tls_min_version: ""
-                    username: ""
-                    password: ""
-                multi:
-                    primary: ""
-                    secondary: ""
-                    mirror_enabled: false
-                    mirror_timeout: 2s
-            heartbeat_timeout: 5m0s
-            replication_factor: 1
-            zone_awareness_enabled: false
-            excluded_zones: ""
-        num_tokens: 128
-        heartbeat_period: 5s
-        heartbeat_timeout: 1m0s
-        observe_period: 0s
-        join_after: 0s
-        min_ready_duration: 15s
-        interface_names:
-            - en0
-            - bridge100
-        enable_inet6: false
-        final_sleep: 0s
-        tokens_file_path: ""
-        availability_zone: ""
-        unregister_on_shutdown: true
-        readiness_check_ring_health: true
-        address: 127.0.0.1
-        port: 0
-        id: local-instance
-    concurrent_flushes: 4
-    flush_check_period: 10s
-    flush_op_timeout: 5m0s
-    trace_idle_period: 10s
-    max_block_duration: 30m0s
-    max_block_bytes: 524288000
-    complete_block_timeout: 15m0s
-    override_ring_key: ring
-    flush_all_on_shutdown: false
-metrics_generator:
-    ring:
-        kvstore:
-            store: inmemory
-            prefix: collectors/
-            consul:
-                host: localhost:8500
-                acl_token: ""
-                http_client_timeout: 20s
-                consistent_reads: false
-                watch_rate_limit: 1
-                watch_burst_size: 1
-                cas_retry_delay: 1s
-            etcd:
-                endpoints: []
-                dial_timeout: 10s
-                max_retries: 10
-                tls_enabled: false
-                tls_cert_path: ""
-                tls_key_path: ""
-                tls_ca_path: ""
-                tls_server_name: ""
-                tls_insecure_skip_verify: false
-                tls_cipher_suites: ""
-                tls_min_version: ""
-                username: ""
-                password: ""
-            multi:
-                primary: ""
-                secondary: ""
-                mirror_enabled: false
-                mirror_timeout: 2s
-        heartbeat_period: 5s
-        heartbeat_timeout: 1m0s
-        instance_id: local-instance
-        instance_interface_names:
-            - eth0
-            - en0
-        instance_addr: 127.0.0.1
-        instance_port: 0
-        enable_inet6: false
-    processor:
-        service_graphs:
-            wait: 10s
-            max_items: 10000
-            workers: 10
-            histogram_buckets:
-                - 0.1
-                - 0.2
-                - 0.4
-                - 0.8
-                - 1.6
-                - 3.2
-                - 6.4
-                - 12.8
-            dimensions: []
-            enable_client_server_prefix: false
-            peer_attributes:
-                - peer.service
-                - db.name
-                - db.system
-            span_multiplier_key: ""
-        span_metrics:
-            histogram_buckets:
-                - 0.002
-                - 0.004
-                - 0.008
-                - 0.016
-                - 0.032
-                - 0.064
-                - 0.128
-                - 0.256
-                - 0.512
-                - 1.024
-                - 2.048
-                - 4.096
-                - 8.192
-                - 16.384
-            intrinsic_dimensions:
-                service: true
-                span_name: true
-                span_kind: true
-                status_code: true
-            dimensions: []
-            dimension_mappings: []
-            enable_target_info: false
-            span_multiplier_key: ""
-            subprocessors:
-                0: true
-                1: true
-                2: true
-            filter_policies: []
-            target_info_excluded_dimensions: []
-        local_blocks:
-            block:
-                bloom_filter_false_positive: 0.01
-                bloom_filter_shard_size_bytes: 102400
-                version: vParquet3
-                search_encoding: snappy
-                search_page_size_bytes: 1048576
-                v2_index_downsample_bytes: 1048576
-                v2_index_page_size_bytes: 256000
-                v2_encoding: zstd
-                parquet_row_group_size_bytes: 100000000
-                parquet_dedicated_columns: []
-            search:
-                chunk_size_bytes: 1000000
-                prefetch_trace_count: 1000
-                read_buffer_count: 32
-                read_buffer_size_bytes: 1048576
-                cache_control:
-                    footer: false
-                    column_index: false
-                    offset_index: false
-            flush_check_period: 10s
-            trace_idle_period: 10s
-            max_block_duration: 1m0s
-            max_block_bytes: 500000000
-            complete_block_timeout: 1h0m0s
-            max_live_traces: 0
-            concurrent_blocks: 10
-            filter_server_spans: true
-    registry:
-        collection_interval: 15s
-        stale_duration: 15m0s
-        max_label_name_length: 1024
-        max_label_value_length: 2048
-    storage:
-        path: ""
-        wal:
-            wal_segment_size: 134217728
-            wal_compression: none
-            stripe_size: 16384
-            truncate_frequency: 2h0m0s
-            min_wal_time: 300000
-            max_wal_time: 14400000
-            no_lockfile: false
-        remote_write_flush_deadline: 1m0s
-        remote_write_add_org_id_header: true
-    traces_storage:
-        path: ""
-        completedfilepath: ""
-        blocksfilepath: ""
-        v2_encoding: none
-        search_encoding: none
-        ingestion_time_range_slack: 0s
-        version: vParquet3
-    metrics_ingestion_time_range_slack: 30s
-    query_timeout: 30s
-    override_ring_key: metrics-generator
-storage:
-    trace:
-        pool:
-            max_workers: 400
-            queue_depth: 20000
-        wal:
-            path: /tmp/tempo/wal
-            completedfilepath: /tmp/tempo/wal/completed
-            blocksfilepath: /tmp/tempo/wal/blocks
-            v2_encoding: snappy
-            search_encoding: none
-            ingestion_time_range_slack: 2m0s
-            version: vParquet3
-        block:
-            bloom_filter_false_positive: 0.01
-            bloom_filter_shard_size_bytes: 102400
-            version: vParquet3
-            search_encoding: snappy
-            search_page_size_bytes: 1048576
-            v2_index_downsample_bytes: 1048576
-            v2_index_page_size_bytes: 256000
-            v2_encoding: zstd
-            parquet_row_group_size_bytes: 100000000
-            parquet_dedicated_columns: []
-        search:
-            chunk_size_bytes: 1000000
-            prefetch_trace_count: 1000
-            read_buffer_count: 32
-            read_buffer_size_bytes: 1048576
-            cache_control:
-                footer: false
-                column_index: false
-                offset_index: false
-        blocklist_poll: 5m0s
-        blocklist_poll_concurrency: 50
-        blocklist_poll_fallback: true
-        blocklist_poll_tenant_index_builders: 2
-        blocklist_poll_stale_tenant_index: 0s
-        blocklist_poll_jitter_ms: 0
-        blocklist_poll_tolerate_consecutive_errors: 1
-        backend: local
-        local:
-            path: /tmp/tempo/traces
-        gcs:
-            bucket_name: ""
-            prefix: ""
-            chunk_buffer_size: 10485760
-            endpoint: ""
-            hedge_requests_at: 0s
-            hedge_requests_up_to: 2
-            insecure: false
-            object_cache_control: ""
-            object_metadata: {}
-            list_blocks_concurrency: 3
-        s3:
-            tls_cert_path: ""
-            tls_key_path: ""
-            tls_ca_path: ""
-            tls_server_name: ""
-            tls_insecure_skip_verify: false
-            tls_cipher_suites: ""
-            tls_min_version: VersionTLS12
-            bucket: ""
-            prefix: ""
-            endpoint: ""
-            region: ""
-            access_key: ""
-            secret_key: ""
-            session_token: ""
-            insecure: false
-            part_size: 0
-            hedge_requests_at: 0s
-            hedge_requests_up_to: 2
-            signature_v2: false
-            forcepathstyle: false
-            bucket_lookup_type: 0
-            tags: {}
-            storage_class: ""
-            metadata: {}
-            native_aws_auth_enabled: false
-            list_blocks_concurrency: 3
-        azure:
-            storage_account_name: ""
-            storage_account_key: ""
-            use_managed_identity: false
-            use_federated_token: false
-            user_assigned_id: ""
-            container_name: ""
-            prefix: ""
-            endpoint_suffix: blob.core.windows.net
-            max_buffers: 4
-            buffer_size: 3145728
-            hedge_requests_at: 0s
-            hedge_requests_up_to: 2
-            use_v2_sdk: false
-        cache: ""
-        background_cache:
-            writeback_goroutines: 10
-            writeback_buffer: 10000
-        memcached: null
-        redis: null
-        cache_min_compaction_level: 0
-        cache_max_block_age: 0s
-overrides:
-    defaults:
-        ingestion:
-            rate_strategy: local
-            rate_limit_bytes: 15000000
-            burst_size_bytes: 20000000
-            max_traces_per_user: 10000
-        read:
-            max_bytes_per_tag_values_query: 5000000
-        global:
-            max_bytes_per_trace: 5000000
-    per_tenant_override_config: ""
-    per_tenant_override_period: 10s
-    user_configurable_overrides:
-        enabled: false
-        poll_interval: 1m0s
-        client:
-            backend: ""
-            confirm_versioning: true
-            local:
-                path: ""
-            gcs:
-                bucket_name: ""
-                prefix: ""
-                chunk_buffer_size: 10485760
-                endpoint: ""
-                hedge_requests_at: 0s
-                hedge_requests_up_to: 2
-                insecure: false
-                object_cache_control: ""
-                object_metadata: {}
-                list_blocks_concurrency: 3
-            s3:
-                tls_cert_path: ""
-                tls_key_path: ""
-                tls_ca_path: ""
-                tls_server_name: ""
-                tls_insecure_skip_verify: false
-                tls_cipher_suites: ""
-                tls_min_version: VersionTLS12
-                bucket: ""
-                prefix: ""
-                endpoint: ""
-                region: ""
-                access_key: ""
-                secret_key: ""
-                session_token: ""
-                insecure: false
-                part_size: 0
-                hedge_requests_at: 0s
-                hedge_requests_up_to: 2
-                signature_v2: false
-                forcepathstyle: false
-                bucket_lookup_type: 0
-                tags: {}
-                storage_class: ""
-                metadata: {}
-                native_aws_auth_enabled: false
-                list_blocks_concurrency: 3
-            azure:
-                storage_account_name: ""
-                storage_account_key: ""
-                use_managed_identity: false
-                use_federated_token: false
-                user_assigned_id: ""
-                container_name: ""
-                prefix: ""
-                endpoint_suffix: blob.core.windows.net
-                max_buffers: 4
-                buffer_size: 3145728
-                hedge_requests_at: 0s
-                hedge_requests_up_to: 2
-                use_v2_sdk: false
-        api:
-            check_for_conflicting_runtime_overrides: false
-memberlist:
-    node_name: ""
-    randomize_node_name: true
-    stream_timeout: 2s
-    retransmit_factor: 2
-    pull_push_interval: 30s
-    gossip_interval: 1s
-    gossip_nodes: 2
-    gossip_to_dead_nodes_time: 30s
-    dead_node_reclaim_time: 0s
-    compression_enabled: false
-    advertise_addr: ""
-    advertise_port: 7946
-    cluster_label: ""
-    cluster_label_verification_disabled: false
-    join_members: []
-    min_join_backoff: 1s
-    max_join_backoff: 1m0s
-    max_join_retries: 10
-    abort_if_cluster_join_fails: false
-    rejoin_interval: 0s
-    left_ingesters_timeout: 5m0s
-    leave_timeout: 20s
-    message_history_buffer_bytes: 0
-    bind_addr: []
-    bind_port: 7946
-    packet_dial_timeout: 2s
-    packet_write_timeout: 5s
-    tls_enabled: false
-    tls_cert_path: ""
-    tls_key_path: ""
-    tls_ca_path: ""
-    tls_server_name: ""
-    tls_insecure_skip_verify: false
-    tls_cipher_suites: ""
-    tls_min_version: ""
-usage_report:
-    reporting_enabled: true
-    backoff:
-        min_period: 100ms
-        max_period: 10s
-        max_retries: 0
-cache:
-    background:
-        writeback_goroutines: 10
-        writeback_buffer: 10000
-    caches: []
@@ -1,54 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-
-server:
-  http_listen_port: 3200
-
-distributor:
-  receivers:                           # this configuration will listen on all ports and protocols that tempo is capable of.
-    jaeger:                            # the receives all come from the OpenTelemetry collector.  more configuration information can
-      protocols:                       # be found there: https://github.com/open-telemetry/opentelemetry-collector/tree/main/receiver
-        thrift_http:                   #
-        grpc:                          # for a production deployment you should only enable the receivers you need!
-        thrift_binary:
-        thrift_compact:
-    zipkin:
-    otlp:
-      protocols:
-        http:
-        grpc:
-    opencensus:
-
-ingester:
-  max_block_duration: 5m               # cut the headblock when this much time passes. this is being set for demo purposes and should probably be left alone normally
-
-compactor:
-  compaction:
-    block_retention: 1h                # overall Tempo trace retention. set for demo purposes
-
-# metrics_generator:
-#   registry:
-#     external_labels:
-#       source: tempo
-#       cluster: docker-compose
-#   storage:
-#     path: /tmp/tempo/generator/wal
-#     remote_write:
-#       - url: http://grafana-alloy:12345/api/v1/write
-#         send_exemplars: true
-
-storage:
-  trace:
-    backend: s3                        # backend configuration to use
-    wal:
-      path: /tmp/tempo/wal             # where to store the the wal locally
-    s3:
-      bucket: tempo                    # how to store data in s3
-      endpoint: minio:9000
-      access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }}
-      secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_SECRET_KEY'] }}
-      insecure: true
-
-usage_report:
-  reporting_enabled: false
@@ -0,0 +1,22 @@
+ui = true
+disable_clustering = true
+log_level = "debug"
+api_addr = "http://127.0.0.1:8200"
+// storage "raft" {
+//   path = "/path/to/raft/data"
+//   node_id = "raft_node_id"
+// }
+
+storage "s3" {
+    endpoint = "minio:9000"
+    bucket = "secrets-vault"
+    region = "us-east-fh-pln"
+    s3_force_path_style = "true"
+    disable_ssl = "true"
+}
+
+listener "tcp" {
+  address = "0.0.0.0:8200"
+  proxy_protocol_behavior = "use_always"
+  tls_disable = 1
+}
@@ -23,10 +23,10 @@ provider: duckduckgo
 layout:
  System Administration:
    style: row
-    columns: 4
+    columns: 5
  Infrastructure/App Performance Monitoring:
    style: row
-    columns: 3
+    columns: 5
  Code/DevOps:
    style: row
    columns: 3
@@ -35,22 +35,25 @@ layout:
    columns: 4
  Lifestyle:
    style: row
-    columns: 3
+    columns: 5
  Automation:
    style: row
    columns: 5
  Privacy/Security:
    style: row
    columns: 5
-  Personal/Professional Services:
+  Personal Tools:
+    style: row
+    columns: 4
+  Professional Services:
    style: row
    columns: 5
  Servarr Stack:
    style: row
-    columns: 3
+    columns: 5
  Downloaders:
    style: row
-    columns: 2
+    columns: 5
  Media Library:
    style: row
    columns: 3
@@ -1,22 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-
---
-# For configuration options and examples, please see:
-# https://gethomepage.dev/en/configs/bookmarks
-
-#- Developer:
-#    - Github:
-#        - abbr: GH
-#          href: https://github.com/
-#
-#- Social:
-#    - Reddit:
-#        - abbr: RE
-#          href: https://reddit.com/
-#
-#- Entertainment:
-#    - YouTube:
-#        - abbr: YT
-#          href: https://youtube.com/
@@ -1,15 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-
---
-# For configuration options and examples, please see:
-# https://gethomepage.dev/en/configs/docker/
-
-# my-docker:
-#   host: 127.0.0.1
-#   port: 2375
-
- my-docker:
-   host: dockerproxy
-   port: 2375
@@ -1,6 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-
---
-# sample kubernetes config
@@ -1,33 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
---
-# For configuration options and examples, please see:
-# https://gethomepage.dev/en/configs/services
-
-#- My First Group:
-#    - My First Service:
-#        href: http://localhost/
-#        description: Homepage is awesome
-#
-#- My Second Group:
-#    - My Second Service:
-#        href: http://localhost/
-#        description: Homepage is the best
-#
-#- My Third Group:
-#    - My Third Service:
-#        href: http://localhost/
-#        description: Homepage is 😎
-
- Automation:
-    - Home Assistant (Rikku):
-        href: https://ha.trez.wtf
-        description: Smart Home
-        icon: home-assistant.png
-        weight: 0
-        widget:
-            type: homeassistant
-            url: http://192.168.1.252:8123
-            key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }}
-
@@ -1,56 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
---
-# For configuration options and examples, please see:
-# https://gethomepage.dev/en/configs/settings
-
-providers:
-  openweathermap: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
-  # weatherapi: weatherapiapikey
-title: Rinoa Dashboard (trez.WTF)
-headerStyle: underlined
-color: slate
-showStats: false
-statusStyle: "dot"
-favicon: /icons/favicon.ico
-useEqualHeights: true
-hideErrors: false
-searchDescriptions: true
-showSearchSuggestions: true
-provider: duckduckgo
-
-layout:
-  System Administration:
-    style: row
-    columns: 4
-  Infrastructure/App Performance Monitoring:
-    style: row
-    columns: 3
-  Code/DevOps:
-    style: row
-    columns: 3
-  Social:
-    style: row
-    columns: 4
-  Lifestyle:
-    style: row
-    columns: 3
-  Automation:
-    style: row
-    columns: 5
-  Privacy/Security:
-    style: row
-    columns: 5
-  Personal/Professional Services:
-    style: row
-    columns: 5
-  Servarr Stack:
-    style: row
-    columns: 3
-  Downloaders:
-    style: row
-    columns: 2
-  Media Library:
-    style: row
-    columns: 3
@@ -1,33 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
---
-# For configuration options and examples, please see:
-# https://gethomepage.dev/en/configs/widgets
-
- resources:
-    label: System
-    cpu: true
-    memory: true
-    cputemp: true
-    uptime: true
-
- resources:
-    label: Storage
-    expanded: true
-    disk:
-        - /
-        - /rinoa-storage
-
- search:
-    provider: custom
-    url: https://search.trez.wtf/search?q=
-    target: _blank
-
- openweathermap:
-    label: New York
-    latitude: 40.72
-    longitude: -73.85
-    units: imperial
-    provider: openweathermap
-    cache: 10
@@ -1,952 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-#########################################
-#
-#  Database and other external servers
-#
-#########################################
-
-##
-## Database configuration with separate parameters.
-## This setting is MANDATORY, unless 'database_url' is used.
-##
-db:
-  user: kemal
-  host: invidious-db
-  port: 5432
-  dbname: invidious
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PG_DB_PASSWORD'] }}
-
-##
-## Database configuration using a single URI. This is an
-## alternative to the 'db' parameter above. If both forms
-## are used, then only database_url is used.
-## This setting is MANDATORY, unless 'db' is used.
-##
-## Note: The 'database_url' setting allows the use of UNIX
-## sockets. To do so, remove the IP address (or FQDN) and port
-## and append the 'host' parameter. E.g:
-##   postgres://kemal:kemal@/invidious?host=/var/run/postgresql
-##
-## Accepted values: a postgres:// URI
-## Default: postgres://kemal:kemal@localhost:5432/invidious
-##
-#database_url: postgres://kemal:kemal@localhost:5432/invidious
-
-##
-## Enable automatic table integrity check. This will create
-## the required tables and columns if anything is missing.
-##
-## Accepted values: true, false
-## Default: false
-##
-check_tables: true
-
-
-##
-## Path to an external signature resolver, used to emulate
-## the Youtube client's Javascript. If no such server is
-## available, some videos will not be playable.
-##
-## When this setting is commented out, no external
-## resolver will be used.
-##
-## Accepted values: a path to a UNIX socket or "<IP>:<Port>"
-## Default: <none>
-##
-signature_server: invidious-sig-helper:12999
-
-
-#########################################
-#
-#  Server config
-#
-#########################################
-
-# -----------------------------
-#  Network (inbound)
-# -----------------------------
-
-##
-## Port to listen on for incoming connections.
-##
-## Note: Ports lower than 1024 requires either root privileges
-## (not recommended) or the "CAP_NET_BIND_SERVICE" capability
-## (See https://stackoverflow.com/a/414258 and `man capabilities`)
-##
-## Accepted values: 1-65535
-## Default: 3000
-##
-#port: 3000
-
-##
-## When the invidious instance is behind a proxy, and the proxy
-## listens on a different port than the instance does, this lets
-## invidious know about it. This is used to craft absolute URLs
-## to the instance (e.g in the API).
-##
-## Note: This setting is MANDATORY if invidious is behind a
-## reverse proxy.
-##
-## Accepted values: 1-65535
-## Default: <none>
-##
-#external_port:
-
-##
-## Interface address to listen on for incoming connections.
-##
-## Accepted values: a valid IPv4 or IPv6 address.
-## default: 0.0.0.0  (listen on all interfaces)
-##
-#host_binding: 0.0.0.0
-
-##
-## Domain name under which this instance is hosted. This is
-## used to craft absolute URLs to the instance (e.g in the API).
-## The domain MUST be defined if your instance is accessed from
-## a domain name (like 'example.com').
-##
-## Accepted values: a fully qualified domain name (FQDN)
-## Default: <none>
-##
-# domain:
-
-##
-## Tell Invidious that it is behind a proxy that provides only
-## HTTPS, so all links must use the https:// scheme. This
-## setting MUST be set to true if invidious is behind a
-## reverse proxy serving HTTPs.
-##
-## Accepted values: true, false
-## Default: false
-##
-https_only: false
-
-##
-## Enable/Disable 'Strict-Transport-Security'. Make sure that
-## the domain specified under 'domain' is served securely.
-##
-## Accepted values: true, false
-## Default: true
-##
-#hsts: true
-
-
-# -----------------------------
-#  Network (outbound)
-# -----------------------------
-
-##
-## Disable proxying server-wide. Can be disable as a whole, or
-## only for a single function.
-##
-## Accepted values: true, false, dash, livestreams, downloads, local
-## Default: false
-##
-#disable_proxy: false
-
-##
-## Size of the HTTP pool used to connect to youtube. Each
-## domain ('youtube.com', 'ytimg.com', ...) has its own pool.
-##
-## Accepted values: a positive integer
-## Default: 100
-##
-#pool_size: 100
-
-
-##
-## Additional cookies to be sent when requesting the youtube API.
-##
-## Accepted values: a string in the format "name1=value1; name2=value2..."
-## Default: <none>
-##
-#cookies:
-
-##
-## Force connection to youtube over a specific IP family.
-##
-## Note: This may sometimes resolve issues involving rate-limiting.
-## See https://github.com/ytdl-org/youtube-dl/issues/21729.
-##
-## Accepted values: ipv4, ipv6
-## Default: <none>
-##
-#force_resolve:
-
-##
-## Configuration for using a HTTP proxy
-##
-## If unset, then no HTTP proxy will be used.
-## 
-#http_proxy:
-#  user:
-#  password:
-#  host:
-#  port:
-
-
-##
-## Use Innertube's transcripts API instead of timedtext for closed captions
-##
-## Useful for larger instances as InnerTube is **not ratelimited**. See https://github.com/iv-org/invidious/issues/2567
-##
-## Subtitle experience may differ slightly on Invidious.
-##
-## Accepted values: true, false
-## Default: false
-##
-# use_innertube_for_captions: false
-
-##
-## Send Google session informations. This is useful when Invidious is blocked
-## by the message "This helps protect our community."
-## See https://github.com/iv-org/invidious/issues/4734.
-##
-## Warning: These strings gives much more identifiable information to Google!
-##
-## Accepted values: String
-## Default: <none>
-##
-po_token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PO_TOKEN'] }}
-visitor_data: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_VISITOR_DATA'] }}
-
-# -----------------------------
-#  Logging
-# -----------------------------
-
-##
-## Path to log file. Can be absolute or relative to the invidious
-## binary. This is overridden if "-o OUTPUT" or "--output=OUTPUT"
-## are passed on the command line.
-##
-## Accepted values: a filesystem path or 'STDOUT'
-## Default: STDOUT
-##
-#output: STDOUT
-
-##
-## Logging Verbosity. This is overridden if "-l LEVEL" or
-## "--log-level=LEVEL" are passed on the command line.
-##
-## Accepted values: All, Trace, Debug, Info, Warn, Error, Fatal, Off
-## Default: Info
-##
-#log_level: Info
-
-##
-## Enables colors in logs. Useful for debugging purposes
-## This is overridden if "-k" or "--colorize"
-## are passed on the command line.
-## Colors are also disabled if the environment variable
-## NO_COLOR is present and has any value
-##
-## Accepted values: true, false
-## Default: true
-##
-#colorize_logs: false
-
-# -----------------------------
-#  Features
-# -----------------------------
-
-##
-## Enable/Disable the "Popular" tab on the main page.
-##
-## Accepted values: true, false
-## Default: true
-##
-#popular_enabled: true
-
-##
-## Enable/Disable statstics (available at /api/v1/stats).
-## The following data is available:
-##   - Software name ("invidious") and version+branch (same data as
-##     displayed in the footer, e.g: "2021.05.13-75e5b49" / "master")
-##   - The value of the 'registration_enabled' config (true/false)
-##   - Number of currently registered users
-##   - Number of registered users who connected in the last month
-##   - Number of registered users who connected in the last 6 months
-##   - Timestamp of the last server restart
-##   - Timestamp of the last "Channel Refresh" job execution
-##
-## Warning: This setting MUST be set to true if you plan to run
-## a public instance. It is used by api.invidious.io to refresh
-## your instance's status.
-##
-## Accepted values: true, false
-## Default: false
-##
-#statistics_enabled: false
-
-
-# -----------------------------
-#  Users and accounts
-# -----------------------------
-
-##
-## Allow/Forbid Invidious (local) account creation. Invidious
-## accounts allow users to subscribe to channels and to create
-## playlists without a Google account.
-##
-## Accepted values: true, false
-## Default: true
-##
-#registration_enabled: true
-
-##
-## Allow/Forbid users to log-in.
-##
-## Accepted values: true, false
-## Default: true
-##
-#login_enabled: true
-
-##
-## Enable/Disable the captcha challenge on the login page.
-##
-## Note: this is a basic captcha challenge that doesn't
-## depend on any third parties.
-##
-## Accepted values: true, false
-## Default: true
-##
-#captcha_enabled: true
-
-##
-## List of usernames that will be granted administrator rights.
-## A user with administrator rights will be able to change the
-## server configuration options listed below in /preferences,
-## in addition to the usual user preferences.
-##
-## Server-wide settings:
-##   - popular_enabled
-##   - captcha_enabled
-##   - login_enabled
-##   - registration_enabled
-##   - statistics_enabled
-## Default user preferences:
-##   - default_home
-##   - feed_menu
-##
-## Accepted values: an array of strings
-## Default: [""]
-##
-#admins: [""]
-
-##
-## Enable/Disable the user notifications for all users
-##
-## Note: On large instances, it is recommended to set this option to 'false'
-## in order to reduce the amount of data written to the database, and hence
-## improve the overall performance of the instance.
-##
-## Accepted values: true, false
-## Default: true
-##
-#enable_user_notifications: true
-
-# -----------------------------
-#  Background jobs
-# -----------------------------
-
-##
-## Number of threads to use when crawling channel videos (during
-## subscriptions update).
-##
-## Notes: This setting is overridden if either "-c THREADS" or
-## "--channel-threads=THREADS" is passed on the command line.
-##
-## Accepted values: a positive integer
-## Default: 1
-##
-channel_threads: 1
-
-##
-## Time interval between two executions of the job that crawls
-## channel videos (subscriptions update).
-##
-## Accepted values: a valid time interval (like 1h30m or 90m)
-## Default: 30m
-##
-#channel_refresh_interval: 30m
-
-##
-## Forcefully dump and re-download the entire list of uploaded
-## videos when crawling channel (during subscriptions update).
-##
-## Accepted values: true, false
-## Default: false
-##
-full_refresh: false
-
-##
-## Number of threads to use when updating RSS feeds.
-##
-## Notes: This setting is overridden if either "-f THREADS" or
-## "--feed-threads=THREADS" is passed on the command line.
-##
-## Accepted values: a positive integer
-## Default: 1
-##
-feed_threads: 1
-
-
-jobs:
-
-  ## Options for the database cleaning job
-  clear_expired_items:
-
-    ## Enable/Disable job
-    ##
-    ## Accepted values: true, false
-    ## Default: true
-    ##
-    enable: true
-
-  ## Options for the channels updater job
-  refresh_channels:
-
-    ## Enable/Disable job
-    ##
-    ## Accepted values: true, false
-    ## Default: true
-    ##
-    enable: true
-
-  ## Options for the RSS feeds updater job
-  refresh_feeds:
-
-    ## Enable/Disable job
-    ##
-    ## Accepted values: true, false
-    ## Default: true
-    ##
-    enable: true
-
-
-# -----------------------------
-#  Miscellaneous
-# -----------------------------
-
-##
-## custom banner displayed at the top of every page. This can
-## used for instance announcements, e.g.
-##
-## Accepted values: any string. HTML is accepted.
-## Default: <none>
-##
-#banner:
-
-##
-## Subscribe to channels using PubSubHub (Google PubSubHubbub service).
-## PubSubHub allows Invidious to be instantly notified when a new video
-## is published on any subscribed channels. When PubSubHub is not used,
-## Invidious will check for new videos every minute.
-##
-## Note: This setting is recommended for public instances.
-##
-## Note 2:
-##  - Requires a public instance (it uses /feed/webhook/v1)
-##  - Requires 'domain' and 'hmac_key' to be set.
-##  - Setting this parameter to any number greater than zero will
-##    enable channel subscriptions via PubSubHub, but will limit the
-##    amount of concurrent subscriptions.
-##
-## Accepted values: true, false, a positive integer
-## Default: false
-##
-#use_pubsub_feeds: false
-
-##
-## HMAC signing key used for CSRF tokens, cookies and pubsub
-## subscriptions verification.
-##
-## Note: This parameter is mandatory and should be a random string.
-## Such random string can be generated on linux with the following
-## command: `pwgen 20 1`
-##
-## Accepted values: a string
-## Default: <none>
-##
-hmac_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_HMAC_KEY'] }}
-
-##
-## List of video IDs where the "download" widget must be
-## disabled, in order to comply with DMCA requests.
-##
-## Accepted values: an array of string
-## Default: <none>
-##
-#dmca_content:
-
-##
-## Cache video annotations in the database.
-##
-## Warning: empty annotations or annotations that only contain
-## cards won't be cached.
-##
-## Accepted values: true, false
-## Default: false
-##
-#cache_annotations: false
-
-##
-## Source code URL. If your instance is running a modified source
-## code, you MUST publish it somewhere and set this option.
-##
-## Accepted values: a string
-## Default: <none>
-##
-#modified_source_code_url: ""
-
-##
-## Maximum custom playlist length limit.
-##
-## Accepted values: Integer
-## Default: 500
-##
-#playlist_length_limit: 500
-
-#########################################
-#
-#  Default user preferences
-#
-#########################################
-
-##
-## NOTE: All the settings below define the default user
-## preferences. They will apply to ALL users connecting
-## without a preferences cookie (so either on the first
-## connection to the instance or after clearing the
-## browser's cookies).
-##
-
-default_user_preferences:
-
-  # -----------------------------
-  #  Internationalization
-  # -----------------------------
-
-  ##
-  ## Default user interface language (locale).
-  ##
-  ## Note: When hosting a public instance, overriding the
-  ## default (english) is not recommended, as it may
-  ## people using other languages.
-  ##
-  ## Accepted values:
-  ##   ar      (Arabic)
-  ##   da      (Danish)
-  ##   de      (German)
-  ##   en-US   (english, US)
-  ##   el      (Greek)
-  ##   eo      (Esperanto)
-  ##   es      (Spanish)
-  ##   fa      (Persian)
-  ##   fi      (Finnish)
-  ##   fr      (French)
-  ##   he      (Hebrew)
-  ##   hr      (Hungarian)
-  ##   id      (Indonesian)
-  ##   is      (Icelandic)
-  ##   it      (Italian)
-  ##   ja      (Japanese)
-  ##   nb-NO   (Norwegian, Bokmål)
-  ##   nl      (Dutch)
-  ##   pl      (Polish)
-  ##   pt-BR   (Portuguese, Brazil)
-  ##   pt-PT   (Portuguese, Portugal)
-  ##   ro      (Romanian)
-  ##   ru      (Russian)
-  ##   sv      (Swedish)
-  ##   tr      (Turkish)
-  ##   uk      (Ukrainian)
-  ##   zh-CN   (Chinese, China)  (a.k.a "Simplified Chinese")
-  ##   zh-TW   (Chinese, Taiwan) (a.k.a "Traditional Chinese")
-  ##
-  ## Default: en-US
-  ##
-  #locale: en-US
-
-  ##
-  ## Default geographical location for content.
-  ##
-  ## Accepted values:
-  ##   AE, AR, AT, AU, AZ, BA, BD, BE, BG, BH, BO, BR, BY, CA, CH, CL, CO, CR,
-  ##   CY, CZ, DE, DK, DO, DZ, EC, EE, EG, ES, FI, FR, GB, GE, GH, GR, GT, HK,
-  ##   HN, HR, HU, ID, IE, IL, IN, IQ, IS, IT, JM, JO, JP, KE, KR, KW, KZ, LB,
-  ##   LI, LK, LT, LU, LV, LY, MA, ME, MK, MT, MX, MY, NG, NI, NL, NO, NP, NZ,
-  ##   OM, PA, PE, PG, PH, PK, PL, PR, PT, PY, QA, RO, RS, RU, SA, SE, SG, SI,
-  ##   SK, SN, SV, TH, TN, TR, TW, TZ, UA, UG, US, UY, VE, VN, YE, ZA, ZW
-  ##
-  ## Default: US
-  ##
-  #region: US
-
-  ##
-  ## Top 3 preferred languages for video captions.
-  ##
-  ## Note: overriding the default (no preferred
-  ## caption language) is not recommended, in order
-  ## to not penalize people using other languages.
-  ##
-  ## Accepted values: a three-entries array.
-  ## Each entry can be one of:
-  ##   "English", "English (auto-generated)",
-  ##   "Afrikaans", "Albanian", "Amharic", "Arabic",
-  ##   "Armenian", "Azerbaijani", "Bangla", "Basque",
-  ##   "Belarusian", "Bosnian", "Bulgarian", "Burmese",
-  ##   "Catalan", "Cebuano", "Chinese (Simplified)",
-  ##   "Chinese (Traditional)", "Corsican", "Croatian",
-  ##   "Czech", "Danish", "Dutch", "Esperanto", "Estonian",
-  ##   "Filipino", "Finnish", "French", "Galician", "Georgian",
-  ##   "German", "Greek", "Gujarati", "Haitian Creole", "Hausa",
-  ##   "Hawaiian", "Hebrew", "Hindi", "Hmong", "Hungarian",
-  ##   "Icelandic", "Igbo", "Indonesian", "Irish", "Italian",
-  ##   "Japanese", "Javanese", "Kannada", "Kazakh", "Khmer",
-  ##   "Korean", "Kurdish", "Kyrgyz", "Lao", "Latin", "Latvian",
-  ##   "Lithuanian", "Luxembourgish", "Macedonian",
-  ##   "Malagasy", "Malay", "Malayalam", "Maltese", "Maori",
-  ##   "Marathi", "Mongolian", "Nepali", "Norwegian Bokmål",
-  ##   "Nyanja", "Pashto", "Persian", "Polish", "Portuguese",
-  ##   "Punjabi", "Romanian", "Russian", "Samoan",
-  ##   "Scottish Gaelic", "Serbian", "Shona", "Sindhi",
-  ##   "Sinhala", "Slovak", "Slovenian", "Somali",
-  ##   "Southern Sotho", "Spanish", "Spanish (Latin America)",
-  ##   "Sundanese",  "Swahili", "Swedish", "Tajik", "Tamil",
-  ##   "Telugu", "Thai", "Turkish", "Ukrainian", "Urdu",
-  ##   "Uzbek", "Vietnamese", "Welsh", "Western Frisian",
-  ##   "Xhosa", "Yiddish", "Yoruba", "Zulu"
-  ##
-  ## Default: ["", "", ""]
-  ##
-  #captions: ["", "", ""]
-
-
-  # -----------------------------
-  #  Interface
-  # -----------------------------
-
-  ##
-  ## Enable/Disable dark mode.
-  ##
-  ## Accepted values: "dark", "light", "auto"
-  ## Default: "auto"
-  ##
-  #dark_mode: "auto"
-
-  ##
-  ## Enable/Disable thin mode (no video thumbnails).
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #thin_mode: false
-
-  ##
-  ## List of feeds available on the home page.
-  ##
-  ## Note: "Subscriptions" and "Playlists" are only visible
-  ## when the user is logged in.
-  ##
-  ## Accepted values: A list of strings
-  ## Each entry can be one of: "Popular", "Trending",
-  ##    "Subscriptions", "Playlists"
-  ##
-  ## Default: ["Popular", "Trending", "Subscriptions", "Playlists"]  (show all feeds)
-  ##
-  #feed_menu: ["Popular", "Trending", "Subscriptions", "Playlists"]
-
-  ##
-  ## Default feed to display on the home page.
-  ##
-  ## Note: setting this option to "Popular" has no
-  ## effect when 'popular_enabled' is set to false.
-  ##
-  ## Accepted values: Popular, Trending, Subscriptions, Playlists, <none>
-  ## Default: Popular
-  ##
-  #default_home: Popular
-
-  ##
-  ## Default number of results to display per page.
-  ##
-  ## Note: this affects invidious-generated pages only, such
-  ## as watch history and subscription feeds. Playlists, search
-  ## results and channel videos depend on the data returned by
-  ## the Youtube API.
-  ##
-  ## Accepted values: any positive integer
-  ## Default: 40
-  ##
-  #max_results: 40
-
-  ##
-  ## Show/hide annotations.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #annotations: false
-
-  ##
-  ## Show/hide annotation.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #annotations_subscribed: false
-
-  ##
-  ## Type of comments to display below video.
-  ##
-  ## Accepted values: a two-entries array.
-  ## Each entry can be one of: "youtube", "reddit", ""
-  ##
-  ## Default: ["youtube", ""]
-  ##
-  #comments: ["youtube", ""]
-
-  ##
-  ## Default player style.
-  ##
-  ## Accepted values: invidious, youtube
-  ## Default: invidious
-  ##
-  #player_style: invidious
-
-  ##
-  ## Show/Hide the "related videos" sidebar when
-  ## watching a video.
-  ##
-  ## Accepted values: true, false
-  ## Default: true
-  ##
-  #related_videos: true
-
-
-  # -----------------------------
-  #  Video player behavior
-  # -----------------------------
-
-  ##
-  ## This option controls the value of the HTML5 <video> element's
-  ## "preload" attribute.
-  ##
-  ## If set to 'false', no video data will be loaded until the user
-  ## explicitly starts the video by clicking the "Play" button.
-  ## If set to 'true', the web browser will buffer some video data
-  ## while the page is loading.
-  ##
-  ## See: https://www.w3schools.com/tags/att_video_preload.asp
-  ##
-  ## Accepted values: true, false
-  ## Default: true
-  ##
-  #preload: true
-
-  ##
-  ## Automatically play videos on page load.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #autoplay: false
-
-  ##
-  ## Automatically load the "next" video (either next in
-  ## playlist or proposed) when the current video ends.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #continue: false
-
-  ##
-  ## Autoplay next video by default.
-  ##
-  ## Note: Only effective if 'continue' is set to true.
-  ##
-  ## Accepted values: true, false
-  ## Default: true
-  ##
-  #continue_autoplay: true
-
-  ##
-  ## Play videos in Audio-only mode by default.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #listen: false
-
-  ##
-  ## Loop videos automatically.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #video_loop: false
-
-
-  # -----------------------------
-  #  Video playback settings
-  # -----------------------------
-
-  ##
-  ## Default video quality.
-  ##
-  ## Accepted values: dash, hd720, medium, small
-  ## Default: hd720
-  ##
-  #quality: hd720
-
-  ##
-  ## Default dash video quality.
-  ##
-  ## Note: this setting only takes effet if the
-  ## 'quality' parameter is set to "dash".
-  ##
-  ## Accepted values:
-  ##    auto, best, 4320p, 2160p, 1440p, 1080p,
-  ##    720p, 480p, 360p, 240p, 144p, worst
-  ## Default: auto
-  ##
-  #quality_dash: auto
-
-  ##
-  ## Default video playback speed.
-  ##
-  ## Accepted values: 0.25, 0.5, 0.75, 1.0, 1.25, 1.5, 1.75, 2.0
-  ## Default: 1.0
-  ##
-  #speed: 1.0
-
-  ##
-  ## Default volume.
-  ##
-  ## Accepted values: 0-100
-  ## Default: 100
-  ##
-  #volume: 100
-
-  ##
-  ## Allow 360° videos to be played.
-  ##
-  ## Note: This feature requires a WebGL-enabled browser.
-  ##
-  ## Accepted values: true, false
-  ## Default: true
-  ##
-  #vr_mode: true
-  
-  ##
-  ## Save the playback position
-  ## Allow to continue watching at the previous position when
-  ## watching the same video.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #save_player_pos: false
-
-  # -----------------------------
-  #  Subscription feed
-  # -----------------------------
-
-  ##
-  ## In the "Subscription" feed, only show the latest video
-  ## of each channel the user is subscribed to.
-  ##
-  ## Note: when combined with 'unseen_only', the latest unseen
-  ## video of each channel will be displayed instead of the
-  ## latest by date.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #latest_only: false
-
-  ##
-  ## Enable/Disable user subscriptions desktop notifications.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #notifications_only: false
-
-  ##
-  ## In the "Subscription" feed, Only show the videos that the
-  ## user haven't watched yet (i.e which are not in their watch
-  ## history).
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #unseen_only: false
-
-  ##
-  ## Default sorting parameter for subscription feeds.
-  ##
-  ## Accepted values:
-  ##   'alphabetically'
-  ##   'alphabetically - reverse'
-  ##   'channel name'
-  ##   'channel name - reverse'
-  ##   'published'
-  ##   'published - reverse'
-  ##
-  ## Default: published
-  ##
-  #sort: published
-
-
-  # -----------------------------
-  #  Miscellaneous
-  # -----------------------------
-
-  ##
-  ## Proxy videos through instance by default.
-  ##
-  ## Warning: As most users won't change this setting in their
-  ## preferences, defaulting  to true will significantly
-  ## increase the instance's network usage, so make sure that
-  ## your server's connection can handle it.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #local: false
-
-  ##
-  ## Show the connected user's nick at the top right.
-  ##
-  ## Accepted values: true, false
-  ## Default: true
-  ##
-  #show_nick: true
-
-  ##
-  ## Automatically redirect to a random instance when the user uses
-  ## any "switch invidious instance" link (For videos, it's the plane
-  ## icon, next to "watch on youtube" and "listen"). When set to false,
-  ## the user is sent to https://redirect.invidious.io instead, where
-  ## they can manually select an instance.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #automatic_instance_redirect: false
-
-  ##
-  ## Show the entire video description by default (when set to 'false',
-  ## only the first few lines of the description are shown and a
-  ## "show more" button allows to expand it).
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #extend_desc: false
@@ -1,52 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-# IN application vars
-IN_APP_URL=https://biz.trez.wtf
-IN_APP_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_APP_KEY'] }}
-IN_APP_DEBUG=true
-IN_REQUIRE_HTTPS=false
-IN_PHANTOMJS_PDF_GENERATION=false
-IN_PDF_GENERATOR=snappdf
-IN_TRUSTED_PROXIES='*'
-
-
-IN_QUEUE_CONNECTION=database
-
-# DB connection
-IN_DB_HOST=mariadb
-IN_DB_PORT=3306
-IN_DB_DATABASE=invoice_ninja
-IN_DB_USERNAME=ininja
-IN_DB_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_MYSQL_PASSWORD'] }}
-
-# Create initial user
-# Default to these values if empty
-# IN_USER_EMAIL=admin@example.com
-# IN_PASSWORD=changeme!
-IN_USER_EMAIL=
-IN_PASSWORD=
-
-# Mail options
-IN_MAIL_MAILER=log
-IN_MAIL_HOST=postal-smtp
-IN_MAIL_PORT=25
-IN_MAIL_USERNAME={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
-IN_MAIL_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
-IN_MAIL_ENCRYPTION=null
-IN_MAIL_FROM_ADDRESS='noreply@trez.wtf'
-IN_MAIL_FROM_NAME='Treasured IT'
-
-# MySQL
-IN_MYSQL_ROOT_PASSWORD=ninjaAdm1nPassword
-IN_MYSQL_USER=ninja
-IN_MYSQL_PASSWORD=ninja
-IN_MYSQL_DATABASE=ninja
-
-# GoCardless/Nordigen API key for banking integration
-NORDIGEN_SECRET_ID=
-NORDIGEN_SECRET_KEY=
-
-# V4 env vars
-# DB_STRICT=false
-# APP_CIPHER=AES-256-CBC
@@ -1,550 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-#=====================================================================#
-#                       LibreChat Configuration                       #
-#=====================================================================#
-# Please refer to the reference documentation for assistance          #
-# with configuring your LibreChat environment.                        #
-#                                                                     #
-# https://www.librechat.ai/docs/configuration/dotenv                  #
-#=====================================================================#
-
-#==================================================#
-#               Server Configuration               #
-#==================================================#
-
-HOST=localhost
-PORT=3080
-
-MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
-
-DOMAIN_CLIENT=https://ai.trez.wtf
-DOMAIN_SERVER=https://ai.trez.wtf
-
-NO_INDEX=true
-# Use the address that is at most n number of hops away from the Express application.
-# req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
-# A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
-# Defaulted to 1.
-TRUST_PROXY=1
-
-#===============#
-# JSON Logging  #
-#===============#
-
-# Use when process console logs in cloud deployment like GCP/AWS
-CONSOLE_JSON=true
-
-#===============#
-# Debug Logging #
-#===============#
-
-DEBUG_LOGGING=true
-DEBUG_CONSOLE=false
-
-#=============#
-# Permissions #
-#=============#
-
-# UID=1000
-# GID=1000
-
-#===============#
-# Configuration #
-#===============#
-# Use an absolute path, a relative path, or a URL
-
-# CONFIG_PATH="/alternative/path/to/librechat.yaml"
-
-#===================================================#
-#                     Endpoints                     #
-#===================================================#
-
-# ENDPOINTS=openAI,assistants,azureOpenAI,google,gptPlugins,anthropic
-
-PROXY=
-
-#===================================#
-# Known Endpoints - librechat.yaml  #
-#===================================#
-# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints
-
-# ANYSCALE_API_KEY=
-# APIPIE_API_KEY=
-# COHERE_API_KEY=
-DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
-# DATABRICKS_API_KEY=
-# FIREWORKS_API_KEY=
-# GROQ_API_KEY=
-# HUGGINGFACE_TOKEN=
-MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
-# OPENROUTER_KEY=
-# PERPLEXITY_API_KEY=
-# SHUTTLEAI_API_KEY=
-# TOGETHERAI_API_KEY=
-# UNIFY_API_KEY=
-# XAI_API_KEY=
-
-#============#
-# Anthropic  #
-#============#
-
-ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
-ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
-# ANTHROPIC_REVERSE_PROXY=
-
-#============#
-# Azure      #
-#============#
-
-# Note: these variables are DEPRECATED
-# Use the `librechat.yaml` configuration for `azureOpenAI` instead
-# You may also continue to use them if you opt out of using the `librechat.yaml` configuration
-
-# AZURE_OPENAI_DEFAULT_MODEL=gpt-3.5-turbo # Deprecated
-# AZURE_OPENAI_MODELS=gpt-3.5-turbo,gpt-4 # Deprecated
-# AZURE_USE_MODEL_AS_DEPLOYMENT_NAME=TRUE # Deprecated
-# AZURE_API_KEY= # Deprecated
-# AZURE_OPENAI_API_INSTANCE_NAME= # Deprecated
-# AZURE_OPENAI_API_DEPLOYMENT_NAME= # Deprecated
-# AZURE_OPENAI_API_VERSION= # Deprecated
-# AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME= # Deprecated
-# AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME= # Deprecated
-# PLUGINS_USE_AZURE="true" # Deprecated
-
-#=================#
-#   AWS Bedrock   #
-#=================#
-
-# BEDROCK_AWS_DEFAULT_REGION=us-east-1 # A default region must be provided
-# BEDROCK_AWS_ACCESS_KEY_ID=someAccessKey
-# BEDROCK_AWS_SECRET_ACCESS_KEY=someSecretAccessKey
-# BEDROCK_AWS_SESSION_TOKEN=someSessionToken
-
-# Note: This example list is not meant to be exhaustive. If omitted, all known, supported model IDs will be included for you.
-# BEDROCK_AWS_MODELS=anthropic.claude-3-5-sonnet-20240620-v1:0,meta.llama3-1-8b-instruct-v1:0
-
-# See all Bedrock model IDs here: https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html#model-ids-arns
-
-# Notes on specific models:
-# The following models are not support due to not supporting streaming:
-# ai21.j2-mid-v1
-
-# The following models are not support due to not supporting conversation history:
-# ai21.j2-ultra-v1, cohere.command-text-v14, cohere.command-light-text-v14
-
-#============#
-# Google     #
-#============#
-
-{# GOOGLE_KEY=user_provided #}
-
-# GOOGLE_REVERSE_PROXY=
-# Some reverse proxies do not support the X-goog-api-key header, uncomment to pass the API key in Authorization header instead.
-# GOOGLE_AUTH_HEADER=true
-
-# Gemini API (AI Studio)
-# GOOGLE_MODELS=gemini-2.0-flash-exp,gemini-2.0-flash-thinking-exp-1219,gemini-exp-1121,gemini-exp-1114,gemini-1.5-flash-latest,gemini-1.0-pro,gemini-1.0-pro-001,gemini-1.0-pro-latest,gemini-1.0-pro-vision-latest,gemini-1.5-pro-latest,gemini-pro,gemini-pro-vision
-
-# Vertex AI
-# GOOGLE_MODELS=gemini-1.5-flash-preview-0514,gemini-1.5-pro-preview-0514,gemini-1.0-pro-vision-001,gemini-1.0-pro-002,gemini-1.0-pro-001,gemini-pro-vision,gemini-1.0-pro
-
-# GOOGLE_TITLE_MODEL=gemini-pro
-
-# GOOGLE_LOC=us-central1
-
-# Google Safety Settings
-# NOTE: These settings apply to both Vertex AI and Gemini API (AI Studio)
-#
-# For Vertex AI:
-# To use the BLOCK_NONE setting, you need either:
-# (a) Access through an allowlist via your Google account team, or
-# (b) Switch to monthly invoiced billing: https://cloud.google.com/billing/docs/how-to/invoiced-billing
-#
-# For Gemini API (AI Studio):
-# BLOCK_NONE is available by default, no special account requirements.
-#
-# Available options: BLOCK_NONE, BLOCK_ONLY_HIGH, BLOCK_MEDIUM_AND_ABOVE, BLOCK_LOW_AND_ABOVE
-#
-# GOOGLE_SAFETY_SEXUALLY_EXPLICIT=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_HATE_SPEECH=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_HARASSMENT=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_DANGEROUS_CONTENT=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_CIVIC_INTEGRITY=BLOCK_ONLY_HIGH
-
-#============#
-# OpenAI     #
-#============#
-
-OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
-OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
-
-DEBUG_OPENAI=false
-
-# TITLE_CONVO=false
-# OPENAI_TITLE_MODEL=gpt-4o-mini
-
-# OPENAI_SUMMARIZE=true
-# OPENAI_SUMMARY_MODEL=gpt-4o-mini
-
-# OPENAI_FORCE_PROMPT=true
-
-# OPENAI_REVERSE_PROXY=
-
-# OPENAI_ORGANIZATION=
-
-#====================#
-#   Assistants API   #
-#====================#
-
-# ASSISTANTS_API_KEY=user_provided
-# ASSISTANTS_BASE_URL=
-# ASSISTANTS_MODELS=gpt-4o,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-16k-0613,gpt-3.5-turbo-16k,gpt-3.5-turbo,gpt-4,gpt-4-0314,gpt-4-32k-0314,gpt-4-0613,gpt-3.5-turbo-0613,gpt-3.5-turbo-1106,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview
-
-#==========================#
-#   Azure Assistants API   #
-#==========================#
-
-# Note: You should map your credentials with custom variables according to your Azure OpenAI Configuration
-# The models for Azure Assistants are also determined by your Azure OpenAI configuration.
-
-# More info, including how to enable use of Assistants with Azure here:
-# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints/azure#using-assistants-with-azure
-
-#============#
-# OpenRouter #
-#============#
-# !!!Warning: Use the variable above instead of this one. Using this one will override the OpenAI endpoint
-# OPENROUTER_API_KEY=
-
-#============#
-# Plugins    #
-#============#
-
-# PLUGIN_MODELS=gpt-4o,gpt-4o-mini,gpt-4,gpt-4-turbo-preview,gpt-4-0125-preview,gpt-4-1106-preview,gpt-4-0613,gpt-3.5-turbo,gpt-3.5-turbo-0125,gpt-3.5-turbo-1106,gpt-3.5-turbo-0613
-
-# DEBUG_PLUGINS=
-
-CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
-CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
-
-# Azure AI Search
-#-----------------
-# AZURE_AI_SEARCH_SERVICE_ENDPOINT=
-# AZURE_AI_SEARCH_INDEX_NAME=
-# AZURE_AI_SEARCH_API_KEY=
-
-# AZURE_AI_SEARCH_API_VERSION=
-# AZURE_AI_SEARCH_SEARCH_OPTION_QUERY_TYPE=
-# AZURE_AI_SEARCH_SEARCH_OPTION_TOP=
-# AZURE_AI_SEARCH_SEARCH_OPTION_SELECT=
-
-# DALL·E
-#----------------
-# DALLE_API_KEY=
-# DALLE3_API_KEY=
-# DALLE2_API_KEY=
-# DALLE3_SYSTEM_PROMPT=
-# DALLE2_SYSTEM_PROMPT=
-# DALLE_REVERSE_PROXY=
-# DALLE3_BASEURL=
-# DALLE2_BASEURL=
-
-# DALL·E (via Azure OpenAI)
-# Note: requires some of the variables above to be set
-#----------------
-# DALLE3_AZURE_API_VERSION=
-# DALLE2_AZURE_API_VERSION=
-
-
-# Google
-#-----------------
-GOOGLE_SEARCH_API_KEY=
-GOOGLE_CSE_ID=
-
-# YOUTUBE
-#-----------------
-YOUTUBE_API_KEY=
-
-# SerpAPI
-#-----------------
-SERPAPI_API_KEY=
-
-# Stable Diffusion
-#-----------------
-SD_WEBUI_URL=http://stable-diffusion-webui:7860
-
-# Tavily
-#-----------------
-TAVILY_API_KEY=
-
-# Traversaal
-#-----------------
-TRAVERSAAL_API_KEY=
-
-# WolframAlpha
-#-----------------
-WOLFRAM_APP_ID=
-
-# Zapier
-#-----------------
-ZAPIER_NLA_API_KEY=
-
-#==================================================#
-#                      Search                      #
-#==================================================#
-
-SEARCH=true
-MEILI_NO_ANALYTICS=true
-MEILI_HOST=http://meilisearch:7700
-MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
-
-# Optional: Disable indexing, useful in a multi-node setup
-# where only one instance should perform an index sync.
-# MEILI_NO_SYNC=true
-
-#==================================================#
-#          Speech to Text & Text to Speech         #
-#==================================================#
-
-STT_API_KEY=
-TTS_API_KEY=
-
-#==================================================#
-#                        RAG                       #
-#==================================================#
-# More info: https://www.librechat.ai/docs/configuration/rag_api
-
-# RAG_OPENAI_BASEURL=
-# RAG_OPENAI_API_KEY=
-# RAG_USE_FULL_CONTEXT=
-# EMBEDDINGS_PROVIDER=openai
-# EMBEDDINGS_MODEL=text-embedding-3-small
-
-#===================================================#
-#                    User System                    #
-#===================================================#
-
-#========================#
-# Moderation             #
-#========================#
-
-OPENAI_MODERATION=false
-OPENAI_MODERATION_API_KEY=
-# OPENAI_MODERATION_REVERSE_PROXY=
-
-BAN_VIOLATIONS=true
-BAN_DURATION=1000 * 60 * 60 * 2
-BAN_INTERVAL=20
-
-LOGIN_VIOLATION_SCORE=1
-REGISTRATION_VIOLATION_SCORE=1
-CONCURRENT_VIOLATION_SCORE=1
-MESSAGE_VIOLATION_SCORE=1
-NON_BROWSER_VIOLATION_SCORE=20
-
-LOGIN_MAX=7
-LOGIN_WINDOW=5
-REGISTER_MAX=5
-REGISTER_WINDOW=60
-
-LIMIT_CONCURRENT_MESSAGES=true
-CONCURRENT_MESSAGE_MAX=2
-
-LIMIT_MESSAGE_IP=true
-MESSAGE_IP_MAX=40
-MESSAGE_IP_WINDOW=1
-
-LIMIT_MESSAGE_USER=false
-MESSAGE_USER_MAX=40
-MESSAGE_USER_WINDOW=1
-
-ILLEGAL_MODEL_REQ_SCORE=5
-
-#========================#
-# Balance                #
-#========================#
-
-CHECK_BALANCE=false
-# START_BALANCE=20000 # note: the number of tokens that will be credited after registration.
-
-#========================#
-# Registration and Login #
-#========================#
-
-ALLOW_EMAIL_LOGIN=true
-ALLOW_REGISTRATION=true
-ALLOW_SOCIAL_LOGIN=false
-ALLOW_SOCIAL_REGISTRATION=false
-ALLOW_PASSWORD_RESET=false
-# ALLOW_ACCOUNT_DELETION=true # note: enabled by default if omitted/commented out
-ALLOW_UNVERIFIED_EMAIL_LOGIN=true
-
-SESSION_EXPIRY=1000 * 60 * 15
-REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
-
-JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
-JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
-
-
-# Discord
-DISCORD_CLIENT_ID=
-DISCORD_CLIENT_SECRET=
-DISCORD_CALLBACK_URL=/oauth/discord/callback
-
-# Facebook
-FACEBOOK_CLIENT_ID=
-FACEBOOK_CLIENT_SECRET=
-FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
-
-# GitHub
-GITHUB_CLIENT_ID=
-GITHUB_CLIENT_SECRET=
-GITHUB_CALLBACK_URL=/oauth/github/callback
-# GitHub Enterprise
-# GITHUB_ENTERPRISE_BASE_URL=
-# GITHUB_ENTERPRISE_USER_AGENT=
-
-# Google
-GOOGLE_CLIENT_ID=
-GOOGLE_CLIENT_SECRET=
-GOOGLE_CALLBACK_URL=/oauth/google/callback
-
-# Apple
-APPLE_CLIENT_ID=
-APPLE_TEAM_ID=
-APPLE_KEY_ID=
-APPLE_PRIVATE_KEY_PATH=
-APPLE_CALLBACK_URL=/oauth/apple/callback
-
-# OpenID
-OPENID_CLIENT_ID=
-OPENID_CLIENT_SECRET=
-OPENID_ISSUER=
-OPENID_SESSION_SECRET=
-OPENID_SCOPE="openid profile email"
-OPENID_CALLBACK_URL=/oauth/openid/callback
-OPENID_REQUIRED_ROLE=
-OPENID_REQUIRED_ROLE_TOKEN_KIND=
-OPENID_REQUIRED_ROLE_PARAMETER_PATH=
-# Set to determine which user info property returned from OpenID Provider to store as the User's username
-OPENID_USERNAME_CLAIM=
-# Set to determine which user info property returned from OpenID Provider to store as the User's name
-OPENID_NAME_CLAIM=
-
-OPENID_BUTTON_LABEL=
-OPENID_IMAGE_URL=
-
-# LDAP
-# LDAP_URL=
-# LDAP_BIND_DN=
-# LDAP_BIND_CREDENTIALS=
-# LDAP_USER_SEARCH_BASE=
-# LDAP_SEARCH_FILTER=mail=
-# LDAP_CA_CERT_PATH=
-# LDAP_TLS_REJECT_UNAUTHORIZED=
-# LDAP_LOGIN_USES_USERNAME=true
-# LDAP_ID=
-# LDAP_USERNAME=
-# LDAP_EMAIL=
-# LDAP_FULL_NAME=
-
-#========================#
-# Email Password Reset   #
-#========================#
-
-EMAIL_SERVICE=
-EMAIL_HOST=postal-smtp
-EMAIL_PORT=25
-EMAIL_ENCRYPTION=
-EMAIL_ENCRYPTION_HOSTNAME=
-EMAIL_ALLOW_SELFSIGNED=
-EMAIL_USERNAME=
-EMAIL_PASSWORD=
-EMAIL_FROM_NAME=
-EMAIL_FROM=noreply@librechat.ai
-
-#========================#
-# Firebase CDN           #
-#========================#
-
-# FIREBASE_API_KEY=
-# FIREBASE_AUTH_DOMAIN=
-# FIREBASE_PROJECT_ID=
-# FIREBASE_STORAGE_BUCKET=
-# FIREBASE_MESSAGING_SENDER_ID=
-# FIREBASE_APP_ID=
-
-#========================#
-# Shared Links           #
-#========================#
-
-ALLOW_SHARED_LINKS=true
-ALLOW_SHARED_LINKS_PUBLIC=true
-
-#==============================#
-# Static File Cache Control    #
-#==============================#
-
-# Leave commented out to use defaults: 1 day (86400 seconds) for s-maxage and 2 days (172800 seconds) for max-age
-# NODE_ENV must be set to production for these to take effect
-# STATIC_CACHE_MAX_AGE=172800
-# STATIC_CACHE_S_MAX_AGE=86400
-
-# If you have another service in front of your LibreChat doing compression, disable express based compression here
-# DISABLE_COMPRESSION=true
-
-#===================================================#
-#                        UI                         #
-#===================================================#
-
-APP_TITLE=LibreChat
-# CUSTOM_FOOTER="My custom footer"
-HELP_AND_FAQ_URL=https://librechat.ai
-
-# SHOW_BIRTHDAY_ICON=true
-
-# Google tag manager id
-#ANALYTICS_GTM_ID=user provided google tag manager id
-
-#===============#
-# REDIS Options #
-#===============#
-
-REDIS_URI=redis:6379
-USE_REDIS=true
-
-# USE_REDIS_CLUSTER=true
-# REDIS_CA=/path/to/ca.crt
-
-#==================================================#
-#                      Others                      #
-#==================================================#
-#   You should leave the following commented out   #
-
-# NODE_ENV=
-
-# E2E_USER_EMAIL=
-# E2E_USER_PASSWORD=
-
-#=====================================================#
-#                  Cache Headers                      #
-#=====================================================#
-#   Headers that control caching of the index.html    #
-#   Default configuration prevents caching to ensure  #
-#   users always get the latest version. Customize    #
-#   only if you understand caching implications.      #
-
-# INDEX_HTML_CACHE_CONTROL=no-cache, no-store, must-revalidate
-# INDEX_HTML_PRAGMA=no-cache
-# INDEX_HTML_EXPIRES=0
-
-# no-cache: Forces validation with server before using cached version
-# no-store: Prevents storing the response entirely
-# must-revalidate: Prevents using stale content when offline
-
-#=====================================================#
-#                  OpenWeather                        #
-#=====================================================#
-OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
@@ -1,26 +1,26 @@
-version: 1.0.0
+version: 1.2.8
 endpoints:
  custom:
-    - name: "ollama"
+    - name: "rinoa-ollama"
      apiKey: "ollama"
      baseURL: "http://ollama:11434/v1/chat/completions"
      models:
        default: [
-          "deepseek-r1:1.5b",
+          "codellama:7b",
          "deepseek-coder-v2:16b",
+          "deepseek-r1:1.5b",
          "deepseek-v3:671b",
+          "dolphin-mistral:7b",
+          "llama2:7b",
          "llama3.3:70b",
+          "mistral-openorca:7b",
+          "mistral:7b",
+          "orca-mini:3b",
          "phi4:14b",
          "qwen2.5",
-          "llama2:7b",
-          "mistral:7b",
-          "codellama:7b",
-          "tinyllama:1.1b",
-          "starcoder2:3b",
-          "dolphin-mistral:7b",
          "smollm2:1.7b",
-          "orca-mini:3b",
-          "mistral-openorca:7b"
+          "starcoder2:3b",
+          "tinyllama:1.1b",
        ]
 # fetching list of models is supported but the `name` field must start
 # with `ollama` (case-insensitive), as it does in this example.
@@ -1,550 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-#=====================================================================#
-#                       LibreChat Configuration                       #
-#=====================================================================#
-# Please refer to the reference documentation for assistance          #
-# with configuring your LibreChat environment.                        #
-#                                                                     #
-# https://www.librechat.ai/docs/configuration/dotenv                  #
-#=====================================================================#
-
-#==================================================#
-#               Server Configuration               #
-#==================================================#
-
-HOST=localhost
-PORT=3080
-
-MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
-
-DOMAIN_CLIENT=https://ai.trez.wtf
-DOMAIN_SERVER=https://ai.trez.wtf
-
-NO_INDEX=true
-# Use the address that is at most n number of hops away from the Express application.
-# req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
-# A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
-# Defaulted to 1.
-TRUST_PROXY=1
-
-#===============#
-# JSON Logging  #
-#===============#
-
-# Use when process console logs in cloud deployment like GCP/AWS
-CONSOLE_JSON=true
-
-#===============#
-# Debug Logging #
-#===============#
-
-DEBUG_LOGGING=true
-DEBUG_CONSOLE=false
-
-#=============#
-# Permissions #
-#=============#
-
-# UID=1000
-# GID=1000
-
-#===============#
-# Configuration #
-#===============#
-# Use an absolute path, a relative path, or a URL
-
-# CONFIG_PATH="/alternative/path/to/librechat.yaml"
-
-#===================================================#
-#                     Endpoints                     #
-#===================================================#
-
-# ENDPOINTS=openAI,assistants,azureOpenAI,google,gptPlugins,anthropic
-
-PROXY=
-
-#===================================#
-# Known Endpoints - librechat.yaml  #
-#===================================#
-# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints
-
-# ANYSCALE_API_KEY=
-# APIPIE_API_KEY=
-# COHERE_API_KEY=
-DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
-# DATABRICKS_API_KEY=
-# FIREWORKS_API_KEY=
-# GROQ_API_KEY=
-# HUGGINGFACE_TOKEN=
-MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
-# OPENROUTER_KEY=
-# PERPLEXITY_API_KEY=
-# SHUTTLEAI_API_KEY=
-# TOGETHERAI_API_KEY=
-# UNIFY_API_KEY=
-# XAI_API_KEY=
-
-#============#
-# Anthropic  #
-#============#
-
-ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
-ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
-# ANTHROPIC_REVERSE_PROXY=
-
-#============#
-# Azure      #
-#============#
-
-# Note: these variables are DEPRECATED
-# Use the `librechat.yaml` configuration for `azureOpenAI` instead
-# You may also continue to use them if you opt out of using the `librechat.yaml` configuration
-
-# AZURE_OPENAI_DEFAULT_MODEL=gpt-3.5-turbo # Deprecated
-# AZURE_OPENAI_MODELS=gpt-3.5-turbo,gpt-4 # Deprecated
-# AZURE_USE_MODEL_AS_DEPLOYMENT_NAME=TRUE # Deprecated
-# AZURE_API_KEY= # Deprecated
-# AZURE_OPENAI_API_INSTANCE_NAME= # Deprecated
-# AZURE_OPENAI_API_DEPLOYMENT_NAME= # Deprecated
-# AZURE_OPENAI_API_VERSION= # Deprecated
-# AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME= # Deprecated
-# AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME= # Deprecated
-# PLUGINS_USE_AZURE="true" # Deprecated
-
-#=================#
-#   AWS Bedrock   #
-#=================#
-
-# BEDROCK_AWS_DEFAULT_REGION=us-east-1 # A default region must be provided
-# BEDROCK_AWS_ACCESS_KEY_ID=someAccessKey
-# BEDROCK_AWS_SECRET_ACCESS_KEY=someSecretAccessKey
-# BEDROCK_AWS_SESSION_TOKEN=someSessionToken
-
-# Note: This example list is not meant to be exhaustive. If omitted, all known, supported model IDs will be included for you.
-# BEDROCK_AWS_MODELS=anthropic.claude-3-5-sonnet-20240620-v1:0,meta.llama3-1-8b-instruct-v1:0
-
-# See all Bedrock model IDs here: https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html#model-ids-arns
-
-# Notes on specific models:
-# The following models are not support due to not supporting streaming:
-# ai21.j2-mid-v1
-
-# The following models are not support due to not supporting conversation history:
-# ai21.j2-ultra-v1, cohere.command-text-v14, cohere.command-light-text-v14
-
-#============#
-# Google     #
-#============#
-
-{# GOOGLE_KEY=user_provided #}
-
-# GOOGLE_REVERSE_PROXY=
-# Some reverse proxies do not support the X-goog-api-key header, uncomment to pass the API key in Authorization header instead.
-# GOOGLE_AUTH_HEADER=true
-
-# Gemini API (AI Studio)
-# GOOGLE_MODELS=gemini-2.0-flash-exp,gemini-2.0-flash-thinking-exp-1219,gemini-exp-1121,gemini-exp-1114,gemini-1.5-flash-latest,gemini-1.0-pro,gemini-1.0-pro-001,gemini-1.0-pro-latest,gemini-1.0-pro-vision-latest,gemini-1.5-pro-latest,gemini-pro,gemini-pro-vision
-
-# Vertex AI
-# GOOGLE_MODELS=gemini-1.5-flash-preview-0514,gemini-1.5-pro-preview-0514,gemini-1.0-pro-vision-001,gemini-1.0-pro-002,gemini-1.0-pro-001,gemini-pro-vision,gemini-1.0-pro
-
-# GOOGLE_TITLE_MODEL=gemini-pro
-
-# GOOGLE_LOC=us-central1
-
-# Google Safety Settings
-# NOTE: These settings apply to both Vertex AI and Gemini API (AI Studio)
-#
-# For Vertex AI:
-# To use the BLOCK_NONE setting, you need either:
-# (a) Access through an allowlist via your Google account team, or
-# (b) Switch to monthly invoiced billing: https://cloud.google.com/billing/docs/how-to/invoiced-billing
-#
-# For Gemini API (AI Studio):
-# BLOCK_NONE is available by default, no special account requirements.
-#
-# Available options: BLOCK_NONE, BLOCK_ONLY_HIGH, BLOCK_MEDIUM_AND_ABOVE, BLOCK_LOW_AND_ABOVE
-#
-# GOOGLE_SAFETY_SEXUALLY_EXPLICIT=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_HATE_SPEECH=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_HARASSMENT=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_DANGEROUS_CONTENT=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_CIVIC_INTEGRITY=BLOCK_ONLY_HIGH
-
-#============#
-# OpenAI     #
-#============#
-
-OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
-OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
-
-DEBUG_OPENAI=false
-
-# TITLE_CONVO=false
-# OPENAI_TITLE_MODEL=gpt-4o-mini
-
-# OPENAI_SUMMARIZE=true
-# OPENAI_SUMMARY_MODEL=gpt-4o-mini
-
-# OPENAI_FORCE_PROMPT=true
-
-# OPENAI_REVERSE_PROXY=
-
-# OPENAI_ORGANIZATION=
-
-#====================#
-#   Assistants API   #
-#====================#
-
-# ASSISTANTS_API_KEY=user_provided
-# ASSISTANTS_BASE_URL=
-# ASSISTANTS_MODELS=gpt-4o,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-16k-0613,gpt-3.5-turbo-16k,gpt-3.5-turbo,gpt-4,gpt-4-0314,gpt-4-32k-0314,gpt-4-0613,gpt-3.5-turbo-0613,gpt-3.5-turbo-1106,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview
-
-#==========================#
-#   Azure Assistants API   #
-#==========================#
-
-# Note: You should map your credentials with custom variables according to your Azure OpenAI Configuration
-# The models for Azure Assistants are also determined by your Azure OpenAI configuration.
-
-# More info, including how to enable use of Assistants with Azure here:
-# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints/azure#using-assistants-with-azure
-
-#============#
-# OpenRouter #
-#============#
-# !!!Warning: Use the variable above instead of this one. Using this one will override the OpenAI endpoint
-# OPENROUTER_API_KEY=
-
-#============#
-# Plugins    #
-#============#
-
-# PLUGIN_MODELS=gpt-4o,gpt-4o-mini,gpt-4,gpt-4-turbo-preview,gpt-4-0125-preview,gpt-4-1106-preview,gpt-4-0613,gpt-3.5-turbo,gpt-3.5-turbo-0125,gpt-3.5-turbo-1106,gpt-3.5-turbo-0613
-
-# DEBUG_PLUGINS=
-
-CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
-CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
-
-# Azure AI Search
-#-----------------
-# AZURE_AI_SEARCH_SERVICE_ENDPOINT=
-# AZURE_AI_SEARCH_INDEX_NAME=
-# AZURE_AI_SEARCH_API_KEY=
-
-# AZURE_AI_SEARCH_API_VERSION=
-# AZURE_AI_SEARCH_SEARCH_OPTION_QUERY_TYPE=
-# AZURE_AI_SEARCH_SEARCH_OPTION_TOP=
-# AZURE_AI_SEARCH_SEARCH_OPTION_SELECT=
-
-# DALL·E
-#----------------
-# DALLE_API_KEY=
-# DALLE3_API_KEY=
-# DALLE2_API_KEY=
-# DALLE3_SYSTEM_PROMPT=
-# DALLE2_SYSTEM_PROMPT=
-# DALLE_REVERSE_PROXY=
-# DALLE3_BASEURL=
-# DALLE2_BASEURL=
-
-# DALL·E (via Azure OpenAI)
-# Note: requires some of the variables above to be set
-#----------------
-# DALLE3_AZURE_API_VERSION=
-# DALLE2_AZURE_API_VERSION=
-
-
-# Google
-#-----------------
-GOOGLE_SEARCH_API_KEY=
-GOOGLE_CSE_ID=
-
-# YOUTUBE
-#-----------------
-YOUTUBE_API_KEY=
-
-# SerpAPI
-#-----------------
-SERPAPI_API_KEY=
-
-# Stable Diffusion
-#-----------------
-SD_WEBUI_URL=http://stable-diffusion-webui:7860
-
-# Tavily
-#-----------------
-TAVILY_API_KEY=
-
-# Traversaal
-#-----------------
-TRAVERSAAL_API_KEY=
-
-# WolframAlpha
-#-----------------
-WOLFRAM_APP_ID=
-
-# Zapier
-#-----------------
-ZAPIER_NLA_API_KEY=
-
-#==================================================#
-#                      Search                      #
-#==================================================#
-
-SEARCH=true
-MEILI_NO_ANALYTICS=true
-MEILI_HOST=http://meilisearch:7700
-MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
-
-# Optional: Disable indexing, useful in a multi-node setup
-# where only one instance should perform an index sync.
-# MEILI_NO_SYNC=true
-
-#==================================================#
-#          Speech to Text & Text to Speech         #
-#==================================================#
-
-STT_API_KEY=
-TTS_API_KEY=
-
-#==================================================#
-#                        RAG                       #
-#==================================================#
-# More info: https://www.librechat.ai/docs/configuration/rag_api
-
-# RAG_OPENAI_BASEURL=
-# RAG_OPENAI_API_KEY=
-# RAG_USE_FULL_CONTEXT=
-# EMBEDDINGS_PROVIDER=openai
-# EMBEDDINGS_MODEL=text-embedding-3-small
-
-#===================================================#
-#                    User System                    #
-#===================================================#
-
-#========================#
-# Moderation             #
-#========================#
-
-OPENAI_MODERATION=false
-OPENAI_MODERATION_API_KEY=
-# OPENAI_MODERATION_REVERSE_PROXY=
-
-BAN_VIOLATIONS=true
-BAN_DURATION=1000 * 60 * 60 * 2
-BAN_INTERVAL=20
-
-LOGIN_VIOLATION_SCORE=1
-REGISTRATION_VIOLATION_SCORE=1
-CONCURRENT_VIOLATION_SCORE=1
-MESSAGE_VIOLATION_SCORE=1
-NON_BROWSER_VIOLATION_SCORE=20
-
-LOGIN_MAX=7
-LOGIN_WINDOW=5
-REGISTER_MAX=5
-REGISTER_WINDOW=60
-
-LIMIT_CONCURRENT_MESSAGES=true
-CONCURRENT_MESSAGE_MAX=2
-
-LIMIT_MESSAGE_IP=true
-MESSAGE_IP_MAX=40
-MESSAGE_IP_WINDOW=1
-
-LIMIT_MESSAGE_USER=false
-MESSAGE_USER_MAX=40
-MESSAGE_USER_WINDOW=1
-
-ILLEGAL_MODEL_REQ_SCORE=5
-
-#========================#
-# Balance                #
-#========================#
-
-CHECK_BALANCE=false
-# START_BALANCE=20000 # note: the number of tokens that will be credited after registration.
-
-#========================#
-# Registration and Login #
-#========================#
-
-ALLOW_EMAIL_LOGIN=true
-ALLOW_REGISTRATION=true
-ALLOW_SOCIAL_LOGIN=false
-ALLOW_SOCIAL_REGISTRATION=false
-ALLOW_PASSWORD_RESET=false
-# ALLOW_ACCOUNT_DELETION=true # note: enabled by default if omitted/commented out
-ALLOW_UNVERIFIED_EMAIL_LOGIN=true
-
-SESSION_EXPIRY=1000 * 60 * 15
-REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
-
-JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
-JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
-
-
-# Discord
-DISCORD_CLIENT_ID=
-DISCORD_CLIENT_SECRET=
-DISCORD_CALLBACK_URL=/oauth/discord/callback
-
-# Facebook
-FACEBOOK_CLIENT_ID=
-FACEBOOK_CLIENT_SECRET=
-FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
-
-# GitHub
-GITHUB_CLIENT_ID=
-GITHUB_CLIENT_SECRET=
-GITHUB_CALLBACK_URL=/oauth/github/callback
-# GitHub Enterprise
-# GITHUB_ENTERPRISE_BASE_URL=
-# GITHUB_ENTERPRISE_USER_AGENT=
-
-# Google
-GOOGLE_CLIENT_ID=
-GOOGLE_CLIENT_SECRET=
-GOOGLE_CALLBACK_URL=/oauth/google/callback
-
-# Apple
-APPLE_CLIENT_ID=
-APPLE_TEAM_ID=
-APPLE_KEY_ID=
-APPLE_PRIVATE_KEY_PATH=
-APPLE_CALLBACK_URL=/oauth/apple/callback
-
-# OpenID
-OPENID_CLIENT_ID=
-OPENID_CLIENT_SECRET=
-OPENID_ISSUER=
-OPENID_SESSION_SECRET=
-OPENID_SCOPE="openid profile email"
-OPENID_CALLBACK_URL=/oauth/openid/callback
-OPENID_REQUIRED_ROLE=
-OPENID_REQUIRED_ROLE_TOKEN_KIND=
-OPENID_REQUIRED_ROLE_PARAMETER_PATH=
-# Set to determine which user info property returned from OpenID Provider to store as the User's username
-OPENID_USERNAME_CLAIM=
-# Set to determine which user info property returned from OpenID Provider to store as the User's name
-OPENID_NAME_CLAIM=
-
-OPENID_BUTTON_LABEL=
-OPENID_IMAGE_URL=
-
-# LDAP
-# LDAP_URL=
-# LDAP_BIND_DN=
-# LDAP_BIND_CREDENTIALS=
-# LDAP_USER_SEARCH_BASE=
-# LDAP_SEARCH_FILTER=mail=
-# LDAP_CA_CERT_PATH=
-# LDAP_TLS_REJECT_UNAUTHORIZED=
-# LDAP_LOGIN_USES_USERNAME=true
-# LDAP_ID=
-# LDAP_USERNAME=
-# LDAP_EMAIL=
-# LDAP_FULL_NAME=
-
-#========================#
-# Email Password Reset   #
-#========================#
-
-EMAIL_SERVICE=
-EMAIL_HOST=postal-smtp
-EMAIL_PORT=25
-EMAIL_ENCRYPTION=
-EMAIL_ENCRYPTION_HOSTNAME=
-EMAIL_ALLOW_SELFSIGNED=
-EMAIL_USERNAME=
-EMAIL_PASSWORD=
-EMAIL_FROM_NAME=
-EMAIL_FROM=noreply@librechat.ai
-
-#========================#
-# Firebase CDN           #
-#========================#
-
-# FIREBASE_API_KEY=
-# FIREBASE_AUTH_DOMAIN=
-# FIREBASE_PROJECT_ID=
-# FIREBASE_STORAGE_BUCKET=
-# FIREBASE_MESSAGING_SENDER_ID=
-# FIREBASE_APP_ID=
-
-#========================#
-# Shared Links           #
-#========================#
-
-ALLOW_SHARED_LINKS=true
-ALLOW_SHARED_LINKS_PUBLIC=true
-
-#==============================#
-# Static File Cache Control    #
-#==============================#
-
-# Leave commented out to use defaults: 1 day (86400 seconds) for s-maxage and 2 days (172800 seconds) for max-age
-# NODE_ENV must be set to production for these to take effect
-# STATIC_CACHE_MAX_AGE=172800
-# STATIC_CACHE_S_MAX_AGE=86400
-
-# If you have another service in front of your LibreChat doing compression, disable express based compression here
-# DISABLE_COMPRESSION=true
-
-#===================================================#
-#                        UI                         #
-#===================================================#
-
-APP_TITLE=LibreChat
-# CUSTOM_FOOTER="My custom footer"
-HELP_AND_FAQ_URL=https://librechat.ai
-
-# SHOW_BIRTHDAY_ICON=true
-
-# Google tag manager id
-#ANALYTICS_GTM_ID=user provided google tag manager id
-
-#===============#
-# REDIS Options #
-#===============#
-
-REDIS_URI=redis:6379
-USE_REDIS=true
-
-# USE_REDIS_CLUSTER=true
-# REDIS_CA=/path/to/ca.crt
-
-#==================================================#
-#                      Others                      #
-#==================================================#
-#   You should leave the following commented out   #
-
-# NODE_ENV=
-
-# E2E_USER_EMAIL=
-# E2E_USER_PASSWORD=
-
-#=====================================================#
-#                  Cache Headers                      #
-#=====================================================#
-#   Headers that control caching of the index.html    #
-#   Default configuration prevents caching to ensure  #
-#   users always get the latest version. Customize    #
-#   only if you understand caching implications.      #
-
-# INDEX_HTML_CACHE_CONTROL=no-cache, no-store, must-revalidate
-# INDEX_HTML_PRAGMA=no-cache
-# INDEX_HTML_EXPIRES=0
-
-# no-cache: Forces validation with server before using cached version
-# no-store: Prevents storing the response entirely
-# must-revalidate: Prevents using stale content when offline
-
-#=====================================================#
-#                  OpenWeather                        #
-#=====================================================#
-OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
@@ -1,33 +0,0 @@
-version: 1.0.0
-endpoints:
-  custom:
-    - name: "ollama"
-      apiKey: "ollama"
-      baseURL: "http://ollama:11434/v1/chat/completions"
-      models:
-        default: [
-          "deepseek-r1:1.5b",
-          "deepseek-coder-v2:16b",
-          "deepseek-v3:671b",
-          "llama3.3:70b",
-          "phi4:14b",
-          "qwen2.5",
-          "llama2:7b",
-          "mistral:7b",
-          "codellama:7b",
-          "tinyllama:1.1b",
-          "starcoder2:3b",
-          "dolphin-mistral:7b",
-          "smollm2:1.7b",
-          "orca-mini:3b",
-          "mistral-openorca:7b"
-        ]
-# fetching list of models is supported but the `name` field must start
-# with `ollama` (case-insensitive), as it does in this example.
-        fetch: true
-      titleConvo: true
-      titleModel: "current_model"
-      summarize: false
-      summaryModel: "current_model"
-      forcePrompt: false
-      modelDisplayLabel: "Ollama"
@@ -0,0 +1,124 @@
+[app]
+# Log level: info, debug, warn, error, fatal
+log_level = "debug"
+# Environment: dev, prod.
+# Setting to "dev" will enable color logging in terminal.
+env = "dev"
+# Whether to automatically check for application updates on start up, app updates are shown as a banner in the admin panel.
+check_updates = true
+
+# HTTP server.
+[app.server]
+# Address to bind the HTTP server to.
+address = "0.0.0.0:9000"
+# Unix socket path (leave empty to use TCP address instead)
+socket = ""
+# Do NOT disable secure cookies in production environment if you don't know exactly what you're doing!
+disable_secure_cookies = false
+# Request read and write timeouts.
+read_timeout = "5s"
+write_timeout = "5s"
+# Maximum request body size in bytes (100MB)
+# If you are using proxy, you may need to configure them to allow larger request bodies.
+max_body_size = 104857600
+# Size of the read buffer for incoming requests
+read_buffer_size = 4096
+# Keepalive settings.
+keepalive_timeout = "10s"
+
+# File upload provider to use, either `fs` or `s3`.
+[upload]
+provider = "s3"
+
+# Filesystem provider.
+[upload.fs]
+# Directory where uploaded files are stored, make sure this directory exists and is writable by the application.
+upload_path = 'uploads'
+
+# S3 provider.
+[upload.s3]
+# S3 endpoint URL (required only for non-AWS S3-compatible providers like MinIO).
+# Leave empty to use default AWS endpoints.
+url = "http://minio:9000"
+
+# AWS S3 credentials, keep empty to use attached IAM roles.
+access_key = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBREDESK_S3_ACCESS_KEY'] }}"
+secret_key = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBREDESK_S3_SECRET_KEY'] }}"
+
+# AWS region, e.g., "us-east-1", "eu-west-1", etc.
+region = "us-east-fh-pln"
+# S3 bucket name where files will be stored.
+bucket = "libredesk"
+# Optional prefix path within the S3 bucket where files will be stored.
+# Example, if set to "uploads/media", files will be stored under that path.
+# Useful for organizing files inside a shared bucket.
+bucket_path = ""
+# S3 signed URL expiry duration (e.g., "30m", "1h")
+expiry = "30m"
+
+# Postgres.
+[db]
+# If running locally, use `localhost`.
+host = "libredesk-pg-db"
+# Database port, default is 5432.
+port = 5432
+# Update the following values with your database credentials.
+user = "libredesk"
+password = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBREDESK_PG_DB_PASSWD'] }}"
+database = "libredesk"
+ssl_mode = "disable"
+# Maximum number of open database connections
+max_open = 30
+# Maximum number of idle connections in the pool
+max_idle = 30
+# Maximum time a connection can be reused before being closed
+max_lifetime = "300s"
+
+# Redis.
+[redis]
+# If running locally, use `localhost:6379`.
+address = "libredesk-valkey:6379"
+password = ""
+db = 0
+
+[message]
+# Number of workers processing outgoing message queue
+outgoing_queue_workers = 10
+# Number of workers processing incoming message queue
+incoming_queue_workers = 10
+# How often to scan for outgoing messages to process, keep it low to process messages quickly.
+message_outgoing_scan_interval = "50ms"
+# Maximum number of messages that can be queued for incoming processing
+incoming_queue_size = 5000
+# Maximum number of messages that can be queued for outgoing processing
+outgoing_queue_size = 5000
+
+[notification]
+# Number of concurrent notification workers
+concurrency = 2
+# Maximum number of notifications that can be queued
+queue_size = 2000
+
+[automation]
+# Number of workers processing automation rules
+worker_count = 10
+
+[autoassigner]
+# How often to run automatic conversation assignment
+autoassign_interval = "5m"
+
+[webhook]
+# Number of webhook delivery workers
+workers = 5
+# Maximum number of webhook deliveries that can be queued
+queue_size = 10000
+# HTTP timeout for webhook requests
+timeout = "15s"
+
+[conversation]
+# How often to check for conversations to unsnooze
+unsnooze_interval = "5m"
+
+[sla]
+# How often to evaluate SLA compliance for conversations
+evaluation_interval = "5m"
@@ -1,21 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-<Config>
-  <BindAddress>*</BindAddress>
-  <Port>8686</Port>
-  <SslPort>6868</SslPort>
-  <EnableSsl>False</EnableSsl>
-  <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}</ApiKey>
-  <AuthenticationMethod>Forms</AuthenticationMethod>
-  <Branch>master</Branch>
-  <LogLevel>trace</LogLevel>
-  <SslCertPath></SslCertPath>
-  <SslCertPassword></SslCertPassword>
-  <UrlBase></UrlBase>
-  <InstanceName>Lidarr</InstanceName>
-  <UpdateMechanism>Docker</UpdateMechanism>
-  <Theme>auto</Theme>
-  <AuthenticationRequired>Enabled</AuthenticationRequired>
-</Config>
@@ -1,25 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-{
-    "lidarr_address": "http://lidarr:8686",
-    "lidarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}",
-    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
-    "root_folder_path": "/data/media/music",
-    "spotify_client_id": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
-    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
-    "fallback_to_top_result": false,
-    "lidarr_api_timeout": 120.0,
-    "quality_profile_id": 1,
-    "metadata_profile_id": 1,
-    "search_for_missing_albums": false,
-    "dry_run_adding_to_lidarr": true,
-    "app_name": "lidify",
-    "app_rev": "0.09",
-    "app_url": "lidify.trez.wtf",
-    "last_fm_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-    "last_fm_api_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-    "mode": "LastFM",
-    "auto_start": false,
-    "auto_start_delay": 60
-}
@@ -1,18 +1,34 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
-
 containers:
  ghost_blog:
    action_keywords:
      - restart:
-          regex: ':[0-9]{2}\] ERROR.*$'
+          regex: 'Connection Error.*ECONNRESET$'
  immich-server:
    action_keywords:
      - restart:
-          regex: 'ADVICE:.*error'
+          regex: '(ENOTFOUND|Error|ECONNREFUSED)'
  invidious:
-    keywords:
-      - regex: 'Error reading.*Connection reset by peer trying to reconnect...'
+    action_keywords:
+      - restart:
+          regex: 'Error reading.*Connection reset by peer trying to reconnect\.\.\.'
+  maxun-backend:
+    action_keywords:
+      - restart:
+          regex: '[Ee]rror'
+  planka:
+    action_keywords:
+      - restart:
+          regex: 'Failed to lift app: Sails is taking too long to load.$'
+  scrutiny:
+    action_keywords:
+      - restart:
+          regex: '^s6-.*: fatal.*$'
+  swag:
+    action_keywords:
+      - restart:
+          regex: '^s6-.*: fatal.*$'
 global_keywords:
  keywords:
    - panic
@@ -1,33 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-containers:
-  ghost_blog:
-    action_keywords:
-      - restart:
-          regex: ':[0-9]{2}\] ERROR.*$'
-  immich-server:
-    action_keywords:
-      - restart:
-          regex: 'ADVICE:.*error'
-  invidious:
-    keywords:
-      - regex: 'Error reading.*Connection reset by peer trying to reconnect...'
-global_keywords:
-  keywords:
-    - panic
-  keywords_with_attachment:
-    - fatal
-notifications:
-  apprise:
-    url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
-# settings are optional because they all have default values
-settings:
-  log_level: INFO               # DEBUG, INFO, WARNING, ERROR
-  notification_cooldown: 5      # Seconds between alerts for same keyword (per container)
-  attachment_lines: 20          # Number of Lines to include in log attachments
-  multi_line_entries: true      # Detect multi-line log entries
-  disable_restart: false        # Disable restart when a config change is detected
-  disable_start_message: false  # Suppress startup notification
-  disable_shutdown_message: false  # Suppress shutdown notification
-  disable_restart_message: false   # Suppress config reload notification
@@ -1,159 +0,0 @@
-'use strict';
-
-const packageJson = require('../../package.json');
-
-module.exports = {
-    // Branding and customizations require a license: https://codecanyon.net/item/mirotalk-p2p-webrtc-realtime-video-conferences/38376661
-    brand: {
-        app: {
-            language: 'en', // https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes
-            name: 'MiroTalk',
-            title: '<h1>MiroTalk</h1/>Free browser based Real-time video calls.<br />Simple, Secure, Fast.',
-            description:
-                'Start your next video call with a single click. No download, plug-in, or login is required. Just get straight to talking, messaging, and sharing your screen.',
-            joinDescription: 'Pick a room name.<br />How about this one?',
-            joinButtonLabel: 'JOIN ROOM',
-            joinLastLabel: 'Your recent room:',
-        },
-        og: {
-            type: 'app-webrtc',
-            siteName: 'MiroTalk',
-            title: 'Click the link to make a call.',
-            description:
-                'MiroTalk calling provides real-time HD quality and latency simply not available with traditional technology.',
-            image: 'https://p2p.mirotalk.com/images/preview.png',
-            url: 'https://p2p.mirotalk.com',
-        },
-        site: {
-            shortcutIcon: '../images/logo.svg',
-            appleTouchIcon: '../images/logo.svg',
-            landingTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
-            newCallTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
-            newCallRoomTitle: 'Pick name. <br />Share URL. <br />Start conference.',
-            newCallRoomDescription:
-                "Each room has its disposable URL. Just pick a room name and share your custom URL. It's that easy.",
-            loginTitle: 'MiroTalk - Host Protected login required.',
-            clientTitle: 'MiroTalk WebRTC Video call, Chat Room & Screen Sharing.',
-            privacyPolicyTitle: 'MiroTalk - privacy and policy.',
-            stunTurnTitle: 'Test Stun/Turn Servers.',
-            notFoundTitle: 'MiroTalk - 404 Page not found.',
-        },
-        html: {
-            features: true,
-            browsers: true,
-            teams: true, // please keep me always true ;)
-            tryEasier: true,
-            poweredBy: true,
-            sponsors: true,
-            advertisers: true,
-            footer: true,
-        },
-        about: {
-            imageUrl: '../images/mirotalk-logo.gif',
-            title: `WebRTC P2P v${packageJson.version}`,
-            html: `
-                <button
-                    id="support-button"
-                    data-umami-event="Support button"
-                    onclick="window.open('https://codecanyon.net/user/miroslavpejic85')">
-                    <i class="fas fa-heart" ></i>&nbsp;Support
-                </button>
-                <br /><br /><br />
-                Author:<a
-                    id="linkedin-button"
-                    data-umami-event="Linkedin button"
-                    href="https://www.linkedin.com/in/miroslav-pejic-976a07101/" target="_blank">
-                    Miroslav Pejic
-                </a>
-                <br /><br />
-                Email:<a
-                    id="email-button"
-                    data-umami-event="Email button"
-                    href="mailto:miroslav.pejic.85@gmail.com?subject=MiroTalk P2P info">
-                    miroslav.pejic.85@gmail.com
-                </a>
-                <br /><br />
-                <hr />
-                <span>&copy; 2025 MiroTalk P2P, all rights reserved</span>
-                <hr />
-            `,
-        },
-        //...
-    },
-    /**
-     * Configuration for controlling the visibility of buttons in the MiroTalk P2P client.
-     * Set properties to true to show the corresponding buttons, or false to hide them.
-     * captionBtn, showSwapCameraBtn, showScreenShareBtn, showFullScreenBtn, showVideoPipBtn, showDocumentPipBtn -> (auto-detected).
-     */
-    buttons: {
-        main: {
-            showShareQr: true,
-            showShareRoomBtn: true, // For guests
-            showHideMeBtn: true,
-            showAudioBtn: true,
-            showVideoBtn: true,
-            showScreenBtn: true, // autodetected
-            showRecordStreamBtn: true,
-            showChatRoomBtn: true,
-            showCaptionRoomBtn: true,
-            showRoomEmojiPickerBtn: true,
-            showMyHandBtn: true,
-            showWhiteboardBtn: true,
-            showSnapshotRoomBtn: true,
-            showFileShareBtn: true,
-            showDocumentPipBtn: true,
-            showMySettingsBtn: true,
-            showAboutBtn: true, // Please keep me always true, Thank you!
-        },
-        chat: {
-            showTogglePinBtn: true,
-            showMaxBtn: true,
-            showSaveMessageBtn: true,
-            showMarkDownBtn: true,
-            showChatGPTBtn: true,
-            showFileShareBtn: true,
-            showShareVideoAudioBtn: true,
-            showParticipantsBtn: true,
-        },
-        caption: {
-            showTogglePinBtn: true,
-            showMaxBtn: true,
-        },
-        settings: {
-            showMicOptionsBtn: true,
-            showTabRoomPeerName: true,
-            showTabRoomParticipants: true,
-            showTabRoomSecurity: true,
-            showTabEmailInvitation: true,
-            showCaptionEveryoneBtn: true,
-            showMuteEveryoneBtn: true,
-            showHideEveryoneBtn: true,
-            showEjectEveryoneBtn: true,
-            showLockRoomBtn: true,
-            showUnlockRoomBtn: true,
-            showShortcutsBtn: true,
-        },
-        remote: {
-            showAudioVolume: true,
-            audioBtnClickAllowed: true,
-            videoBtnClickAllowed: true,
-            showVideoPipBtn: true,
-            showKickOutBtn: true,
-            showSnapShotBtn: true,
-            showFileShareBtn: true,
-            showShareVideoAudioBtn: true,
-            showPrivateMessageBtn: true,
-            showZoomInOutBtn: false,
-            showVideoFocusBtn: true,
-        },
-        local: {
-            showVideoPipBtn: true,
-            showSnapShotBtn: true,
-            showVideoCircleBtn: true,
-            showZoomInOutBtn: false,
-        },
-        whiteboard: {
-            whiteboardLockBtn: false,
-        },
-    },
-};
@@ -1,159 +0,0 @@
-'use strict';
-
-const packageJson = require('../../package.json');
-
-module.exports = {
-    // Branding and customizations require a license: https://codecanyon.net/item/mirotalk-p2p-webrtc-realtime-video-conferences/38376661
-    brand: {
-        app: {
-            language: 'en', // https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes
-            name: 'MiroTalk',
-            title: '<h1>MiroTalk</h1/>Free browser based Real-time video calls.<br />Simple, Secure, Fast.',
-            description:
-                'Start your next video call with a single click. No download, plug-in, or login is required. Just get straight to talking, messaging, and sharing your screen.',
-            joinDescription: 'Pick a room name.<br />How about this one?',
-            joinButtonLabel: 'JOIN ROOM',
-            joinLastLabel: 'Your recent room:',
-        },
-        og: {
-            type: 'app-webrtc',
-            siteName: 'MiroTalk',
-            title: 'Click the link to make a call.',
-            description:
-                'MiroTalk calling provides real-time HD quality and latency simply not available with traditional technology.',
-            image: 'https://p2p.mirotalk.com/images/preview.png',
-            url: 'https://p2p.mirotalk.com',
-        },
-        site: {
-            shortcutIcon: '../images/logo.svg',
-            appleTouchIcon: '../images/logo.svg',
-            landingTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
-            newCallTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
-            newCallRoomTitle: 'Pick name. <br />Share URL. <br />Start conference.',
-            newCallRoomDescription:
-                "Each room has its disposable URL. Just pick a room name and share your custom URL. It's that easy.",
-            loginTitle: 'MiroTalk - Host Protected login required.',
-            clientTitle: 'MiroTalk WebRTC Video call, Chat Room & Screen Sharing.',
-            privacyPolicyTitle: 'MiroTalk - privacy and policy.',
-            stunTurnTitle: 'Test Stun/Turn Servers.',
-            notFoundTitle: 'MiroTalk - 404 Page not found.',
-        },
-        html: {
-            features: true,
-            browsers: true,
-            teams: true, // please keep me always true ;)
-            tryEasier: true,
-            poweredBy: true,
-            sponsors: true,
-            advertisers: true,
-            footer: true,
-        },
-        about: {
-            imageUrl: '../images/mirotalk-logo.gif',
-            title: `WebRTC P2P v${packageJson.version}`,
-            html: `
-                <button
-                    id="support-button"
-                    data-umami-event="Support button"
-                    onclick="window.open('https://codecanyon.net/user/miroslavpejic85')">
-                    <i class="fas fa-heart" ></i>&nbsp;Support
-                </button>
-                <br /><br /><br />
-                Author:<a
-                    id="linkedin-button"
-                    data-umami-event="Linkedin button"
-                    href="https://www.linkedin.com/in/miroslav-pejic-976a07101/" target="_blank">
-                    Miroslav Pejic
-                </a>
-                <br /><br />
-                Email:<a
-                    id="email-button"
-                    data-umami-event="Email button"
-                    href="mailto:miroslav.pejic.85@gmail.com?subject=MiroTalk P2P info">
-                    miroslav.pejic.85@gmail.com
-                </a>
-                <br /><br />
-                <hr />
-                <span>&copy; 2025 MiroTalk P2P, all rights reserved</span>
-                <hr />
-            `,
-        },
-        //...
-    },
-    /**
-     * Configuration for controlling the visibility of buttons in the MiroTalk P2P client.
-     * Set properties to true to show the corresponding buttons, or false to hide them.
-     * captionBtn, showSwapCameraBtn, showScreenShareBtn, showFullScreenBtn, showVideoPipBtn, showDocumentPipBtn -> (auto-detected).
-     */
-    buttons: {
-        main: {
-            showShareQr: true,
-            showShareRoomBtn: true, // For guests
-            showHideMeBtn: true,
-            showAudioBtn: true,
-            showVideoBtn: true,
-            showScreenBtn: true, // autodetected
-            showRecordStreamBtn: true,
-            showChatRoomBtn: true,
-            showCaptionRoomBtn: true,
-            showRoomEmojiPickerBtn: true,
-            showMyHandBtn: true,
-            showWhiteboardBtn: true,
-            showSnapshotRoomBtn: true,
-            showFileShareBtn: true,
-            showDocumentPipBtn: true,
-            showMySettingsBtn: true,
-            showAboutBtn: true, // Please keep me always true, Thank you!
-        },
-        chat: {
-            showTogglePinBtn: true,
-            showMaxBtn: true,
-            showSaveMessageBtn: true,
-            showMarkDownBtn: true,
-            showChatGPTBtn: true,
-            showFileShareBtn: true,
-            showShareVideoAudioBtn: true,
-            showParticipantsBtn: true,
-        },
-        caption: {
-            showTogglePinBtn: true,
-            showMaxBtn: true,
-        },
-        settings: {
-            showMicOptionsBtn: true,
-            showTabRoomPeerName: true,
-            showTabRoomParticipants: true,
-            showTabRoomSecurity: true,
-            showTabEmailInvitation: true,
-            showCaptionEveryoneBtn: true,
-            showMuteEveryoneBtn: true,
-            showHideEveryoneBtn: true,
-            showEjectEveryoneBtn: true,
-            showLockRoomBtn: true,
-            showUnlockRoomBtn: true,
-            showShortcutsBtn: true,
-        },
-        remote: {
-            showAudioVolume: true,
-            audioBtnClickAllowed: true,
-            videoBtnClickAllowed: true,
-            showVideoPipBtn: true,
-            showKickOutBtn: true,
-            showSnapShotBtn: true,
-            showFileShareBtn: true,
-            showShareVideoAudioBtn: true,
-            showPrivateMessageBtn: true,
-            showZoomInOutBtn: false,
-            showVideoFocusBtn: true,
-        },
-        local: {
-            showVideoPipBtn: true,
-            showSnapShotBtn: true,
-            showVideoCircleBtn: true,
-            showZoomInOutBtn: false,
-        },
-        whiteboard: {
-            whiteboardLockBtn: false,
-        },
-    },
-};
@@ -24,30 +24,31 @@
    {
      "type": "spotify",
      "enable": true,
-      "clients": [],
-      "name": "spotify",
+      "clients": ["lastfmClient", "ListenBrainzClient", "maloja"],
+      "name": "spotifySource",
      "data": {
        "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
        "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
-        "redirectUri": "http://localhost:9078/callback"
+        "redirectUri": "https://scrobble.trez.wtf/callback"
      }
    },
    {
      "type": "lastfm",
      "enable": true,
-      "clients": [],
-      "name": "lastfm",
+      "clients": ["ListenBrainzClient", "maloja"],
+      "configureAs": "source",
+      "name": "lastfmSource",
      "data": {
        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-        "redirectUri": "http://localhost:9078/lastfm/callback"
+        "redirectUri": "https://scrobble.trez.wtf/lastfm/callback"
      }
    },
    {
      "type": "listenbrainz",
      "enable": true,
-      "clients": [],
-      "name": "listenBrainz",
+      "clients": ["lastfmClient", "maloja"],
+      "name": "listenBrainzSource",
      "data": {
        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
        "username": "Trez.One"
@@ -56,8 +57,8 @@
    {
      "type": "subsonic",
      "enable": true,
-      "clients": [],
-      "name": "navidrome",
+      "clients": ["lastfmClient", "ListenBrainzClient", "maloja"],
+      "name": "navidromeSource",
      "data": {
        "url": "http://navidrome:4533",
        "user": "admin",
@@ -70,10 +71,11 @@
      "type": "lastfm",
      "enable": true,
      "name": "lastFmClient",
+      "configureAs": "client",
      "data": {
        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-        "redirectUri": "http://localhost:9078/lastfm/callback"
+        "redirectUri": "https://scrobble.trez.wtf/lastfm/callback"
      }
    },
    {
@@ -88,7 +90,7 @@
    {
      "type": "maloja",
      "enable": true,
-      "name": "maloja",
+      "name": "malojaClient",
      "data": {
        "url": "http://maloja:42010",
        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
@@ -1,111 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-{
-  "debugMode": false,
-  "disableWeb": false,
-  "sourceDefaults": {
-    "logPayload": false,
-    "logFilterFailure": "warn",
-    "logPlayerState": false,
-    "scrobbleThresholds": {
-      "duration": 30,
-      "percent": 20
-    },
-    "maxPollRetries": 1,
-    "maxRequestRetries": 1,
-    "retryMultiplier": 1.5
-  },
-  "clientDefaults": {
-    "maxRequestRetries": 1,
-    "retryMultiplier": 1.5
-  },
-  "sources": [
-    {
-      "type": "spotify",
-      "enable": true,
-      "clients": [],
-      "name": "spotify",
-      "data": {
-        "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
-        "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
-        "redirectUri": "http://localhost:9078/callback"
-      }
-    },
-    {
-      "type": "lastfm",
-      "enable": true,
-      "clients": [],
-      "name": "lastfm",
-      "data": {
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-        "redirectUri": "http://localhost:9078/lastfm/callback"
-      }
-    },
-    {
-      "type": "listenbrainz",
-      "enable": true,
-      "clients": [],
-      "name": "listenBrainz",
-      "data": {
-        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
-        "username": "Trez.One"
-      }
-    },
-    {
-      "type": "subsonic",
-      "enable": true,
-      "clients": [],
-      "name": "navidrome",
-      "data": {
-        "url": "http://navidrome:4533",
-        "user": "admin",
-        "password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}"
-      }
-    }
-  ],
-  "clients": [
-    {
-      "type": "lastfm",
-      "enable": true,
-      "name": "lastFmClient",
-      "data": {
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-        "redirectUri": "http://localhost:9078/lastfm/callback"
-      }
-    },
-    {
-      "type": "listenbrainz",
-      "enable": true,
-      "name": "ListenBrainzClient",
-      "data": {
-        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
-        "username": "Trez.One"
-      }
-    },
-    {
-      "type": "maloja",
-      "enable": true,
-      "name": "maloja",
-      "data": {
-        "url": "http://maloja:42010",
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
-      }
-    }
-  ],
-  "webhooks": [
-    {
-      "name": "Gotify",
-      "type": "gotify",
-      "url": "http://gotify",
-      "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
-      "priorities": {
-        "info": 5,
-        "warn": 7,
-        "error": 10
-      }
-    }
-  ]
-}
@@ -1,76 +0,0 @@
-{
-  "Stuns": [
-    {
-      "Proto": "udp",
-      "URI": "stun:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
-      "Username": "",
-      "Password": null
-    }
-  ],
-  "TURNConfig": {
-    "Turns": [
-      {
-        "Proto": "udp",
-        "URI": "turn:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
-        "Username": "self",
-        "Password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}"
-      }
-    ],
-    "CredentialsTTL": "12h",
-    "Secret": "secret",
-    "TimeBasedCredentials": false
-  },
-  "Relay": {
-    "Addresses": [
-      "rel://netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:33080"
-    ],
-    "CredentialsTTL": "24h",
-    "Secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_RELAY_AUTH_SECRET'] }}"
-  },
-  "Signal": {
-    "Proto": "https",
-    "URI": "netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:10001",
-    "Username": "",
-    "Password": null
-  },
-  "ReverseProxy": {
-    "TrustedHTTPProxies": [],
-    "TrustedHTTPProxiesCount": 0,
-    "TrustedPeers": [
-      "0.0.0.0/0"
-    ]
-  },
-  "Datadir": "",
-  "DataStoreEncryptionKey": "",
-  "StoreConfig": {
-    "Engine": "sqlite"
-  },
-  "HttpConfig": {
-    "Address": "0.0.0.0:33073",
-    "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
-    "AuthAudience": "netbird",
-    "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
-    "AuthUserIDClaim": "",
-    "CertFile": "",
-    "CertKey": "",
-    "IdpSignKeyRefreshEnabled": true,
-    "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
-  },
-  "IdpManagerConfig": {},
-  "DeviceAuthorizationFlow": {},
-  "PKCEAuthorizationFlow": {
-    "ProviderConfig": {
-      "Audience": "netbird",
-      "ClientID": "netbird",
-      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
-      "Domain": "",
-      "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
-      "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
-      "Scope": "openid profile email offline_access api",
-      "RedirectURLs": [
-        "http://localhost:53000"
-      ],
-      "UseIDToken": true
-    }
-  }
-}
@@ -1,122 +0,0 @@
-{
-    "issuer": "https://id.trez.wtf",
-    "authorization_endpoint": "https://id.trez.wtf/oauth/v2/authorize",
-    "token_endpoint": "https://id.trez.wtf/oauth/v2/token",
-    "introspection_endpoint": "https://id.trez.wtf/oauth/v2/introspect",
-    "userinfo_endpoint": "https://id.trez.wtf/oidc/v1/userinfo",
-    "revocation_endpoint": "https://id.trez.wtf/oauth/v2/revoke",
-    "end_session_endpoint": "https://id.trez.wtf/oidc/v1/end_session",
-    "device_authorization_endpoint": "https://id.trez.wtf/oauth/v2/device_authorization",
-    "jwks_uri": "https://id.trez.wtf/oauth/v2/keys",
-    "scopes_supported": [
-        "openid",
-        "profile",
-        "email",
-        "phone",
-        "address",
-        "offline_access"
-    ],
-    "response_types_supported": [
-        "code",
-        "id_token",
-        "id_token token"
-    ],
-    "response_modes_supported": [
-        "query",
-        "fragment",
-        "form_post"
-    ],
-    "grant_types_supported": [
-        "authorization_code",
-        "implicit",
-        "refresh_token",
-        "client_credentials",
-        "urn:ietf:params:oauth:grant-type:jwt-bearer",
-        "urn:ietf:params:oauth:grant-type:device_code"
-    ],
-    "subject_types_supported": [
-        "public"
-    ],
-    "id_token_signing_alg_values_supported": [
-        "RS256"
-    ],
-    "request_object_signing_alg_values_supported": [
-        "RS256"
-    ],
-    "token_endpoint_auth_methods_supported": [
-        "none",
-        "client_secret_basic",
-        "client_secret_post",
-        "private_key_jwt"
-    ],
-    "token_endpoint_auth_signing_alg_values_supported": [
-        "RS256"
-    ],
-    "revocation_endpoint_auth_methods_supported": [
-        "none",
-        "client_secret_basic",
-        "client_secret_post",
-        "private_key_jwt"
-    ],
-    "revocation_endpoint_auth_signing_alg_values_supported": [
-        "RS256"
-    ],
-    "introspection_endpoint_auth_methods_supported": [
-        "client_secret_basic",
-        "private_key_jwt"
-    ],
-    "introspection_endpoint_auth_signing_alg_values_supported": [
-        "RS256"
-    ],
-    "claims_supported": [
-        "sub",
-        "aud",
-        "exp",
-        "iat",
-        "iss",
-        "auth_time",
-        "nonce",
-        "acr",
-        "amr",
-        "c_hash",
-        "at_hash",
-        "act",
-        "scopes",
-        "client_id",
-        "azp",
-        "preferred_username",
-        "name",
-        "family_name",
-        "given_name",
-        "locale",
-        "email",
-        "email_verified",
-        "phone_number",
-        "phone_number_verified"
-    ],
-    "code_challenge_methods_supported": [
-        "S256"
-    ],
-    "ui_locales_supported": [
-        "bg",
-        "cs",
-        "de",
-        "en",
-        "es",
-        "fr",
-        "hu",
-        "id",
-        "it",
-        "ja",
-        "ko",
-        "mk",
-        "nl",
-        "pl",
-        "pt",
-        "ru",
-        "sv",
-        "zh"
-    ],
-    "request_parameter_supported": true,
-    "request_uri_parameter_supported": false
-}
@@ -1,725 +0,0 @@
-# Coturn TURN SERVER configuration file
-#
-# Boolean values note: where a boolean value is supposed to be used,
-# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
-# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
-# If the value is missing, then it means 'true' by default.
-#
-
-# Listener interface device (optional, Linux only).
-# NOT RECOMMENDED.
-#
-#listening-device=eth0
-
-# TURN listener port for UDP and TCP (Default: 3478).
-# Note: actually, TLS & DTLS sessions can connect to the
-# "plain" TCP & UDP port(s), too - if allowed by configuration.
-#
-listening-port=3478
-
-# TURN listener port for TLS (Default: 5349).
-# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
-# port(s), too - if allowed by configuration. The TURN server
-# "automatically" recognizes the type of traffic. Actually, two listening
-# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
-# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
-# For secure TCP connections, Coturn currently supports SSL version 3 and
-# TLS version 1.0, 1.1 and 1.2.
-# For secure UDP connections, Coturn supports DTLS version 1.
-#
-tls-listening-port=5349
-
-# Alternative listening port for UDP and TCP listeners;
-# default (or zero) value means "listening port plus one".
-# This is needed for RFC 5780 support
-# (STUN extension specs, NAT behavior discovery). The TURN Server
-# supports RFC 5780 only if it is started with more than one
-# listening IP address of the same family (IPv4 or IPv6).
-# RFC 5780 is supported only by UDP protocol, other protocols
-# are listening to that endpoint only for "symmetry".
-#
-#alt-listening-port=0
-
-# Alternative listening port for TLS and DTLS protocols.
-# Default (or zero) value means "TLS listening port plus one".
-#
-#alt-tls-listening-port=0
-
-# Some network setups will require using a TCP reverse proxy in front
-# of the STUN server. If the proxy port option is set a single listener
-# is started on the given port that accepts connections using the
-# haproxy proxy protocol v2.
-# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
-#
-#tcp-proxy-port=5555
-
-# Listener IP address of relay server. Multiple listeners can be specified.
-# If no IP(s) specified in the config file or in the command line options,
-# then all IPv4 and IPv6 system IPs will be used for listening.
-#
-#listening-ip=172.17.19.101
-#listening-ip=10.207.21.238
-#listening-ip=2607:f0d0:1002:51::4
-
-# Auxiliary STUN/TURN server listening endpoint.
-# Aux servers have almost full TURN and STUN functionality.
-# The (minor) limitations are:
-#
-# 1) Auxiliary servers do not have alternative ports and
-# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
-#
-# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
-#
-# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
-#
-# There may be multiple aux-server options, each will be used for listening
-# to client requests.
-#
-#aux-server=172.17.19.110:33478
-#aux-server=[2607:f0d0:1002:51::4]:33478
-
-# (recommended for older Linuxes only)
-# Automatically balance UDP traffic over auxiliary servers (if configured).
-# The load balancing is using the ALTERNATE-SERVER mechanism.
-# The TURN client must support 300 ALTERNATE-SERVER response for this
-# functionality.
-#
-#udp-self-balance
-
-# Relay interface device for relay sockets (optional, Linux only).
-# NOT RECOMMENDED.
-#
-#relay-device=eth1
-
-# Relay address (the local IP address that will be used to relay the
-# packets to the peer).
-# Multiple relay addresses may be used.
-# The same IP(s) can be used as both listening IP(s) and relay IP(s).
-#
-# If no relay IP(s) specified, then the turnserver will apply the default
-# policy: it will decide itself which relay addresses to be used, and it
-# will always be using the client socket IP address as the relay IP address
-# of the TURN session (if the requested relay address family is the same
-# as the family of the client socket).
-#
-#relay-ip=172.17.19.105
-#relay-ip=2607:f0d0:1002:51::5
-
-# For Amazon EC2 users:
-#
-# TURN Server public/private address mapping, if the server is behind NAT.
-# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
-# as relay IP address of all allocations. This scenario works only in a simple case
-# when one single relay address is be used, and no RFC5780 functionality is required.
-# That single relay address must be mapped by NAT to the 'external' IP.
-# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
-# For that 'external' IP, NAT must forward ports directly (relayed port 12345
-# must be always mapped to the same 'external' port 12345).
-#
-# In more complex case when more than one IP address is involved,
-# that option must be used several times, each entry must
-# have form "-X <public-ip/private-ip>", to map all involved addresses.
-# RFC5780 NAT discovery STUN functionality will work correctly,
-# if the addresses are mapped properly, even when the TURN server itself
-# is behind A NAT.
-#
-# By default, this value is empty, and no address mapping is used.
-#
-# external-ip=193.224.22.37
-#
-#OR:
-#
-#external-ip=60.70.80.91/172.17.19.101
-#external-ip=60.70.80.92/172.17.19.102
-
-external-ip=108.29.206.17
-
-# Number of the relay threads to handle the established connections
-# (in addition to authentication thread and the listener thread).
-# If explicitly set to 0 then application runs relay process in a
-# single thread, in the same thread with the listener process
-# (the authentication thread will still be a separate thread).
-#
-# If this parameter is not set, then the default OS-dependent
-# thread pattern algorithm will be employed. Usually the default
-# algorithm is optimal, so you have to change this option
-# if you want to make some fine tweaks.
-#
-# In the older systems (Linux kernel before 3.9),
-# the number of UDP threads is always one thread per network listening
-# endpoint - including the auxiliary endpoints - unless 0 (zero) or
-# 1 (one) value is set.
-#
-#relay-threads=0
-
-# Lower and upper bounds of the UDP relay endpoints:
-# (default values are 49152 and 65535)
-#
-min-port=49152
-max-port=65535
-
-# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
-# By default the verbose mode is off.
-#verbose
-
-# Uncomment to run TURN server in 'extra' verbose mode.
-# This mode is very annoying and produces lots of output.
-# Not recommended under normal circumstances.
-#
-#Verbose
-
-# Uncomment to use fingerprints in the TURN messages.
-# By default the fingerprints are off.
-#
-fingerprint
-
-# Uncomment to use long-term credential mechanism.
-# By default no credentials mechanism is used (any user allowed).
-#
-lt-cred-mech
-
-# This option is the opposite of lt-cred-mech.
-# (TURN Server with no-auth option allows anonymous access).
-# If neither option is defined, and no users are defined,
-# then no-auth is default. If at least one user is defined,
-# in this file, in command line or in usersdb file, then
-# lt-cred-mech is default.
-#
-#no-auth
-
-# TURN REST API flag.
-# (Time Limited Long Term Credential)
-# Flag that sets a special authorization option that is based upon authentication secret.
-#
-# This feature's purpose is to support "TURN Server REST API", see
-# "TURN REST API" link in the project's page
-# https://github.com/coturn/coturn/
-#
-# This option is used with timestamp:
-#
-# usercombo -> "timestamp:userid"
-# turn user -> usercombo
-# turn password -> base64(hmac(secret key, usercombo))
-#
-# This allows TURN credentials to be accounted for a specific user id.
-# If you don't have a suitable id, then the timestamp alone can be used.
-# This option is enabled by turning on secret-based authentication.
-# The actual value of the secret is defined either by the option static-auth-secret,
-# or can be found in the turn_secret table in the database (see below).
-#
-# Read more about it:
-#  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
-#  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
-#
-# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
-# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
-# this option then it automatically enables lt-cred-mech internally
-# as if you had enabled both.
-#
-# Note that you can use only one auth mechanism at the same time! This is because,
-# both mechanisms conduct username and password validation in different ways.
-#
-# Use either lt-cred-mech or use-auth-secret in the conf
-# to avoid any confusion.
-#
-#use-auth-secret
-
-# 'Static' authentication secret value (a string) for TURN REST API only.
-# If not set, then the turn server
-# will try to use the 'dynamic' value in the turn_secret table
-# in the user database (if present). The database-stored  value can be changed on-the-fly
-# by a separate program, so this is why that mode is considered 'dynamic'.
-#
-#static-auth-secret=north
-
-# Server name used for
-# the oAuth authentication purposes.
-# The default value is the realm name.
-#
-# server-name=stun.wiretrustee.com
-
-# Flag that allows oAuth authentication.
-#
-#oauth
-
-# 'Static' user accounts for the long term credentials mechanism, only.
-# This option cannot be used with TURN REST API.
-# 'Static' user accounts are NOT dynamically checked by the turnserver process,
-# so they can NOT be changed while the turnserver is running.
-#
-#user=username1:key1
-#user=username2:key2
-# OR:
-user=self:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}
-#user=username2:password2
-#
-# Keys must be generated by turnadmin utility. The key value depends
-# on user name, realm, and password:
-#
-# Example:
-# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
-# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
-# ('0x' in the beginning of the key is what differentiates the key from
-# password. If it has 0x then it is a key, otherwise it is a password).
-#
-# The corresponding user account entry in the config file will be:
-#
-#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
-# Or, equivalently, with open clear password (less secure):
-#user=ninefingers:youhavetoberealistic
-#
-
-# SQLite database file name.
-#
-# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
-# /var/lib/turn/turndb.
-#
-#userdb=/var/db/turndb
-
-# PostgreSQL database connection string in the case that you are using PostgreSQL
-# as the user database.
-# This database can be used for the long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
-# versions connection string format, see
-# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
-# for 9.x and newer connection string formats.
-#
-#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
-
-# MySQL database connection string in the case that you are using MySQL
-# as the user database.
-# This database can be used for the long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-#
-# Optional connection string parameters for the secure communications (SSL):
-# ca, capath, cert, key, cipher
-# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
-# command options description).
-#
-# Use the string format below (space separated parameters, all optional):
-#
-# mysql-userdb="host=mysql dbname=coturn user=coturn password=CHANGE_ME port=3306 connect_timeout=10 read_timeout=10"
-
-# If you want to use an encrypted password in the MySQL connection string,
-# then set the MySQL password encryption secret key file with this option.
-#
-# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
-# If you want to use a cleartext password then do not set this option!
-#
-# This is the file path for the aes encrypted secret key used for password encryption.
-#
-#secret-key-file=/path/
-
-# MongoDB database connection string in the case that you are using MongoDB
-# as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
-#
-#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
-
-# Redis database connection string in the case that you are using Redis
-# as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-# Use the string format below (space separated parameters, all optional):
-#
-#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
-
-# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
-# This database keeps allocations status information, and it can be also used for publishing
-# and delivering traffic and allocation event notifications.
-# The connection string has the same parameters as redis-userdb connection string.
-# Use the string format below (space separated parameters, all optional):
-#
-#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
-
-# The default realm to be used for the users when no explicit
-# origin/realm relationship is found in the database, or if the TURN
-# server is not using any database (just the commands-line settings
-# and the userdb file). Must be used with long-term credentials
-# mechanism or with TURN REST API.
-#
-# Note: If the default realm is not specified, then realm falls back to the host domain name.
-#       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
-#
-# realm=wiretrustee.com
-# This flag sets the origin consistency
-# check. Across the session, all requests must have the same
-# main ORIGIN attribute value (if the ORIGIN was
-# initially used by the session).
-#
-#check-origin-consistency
-
-# Per-user allocation quota.
-# default value is 0 (no quota, unlimited number of sessions per user).
-# This option can also be set through the database, for a particular realm.
-#
-#user-quota=0
-
-# Total allocation quota.
-# default value is 0 (no quota).
-# This option can also be set through the database, for a particular realm.
-#
-#total-quota=0
-
-# Max bytes-per-second bandwidth a TURN session is allowed to handle
-# (input and output network streams are treated separately). Anything above
-# that limit will be dropped or temporarily suppressed (within
-# the available buffer limits).
-# This option can also be set through the database, for a particular realm.
-#
-#max-bps=0
-
-#
-# Maximum server capacity.
-# Total bytes-per-second bandwidth the TURN server is allowed to allocate
-# for the sessions, combined (input and output network streams are treated separately).
-#
-# bps-capacity=0
-
-# Uncomment if no UDP client listener is desired.
-# By default UDP client listener is always started.
-#
-#no-udp
-
-# Uncomment if no TCP client listener is desired.
-# By default TCP client listener is always started.
-#
-#no-tcp
-
-# Uncomment if no TLS client listener is desired.
-# By default TLS client listener is always started.
-#
-#no-tls
-
-# Uncomment if no DTLS client listener is desired.
-# By default DTLS client listener is always started.
-#
-#no-dtls
-
-# Uncomment if no UDP relay endpoints are allowed.
-# By default UDP relay endpoints are enabled (like in RFC 5766).
-#
-#no-udp-relay
-
-# Uncomment if no TCP relay endpoints are allowed.
-# By default TCP relay endpoints are enabled (like in RFC 6062).
-#
-#no-tcp-relay
-
-# Uncomment if extra security is desired,
-# with nonce value having a limited lifetime.
-# The nonce value is unique for a session.
-# Set this option to limit the nonce lifetime.
-# Set it to 0 for unlimited lifetime.
-# It defaults to 600 secs (10 min) if no value is provided. After that delay,
-# the client will get 438 error and will have to re-authenticate itself.
-#
-#stale-nonce=600
-
-# Uncomment if you want to set the maximum allocation
-# time before it has to be refreshed.
-# Default is 3600s.
-#
-#max-allocate-lifetime=3600
-
-
-# Uncomment to set the lifetime for the channel.
-# Default value is 600 secs (10 minutes).
-# This value MUST not be changed for production purposes.
-#
-#channel-lifetime=600
-
-# Uncomment to set the permission lifetime.
-# Default to 300 secs (5 minutes).
-# In production this value MUST not be changed,
-# however it can be useful for test purposes.
-#
-#permission-lifetime=300
-
-# Certificate file.
-# Use an absolute path or path relative to the
-# configuration file.
-# Use PEM file format.
-#
-cert=/etc/coturn/certs/cert.pem
-
-# Private key file.
-# Use an absolute path or path relative to the
-# configuration file.
-# Use PEM file format.
-#
-pkey=/etc/coturn/private/privkey.pem
-
-# Private key file password, if it is in encoded format.
-# This option has no default value.
-#
-#pkey-pwd=...
-
-# Allowed OpenSSL cipher list for TLS/DTLS connections.
-# Default value is "DEFAULT".
-#
-#cipher-list="DEFAULT"
-
-# CA file in OpenSSL format.
-# Forces TURN server to verify the client SSL certificates.
-# By default this is not set: there is no default value and the client
-# certificate is not checked.
-#
-# Example:
-#CA-file=/etc/ssh/id_rsa.cert
-
-# Curve name for EC ciphers, if supported by OpenSSL
-# library (TLS and DTLS). The default value is prime256v1,
-# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
-# an optimal curve will be automatically calculated, if not defined
-# by this option.
-#
-#ec-curve-name=prime256v1
-
-# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
-#
-#dh566
-
-# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
-#
-#dh1066
-
-# Use custom DH TLS key, stored in PEM format in the file.
-# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
-#
-#dh-file=<DH-PEM-file-name>
-
-# Flag to prevent stdout log messages.
-# By default, all log messages go to both stdout and to
-# the configured log file. With this option everything will
-# go to the configured log only (unless the log file itself is stdout).
-#
-#no-stdout-log
-
-# Option to set the log file name.
-# By default, the turnserver tries to open a log file in
-# /var/log, /var/tmp, /tmp and the current directory
-# (Whichever file open operation succeeds first will be used).
-# With this option you can set the definite log file name.
-# The special names are "stdout" and "-" - they will force everything
-# to the stdout. Also, the "syslog" name will force everything to
-# the system log (syslog).
-# In the runtime, the logfile can be reset with the SIGHUP signal
-# to the turnserver process.
-#
-log-file=stdout
-
-# Option to redirect all log output into system log (syslog).
-#
-# syslog
-
-# This flag means that no log file rollover will be used, and the log file
-# name will be constructed as-is, without PID and date appendage.
-# This option can be used, for example, together with the logrotate tool.
-#
-#simple-log
-
-# Option to set the "redirection" mode. The value of this option
-# will be the address of the alternate server for UDP & TCP service in the form of
-# <ip>[:<port>]. The server will send this value in the attribute
-# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
-# Client will receive only values with the same address family
-# as the client network endpoint address family.
-# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
-# The client must use the obtained value for subsequent TURN communications.
-# If more than one --alternate-server option is provided, then the functionality
-# can be more accurately described as "load-balancing" than a mere "redirection".
-# If the port number is omitted, then the default port
-# number 3478 for the UDP/TCP protocols will be used.
-# Colon (:) characters in IPv6 addresses may conflict with the syntax of
-# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
-# in square brackets in such resource identifiers, for example:
-# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
-# Multiple alternate servers can be set. They will be used in the
-# round-robin manner. All servers in the pool are considered of equal weight and
-# the load will be distributed equally. For example, if you have 4 alternate servers,
-# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
-# address can be used more than one time with the alternate-server option, so this
-# can emulate "weighting" of the servers.
-#
-# Examples:
-#alternate-server=1.2.3.4:5678
-#alternate-server=11.22.33.44:56789
-#alternate-server=5.6.7.8
-#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
-
-# Option to set alternative server for TLS & DTLS services in form of
-# <ip>:<port>. If the port number is omitted, then the default port
-# number 5349 for the TLS/DTLS protocols will be used. See the previous
-# option for the functionality description.
-#
-# Examples:
-#tls-alternate-server=1.2.3.4:5678
-#tls-alternate-server=11.22.33.44:56789
-#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
-
-# Option to suppress TURN functionality, only STUN requests will be processed.
-# Run as STUN server only, all TURN requests will be ignored.
-# By default, this option is NOT set.
-#
-#stun-only
-
-# Option to hide software version. Enhance security when used in production.
-# Revealing the specific software version of the agent through the
-# SOFTWARE attribute might allow them to become more vulnerable to
-# attacks against software that is known to contain security holes.
-# Implementers SHOULD make usage of the SOFTWARE attribute a
-# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
-#
-no-software-attribute
-
-# Option to suppress STUN functionality, only TURN requests will be processed.
-# Run as TURN server only, all STUN requests will be ignored.
-# By default, this option is NOT set.
-#
-#no-stun
-
-# This is the timestamp/username separator symbol (character) in TURN REST API.
-# The default value is ':'.
-# rest-api-separator=:
-
-# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
-# This is an extra security measure.
-#
-# (To avoid any security issue that allowing loopback access may raise,
-# the no-loopback-peers option is replaced by allow-loopback-peers.)
-#
-# Allow it only for testing in a development environment!
-# In production it adds a possible security vulnerability, so for security reasons
-# it is not allowed using it together with empty cli-password.
-#
-#allow-loopback-peers
-
-# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
-# This is an extra security measure.
-#
-#no-multicast-peers
-
-# Option to set the max time, in seconds, allowed for full allocation establishment.
-# Default is 60 seconds.
-#
-#max-allocate-timeout=60
-
-# Option to allow or ban specific ip addresses or ranges of ip addresses.
-# If an ip address is specified as both allowed and denied, then the ip address is
-# considered to be allowed. This is useful when you wish to ban a range of ip
-# addresses, except for a few specific ips within that range.
-#
-# This can be used when you do not want users of the turn server to be able to access
-# machines reachable by the turn server, but would otherwise be unreachable from the
-# internet (e.g. when the turn server is sitting behind a NAT)
-#
-# Examples:
-# denied-peer-ip=83.166.64.0-83.166.95.255
-# allowed-peer-ip=83.166.68.45
-
-# File name to store the pid of the process.
-# Default is /var/run/turnserver.pid (if superuser account is used) or
-# /var/tmp/turnserver.pid .
-#
-pidfile="/var/tmp/turnserver.pid"
-
-# Require authentication of the STUN Binding request.
-# By default, the clients are allowed anonymous access to the STUN Binding functionality.
-#
-#secure-stun
-
-# Mobility with ICE (MICE) specs support.
-#
-#mobility
-
-# Allocate Address Family according
-# If enabled then TURN server allocates address family according  the TURN
-# Client <=> Server communication address family.
-# (By default Coturn works according RFC 6156.)
-# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
-#
-#keep-address-family
-
-
-# User name to run the process. After the initialization, the turnserver process
-# will attempt to change the current user ID to that user.
-#
-#proc-user=<user-name>
-
-# Group name to run the process. After the initialization, the turnserver process
-# will attempt to change the current group ID to that group.
-#
-#proc-group=<group-name>
-
-# Turn OFF the CLI support.
-# By default it is always ON.
-# See also options cli-ip and cli-port.
-#
-no-cli
-
-#Local system IP address to be used for CLI server endpoint. Default value
-# is 127.0.0.1.
-#
-# cli-ip=127.0.0.1
-
-# CLI server port. Default is 5766.
-#
-# cli-port=5766
-
-# CLI access password. Default is empty (no password).
-# For the security reasons, it is recommended that you use the encrypted
-# form of the password (see the -P command in the turnadmin utility).
-#
-# Secure form for password 'qwerty':
-#
-#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
-#
-# Or insecure form for the same password:
-#
-# cli-password=CHANGE_ME
-
-# Enable Web-admin support on https. By default it is Disabled.
-# If it is enabled it also enables a http a simple static banner page
-# with a small reminder that the admin page is available only on https.
-#
-#web-admin
-
-# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
-#
-#web-admin-ip=127.0.0.1
-
-# Web-admin server port. Default is 8080.
-#
-#web-admin-port=8080
-
-# Web-admin server listen on STUN/TURN worker threads
-# By default it is disabled for security reasons! (Not recommended in any production environment!)
-#
-#web-admin-listen-on-workers
-
-# Server relay. NON-STANDARD AND DANGEROUS OPTION.
-# Only for those applications when you want to run
-# server applications on the relay endpoints.
-# This option eliminates the IP permissions check on
-# the packets incoming to the relay endpoints.
-#
-#server-relay
-
-# Maximum number of output sessions in ps CLI command.
-# This value can be changed on-the-fly in CLI. The default value is 256.
-#
-#cli-max-output-sessions
-
-# Set network engine type for the process (for internal purposes).
-#
-#ne=[1|2|3]
-
-# Do not allow an TLS/DTLS version of protocol
-#
-#no-tlsv1
-#no-tlsv1_1
-#no-tlsv1_2
@@ -1,76 +0,0 @@
-{
-  "Stuns": [
-    {
-      "Proto": "udp",
-      "URI": "stun:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
-      "Username": "",
-      "Password": null
-    }
-  ],
-  "TURNConfig": {
-    "Turns": [
-      {
-        "Proto": "udp",
-        "URI": "turn:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
-        "Username": "self",
-        "Password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}"
-      }
-    ],
-    "CredentialsTTL": "12h",
-    "Secret": "secret",
-    "TimeBasedCredentials": false
-  },
-  "Relay": {
-    "Addresses": [
-      "rel://netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:33080"
-    ],
-    "CredentialsTTL": "24h",
-    "Secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_RELAY_AUTH_SECRET'] }}"
-  },
-  "Signal": {
-    "Proto": "https",
-    "URI": "netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:10001",
-    "Username": "",
-    "Password": null
-  },
-  "ReverseProxy": {
-    "TrustedHTTPProxies": [],
-    "TrustedHTTPProxiesCount": 0,
-    "TrustedPeers": [
-      "0.0.0.0/0"
-    ]
-  },
-  "Datadir": "",
-  "DataStoreEncryptionKey": "",
-  "StoreConfig": {
-    "Engine": "sqlite"
-  },
-  "HttpConfig": {
-    "Address": "0.0.0.0:33073",
-    "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
-    "AuthAudience": "netbird",
-    "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
-    "AuthUserIDClaim": "",
-    "CertFile": "",
-    "CertKey": "",
-    "IdpSignKeyRefreshEnabled": true,
-    "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
-  },
-  "IdpManagerConfig": {},
-  "DeviceAuthorizationFlow": {},
-  "PKCEAuthorizationFlow": {
-    "ProviderConfig": {
-      "Audience": "netbird",
-      "ClientID": "netbird",
-      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
-      "Domain": "",
-      "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
-      "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
-      "Scope": "openid profile email offline_access api",
-      "RedirectURLs": [
-        "http://localhost:53000"
-      ],
-      "UseIDToken": true
-    }
-  }
-}
@@ -1,122 +0,0 @@
-{
-    "issuer": "https://id.trez.wtf",
-    "authorization_endpoint": "https://id.trez.wtf/oauth/v2/authorize",
-    "token_endpoint": "https://id.trez.wtf/oauth/v2/token",
-    "introspection_endpoint": "https://id.trez.wtf/oauth/v2/introspect",
-    "userinfo_endpoint": "https://id.trez.wtf/oidc/v1/userinfo",
-    "revocation_endpoint": "https://id.trez.wtf/oauth/v2/revoke",
-    "end_session_endpoint": "https://id.trez.wtf/oidc/v1/end_session",
-    "device_authorization_endpoint": "https://id.trez.wtf/oauth/v2/device_authorization",
-    "jwks_uri": "https://id.trez.wtf/oauth/v2/keys",
-    "scopes_supported": [
-        "openid",
-        "profile",
-        "email",
-        "phone",
-        "address",
-        "offline_access"
-    ],
-    "response_types_supported": [
-        "code",
-        "id_token",
-        "id_token token"
-    ],
-    "response_modes_supported": [
-        "query",
-        "fragment",
-        "form_post"
-    ],
-    "grant_types_supported": [
-        "authorization_code",
-        "implicit",
-        "refresh_token",
-        "client_credentials",
-        "urn:ietf:params:oauth:grant-type:jwt-bearer",
-        "urn:ietf:params:oauth:grant-type:device_code"
-    ],
-    "subject_types_supported": [
-        "public"
-    ],
-    "id_token_signing_alg_values_supported": [
-        "RS256"
-    ],
-    "request_object_signing_alg_values_supported": [
-        "RS256"
-    ],
-    "token_endpoint_auth_methods_supported": [
-        "none",
-        "client_secret_basic",
-        "client_secret_post",
-        "private_key_jwt"
-    ],
-    "token_endpoint_auth_signing_alg_values_supported": [
-        "RS256"
-    ],
-    "revocation_endpoint_auth_methods_supported": [
-        "none",
-        "client_secret_basic",
-        "client_secret_post",
-        "private_key_jwt"
-    ],
-    "revocation_endpoint_auth_signing_alg_values_supported": [
-        "RS256"
-    ],
-    "introspection_endpoint_auth_methods_supported": [
-        "client_secret_basic",
-        "private_key_jwt"
-    ],
-    "introspection_endpoint_auth_signing_alg_values_supported": [
-        "RS256"
-    ],
-    "claims_supported": [
-        "sub",
-        "aud",
-        "exp",
-        "iat",
-        "iss",
-        "auth_time",
-        "nonce",
-        "acr",
-        "amr",
-        "c_hash",
-        "at_hash",
-        "act",
-        "scopes",
-        "client_id",
-        "azp",
-        "preferred_username",
-        "name",
-        "family_name",
-        "given_name",
-        "locale",
-        "email",
-        "email_verified",
-        "phone_number",
-        "phone_number_verified"
-    ],
-    "code_challenge_methods_supported": [
-        "S256"
-    ],
-    "ui_locales_supported": [
-        "bg",
-        "cs",
-        "de",
-        "en",
-        "es",
-        "fr",
-        "hu",
-        "id",
-        "it",
-        "ja",
-        "ko",
-        "mk",
-        "nl",
-        "pl",
-        "pt",
-        "ru",
-        "sv",
-        "zh"
-    ],
-    "request_parameter_supported": true,
-    "request_uri_parameter_supported": false
-}
@@ -1,725 +0,0 @@
-# Coturn TURN SERVER configuration file
-#
-# Boolean values note: where a boolean value is supposed to be used,
-# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
-# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
-# If the value is missing, then it means 'true' by default.
-#
-
-# Listener interface device (optional, Linux only).
-# NOT RECOMMENDED.
-#
-#listening-device=eth0
-
-# TURN listener port for UDP and TCP (Default: 3478).
-# Note: actually, TLS & DTLS sessions can connect to the
-# "plain" TCP & UDP port(s), too - if allowed by configuration.
-#
-listening-port=3478
-
-# TURN listener port for TLS (Default: 5349).
-# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
-# port(s), too - if allowed by configuration. The TURN server
-# "automatically" recognizes the type of traffic. Actually, two listening
-# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
-# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
-# For secure TCP connections, Coturn currently supports SSL version 3 and
-# TLS version 1.0, 1.1 and 1.2.
-# For secure UDP connections, Coturn supports DTLS version 1.
-#
-tls-listening-port=5349
-
-# Alternative listening port for UDP and TCP listeners;
-# default (or zero) value means "listening port plus one".
-# This is needed for RFC 5780 support
-# (STUN extension specs, NAT behavior discovery). The TURN Server
-# supports RFC 5780 only if it is started with more than one
-# listening IP address of the same family (IPv4 or IPv6).
-# RFC 5780 is supported only by UDP protocol, other protocols
-# are listening to that endpoint only for "symmetry".
-#
-#alt-listening-port=0
-
-# Alternative listening port for TLS and DTLS protocols.
-# Default (or zero) value means "TLS listening port plus one".
-#
-#alt-tls-listening-port=0
-
-# Some network setups will require using a TCP reverse proxy in front
-# of the STUN server. If the proxy port option is set a single listener
-# is started on the given port that accepts connections using the
-# haproxy proxy protocol v2.
-# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
-#
-#tcp-proxy-port=5555
-
-# Listener IP address of relay server. Multiple listeners can be specified.
-# If no IP(s) specified in the config file or in the command line options,
-# then all IPv4 and IPv6 system IPs will be used for listening.
-#
-#listening-ip=172.17.19.101
-#listening-ip=10.207.21.238
-#listening-ip=2607:f0d0:1002:51::4
-
-# Auxiliary STUN/TURN server listening endpoint.
-# Aux servers have almost full TURN and STUN functionality.
-# The (minor) limitations are:
-#
-# 1) Auxiliary servers do not have alternative ports and
-# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
-#
-# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
-#
-# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
-#
-# There may be multiple aux-server options, each will be used for listening
-# to client requests.
-#
-#aux-server=172.17.19.110:33478
-#aux-server=[2607:f0d0:1002:51::4]:33478
-
-# (recommended for older Linuxes only)
-# Automatically balance UDP traffic over auxiliary servers (if configured).
-# The load balancing is using the ALTERNATE-SERVER mechanism.
-# The TURN client must support 300 ALTERNATE-SERVER response for this
-# functionality.
-#
-#udp-self-balance
-
-# Relay interface device for relay sockets (optional, Linux only).
-# NOT RECOMMENDED.
-#
-#relay-device=eth1
-
-# Relay address (the local IP address that will be used to relay the
-# packets to the peer).
-# Multiple relay addresses may be used.
-# The same IP(s) can be used as both listening IP(s) and relay IP(s).
-#
-# If no relay IP(s) specified, then the turnserver will apply the default
-# policy: it will decide itself which relay addresses to be used, and it
-# will always be using the client socket IP address as the relay IP address
-# of the TURN session (if the requested relay address family is the same
-# as the family of the client socket).
-#
-#relay-ip=172.17.19.105
-#relay-ip=2607:f0d0:1002:51::5
-
-# For Amazon EC2 users:
-#
-# TURN Server public/private address mapping, if the server is behind NAT.
-# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
-# as relay IP address of all allocations. This scenario works only in a simple case
-# when one single relay address is be used, and no RFC5780 functionality is required.
-# That single relay address must be mapped by NAT to the 'external' IP.
-# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
-# For that 'external' IP, NAT must forward ports directly (relayed port 12345
-# must be always mapped to the same 'external' port 12345).
-#
-# In more complex case when more than one IP address is involved,
-# that option must be used several times, each entry must
-# have form "-X <public-ip/private-ip>", to map all involved addresses.
-# RFC5780 NAT discovery STUN functionality will work correctly,
-# if the addresses are mapped properly, even when the TURN server itself
-# is behind A NAT.
-#
-# By default, this value is empty, and no address mapping is used.
-#
-# external-ip=193.224.22.37
-#
-#OR:
-#
-#external-ip=60.70.80.91/172.17.19.101
-#external-ip=60.70.80.92/172.17.19.102
-
-external-ip=108.29.206.17
-
-# Number of the relay threads to handle the established connections
-# (in addition to authentication thread and the listener thread).
-# If explicitly set to 0 then application runs relay process in a
-# single thread, in the same thread with the listener process
-# (the authentication thread will still be a separate thread).
-#
-# If this parameter is not set, then the default OS-dependent
-# thread pattern algorithm will be employed. Usually the default
-# algorithm is optimal, so you have to change this option
-# if you want to make some fine tweaks.
-#
-# In the older systems (Linux kernel before 3.9),
-# the number of UDP threads is always one thread per network listening
-# endpoint - including the auxiliary endpoints - unless 0 (zero) or
-# 1 (one) value is set.
-#
-#relay-threads=0
-
-# Lower and upper bounds of the UDP relay endpoints:
-# (default values are 49152 and 65535)
-#
-min-port=49152
-max-port=65535
-
-# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
-# By default the verbose mode is off.
-#verbose
-
-# Uncomment to run TURN server in 'extra' verbose mode.
-# This mode is very annoying and produces lots of output.
-# Not recommended under normal circumstances.
-#
-#Verbose
-
-# Uncomment to use fingerprints in the TURN messages.
-# By default the fingerprints are off.
-#
-fingerprint
-
-# Uncomment to use long-term credential mechanism.
-# By default no credentials mechanism is used (any user allowed).
-#
-lt-cred-mech
-
-# This option is the opposite of lt-cred-mech.
-# (TURN Server with no-auth option allows anonymous access).
-# If neither option is defined, and no users are defined,
-# then no-auth is default. If at least one user is defined,
-# in this file, in command line or in usersdb file, then
-# lt-cred-mech is default.
-#
-#no-auth
-
-# TURN REST API flag.
-# (Time Limited Long Term Credential)
-# Flag that sets a special authorization option that is based upon authentication secret.
-#
-# This feature's purpose is to support "TURN Server REST API", see
-# "TURN REST API" link in the project's page
-# https://github.com/coturn/coturn/
-#
-# This option is used with timestamp:
-#
-# usercombo -> "timestamp:userid"
-# turn user -> usercombo
-# turn password -> base64(hmac(secret key, usercombo))
-#
-# This allows TURN credentials to be accounted for a specific user id.
-# If you don't have a suitable id, then the timestamp alone can be used.
-# This option is enabled by turning on secret-based authentication.
-# The actual value of the secret is defined either by the option static-auth-secret,
-# or can be found in the turn_secret table in the database (see below).
-#
-# Read more about it:
-#  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
-#  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
-#
-# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
-# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
-# this option then it automatically enables lt-cred-mech internally
-# as if you had enabled both.
-#
-# Note that you can use only one auth mechanism at the same time! This is because,
-# both mechanisms conduct username and password validation in different ways.
-#
-# Use either lt-cred-mech or use-auth-secret in the conf
-# to avoid any confusion.
-#
-#use-auth-secret
-
-# 'Static' authentication secret value (a string) for TURN REST API only.
-# If not set, then the turn server
-# will try to use the 'dynamic' value in the turn_secret table
-# in the user database (if present). The database-stored  value can be changed on-the-fly
-# by a separate program, so this is why that mode is considered 'dynamic'.
-#
-#static-auth-secret=north
-
-# Server name used for
-# the oAuth authentication purposes.
-# The default value is the realm name.
-#
-# server-name=stun.wiretrustee.com
-
-# Flag that allows oAuth authentication.
-#
-#oauth
-
-# 'Static' user accounts for the long term credentials mechanism, only.
-# This option cannot be used with TURN REST API.
-# 'Static' user accounts are NOT dynamically checked by the turnserver process,
-# so they can NOT be changed while the turnserver is running.
-#
-#user=username1:key1
-#user=username2:key2
-# OR:
-user=self:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}
-#user=username2:password2
-#
-# Keys must be generated by turnadmin utility. The key value depends
-# on user name, realm, and password:
-#
-# Example:
-# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
-# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
-# ('0x' in the beginning of the key is what differentiates the key from
-# password. If it has 0x then it is a key, otherwise it is a password).
-#
-# The corresponding user account entry in the config file will be:
-#
-#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
-# Or, equivalently, with open clear password (less secure):
-#user=ninefingers:youhavetoberealistic
-#
-
-# SQLite database file name.
-#
-# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
-# /var/lib/turn/turndb.
-#
-#userdb=/var/db/turndb
-
-# PostgreSQL database connection string in the case that you are using PostgreSQL
-# as the user database.
-# This database can be used for the long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
-# versions connection string format, see
-# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
-# for 9.x and newer connection string formats.
-#
-#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
-
-# MySQL database connection string in the case that you are using MySQL
-# as the user database.
-# This database can be used for the long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-#
-# Optional connection string parameters for the secure communications (SSL):
-# ca, capath, cert, key, cipher
-# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
-# command options description).
-#
-# Use the string format below (space separated parameters, all optional):
-#
-# mysql-userdb="host=mysql dbname=coturn user=coturn password=CHANGE_ME port=3306 connect_timeout=10 read_timeout=10"
-
-# If you want to use an encrypted password in the MySQL connection string,
-# then set the MySQL password encryption secret key file with this option.
-#
-# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
-# If you want to use a cleartext password then do not set this option!
-#
-# This is the file path for the aes encrypted secret key used for password encryption.
-#
-#secret-key-file=/path/
-
-# MongoDB database connection string in the case that you are using MongoDB
-# as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
-#
-#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
-
-# Redis database connection string in the case that you are using Redis
-# as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
-# Use the string format below (space separated parameters, all optional):
-#
-#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
-
-# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
-# This database keeps allocations status information, and it can be also used for publishing
-# and delivering traffic and allocation event notifications.
-# The connection string has the same parameters as redis-userdb connection string.
-# Use the string format below (space separated parameters, all optional):
-#
-#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
-
-# The default realm to be used for the users when no explicit
-# origin/realm relationship is found in the database, or if the TURN
-# server is not using any database (just the commands-line settings
-# and the userdb file). Must be used with long-term credentials
-# mechanism or with TURN REST API.
-#
-# Note: If the default realm is not specified, then realm falls back to the host domain name.
-#       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
-#
-# realm=wiretrustee.com
-# This flag sets the origin consistency
-# check. Across the session, all requests must have the same
-# main ORIGIN attribute value (if the ORIGIN was
-# initially used by the session).
-#
-#check-origin-consistency
-
-# Per-user allocation quota.
-# default value is 0 (no quota, unlimited number of sessions per user).
-# This option can also be set through the database, for a particular realm.
-#
-#user-quota=0
-
-# Total allocation quota.
-# default value is 0 (no quota).
-# This option can also be set through the database, for a particular realm.
-#
-#total-quota=0
-
-# Max bytes-per-second bandwidth a TURN session is allowed to handle
-# (input and output network streams are treated separately). Anything above
-# that limit will be dropped or temporarily suppressed (within
-# the available buffer limits).
-# This option can also be set through the database, for a particular realm.
-#
-#max-bps=0
-
-#
-# Maximum server capacity.
-# Total bytes-per-second bandwidth the TURN server is allowed to allocate
-# for the sessions, combined (input and output network streams are treated separately).
-#
-# bps-capacity=0
-
-# Uncomment if no UDP client listener is desired.
-# By default UDP client listener is always started.
-#
-#no-udp
-
-# Uncomment if no TCP client listener is desired.
-# By default TCP client listener is always started.
-#
-#no-tcp
-
-# Uncomment if no TLS client listener is desired.
-# By default TLS client listener is always started.
-#
-#no-tls
-
-# Uncomment if no DTLS client listener is desired.
-# By default DTLS client listener is always started.
-#
-#no-dtls
-
-# Uncomment if no UDP relay endpoints are allowed.
-# By default UDP relay endpoints are enabled (like in RFC 5766).
-#
-#no-udp-relay
-
-# Uncomment if no TCP relay endpoints are allowed.
-# By default TCP relay endpoints are enabled (like in RFC 6062).
-#
-#no-tcp-relay
-
-# Uncomment if extra security is desired,
-# with nonce value having a limited lifetime.
-# The nonce value is unique for a session.
-# Set this option to limit the nonce lifetime.
-# Set it to 0 for unlimited lifetime.
-# It defaults to 600 secs (10 min) if no value is provided. After that delay,
-# the client will get 438 error and will have to re-authenticate itself.
-#
-#stale-nonce=600
-
-# Uncomment if you want to set the maximum allocation
-# time before it has to be refreshed.
-# Default is 3600s.
-#
-#max-allocate-lifetime=3600
-
-
-# Uncomment to set the lifetime for the channel.
-# Default value is 600 secs (10 minutes).
-# This value MUST not be changed for production purposes.
-#
-#channel-lifetime=600
-
-# Uncomment to set the permission lifetime.
-# Default to 300 secs (5 minutes).
-# In production this value MUST not be changed,
-# however it can be useful for test purposes.
-#
-#permission-lifetime=300
-
-# Certificate file.
-# Use an absolute path or path relative to the
-# configuration file.
-# Use PEM file format.
-#
-cert=/etc/coturn/certs/cert.pem
-
-# Private key file.
-# Use an absolute path or path relative to the
-# configuration file.
-# Use PEM file format.
-#
-pkey=/etc/coturn/private/privkey.pem
-
-# Private key file password, if it is in encoded format.
-# This option has no default value.
-#
-#pkey-pwd=...
-
-# Allowed OpenSSL cipher list for TLS/DTLS connections.
-# Default value is "DEFAULT".
-#
-#cipher-list="DEFAULT"
-
-# CA file in OpenSSL format.
-# Forces TURN server to verify the client SSL certificates.
-# By default this is not set: there is no default value and the client
-# certificate is not checked.
-#
-# Example:
-#CA-file=/etc/ssh/id_rsa.cert
-
-# Curve name for EC ciphers, if supported by OpenSSL
-# library (TLS and DTLS). The default value is prime256v1,
-# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
-# an optimal curve will be automatically calculated, if not defined
-# by this option.
-#
-#ec-curve-name=prime256v1
-
-# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
-#
-#dh566
-
-# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
-#
-#dh1066
-
-# Use custom DH TLS key, stored in PEM format in the file.
-# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
-#
-#dh-file=<DH-PEM-file-name>
-
-# Flag to prevent stdout log messages.
-# By default, all log messages go to both stdout and to
-# the configured log file. With this option everything will
-# go to the configured log only (unless the log file itself is stdout).
-#
-#no-stdout-log
-
-# Option to set the log file name.
-# By default, the turnserver tries to open a log file in
-# /var/log, /var/tmp, /tmp and the current directory
-# (Whichever file open operation succeeds first will be used).
-# With this option you can set the definite log file name.
-# The special names are "stdout" and "-" - they will force everything
-# to the stdout. Also, the "syslog" name will force everything to
-# the system log (syslog).
-# In the runtime, the logfile can be reset with the SIGHUP signal
-# to the turnserver process.
-#
-log-file=stdout
-
-# Option to redirect all log output into system log (syslog).
-#
-# syslog
-
-# This flag means that no log file rollover will be used, and the log file
-# name will be constructed as-is, without PID and date appendage.
-# This option can be used, for example, together with the logrotate tool.
-#
-#simple-log
-
-# Option to set the "redirection" mode. The value of this option
-# will be the address of the alternate server for UDP & TCP service in the form of
-# <ip>[:<port>]. The server will send this value in the attribute
-# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
-# Client will receive only values with the same address family
-# as the client network endpoint address family.
-# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
-# The client must use the obtained value for subsequent TURN communications.
-# If more than one --alternate-server option is provided, then the functionality
-# can be more accurately described as "load-balancing" than a mere "redirection".
-# If the port number is omitted, then the default port
-# number 3478 for the UDP/TCP protocols will be used.
-# Colon (:) characters in IPv6 addresses may conflict with the syntax of
-# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
-# in square brackets in such resource identifiers, for example:
-# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
-# Multiple alternate servers can be set. They will be used in the
-# round-robin manner. All servers in the pool are considered of equal weight and
-# the load will be distributed equally. For example, if you have 4 alternate servers,
-# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
-# address can be used more than one time with the alternate-server option, so this
-# can emulate "weighting" of the servers.
-#
-# Examples:
-#alternate-server=1.2.3.4:5678
-#alternate-server=11.22.33.44:56789
-#alternate-server=5.6.7.8
-#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
-
-# Option to set alternative server for TLS & DTLS services in form of
-# <ip>:<port>. If the port number is omitted, then the default port
-# number 5349 for the TLS/DTLS protocols will be used. See the previous
-# option for the functionality description.
-#
-# Examples:
-#tls-alternate-server=1.2.3.4:5678
-#tls-alternate-server=11.22.33.44:56789
-#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
-
-# Option to suppress TURN functionality, only STUN requests will be processed.
-# Run as STUN server only, all TURN requests will be ignored.
-# By default, this option is NOT set.
-#
-#stun-only
-
-# Option to hide software version. Enhance security when used in production.
-# Revealing the specific software version of the agent through the
-# SOFTWARE attribute might allow them to become more vulnerable to
-# attacks against software that is known to contain security holes.
-# Implementers SHOULD make usage of the SOFTWARE attribute a
-# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
-#
-no-software-attribute
-
-# Option to suppress STUN functionality, only TURN requests will be processed.
-# Run as TURN server only, all STUN requests will be ignored.
-# By default, this option is NOT set.
-#
-#no-stun
-
-# This is the timestamp/username separator symbol (character) in TURN REST API.
-# The default value is ':'.
-# rest-api-separator=:
-
-# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
-# This is an extra security measure.
-#
-# (To avoid any security issue that allowing loopback access may raise,
-# the no-loopback-peers option is replaced by allow-loopback-peers.)
-#
-# Allow it only for testing in a development environment!
-# In production it adds a possible security vulnerability, so for security reasons
-# it is not allowed using it together with empty cli-password.
-#
-#allow-loopback-peers
-
-# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
-# This is an extra security measure.
-#
-#no-multicast-peers
-
-# Option to set the max time, in seconds, allowed for full allocation establishment.
-# Default is 60 seconds.
-#
-#max-allocate-timeout=60
-
-# Option to allow or ban specific ip addresses or ranges of ip addresses.
-# If an ip address is specified as both allowed and denied, then the ip address is
-# considered to be allowed. This is useful when you wish to ban a range of ip
-# addresses, except for a few specific ips within that range.
-#
-# This can be used when you do not want users of the turn server to be able to access
-# machines reachable by the turn server, but would otherwise be unreachable from the
-# internet (e.g. when the turn server is sitting behind a NAT)
-#
-# Examples:
-# denied-peer-ip=83.166.64.0-83.166.95.255
-# allowed-peer-ip=83.166.68.45
-
-# File name to store the pid of the process.
-# Default is /var/run/turnserver.pid (if superuser account is used) or
-# /var/tmp/turnserver.pid .
-#
-pidfile="/var/tmp/turnserver.pid"
-
-# Require authentication of the STUN Binding request.
-# By default, the clients are allowed anonymous access to the STUN Binding functionality.
-#
-#secure-stun
-
-# Mobility with ICE (MICE) specs support.
-#
-#mobility
-
-# Allocate Address Family according
-# If enabled then TURN server allocates address family according  the TURN
-# Client <=> Server communication address family.
-# (By default Coturn works according RFC 6156.)
-# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
-#
-#keep-address-family
-
-
-# User name to run the process. After the initialization, the turnserver process
-# will attempt to change the current user ID to that user.
-#
-#proc-user=<user-name>
-
-# Group name to run the process. After the initialization, the turnserver process
-# will attempt to change the current group ID to that group.
-#
-#proc-group=<group-name>
-
-# Turn OFF the CLI support.
-# By default it is always ON.
-# See also options cli-ip and cli-port.
-#
-no-cli
-
-#Local system IP address to be used for CLI server endpoint. Default value
-# is 127.0.0.1.
-#
-# cli-ip=127.0.0.1
-
-# CLI server port. Default is 5766.
-#
-# cli-port=5766
-
-# CLI access password. Default is empty (no password).
-# For the security reasons, it is recommended that you use the encrypted
-# form of the password (see the -P command in the turnadmin utility).
-#
-# Secure form for password 'qwerty':
-#
-#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
-#
-# Or insecure form for the same password:
-#
-# cli-password=CHANGE_ME
-
-# Enable Web-admin support on https. By default it is Disabled.
-# If it is enabled it also enables a http a simple static banner page
-# with a small reminder that the admin page is available only on https.
-#
-#web-admin
-
-# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
-#
-#web-admin-ip=127.0.0.1
-
-# Web-admin server port. Default is 8080.
-#
-#web-admin-port=8080
-
-# Web-admin server listen on STUN/TURN worker threads
-# By default it is disabled for security reasons! (Not recommended in any production environment!)
-#
-#web-admin-listen-on-workers
-
-# Server relay. NON-STANDARD AND DANGEROUS OPTION.
-# Only for those applications when you want to run
-# server applications on the relay endpoints.
-# This option eliminates the IP permissions check on
-# the packets incoming to the relay endpoints.
-#
-#server-relay
-
-# Maximum number of output sessions in ps CLI command.
-# This value can be changed on-the-fly in CLI. The default value is 256.
-#
-#cli-max-output-sessions
-
-# Set network engine type for the process (for internal purposes).
-#
-#ne=[1|2|3]
-
-# Do not allow an TLS/DTLS version of protocol
-#
-#no-tlsv1
-#no-tlsv1_1
-#no-tlsv1_2
@@ -1,11 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-<clickhouse>
-    <profiles>
-        <default>
-            <log_queries>0</log_queries>
-            <log_query_threads>0</log_query_threads>
-        </default>
-    </profiles>
-</clickhouse>
@@ -1,11 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-<clickhouse>
-    <profiles>
-        <default>
-            <log_queries>0</log_queries>
-            <log_query_threads>0</log_query_threads>
-        </default>
-    </profiles>
-</clickhouse>
@@ -1,62 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-version: 2
-
-postal:
-  web_hostname: post.trez.wtf
-  web_protocol: http
-  smtp_hostname: post.trez.wtf
-  use_ip_pools: false
-  signing_key_path: /config/signing.key
-  trusted_proxies: [ "172.18.0.0/16" ]
-
-web_server:
-  default_port: 5000
-  default_bind_address: 0.0.0.0
-
-main_db:
-  host: mariadb
-  username: postal
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
-  database: postal
-
-message_db:
-  host: mariadb
-  username: postal
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
-  prefix: postal
-
-smtp_server:
-  default_port: 25
-  default_bind_address: "::"
-  tls_enabled: true
-  tls_certificate_path: /config/certs/fullchain.pem
-  tls_private_key_path: /config/certs/privkey.pem
-
-dns:
-  # Specify the DNS records that you have configured. Refer to the documentation at
-  # https://github.com/atech/postal/wiki/Domains-&-DNS-Configuration for further
-  # information about these.
-  mx_records:
-    - mx.post.trez.wtf
-  spf_include: spf.post.trez.wtf
-  return_path_domain: rp.post.trez.wtf
-  route_domain: routes.post.trez.wtf
-  track_domain: track.post.trez.wtf
-
-smtp:
-  # Specify an SMTP server that can be used to send messages from the Postal management
-  # system to users. You can configure this to use a Postal mail server once the
-  # your installation has been set up.
-  host: postal-smtp
-  port: 25
-  username: rinoa/postal-smtp
-  password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
-  from_name: Postal @ Rinoa
-  from_address: noreply@trez.wtf
-
-rails:
-  # This is generated automatically by the config initialization. It should be a random
-  # string unique to your installation.
-  secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_RAILS_SECRET_KEY'] }}"
@@ -1,21 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-<Config>
-  <BindAddress>*</BindAddress>
-  <Port>9696</Port>
-  <SslPort>6969</SslPort>
-  <EnableSsl>False</EnableSsl>
-  <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}</ApiKey>
-  <AuthenticationMethod>Forms</AuthenticationMethod>
-  <AuthenticationRequired>Enabled</AuthenticationRequired>
-  <Branch>master</Branch>
-  <LogLevel>info</LogLevel>
-  <SslCertPath></SslCertPath>
-  <SslCertPassword></SslCertPassword>
-  <UrlBase></UrlBase>
-  <InstanceName>Prowlarr</InstanceName>
-  <UpdateMechanism>Docker</UpdateMechanism>
-  <Theme>light</Theme>
-</Config>
@@ -0,0 +1,225 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+# This is an example configuration file that documents all the options.
+# It will need to be modified for your specific use case.
+# These are not default values. You MUST review the config settings and properly configure this EXAMPLE file.
+# Please refer to the link below for more details on how to set up the configuration file
+# https://github.com/StuffAnThings/qbit_manage/wiki/Config-Setup
+
+commands:
+  # The commands defined below will OVERRIDE any commands used in command line and docker env variables.
+  dry_run: True
+  recheck: False
+  cat_update: False
+  tag_update: False
+  rem_unregistered: False
+  tag_tracker_error: False
+  rem_orphaned: False
+  tag_nohardlinks: False
+  share_limits: False
+  skip_qb_version_check: False
+  skip_cleanup: False
+
+qbt:
+  # qBittorrent parameters
+  # Pass environment variables to the config via !ENV tag
+  host: qbittorrentvpn:8080
+  user: admin
+  pass: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['DELUGEVPN_PASSWORD'] }}
+
+settings:
+  force_auto_tmm: False # Will force qBittorrent to enable Automatic Torrent Management for each torrent.
+  force_auto_tmm_ignore_tags: #Torrents with these tags will be ignored when force_auto_tmm is enabled.
+    - cross-seed
+    - Upload
+  tracker_error_tag: issue # Will set the tag of any torrents that do not have a working tracker.
+  nohardlinks_tag: noHL # Will set the tag of any torrents with no hardlinks.
+  stalled_tag: stalledDL # Will set the tag of any torrents stalled downloading.
+  share_limits_tag: ~share_limit # Will add this tag when applying share limits to provide an easy way to filter torrents by share limit group/priority for each torrent
+  share_limits_min_seeding_time_tag: MinSeedTimeNotReached # Tag to be added to torrents that have not yet reached the minimum seeding time
+  share_limits_min_num_seeds_tag: MinSeedsNotMet # Tag to be added to torrents that have not yet reached the minimum number of seeds
+  share_limits_last_active_tag: LastActiveLimitNotReached # Tag to be added to torrents that have not yet reached the last active limit
+  cat_filter_completed: True # Filters for completed torrents only when running cat_update command
+  share_limits_filter_completed: True # Filters for completed torrents only when running share_limits command
+  tag_nohardlinks_filter_completed: True # Filters for completed torrents only when running tag_nohardlinks command
+  rem_unregistered_filter_completed: False # Filters for completed torrents only when running rem_unregistered command
+  cat_update_all: True # Checks and updates all torrent categories if set to True when running cat_update command, otherwise only update torrents that are uncategorized
+  disable_qbt_default_share_limits: True # Allows QBM to handle share limits by disabling qBittorrents default Share limits. Only active when the share_limits command is set to True
+  tag_stalled_torrents: True # Tags any downloading torrents that are stalled with the `stalledDL` tag when running the tag_update command
+  rem_unregistered_ignore_list: # Ignores a list of words found in the status of the tracker when running rem_unregistered command and will not remove the torrent if matched
+    - example placeholder words
+    - ignore if found
+
+directory:
+  # Do not remove these
+  # root_dir var: </your/path/here/>  # Root downloads directory used to check for orphaned files, noHL, and RecycleBin.
+  # <OPTIONAL> remote_dir var: </your/path/here/>  # Path of docker host mapping of root_dir.
+  # remote_dir must be set if you're running qbit_manage locally and qBittorrent/cross_seed is in a docker
+  # remote_dir should not be set if qbit_manage is running in a container
+  # <OPTIONAL> recycle_bin var: </your/path/here/>   # Path of the RecycleBin folder. Default location is set to remote_dir/.RecycleBin
+  # <OPTIONAL> torrents_dir var: </your/path/here/>  # Path of the your qbittorrent torrents directory. Required for `save_torrents` attribute in recyclebin
+  # <OPTIONAL> orphaned_dir var: </your/path/here/>  # Path of the the Orphaned Data folder. This is similar to RecycleBin, but only for orphaned data.
+  root_dir: "/downloads"
+  # remote_dir: "/host/path/to/torrents/ifdocker/torrents/"
+  # recycle_bin: "/path/to/.RecycleBin"
+  torrents_dir: "/downloads/completed/torrent"
+
+cat:
+  # Category & Path Parameters
+  # All save paths in qbittorent must be populated below.
+  # If you want to leave a save_path as uncategorized you can use the key 'Uncategorized' as the name of the category.
+  # You can use Unix filename pattern matching as well when specifying the save_path
+  # <Category Name> : <save_path>  # Path of your save directory.
+  lidarr: "/downloads/completed/torrent/music"
+  # prowlarr: "/data/torrents"
+  radarr: "/downloads/completed/torrent/movies"
+  readarr: "/downloads/completed/torrent/ebooks"
+  tv-sonarr: "/downloads/completed/torrent//tv"
+
+cat_change:
+  # This moves all the torrents from one category to another category. This executes on --cat-update
+  # WARNING: if the paths are different and Default Torrent Management Mode is set to automatic the files could be moved !!!
+  # <Old Category Name> : <New Category>
+  CatA.cross-seed: CatA
+  CatB.cross-seed: CatB
+
+tracker:
+  # Mandatory
+  # Tag Parameters
+  # <Tracker URL Keyword>:    # <MANDATORY> This is the keyword in the tracker url. You can define multiple tracker urls by splitting with `|` delimiter
+  # <MANDATORY> Set tag name. Can be a list of tags or a single tag
+  #   tag: <Tag Name>
+  # <OPTIONAL> Set the category based on tracker URL. This category option takes priority over the category defined by save directory
+  #   cat: <Category Name>
+  # <OPTIONAL> Set this to the notifiarr react name. This is used to add indexer reactions to the notifications sent by Notifiarr
+  #   notifiarr: <notifiarr indexer>
+  animebytes.tv:
+    tag: AnimeBytes
+    notifiarr: animebytes
+  avistaz:
+    tag:
+      - Avistaz
+      - tag2
+      - tag3
+    notifiarr: avistaz
+  beyond-hd:
+    tag: [Beyond-HD, tag2, tag3]
+    cat: movies
+    notifiarr: beyondhd
+  blutopia:
+    tag: Blutopia
+    notifiarr: blutopia
+  cartoonchaos:
+    tag: CartoonChaos
+  digitalcore:
+    tag: DigitalCore
+    notifiarr: digitalcore
+  gazellegames:
+    tag: GGn
+  hdts:
+    tag: HDTorrents
+  landof.tv:
+    tag: BroadcasTheNet
+    notifiarr: broadcasthenet
+  myanonamouse:
+    tag: MaM
+  passthepopcorn:
+    tag: PassThePopcorn
+    notifiarr: passthepopcorn
+  privatehd:
+    tag: PrivateHD
+    notifiarr:
+  torrentdb:
+    tag: TorrentDB
+    notifiarr: torrentdb
+  torrentleech|tleechreload:
+    tag: TorrentLeech
+    notifiarr: torrentleech
+  tv-vault:
+    tag: TV-Vault
+  # The "other" key is a special keyword and if defined will tag any other trackers that don't match the above trackers into this tag
+  other:
+    tag: other
+
+nohardlinks:
+  # Tag Movies/Series that are not hard linked outside the root directory
+  # Mandatory to fill out directory parameter above to use this function (root_dir/remote_dir)
+  # This variable should be set to your category name of your completed movies/completed series in qbit. Acceptable variable can be any category you would like to tag if there are no hardlinks found
+  movies-completed-4k:
+  series-completed-4k:
+  movies-completed:
+    # <OPTIONAL> exclude_tags var: Will exclude torrents with any of the following tags when searching through the category.
+    exclude_tags:
+      - Beyond-HD
+      - AnimeBytes
+      - MaM
+    # <OPTIONAL> ignore_root_dir var: Will ignore any hardlinks detected in the same root_dir (Default True).
+    ignore_root_dir: true
+  # Can have additional categories set with separate ratio/seeding times defined.
+  series-completed:
+    # <OPTIONAL> exclude_tags var: Will exclude torrents with any of the following tags when searching through the category.
+    exclude_tags:
+      - Beyond-HD
+      - BroadcasTheNet
+    # <OPTIONAL> ignore_root_dir var: Will ignore any hardlinks detected in the same root_dir (Default True).
+    ignore_root_dir: true
+
+share_limits:
+  # Control how torrent share limits are set depending on the priority of your grouping
+  # Each torrent will be matched with the share limit group with the highest priority that meets the group filter criteria.
+  # Each torrent can only be matched with one share limit group
+  # This variable is mandatory and is a text defining the name of your grouping. This can be any string you want
+  spacesaver:
+    priority: 2
+    max_ratio: 3
+    min_last_active: 24h
+    cleanup: false
+  default:
+    priority: 999
+    max_ratio: -1
+    max_seeding_time: -1
+    cleanup: false
+recyclebin:
+  # Recycle Bin method of deletion will move files into the recycle bin (Located in /root_dir/.RecycleBin) instead of directly deleting them in qbit
+  # By default the Recycle Bin will be emptied on every run of the qbit_manage script if empty_after_x_days is defined.
+  enabled: true
+  # <OPTIONAL> empty_after_x_days var:
+  # Will automatically remove all files and folders in recycle bin after x days. (Checks every script run)
+  # If this variable is not defined it, the RecycleBin will never be emptied.
+  # WARNING: Setting this variable to 0 will delete all files immediately upon script run!
+  empty_after_x_days: 60
+  # <OPTIONAL> save_torrents var:
+  # If this option is set to true you MUST fill out the torrents_dir in the directory attribute.
+  # This will save a copy of your .torrent and .fastresume file in the recycle bin before deleting it from qbittorrent
+  save_torrents: true
+  # <OPTIONAL> split_by_category var:
+  # This will split the recycle bin folder by the save path defined in the `cat` attribute
+  # and add the base folder name of the recycle bin that was defined in the `recycle_bin` sub-attribute under directory.
+  split_by_category: false
+
+orphaned:
+  # Orphaned files are those in the root_dir download directory that are not referenced by any active torrents.
+  # Will automatically remove all files and folders in orphaned data after x days. (Checks every script run)
+  # If this variable is not defined it, the orphaned data will never be emptied.
+  # WARNING: Setting this variable to 0 will delete all files immediately upon script run!
+  empty_after_x_days: 60
+  # File patterns that will not be considered orphaned files. Handy for generated files that aren't part of the torrent but belong with the torrent's files
+  exclude_patterns:
+    - "**/.DS_Store"
+    - "**/Thumbs.db"
+    - "**/@eaDir"
+    - "/data/torrents/temp/**"
+    - "**/*.!qB"
+    - "**/*_unpackerred"
+  # Set your desired threshold for the maximum number of orphaned files qbm will delete in a single run. (-1 to disable safeguards)
+  # This will help reduce the number of accidental large amount orphaned deletions in a single run
+  # WARNING: Setting this variable to -1 will not safeguard against any deletions
+  max_orphaned_files_to_delete: 50
+
+apprise:
+  # Apprise integration with webhooks
+  # Leave Empty/Blank to disable
+  # Mandatory to fill out the url of your apprise API endpoint
+  api_url: http://apprise-api:8000
+  # Mandatory to fill out the notification url/urls based on the notification services provided by apprise. https://github.com/caronc/apprise/wiki
+  notify_url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
@@ -1,20 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-{
-    "radarr_address": "http://radarr:7878",
-    "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}",
-    "root_folder_path": "/data/media/movies",
-    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
-    "fallback_to_top_result": false,
-    "radarr_api_timeout": 120.0,
-    "quality_profile_id": 1,
-    "metadata_profile_id": 1,
-    "search_for_movie": true,
-    "dry_run_adding_to_radarr": false,
-    "minimum_rating": 4.5,
-    "minimum_votes": 50,
-    "language_choice": "all",
-    "auto_start": true,
-    "auto_start_delay": 60.0
-}
@@ -1,21 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-<Config>
-  <LogLevel>info</LogLevel>
-  <BindAddress>*</BindAddress>
-  <EnableSsl>False</EnableSsl>
-  <SslCertPath></SslCertPath>
-  <Port>7878</Port>
-  <UrlBase></UrlBase>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}</ApiKey>
-  <AuthenticationMethod>Forms</AuthenticationMethod>
-  <UpdateMechanism>Docker</UpdateMechanism>
-  <SslPort>9898</SslPort>
-  <LaunchBrowser>True</LaunchBrowser>
-  <Branch>master</Branch>
-  <SslCertPassword></SslCertPassword>
-  <InstanceName>Radarr</InstanceName>
-  <Theme>auto</Theme>
-  <AuthenticationRequired>Enabled</AuthenticationRequired>
-</Config>
@@ -1,21 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-<Config>
-  <BindAddress>*</BindAddress>
-  <Port>8787</Port>
-  <SslPort>6868</SslPort>
-  <EnableSsl>False</EnableSsl>
-  <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}</ApiKey>
-  <AuthenticationMethod>Forms</AuthenticationMethod>
-  <Branch>develop</Branch>
-  <LogLevel>info</LogLevel>
-  <SslCertPath></SslCertPath>
-  <SslCertPassword></SslCertPassword>
-  <UrlBase></UrlBase>
-  <InstanceName>Readarr</InstanceName>
-  <UpdateMechanism>Docker</UpdateMechanism>
-  <Theme>auto</Theme>
-  <AuthenticationRequired>Enabled</AuthenticationRequired>
-</Config>
@@ -1,48 +0,0 @@
-# This is a generic example of a configuration file
-# Rename this file to `config.yml`, copy it to a `config` folder, and mount that folder as per the docker-compose.example.yml
-# Only uncomment the lines you want to use/modify, or add new ones where needed
-
-exclude:
-  # Exclude platforms to be scanned
-  platforms: [] # ['my_excluded_platform_1', 'my_excluded_platform_2']
-
-  # Exclude roms or parts of roms to be scanned
-  roms:
-    # Single file games section.
-    # Will not apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
-    single_file:
-      # Exclude all files with certain extensions to be scanned
-      extensions: [] # ['xml', 'txt']
-
-      # Exclude matched file names to be scanned.
-      # Supports unix filename pattern matching
-      # Can also exclude files by extension
-      names: [] # ['info.txt', '._*', '*.nfo']
-
-    # Multi files games section
-    # Will apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
-    multi_file:
-      # Exclude matched 'folder' names to be scanned (RomM identifies folders as multi file games)
-      names: [] # ['my_multi_file_game', 'DLC']
-
-      # Exclude files within sub-folders.
-      parts:
-        # Exclude matched file names to be scanned from multi file roms
-        # Keep in mind that RomM doesn't scan folders inside multi files games,
-        # so there is no need to exclude folders from inside of multi files games.
-        names: [] # ['data.xml', '._*'] # Supports unix filename pattern matching
-
-        # Exclude all files with certain extensions to be scanned from multi file roms
-        extensions: [] # ['xml', 'txt']
-
-system:
-  # Asociate different platform names to your current file system platform names
-  # [your custom platform folder name]: [RomM platform name]
-  # In this example if you have a 'gc' folder, RomM will treat it like the 'ngc' folder and if you have a 'psx' folder, RomM will treat it like the 'ps' folder
-  platforms: {} # { gc: 'ngc', psx: 'ps' }
-
-  # Asociate one platform to it's main version
-  versions: {} # { naomi: 'arcade' }
-
-# The folder name where your roms are located
-filesystem: {} # { roms_folder: 'roms' } For example if your folder structure is /home/user/library/roms_folder
@@ -1,482 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-__version__ = 19
-__encoding__ = utf-8
-[misc]
-pre_script = None
-queue_complete = ""
-queue_complete_pers = 0
-bandwidth_perc = 0
-refresh_rate = 1
-queue_limit = 20
-config_lock = 0
-sched_converted = 2
-notified_new_skin = 2
-direct_unpack_tested = 1
-check_new_rel = 1
-auto_browser = 0
-language = en
-enable_https_verification = 1
-host = 0.0.0.0
-port = 8080
-https_port = 8090
-username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_PASSWORD'] }}
-bandwidth_max = 1000M
-cache_limit = 1G
-web_dir = Glitter
-web_color = Auto
-https_cert = server.cert
-https_key = server.key
-https_chain = ""
-enable_https = 1
-inet_exposure = 0
-local_ranges = ,
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_API_KEY'] }}
-nzb_key = 3c0fa874bb2748b58c1bd7512e649946
-permissions = 775
-download_dir = /storage/downloads/incomplete
-download_free = ""
-complete_dir = /storage/downloads/completed/nzb
-script_dir = ""
-nzb_backup_dir = ""
-admin_dir = admin
-dirscan_dir = /storage/downloads/watch
-dirscan_speed = 5
-password_file = ""
-log_dir = logs
-max_art_tries = 3
-load_balancing = 2
-top_only = 0
-sfv_check = 1
-quick_check_ext_ignore = nfo, sfv, srr
-script_can_fail = 0
-ssl_ciphers = ""
-enable_recursive = 1
-flat_unpack = 0
-par_option = ""
-pre_check = 1
-nice = ""
-win_process_prio = 3
-ionice = ""
-fail_hopeless_jobs = 1
-fast_fail = 1
-auto_disconnect = 1
-no_dupes = 3
-no_series_dupes = 0
-series_propercheck = 1
-pause_on_pwrar = 2
-ignore_samples = 1
-deobfuscate_final_filenames = 0
-auto_sort = ""
-direct_unpack = 1
-direct_unpack_threads = 3
-propagation_delay = 0
-folder_rename = 1
-replace_spaces = 1
-replace_dots = 1
-safe_postproc = 1
-pause_on_post_processing = 0
-sanitize_safe = 0
-cleanup_list = ,
-unwanted_extensions = ,
-action_on_unwanted_extensions = 0
-new_nzb_on_failure = 1
-history_retention = ""
-enable_meta = 1
-quota_size = ""
-quota_day = ""
-quota_resume = 0
-quota_period = m
-rating_enable = 0
-rating_host = ""
-rating_api_key = ""
-rating_filter_enable = 0
-rating_filter_abort_audio = 0
-rating_filter_abort_video = 0
-rating_filter_abort_encrypted = 0
-rating_filter_abort_encrypted_confirm = 0
-rating_filter_abort_spam = 0
-rating_filter_abort_spam_confirm = 0
-rating_filter_abort_downvoted = 0
-rating_filter_abort_keywords = ""
-rating_filter_pause_audio = 0
-rating_filter_pause_video = 0
-rating_filter_pause_encrypted = 0
-rating_filter_pause_encrypted_confirm = 0
-rating_filter_pause_spam = 0
-rating_filter_pause_spam_confirm = 0
-rating_filter_pause_downvoted = 0
-rating_filter_pause_keywords = ""
-enable_tv_sorting = 1
-tv_sort_string = %sn/Season %s/%sn - %sx%0e - %en.%ext
-tv_sort_countries = 1
-tv_categories = tv,
-enable_movie_sorting = 0
-movie_sort_string = ""
-movie_sort_extra = -cd%1
-movie_extra_folder = 0
-movie_categories = movies,
-enable_date_sorting = 0
-date_sort_string = ""
-date_categories = tv,
-schedlines = ,
-rss_rate = 60
-ampm = 0
-replace_illegal = 1
-start_paused = 0
-enable_all_par = 1
-enable_par_cleanup = 1
-enable_unrar = 1
-enable_unzip = 1
-enable_7zip = 1
-enable_filejoin = 1
-enable_tsjoin = 1
-overwrite_files = 0
-ignore_unrar_dates = 0
-backup_for_duplicates = 1
-empty_postproc = 0
-wait_for_dfolder = 0
-rss_filenames = 0
-api_logging = 1
-html_login = 1
-osx_menu = 1
-osx_speed = 1
-warn_dupl_jobs = 1
-helpfull_warnings = 1
-keep_awake = 1
-win_menu = 1
-allow_incomplete_nzb = 0
-enable_bonjour = 1
-max_art_opt = 0
-ipv6_hosting = 0
-fixed_ports = 1
-api_warnings = 1
-disable_api_key = 0
-no_penalties = 0
-x_frame_options = 1
-require_modern_tls = 0
-num_decoders = 3
-rss_odd_titles = nzbindex.nl/, nzbindex.com/, nzbclub.com/
-req_completion_rate = 100.2
-selftest_host = self-test.sabnzbd.org
-movie_rename_limit = 100M
-size_limit = 0
-show_sysload = 2
-history_limit = 10
-wait_ext_drive = 5
-max_foldername_length = 246
-nomedia_marker = ""
-ipv6_servers = 1
-url_base = /sabnzbd
-host_whitelist = rinoa, sabnzbd.trez.wtf
-max_url_retries = 10
-email_server = ""
-email_to = ,
-email_from = ""
-email_account = ""
-email_pwd = ""
-email_endjob = 0
-email_full = 0
-email_dir = ""
-email_rss = 0
-email_cats = *,
-interface_settings = '{"dateFormat":"fromNow","extraQueueColumns":["category"],"extraHistoryColumns":[],"displayCompact":false,"displayFullWidth":false,"confirmDeleteQueue":true,"confirmDeleteHistory":true,"keyboardShortcuts":true}'
-complete_free = ""
-fulldisk_autoresume = 0
-enable_broadcast = 1
-downloader_sleep_time = 10
-ssdp_broadcast_interval = 15
-unwanted_extensions_mode = 0
-process_unpacked_par2 = 1
-episode_rename_limit = 20M
-socks5_proxy_url = ""
-preserve_paused_state = 0
-helpful_warnings = 1
-allow_old_ssl_tls = 0
-num_simd_decoders = 2
-ext_rename_ignore = ,
-backup_dir = ""
-replace_underscores = 0
-tray_icon = 1
-sorters_converted = 1
-enable_season_sorting = 1
-receive_threads = 2
-switchinterval = 0.005
-end_queue_script = None
-no_smart_dupes = 1
-dupes_propercheck = 1
-enable_multipar = 1
-verify_xff_header = 0
-history_retention_option = all
-history_retention_number = 1
-ipv6_staging = 0
-disable_archive = 0
-config_conversion_version = 4
-disable_par2cmdline = 0
-[logging]
-log_level = 1
-max_log_size = 5242880
-log_backups = 5
-[ncenter]
-ncenter_enable = 0
-ncenter_cats = *,
-ncenter_prio_startup = 0
-ncenter_prio_download = 0
-ncenter_prio_pause_resume = 0
-ncenter_prio_pp = 0
-ncenter_prio_complete = 0
-ncenter_prio_failed = 0
-ncenter_prio_disk_full = 0
-ncenter_prio_new_login = 0
-ncenter_prio_warning = 0
-ncenter_prio_error = 0
-ncenter_prio_queue_done = 0
-ncenter_prio_other = 0
-[acenter]
-acenter_enable = 0
-acenter_cats = *,
-acenter_prio_startup = 0
-acenter_prio_download = 0
-acenter_prio_pause_resume = 0
-acenter_prio_pp = 0
-acenter_prio_complete = 0
-acenter_prio_failed = 0
-acenter_prio_disk_full = 0
-acenter_prio_new_login = 0
-acenter_prio_warning = 0
-acenter_prio_error = 0
-acenter_prio_queue_done = 0
-acenter_prio_other = 0
-[ntfosd]
-ntfosd_enable = 0
-ntfosd_cats = *,
-ntfosd_prio_startup = 0
-ntfosd_prio_download = 0
-ntfosd_prio_pause_resume = 0
-ntfosd_prio_pp = 0
-ntfosd_prio_complete = 0
-ntfosd_prio_failed = 0
-ntfosd_prio_disk_full = 0
-ntfosd_prio_new_login = 0
-ntfosd_prio_warning = 0
-ntfosd_prio_error = 0
-ntfosd_prio_queue_done = 0
-ntfosd_prio_other = 0
-[prowl]
-prowl_enable = 0
-prowl_cats = *,
-prowl_apikey = ""
-prowl_prio_startup = -3
-prowl_prio_download = -3
-prowl_prio_pause_resume = -3
-prowl_prio_pp = -3
-prowl_prio_complete = 0
-prowl_prio_failed = 1
-prowl_prio_disk_full = 1
-prowl_prio_new_login = -3
-prowl_prio_warning = -3
-prowl_prio_error = -3
-prowl_prio_queue_done = 0
-prowl_prio_other = -3
-[pushover]
-pushover_token = ""
-pushover_userkey = ""
-pushover_device = ""
-pushover_emergency_expire = 3600
-pushover_emergency_retry = 60
-pushover_enable = 0
-pushover_cats = *,
-pushover_prio_startup = -3
-pushover_prio_download = -2
-pushover_prio_pause_resume = -2
-pushover_prio_pp = -3
-pushover_prio_complete = -1
-pushover_prio_failed = -1
-pushover_prio_disk_full = 1
-pushover_prio_new_login = -3
-pushover_prio_warning = 1
-pushover_prio_error = 1
-pushover_prio_queue_done = -1
-pushover_prio_other = -3
-[pushbullet]
-pushbullet_enable = 0
-pushbullet_cats = *,
-pushbullet_apikey = ""
-pushbullet_device = ""
-pushbullet_prio_startup = 0
-pushbullet_prio_download = 0
-pushbullet_prio_pause_resume = 0
-pushbullet_prio_pp = 0
-pushbullet_prio_complete = 1
-pushbullet_prio_failed = 1
-pushbullet_prio_disk_full = 1
-pushbullet_prio_new_login = 0
-pushbullet_prio_warning = 0
-pushbullet_prio_error = 0
-pushbullet_prio_queue_done = 0
-pushbullet_prio_other = 0
-[nscript]
-nscript_enable = 0
-nscript_cats = *,
-nscript_script = None
-nscript_parameters = ""
-nscript_prio_startup = 1
-nscript_prio_download = 0
-nscript_prio_pause_resume = 0
-nscript_prio_pp = 0
-nscript_prio_complete = 1
-nscript_prio_failed = 1
-nscript_prio_disk_full = 1
-nscript_prio_new_login = 0
-nscript_prio_warning = 0
-nscript_prio_error = 0
-nscript_prio_queue_done = 1
-nscript_prio_other = 0
-[servers]
-[[news.newshosting.com]]
-name = news.newshosting.com
-displayname = Newshosting
-host = news.newshosting.com
-port = 563
-timeout = 60
-username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
-connections = 8
-ssl = 1
-ssl_verify = 3
-ssl_ciphers = ""
-enable = 1
-required = 0
-optional = 0
-retention = 0
-expire_date = ""
-quota = ""
-usage_at_start = 0
-priority = 0
-notes = ""
-[[news.easynews.com]]
-name = news.easynews.com
-displayname = EasyNews
-host = news.easynews.com
-port = 443
-timeout = 60
-username = TrezOne
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
-connections = 60
-ssl = 0
-ssl_verify = 3
-ssl_ciphers = ""
-enable = 1
-required = 0
-optional = 0
-retention = 0
-expire_date = ""
-quota = ""
-usage_at_start = 0
-priority = 0
-notes = ""
-[categories]
-[[software]]
-name = software
-order = 0
-pp = ""
-script = Default
-dir = ""
-newzbin = ""
-priority = -100
-[[*]]
-name = *
-order = 0
-pp = 3
-script = Default
-dir = ""
-newzbin = ""
-priority = 0
-[[tv]]
-name = tv
-order = 0
-pp = ""
-script = Default
-dir = tv
-newzbin = ""
-priority = -100
-[[audio]]
-name = audio
-order = 0
-pp = 2
-script = Default
-dir = music
-newzbin = ""
-priority = 1
-[[movies]]
-name = movies
-order = 0
-pp = ""
-script = Default
-dir = movies
-newzbin = ""
-priority = -100
-[[ebook]]
-name = ebook
-order = 0
-pp = 2
-script = Default
-dir = ebooks
-newzbin = ""
-priority = -100
-[[prowlarr]]
-name = prowlarr
-order = 0
-pp = ""
-script = Default
-dir = ""
-newzbin = ""
-priority = -1
-[[sonarr]]
-name = sonarr
-order = 1
-pp = ""
-script = Default
-dir = tv
-newzbin = ""
-priority = -100
-[sorters]
-[[Series Sorting]]
-name = Series Sorting
-order = 0
-min_size = 20M
-multipart_label = ""
-sort_string = %sn/Season %s/%sn - %sx%0e - %en.%ext
-sort_cats = tv,
-sort_type = 1,
-is_active = 1
-[apprise]
-apprise_enable = 1
-apprise_cats = *,
-apprise_urls = apprise://apprise:8000/aef1ab3765b857585e13340f1f5f879b2babcc47b0eccead98a19e0a93fe1a35
-apprise_target_startup = ""
-apprise_target_startup_enable = 0
-apprise_target_download = ""
-apprise_target_download_enable = 0
-apprise_target_pause_resume = ""
-apprise_target_pause_resume_enable = 1
-apprise_target_pp = ""
-apprise_target_pp_enable = 0
-apprise_target_complete = ""
-apprise_target_complete_enable = 1
-apprise_target_failed = ""
-apprise_target_failed_enable = 1
-apprise_target_disk_full = ""
-apprise_target_disk_full_enable = 0
-apprise_target_new_login = ""
-apprise_target_new_login_enable = 1
-apprise_target_warning = ""
-apprise_target_warning_enable = 1
-apprise_target_error = ""
-apprise_target_error_enable = 1
-apprise_target_queue_done = ""
-apprise_target_queue_done_enable = 0
-apprise_target_other = ""
-apprise_target_other_enable = 1
@@ -1,7 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-bolt-path: /opt/scrutiny/influxdb/influxd.bolt
-engine-path: /opt/scrutiny/influxdb/engine
-http-bind-address: ":8086"
-reporting-disabled: true
@@ -100,7 +100,7 @@ server:
 redis:
  # URL to connect redis database. Is overwritten by ${SEARXNG_REDIS_URL}.
  # https://docs.searxng.org/admin/settings/settings_redis.html#settings-redis
-  url: redis://redis:6379/0
+  url: redis://searxng-valkey:6379/0

 ui:
  # Custom static path - leave it blank if you didn't change
@@ -1,49 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-[uwsgi]
-# Who will run the code
-uid = searxng
-gid = searxng
-
-# Number of workers (usually CPU count)
-workers = %k
-threads = 4
-
-# The right granted on the created socket
-chmod-socket = 666
-
-# Plugin to use and interpreter config
-single-interpreter = true
-master = true
-plugin = python3
-lazy-apps = true
-enable-threads = 4
-
-# Module to import
-module = searx.webapp
-
-# Virtualenv and python path
-pythonpath = /usr/local/searxng/
-chdir = /usr/local/searxng/searx/
-
-# automatically set processes name to something meaningful
-auto-procname = true
-
-# Disable request logging for privacy
-disable-logging = true
-log-5xx = true
-
-# Set the max size of a request (request-body excluded)
-buffer-size = 8192
-
-# No keep alive
-# See https://github.com/searx/searx-docker/issues/24
-add-header = Connection: close
-
-# uwsgi serves the static files
-static-map = /static=/usr/local/searxng/searx/static
-# expires set to one day
-static-expires = /* 86400
-static-gzip-all = True
-offload-threads = 4
@@ -1,10 +1,111 @@
 receivers:
+  httplogreceiver/json:
+    endpoint: 0.0.0.0:8082
+    source: json
  otlp:
    protocols:
      grpc:
        endpoint: 0.0.0.0:4317
      http:
        endpoint: 0.0.0.0:4318
+  hostmetrics:
+    collection_interval: 60s  # Frequency of metrics collection.
+    scrapers:
+      cpu: {}
+      load: {}
+      memory: {}
+      disk: {}
+      filesystem: {}
+      network: {}
+  docker_stats:
+    endpoint: unix:///var/run/docker.sock
+    collection_interval: 30s
+    timeout: 10s
+    api_version: "1.51"
+    metrics:
+      container.uptime:
+        enabled: true
+      container.restarts:
+        enabled: true
+      container.network.io.usage.rx_errors:
+        enabled: true
+      container.network.io.usage.tx_errors:
+        enabled: true
+      container.network.io.usage.rx_packets:
+        enabled: true
+      container.network.io.usage.tx_packets:
+        enabled: true
+  filelog/nginx-access-logs:
+    include: ["${env:NGINX_ACCESS_LOG_FILE}"]
+    operators:
+      # Parse the default nginx access log format. Nginx defaults to the "combined" log format
+      # $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
+      # For more details, see https://nginx.org/en/docs/http/ngx_http_log_module.html
+      - type: regex_parser
+        if: body matches '^(?P<remote_addr>[0-9\\.]+) - (?P<remote_user>[^\\s]+) \\[(?P<ts>.+)\\] "(?P<request_method>\\w+?) (?P<request_path>.+?)" (?P<status>[0-9]+) (?P<body_bytes_sent>[0-9]+) "(?P<http_referrer>.+?)" "(?P<http_user_agent>.+?)"$'
+        parse_from: body
+        parse_to: attributes
+        regex: '^(?P<remote_addr>[0-9\.]+) - (?P<remote_user>[^\s]+) \[(?P<ts>.+)\] "(?P<request_method>\w+?) (?P<request_path>.+?)" (?P<status>[0-9]+) (?P<body_bytes_sent>[0-9]+) "(?P<http_referrer>.+?)" "(?P<http_user_agent>.+?)"$'
+        timestamp:
+          parse_from: attributes.ts
+          layout: "02/Jan/2006:15:04:05 -0700"
+          layout_type: gotime
+        severity:
+          parse_from: attributes.status
+          overwrite_text: true
+          mapping:
+            debug: "1xx"
+            info:
+              - "2xx"
+              - "3xx"
+            warn: "4xx"
+            error: "5xx"
+      - type: remove
+        if: attributes.ts != nil
+        field: attributes.ts
+      - type: add
+        field: attributes.source
+        value: nginx
+
+  filelog/nginx-error-logs:
+    include: ["${env:NGINX_ERROR_LOG_FILE}"]
+    operators:
+      # Parse the default nginx error log format.
+      # YYYY/MM/DD HH:MM:SS [LEVEL] PID#TID: *CID MESSAGE
+      # For more details, see https://github.com/phusion/nginx/blob/master/src/core/ngx_log.c
+      - type: regex_parser
+        if: body matches '^(?P<ts>.+?) \\[(?P<log_level>\\w+)\\] (?P<pid>\\d+)#(?P<tid>\\d+). \\*(?P<cid>\\d+) (?P<message>.+)$'
+        parse_from: body
+        parse_to: attributes
+        regex: '^(?P<ts>.+?) \[(?P<log_level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+). \*(?P<cid>\d+) (?P<message>.+)$'
+        timestamp:
+          parse_from: attributes.ts
+          layout: "2006/01/02 15:04:05"
+          layout_type: gotime
+        severity:
+          parse_from: attributes.log_level
+          overwrite_text: true
+          mapping:
+            debug: "debug"
+            info:
+              - "info"
+              - "notice"
+            warn: "warn"
+            error:
+              - "error"
+              - "crit"
+              - "alert"
+            fatal: "emerg"
+      - type: remove
+        if: attributes.ts != nil
+        field: attributes.ts
+      - type: move
+        if: attributes.message != nil
+        from: attributes.message
+        to: body
+      - type: add
+        field: attributes.source
+        value: nginx
  prometheus:
    config:
      global:
@@ -22,9 +123,21 @@ processors:
    send_batch_max_size: 11000
    timeout: 10s
  resourcedetection:
-    # Using OTEL_RESOURCE_ATTRIBUTES envvar, env detector adds custom labels.
    detectors: [env, system]
+    system:
+      hostname_sources: [os]
+  resourcedetection/env:
+    detectors: [env]
    timeout: 2s
+    override: false
+  resourcedetection/system:
+    detectors: ["system"]
+    system:
+      hostname_sources: ["dns", "os"]
+  resourcedetection/docker:
+    detectors: [env, docker]
+    timeout: 2s
+    override: false
  signozspanmetrics/delta:
    metrics_exporter: clickhousemetricswrite, signozclickhousemetrics
    metrics_flush_interval: 60s
@@ -75,12 +188,14 @@ exporters:
    timeout: 10s
    use_new_schema: true
  # debug: {}
+  otlp/nginx-logs:
+    endpoint: "localhost:4317"
+    tls:
+      insecure: true
 service:
  telemetry:
    logs:
      encoding: json
-    metrics:
-      address: 0.0.0.0:8888
  extensions:
    - health_check
    - pprof
@@ -92,12 +207,16 @@ service:
    metrics:
      receivers: [otlp]
      processors: [batch]
-      exporters: [clickhousemetricswrite, signozclickhousemetrics]
+      exporters: [clickhousemetricswrite, signozclickhousemetrics, resourcedetection/docker, resourcedetection/system]
+    metrics/hostmetrics:
+      receivers: [hostmetrics]
+      processors: [resourcedetection, resource/env]
+      exporters: [otlp]
    metrics/prometheus:
      receivers: [prometheus]
      processors: [batch]
      exporters: [clickhousemetricswrite/prometheus, signozclickhousemetrics]
    logs:
-      receivers: [otlp]
+      receivers: [otlp, tcplog/docker, httplogreceiver/json]
      processors: [batch]
      exporters: [clickhouselogsexporter]
@@ -1 +1 @@
-server_endpoint: ws://signoz:4320/v1/opamp
+server_endpoint: ws://signoz-app:4320/v1/opamp
@@ -1,75 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-    <!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
-         Optional. If you don't use replicated tables, you could omit that.
-
-         See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
-      -->
-    <zookeeper>
-        <node index="1">
-            <host>signoz-zookeeper-1</host>
-            <port>2181</port>
-        </node>
-        <node index="2">
-            <host>zookeeper-2</host>
-            <port>2181</port>
-        </node>
-        <node index="3">
-            <host>zookeeper-3</host>
-            <port>2181</port>
-        </node>
-    </zookeeper>
-
-    <!-- Configuration of clusters that could be used in Distributed tables.
-         https://clickhouse.com/docs/en/operations/table_engines/distributed/
-      -->
-    <remote_servers>
-        <cluster>
-            <!-- Inter-server per-cluster secret for Distributed queries
-                 default: no secret (no authentication will be performed)
-
-                 If set, then Distributed queries will be validated on shards, so at least:
-                 - such cluster should exist on the shard,
-                 - such cluster should have the same secret.
-
-                 And also (and which is more important), the initial_user will
-                 be used as current user for the query.
-
-                 Right now the protocol is pretty simple and it only takes into account:
-                 - cluster name
-                 - query
-
-                 Also it will be nice if the following will be implemented:
-                 - source hostname (see interserver_http_host), but then it will depends from DNS,
-                   it can use IP address instead, but then the you need to get correct on the initiator node.
-                 - target hostname / ip address (same notes as for source hostname)
-                 - time-based security tokens
-            -->
-            <!-- <secret></secret> -->
-            <shard>
-                <!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
-                <!-- <internal_replication>false</internal_replication> -->
-                <!-- Optional. Shard weight when writing data. Default: 1. -->
-                <!-- <weight>1</weight> -->
-                <replica>
-                    <host>signoz-clickhouse</host>
-                    <port>9000</port>
-                    <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
-                    <!-- <priority>1</priority> -->
-                </replica>
-            </shard>
-            <shard>
-                <replica>
-                    <host>clickhouse-2</host>
-                    <port>9000</port>
-                </replica>
-            </shard>
-            <shard>
-                <replica>
-                    <host>clickhouse-3</host>
-                    <port>9000</port>
-                </replica>
-            </shard>
-        </cluster>
-    </remote_servers>
-</clickhouse>
@@ -1,75 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-    <!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
-         Optional. If you don't use replicated tables, you could omit that.
-
-         See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
-      -->
-    <zookeeper>
-        <node index="1">
-            <host>signoz-zookeeper-1</host>
-            <port>2181</port>
-        </node>
-        <!-- <node index="2">
-            <host>zookeeper-2</host>
-            <port>2181</port>
-        </node>
-        <node index="3">
-            <host>zookeeper-3</host>
-            <port>2181</port>
-        </node> -->
-    </zookeeper>
-
-    <!-- Configuration of clusters that could be used in Distributed tables.
-         https://clickhouse.com/docs/en/operations/table_engines/distributed/
-      -->
-    <remote_servers>
-        <cluster>
-            <!-- Inter-server per-cluster secret for Distributed queries
-                 default: no secret (no authentication will be performed)
-
-                 If set, then Distributed queries will be validated on shards, so at least:
-                 - such cluster should exist on the shard,
-                 - such cluster should have the same secret.
-
-                 And also (and which is more important), the initial_user will
-                 be used as current user for the query.
-
-                 Right now the protocol is pretty simple and it only takes into account:
-                 - cluster name
-                 - query
-
-                 Also it will be nice if the following will be implemented:
-                 - source hostname (see interserver_http_host), but then it will depends from DNS,
-                   it can use IP address instead, but then the you need to get correct on the initiator node.
-                 - target hostname / ip address (same notes as for source hostname)
-                 - time-based security tokens
-            -->
-            <!-- <secret></secret> -->
-            <shard>
-                <!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
-                <!-- <internal_replication>false</internal_replication> -->
-                <!-- Optional. Shard weight when writing data. Default: 1. -->
-                <!-- <weight>1</weight> -->
-                <replica>
-                    <host>signoz-clickhouse</host>
-                    <port>9000</port>
-                    <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
-                    <!-- <priority>1</priority> -->
-                </replica>
-            </shard>
-            <!-- <shard>
-                <replica>
-                    <host>clickhouse-2</host>
-                    <port>9000</port>
-                </replica>
-            </shard>
-            <shard>
-                <replica>
-                    <host>clickhouse-3</host>
-                    <port>9000</port>
-                </replica>
-            </shard> -->
-        </cluster>
-    </remote_servers>
-</clickhouse>
@@ -1,21 +0,0 @@
-<functions>
-    <function>
-        <type>executable</type>
-        <name>histogramQuantile</name>
-        <return_type>Float64</return_type>
-        <argument>
-            <type>Array(Float64)</type>
-            <name>buckets</name>
-        </argument>
-        <argument>
-            <type>Array(Float64)</type>
-            <name>counts</name>
-        </argument>
-        <argument>
-            <type>Float64</type>
-            <name>quantile</name>
-        </argument>
-        <format>CSV</format>
-        <command>./histogramQuantile</command>
-    </function>
-</functions>
@@ -1,41 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-<storage_configuration>
-    <disks>
-        <default>
-            <keep_free_space_bytes>10485760</keep_free_space_bytes>
-        </default>
-        <s3>
-            <type>s3</type>
-            <!-- For S3 cold storage,
-                    if region is us-east-1, endpoint can be https://<bucket-name>.s3.amazonaws.com
-                    if region is not us-east-1, endpoint should be https://<bucket-name>.s3-<region>.amazonaws.com
-                For GCS cold storage,
-                    endpoint should be https://storage.googleapis.com/<bucket-name>/data/
-                -->
-            <endpoint>https://BUCKET-NAME.s3-REGION-NAME.amazonaws.com/data/</endpoint>
-            <access_key_id>ACCESS-KEY-ID</access_key_id>
-            <secret_access_key>SECRET-ACCESS-KEY</secret_access_key>
-            <!-- In case of S3, uncomment the below configuration in case you want to read
-                AWS credentials from the Environment variables if they exist. -->
-            <!-- <use_environment_credentials>true</use_environment_credentials> -->
-            <!-- In case of GCS, uncomment the below configuration, since GCS does
-                not support batch deletion and result in error messages in logs. -->
-            <!-- <support_batch_delete>false</support_batch_delete> -->
-        </s3>
-   </disks>
-   <policies>
-       <tiered>
-           <volumes>
-                <default>
-                    <disk>default</disk>
-                </default>
-                <s3>
-                    <disk>s3</disk>
-                    <perform_ttl_move_on_insert>0</perform_ttl_move_on_insert>
-                </s3>
-            </volumes>
-        </tiered>
-    </policies>
-</storage_configuration>
-</clickhouse>
@@ -1,123 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-    <!-- See also the files in users.d directory where the settings can be overridden. -->
-
-    <!-- Profiles of settings. -->
-    <profiles>
-        <!-- Default settings. -->
-        <default>
-            <!-- Maximum memory usage for processing single query, in bytes. -->
-            <max_memory_usage>10000000000</max_memory_usage>
-
-            <!-- How to choose between replicas during distributed query processing.
-                 random - choose random replica from set of replicas with minimum number of errors
-                 nearest_hostname - from set of replicas with minimum number of errors, choose replica
-                  with minimum number of different symbols between replica's hostname and local hostname
-                  (Hamming distance).
-                 in_order - first live replica is chosen in specified order.
-                 first_or_random - if first replica one has higher number of errors, pick a random one from replicas with minimum number of errors.
-            -->
-            <load_balancing>random</load_balancing>
-        </default>
-
-        <!-- Profile that allows only read queries. -->
-        <readonly>
-            <readonly>1</readonly>
-        </readonly>
-    </profiles>
-
-    <!-- Users and ACL. -->
-    <users>
-        <!-- If user name was not specified, 'default' user is used. -->
-        <default>
-            <!-- See also the files in users.d directory where the password can be overridden.
-
-                 Password could be specified in plaintext or in SHA256 (in hex format).
-
-                 If you want to specify password in plaintext (not recommended), place it in 'password' element.
-                 Example: <password>qwerty</password>.
-                 Password could be empty.
-
-                 If you want to specify SHA256, place it in 'password_sha256_hex' element.
-                 Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
-                 Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
-
-                 If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
-                 Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>
-
-                 If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
-                  place its name in 'server' element inside 'ldap' element.
-                 Example: <ldap><server>my_ldap_server</server></ldap>
-
-                 If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
-                  place 'kerberos' element instead of 'password' (and similar) elements.
-                 The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
-                 You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
-                  whose initiator's realm matches it.
-                 Example: <kerberos />
-                 Example: <kerberos><realm>EXAMPLE.COM</realm></kerberos>
-
-                 How to generate decent password:
-                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
-                 In first line will be password and in second - corresponding SHA256.
-
-                 How to generate double SHA1:
-                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
-                 In first line will be password and in second - corresponding double SHA1.
-            -->
-            <password></password>
-
-            <!-- List of networks with open access.
-
-                 To open access from everywhere, specify:
-                    <ip>::/0</ip>
-
-                 To open access only from localhost, specify:
-                    <ip>::1</ip>
-                    <ip>127.0.0.1</ip>
-
-                 Each element of list has one of the following forms:
-                 <ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
-                     2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
-                 <host> Hostname. Example: server01.clickhouse.com.
-                     To check access, DNS query is performed, and all received addresses compared to peer address.
-                 <host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.clickhouse\.com$
-                     To check access, DNS PTR query is performed for peer address and then regexp is applied.
-                     Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
-                     Strongly recommended that regexp is ends with $
-                 All results of DNS requests are cached till server restart.
-            -->
-            <networks>
-                <ip>::/0</ip>
-            </networks>
-
-            <!-- Settings profile for user. -->
-            <profile>default</profile>
-
-            <!-- Quota for user. -->
-            <quota>default</quota>
-
-            <!-- User can create other users and grant rights to them. -->
-            <!-- <access_management>1</access_management> -->
-        </default>
-    </users>
-
-    <!-- Quotas. -->
-    <quotas>
-        <!-- Name of quota. -->
-        <default>
-            <!-- Limits for time interval. You could specify many intervals with different limits. -->
-            <interval>
-                <!-- Length of interval. -->
-                <duration>3600</duration>
-
-                <!-- No limits. Just calculate resource usage for time interval. -->
-                <queries>0</queries>
-                <errors>0</errors>
-                <result_rows>0</result_rows>
-                <read_rows>0</read_rows>
-                <execution_time>0</execution_time>
-            </interval>
-        </default>
-    </quotas>
-</clickhouse>
@@ -1 +0,0 @@
-server_endpoint: ws://signoz:4320/v1/opamp
@@ -1 +0,0 @@
-server_endpoint: ws://signoz:4320/v1/opamp
@@ -1,25 +0,0 @@
-# my global config
-global:
-  scrape_interval:     5s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
-  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
-  # scrape_timeout is set to the global default (10s).
-
-# Alertmanager configuration
-alerting:
-  alertmanagers:
-  - static_configs:
-    - targets:
-      - alertmanager:9093
-
-# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
-rule_files: []
-  # - "first_rules.yml"
-  # - "second_rules.yml"
-  # - 'alerts.yml'
-
-# A scrape configuration containing exactly one endpoint to scrape:
-# Here it's Prometheus itself.
-scrape_configs: []
-
-remote_read:
-  - url: tcp://clickhouse:9000/signoz_metrics
@@ -1,22 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-<Config>
-  <LogLevel>info</LogLevel>
-  <EnableSsl>False</EnableSsl>
-  <Port>8989</Port>
-  <SslPort>9898</SslPort>
-  <UrlBase></UrlBase>
-  <BindAddress>*</BindAddress>
-  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}</ApiKey>
-  <AuthenticationMethod>Forms</AuthenticationMethod>
-  <UpdateMechanism>Docker</UpdateMechanism>
-  <LaunchBrowser>True</LaunchBrowser>
-  <Branch>main</Branch>
-  <InstanceName>Sonarr</InstanceName>
-  <SyslogPort>514</SyslogPort>
-  <AuthenticationRequired>Enabled</AuthenticationRequired>
-  <SslCertPath></SslCertPath>
-  <SslCertPassword></SslCertPassword>
-  <Theme>auto</Theme>
-</Config>
@@ -1,21 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-{
-    "sonarr_address": "http://192.168.1.2:8989",
-    "sonarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}",
-    "root_folder_path": "/data/media/shows",
-    "tvdb_api_key": "",
-    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
-    "fallback_to_top_result": false,
-    "sonarr_api_timeout": 120.0,
-    "quality_profile_id": 1,
-    "metadata_profile_id": 1,
-    "search_for_missing_episodes": true,
-    "dry_run_adding_to_sonarr": false,
-    "minimum_rating": 4.5,
-    "minimum_votes": 50,
-    "language_choice": "all",
-    "auto_start": true,
-    "auto_start_delay": 60.0
-}
@@ -1,76 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-[Lidarr]
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
-host_url = http://lidarr:8686
-#This should be the path mounted in lidarr that points to your slskd download directory.
-#If Lidarr is not running in Docker then this may just be the same dir as Slskd is using below.
-download_dir = /storage
-
-[Slskd]
-#Api key from Slskd. Need to set this up manually. See link to Slskd docs above.
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
-host_url = http://gluetun:5030
-#Slskd download directory. Should have set it up when installing Slskd.
-download_dir = /app/downloads
-#Removes searches from Slskd after the search finishes.
-delete_searches = False
-#Maximum time (in seconds) that the script will wait for downloads to complete.
-#This is used to prevent the script from running forever due to a stalled download. Defaults to 1 hour.
-stalled_timeout = 3600
-
-[Release Settings]
-#Selects the release with the most common amount of tracks out of all the releases.
-use_most_common_tracknum = True
-allow_multi_disc = True
-#See full list of countries below.
-accepted_countries = Europe,Japan,United Kingdom,United States,[Worldwide],Australia,Canada
-#See full list of formats below.
-accepted_formats = CD,Digital Media,Vinyl
-
-[Search Settings]
-search_timeout = 5000
-maximum_peer_queue = 50
-#Min upload speed in bit/s
-minimum_peer_upload_speed = 0
-#Min match ratio accepted when comparing lidarr track names to soulseek filenames.
-minimum_filename_match_ratio = 0.5
-#Specify the file types you prefer from most to least. As well as their attributes such as bitrate / samplerate / bitdepth.
-#For flacs you can choose the bitdepth/samplerate. And for mp3s the bitrate.
-#If you do not care about the specific quality you can still just put "flac" or "mp3".
-#Soularr will then just look at the filetype and ignore file attributes.
-allowed_filetypes = flac 24/192,flac 16/44.1,flac,mp3 320,mp3
-ignored_users = User1,User2,Fred,Bob
-#Set to False if you only want to search for complete albums
-search_for_tracks = True
-#Set to True if you want to add the artist's name to the beginning of the search for albums
-album_prepend_artist = False
-track_prepend_artist = True
-#Valid search types: all || incrementing_page || first_page
-  #"all" will search for every wanted record everytime soularr is run.
-  #"incrementing_page" will start with the first page and increment to the next on each run.
-  #"first_page" will repeatedly search the first page.
-#If using the search type "first_page" remove_wanted_on_failure should be enabled.
-search_type = incrementing_page
-#How mancy records to grab each run, must be a number between 1 - 2,147,483,647
-number_of_albums_to_grab = 10
-#Unmonitors the album if Soularr can't find it and places it in "failure_list.txt".
-#Failed albums can be re monitored by filtering "Unmonitored" in the Lidarr wanted list.
-remove_wanted_on_failure = False
-#Comma separated list of words that can't be in the title of albums or tracks. Case insensitive.
-title_blacklist = BlacklistWord1,blacklistword2
-#Lidarr source to use for searching. Accepted values are "all", "missing", or "cutoff_unmet". If "all" is selected
-# then both missing and cutoff_unme will be searched. The default value is "missing".
-search_source = missing
-
-[Logging]
-#These options are passed into the logger's basicConfig() method as-is.
-#This means, if you're familiar with Python's logging module, you can configure
-#the logger with options beyond what's listed here by default.
-#For more information on available options  --  https://docs.python.org/3/library/logging.html#logging.basicConfig
-level = INFO
-# Format of log message  --  https://docs.python.org/3/library/logging.html#logrecord-attributes
-format = [%(levelname)s|%(module)s|L%(lineno)d] %(asctime)s: %(message)s
-# Format of datetimes  --  https://docs.python.org/3/library/time.html#time.strftime
-datefmt = %Y-%m-%dT%H:%M:%S%z
@@ -1,212 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-directories:
-  incomplete: /app/incomplete
-  downloads: /app/downloads
-shares:
-  directories:
-    - /music
-rooms:
-  - '! meow chat :3'
-  - '#ANUS'
-  - '#CORONAVIRUS'
-  - '#Horrorcore'
-  - '#La France'
-  - '#icilombre-hardcore'
-  - '#polska'
-  - '#vegan'
-  - $$RARE RAP MUSIC$$
-  - ([6)]
-  - +Autism+
-  - +BlackMetal+
-  - +HIP_HOP_SCENE_RELEASES+
-  - /mu/
-  - 60lover
-  - 60lover v2
-  - 70 Rare groove Soul Jazz
-  - 80's 12 Inches & More
-  - 90's Rare Riddim !!
-  - 90's emo
-  - <>Electronics Labels<>
-  - ACID
-  - ARGENTINA
-  - "ATLLUMINATI\u201Cawareness"
-  - AUSTRALIA
-  - Alcohol
-  - Ambient
-  - Anime
-  - Audiobooks
-  - Avantgarde
-  - BDSM
-  - BLUES BUNKER MUSIC
-  - BOB DYLAN ROOM
-  - BigEdsClassicRock
-  - BigedsSixties
-  - Blues&Soul
-  - Bootlegged concerts
-  - Brasil
-  - Breakcore
-  - CHILE
-  - Canada
-  - China Room
-  - Chiptunes
-  - Christians
-  - Classical
-  - Come To The Sabbath !
-  - Communism
-  - DEATH METAL CLUB
-  - Dark Ambient
-  - De Koffie Shop
-  - De Kroeg
-  - Deathrock
-  - DieMilitarmusik
-  - Disco Classics
-  - Doom Metal
-  - Doujin Music
-  - Dub Techno
-  - Dubstep
-  - EBM-GOTHIC-INDUSTRIAL
-  - EBooks
-  - Emo
-  - Eurodance
-  - Eurovision Song Contest
-  - Experimental Electronica
-  - FOLK MUSIC
-  - Free Jazz
-  - Furry
-  - Gay
-  - Gothic
-  - Greece
-  - Grindcore
-  - HEE cum eaters 1! !
-  - HOUSE MUSIC LOVERS (AG)
-  - Happy Hardcore
-  - Hardcore NL
-  - Hardcore/punk
-  - Hip Hop
-  - Horror movies
-  - IDM
-  - INDUSTRIAL
-  - IReGGaeGaLaXy
-  - Incredibly Strange Music
-  - Israel
-  - Jaz (Full CDs)
-  - Jazz
-  - Jazz-Rock-Fusion-Guitar
-  - Juggalo Family
-  - Jungle
-  - Korean Music
-  - LANGUAGE EXCHANGE here
-  - LGBTQ+!!
-  - Last.fm
-  - Linux
-  - Lossless Scores
-  - MOVIES
-  - Mac Users
-  - Metal
-  - MovieMusic
-  - NORWAY
-  - New Crystal Vibrations
-  - New Wave
-  - New Zealand
-  - OLD SKOOL GANGSTA SHIT
-  - OLDSCHOOL 88-94
-  - OLI SHOTA CUB ROOM!
-  - Original Blues Bunker
-  - PSYCHEDELIA
-  - PUNK/HARDCORE/GRIND
-  - Portugal
-  - Post Punk
-  - Post-Hardcore (modern)
-  - Progressive Rock
-  - Psychedelic/Acid Rock
-  - Psytrance
-  - Quebec
-  - REGGAE
-  - Rare Music
-  - RareVHS/DVD/Rips
-  - Retro Gaming
-  - Romania
-  - Room Name
-  - SIsk Idiots !!
-  - SLUDGE!
-  - Slovenia
-  - Soundtracks&Scores
-  - Spain
-  - Stoner HiVe
-  - Stoner Rock
-  - Strange Music
-  - TECHNO, Mixes and Tunes
-  - THC
-  - Talia
-  - The Dangerous Kitchen
-  - TheScoreZone
-  - Thrash Metal
-  - Tinmans Movie Room
-  - Trip-Hop
-  - Ttalian_dancefloor
-  - Twee Folks
-  - UK DUB
-  - URIDDIM!!
-  - Ukraine
-  - Underground Hiphop
-  - VAPORWAVE
-  - Video Game Chat
-  - Vinyl Addicts
-  - Vocaloid
-  - WHATCDs
-  - World Music
-  - Yacht Rock
-  - '[German] [Deutsch]'
-  - abbey road Itd
-  - anime cunny
-  - bleeps&klonks
-  - breakbeat
-  - comics
-  - deep house connection
-  - drum'n'bass
-  - eesti mehed
-  - electro
-  - flacfield
-  - food
-  - for Losers
-  - hungary
-  - indie
-  - japanese music
-  - library music
-  - lossless
-  - minimal music
-  - museek
-  - noise
-  - 'on'
-  - postrock
-  - programming
-  - progressive house
-  - public porn
-  - r/musichoarder
-  - ru
-  - shoegaze
-  - tapekvit
-  - test
-  - trancEaddict
-  - trivia
-  - what.cd
-  - what.cd electronic
-  - what.cd-flac
-  - '{Italo Disco'
-web:
-  authentication:
-    username: slskd
-    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_WEB_PASSSWORD'] }}
-    api_keys:
-      my_api_key:
-        key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
-        role: readwrite
-        cidr: 0.0.0.0/0,::/0
-soulseek:
-  address: vps.slsknet.org
-  port: 2271
-  username: Trez.One
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
-  diagnostic_level: Info
@@ -1,19 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-{
-  "$schema": "../schemas/v2/index.json",
-  "repos": [
-      {
-          "type": "gitea",
-          "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
-          "url": "https://git.trez.wtf",
-          "revisions": {
-              "branches": [
-                  "main",
-                  "*"
-              ]
-          }
-      }
-  ]
-}
@@ -1,19 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-{
-  "$schema": "../schemas/v2/index.json",
-  "repos": [
-      {
-          "type": "gitea",
-          "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
-          "url": "https://git.trez.wtf",
-          "revisions": {
-              "branches": [
-                  "main",
-                  "*"
-              ]
-          }
-      }
-  ]
-}
@@ -1,29 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-<?xml version='1.0' encoding='UTF-8'?>
-
-<!DOCTYPE properties SYSTEM 'http://java.sun.com/dtd/properties.dtd'>
-
-<properties>
-
-    <entry key='config.default'>./conf/default.xml</entry>
-
-    <!--
-
-    This is the main configuration file. All your configuration parameters should be placed in this file.
-
-    Default configuration parameters are located in the "default.xml" file. You should not modify it to avoid issues
-    with upgrading to a new version. Parameters in the main config file override values in the default file. Do not
-    remove "config.default" parameter from this file unless you know what you are doing.
-
-    For list of available parameters see following page: https://www.traccar.org/configuration-file/
-
-    -->
-
-    <entry key='database.driver'>org.postgresql.Driver</entry>
-    <entry key='database.url'>jdbc:postgresql://traccar-pg:5432/traccar-db</entry>
-    <entry key='database.user'>traccar</entry>
-    <entry key='database.password'>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}</entry>
-
-</properties>
@@ -1,29 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-<?xml version='1.0' encoding='UTF-8'?>
-
-<!DOCTYPE properties SYSTEM 'http://java.sun.com/dtd/properties.dtd'>
-
-<properties>
-
-    <entry key='config.default'>./conf/default.xml</entry>
-
-    <!--
-
-    This is the main configuration file. All your configuration parameters should be placed in this file.
-
-    Default configuration parameters are located in the "default.xml" file. You should not modify it to avoid issues
-    with upgrading to a new version. Parameters in the main config file override values in the default file. Do not
-    remove "config.default" parameter from this file unless you know what you are doing.
-
-    For list of available parameters see following page: https://www.traccar.org/configuration-file/
-
-    -->
-
-    <entry key='database.driver'>org.postgresql.Driver</entry>
-    <entry key='database.url'>jdbc:postgresql://traccar-pg:5432/traccar-db</entry>
-    <entry key='database.user'>traccar</entry>
-    <entry key='database.password'>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}</entry>
-
-</properties>
@@ -1,29 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-{
-    "always_keep_failed_tasks": true,
-    "auto_manage_completed_tasks": false,
-    "cache_path": "/tmp/unmanic",
-    "clear_pending_tasks_on_restart": false,
-    "concurrent_file_testers": 2,
-    "config_path": "/config/.unmanic/config",
-    "debugging": false,
-    "distributed_worker_count_target": 0,
-    "enable_library_scanner": false,
-    "first_run": false,
-    "follow_symlinks": true,
-    "installation_name": "Unmanic @ Rinoa",
-    "library_path": "/library",
-    "log_path": "/config/.unmanic/logs",
-    "max_age_of_completed_tasks": 91,
-    "number_of_workers": null,
-    "plugins_path": "/config/.unmanic/plugins",
-    "release_notes_viewed": "0.2.8",
-    "remote_installations": [],
-    "run_full_scan_on_start": false,
-    "schedule_full_scan_minutes": 1440,
-    "ui_port": 8888,
-    "userdata_path": "/config/.unmanic/userdata",
-    "worker_event_schedules": null
-}
@@ -1,31 +0,0 @@
-  sources:
-    rinoa_docker_logs:
-      type: docker_logs
-      exclude_containers:
-        - vector
-
-  sinks:
-    parseable:
-      type: http
-      method: post
-      batch:
-        max_bytes: 10485760
-        max_events: 1000
-        timeout_secs: 10
-      compression: gzip
-      inputs:
-        - rinoa_docker_logs
-      encoding:
-        codec: json
-      uri: http://parseable:8000/api/v1/ingest'
-      auth:
-        strategy: basic
-        user: admin
-        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
-      request:
-        headers:
-          X-P-Stream: rinoa-docker-logs
-      healthcheck:
-        enabled: true
-        path: 'http://parseable:8000/api/v1/liveness'
-        port: 80
@@ -1,31 +0,0 @@
-  sources:
-    rinoa_docker_logs:
-      type: docker_logs
-      exclude_containers:
-        - vector
-
-  sinks:
-    parseable:
-      type: http
-      method: post
-      batch:
-        max_bytes: 10485760
-        max_events: 1000
-        timeout_secs: 10
-      compression: gzip
-      inputs:
-        - rinoa_docker_logs
-      encoding:
-        codec: json
-      uri: http://parseable:8000/api/v1/ingest'
-      auth:
-        strategy: basic
-        user: admin
-        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
-      request:
-        headers:
-          X-P-Stream: rinoa-docker-logs
-      healthcheck:
-        enabled: true
-        path: 'http://parseable:8000/api/v1/liveness'
-        port: 80
@@ -1,19 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-nodes:
-  # Wazuh indexer server nodes
-  indexer:
-    - name: wazuh.indexer
-      ip: wazuh.indexer
-
-  # Wazuh server nodes
-  # Use node_type only with more than one Wazuh manager
-  server:
-    - name: wazuh.manager
-      ip: wazuh.manager
-
-  # Wazuh dashboard node
-  dashboard:
-    - name: wazuh.dashboard
-      ip: wazuh.dashboard
@@ -1,33 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-network.host: "0.0.0.0"
-node.name: "wazuh.indexer"
-path.data: /var/lib/wazuh-indexer
-path.logs: /var/log/wazuh-indexer
-discovery.type: single-node
-http.port: 9200-9299
-transport.tcp.port: 9300-9399
-compatibility.override_main_response_version: true
-plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
-plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
-plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
-plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
-plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
-plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
-plugins.security.ssl.http.enabled: true
-plugins.security.ssl.transport.enforce_hostname_verification: false
-plugins.security.ssl.transport.resolve_hostname: false
-plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
-plugins.security.check_snapshot_restore_write_privileges: true
-plugins.security.enable_snapshot_restore_privilege: true
-plugins.security.nodes_dn:
- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
-plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
-plugins.security.system_indices.enabled: true
-plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
-plugins.security.allow_default_init_securityindex: true
-cluster.routing.allocation.disk.threshold_enabled: false
@@ -1,10 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-hosts:
-  - 1513629884013:
-      url: "https://wazuh.manager"
-      port: 55000
-      username: wazuh-wui
-      password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}
-      run_as: false
@@ -1,19 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-nodes:
-  # Wazuh indexer server nodes
-  indexer:
-    - name: wazuh.indexer
-      ip: wazuh.indexer
-
-  # Wazuh server nodes
-  # Use node_type only with more than one Wazuh manager
-  server:
-    - name: wazuh.manager
-      ip: wazuh.manager
-
-  # Wazuh dashboard node
-  dashboard:
-    - name: wazuh.dashboard
-      ip: wazuh.dashboard
--- a/Show More
+++ b/Show More