... Need more caffeine.

.gitea/workflows/pr-ansible-config-deployment.yaml

@@ -6,7 +6,6 @@ on:
     paths:
       - '**.j2'
       - 'ansible/**.yml'
-
 jobs:
   check-and-create-pr:
     if: github.ref != 'refs/heads/main'
@@ -58,7 +57,7 @@ jobs:
           notification_title: 'GITEA: PR Check'
           notification_message: 'PR Created 🎟️'
   ansible-linting:
-    name: Ansible Linting
+    name: Docker Compose & Ansible Lints
     needs: [check-and-create-pr]
     runs-on: ubuntu-latest
     env:
@@ -71,13 +70,13 @@ jobs:
       - name: Fetch base branch
         run: |
           git fetch origin ${{ github.event.pull_request.base.ref }}
-      # - name: Cache Ansible Galaxy Collections
-      #   uses: actions/cache@v3
-      #   with:
-      #     path: ansible/collections
-      #     key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
-      #     restore-keys: |
-      #       ${{ runner.os }}-ansible-
+      - name: Cache Ansible Galaxy Collections
+        uses: actions/cache@v3
+        with:
+          path: ansible/collections
+          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
+          restore-keys: |
+            ${{ runner.os }}-ansible-
       - name: Install Ansible
         uses: alex-oleshkevich/setup-ansible@v1.0.1
         with:
@@ -113,7 +112,7 @@ jobs:
           notification_message: 'Docker Compose dry run completed successfully.'
   pr-merge:
     name: PR Merge
-    needs: [ansible-linting]
+    needs: [regenerate-readme-modified-services]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -140,8 +139,8 @@ jobs:
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
           notification_title: 'GITEA: PR Merge Successful'
           notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
-  ansible-config-deploy:
-    name: Ansible Playbook Run (Service Configs)
+  ansible-config-docker-compose-deploy:
+    name: Ansible Configs & Docker Compose Deployment
     runs-on: ubuntu-latest
     needs: [pr-merge]
     env:

.gitea/workflows/pr-cloudflare-docker-deploy.yml

@@ -5,6 +5,7 @@ on:
       - 'main'
     paths:
       - '**/docker-compose.yml'
+      - '**/pr-cloudflare-docker-deploy.yml'
       - '!ansible/**.yml'
 jobs:
   check-and-create-pr:
@@ -72,6 +73,9 @@ jobs:
       - name: Fetch base branch
         run: |
           git fetch origin ${{ github.event.pull_request.base.ref }}
+      - name: Login to Gitea Container Registry
+        run: |
+          docker login -u gitea-sonarqube-bot -p ${{ secrets.BOT_GITEA_TOKEN }} https://git.trez.wtf
       - name: Save both versions of docker-compose.yml
         run: |
           git show origin/main:docker-compose.yml > docker-compose-main.yml || touch docker-compose-main.yml
@@ -313,11 +317,8 @@ jobs:
       - name: Install Vault
         uses: cpanato/vault-installer@main
       - name: Login to Gitea Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: https://git.trez.wtf
-          username: gitea-sonarqube-bot
-          password: ${{ secrets.BOT_GITEA_TOKEN }}
+        run: |
+          docker login -u gitea-sonarqube-bot -p ${{ secrets.BOT_GITEA_TOKEN }} http://gitea:3000
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:

ansible/app-configs/apprise_apprise.yml.j2

@@ -2,5 +2,5 @@
 {% set secrets_path = 'rinoa-docker/env' %}
 
 urls:
-  - gotify://gotify/{{ vault_secrets['APPRISE_GOTIFY_TOKEN'] }}
-  - mailtos://{{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}:{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf
+  - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
+  - mailtos://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf

ansible/app-configs/authelia_configuration.yml.j2

@@ -64,11 +64,11 @@ authentication_backend:
       mail: mail
       display_name: displayName
     user: uid=authelia,ou=people,dc=trez,dc=wtf
-    password: '{{ vault_secrets['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
+    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
   refresh_interval: 5m
 identity_validation:
   reset_password:
-    jwt_secret: '{{ vault_secrets['AUTHELIA_JWT_SECRET'] }}'
+    jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}'
 password_policy:
   standard:
     enabled: true
@@ -104,7 +104,7 @@ access_control:
       - ['user:the.trezured.one']
 session:
   name: authelia_session
-  secret: '{{ vault_secrets['AUTHELIA_SESSION_SECRET'] }}'
+  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
   expiration: 1h
   inactivity: 5m
   remember_me: 1M
@@ -115,12 +115,12 @@ session:
     host: redis
     port: 6379
 storage:
-  encryption_key: '{{ vault_secrets['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
+  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
   postgres:
     address: 'tcp://authelia-pg:5432'
     database: authelia
     username: authelia
-    password: '{{ vault_secrets['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
+    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
     timeout: '5s'
 regulation:
   max_retries: 3
@@ -131,8 +131,8 @@ notifier:
   smtp:
     address: 'smtp://postal-smtp:25'
     timeout: '5s'
-    username: '{{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}'
-    password: '{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}'
+    username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}'
+    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}'
     sender: "Authelia <noreply@trez.wtf>"
     identifier: 'localhost'
     subject: "[Authelia] {title}"
@@ -142,10 +142,10 @@ notifier:
     disable_html_emails: false
 identity_providers:
   oidc:
-    hmac_secret: '{{ vault_secrets['AUTHELIA_OIDC_HMAC_SECRET'] }}'
+    hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}'
     jwks:
       - key: |
-          {{ vault_secrets["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
+          {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
     cors:
       allowed_origins_from_client_redirect_uris: true
       endpoints:
@@ -157,7 +157,7 @@ identity_providers:
     clients:
       - client_id: 'netbird'
         client_name: 'NetBird'
-        client_secret: '{{ vault_secrets['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
+        client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
         public: false
         authorization_policy: 'two_factor'
         redirect_uris:

ansible/app-configs/crowdsec_acquis.yaml.j2

@@ -1,6 +1,7 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
+
 source: journalctl
 journalctl_filter: 
   - "--directory=/var/log/host/"

ansible/app-configs/crowdsec_local-api-credentials.yaml.j2

@@ -3,4 +3,4 @@
 
 url: http://0.0.0.0:8080
 login: localhost
-password: {{ vault_secrets['CROWDSEC_LOCAL_API_KEY'] }}
+password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_LOCAL_API_KEY'] }}

ansible/app-configs/ghost_config.production.json.j2

@@ -9,7 +9,7 @@
       "host"     : "mariadb",
       "port"     : 3306,
       "user"     : "ghost",
-      "password" : "{{ vault_secrets['GHOST_DB_PASSWORD'] }}",
+      "password" : "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GHOST_DB_PASSWORD'] }}",
       "database" : "ghost_db"
     }
   },
@@ -21,8 +21,8 @@
       "port": 25,
       "secure": false,
       "auth": {
-        "user": "{{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}",
-        "pass": "{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+        "user": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}",
+        "pass": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
       }
     }
   },

ansible/app-configs/gitea_app.ini.j2

@@ -27,7 +27,7 @@ DISABLE_SSH = false
 SSH_PORT = 22
 SSH_LISTEN_PORT = 22
 LFS_START_SERVER = true
-LFS_JWT_SECRET = {{ vault_secrets['GITEA_LFS_JWT_SECRET'] }}
+LFS_JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_LFS_JWT_SECRET'] }}
 OFFLINE_MODE = true
 
 [database]
@@ -36,7 +36,7 @@ DB_TYPE = postgres
 HOST = gitea-db:5432
 NAME = gitea
 USER = gitea
-PASSWD = {{ vault_secrets['GITEA_PG_DB_PASSWORD'] }}
+PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_PG_DB_PASSWORD'] }}
 LOG_SQL = false
 SCHEMA =
 SSL_MODE = disable
@@ -70,7 +70,7 @@ INSTALL_LOCK = true
 SECRET_KEY =
 REVERSE_PROXY_LIMIT = 1
 REVERSE_PROXY_TRUSTED_PROXIES = *
-INTERNAL_TOKEN = {{ vault_secrets['GITEA_INTERNAL_TOKEN'] }}
+INTERNAL_TOKEN = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_INTERNAL_TOKEN'] }}
 PASSWORD_HASH_ALGO = pbkdf2
 
 [service]
@@ -89,7 +89,7 @@ NO_REPLY_ADDRESS = noreply@trez.wtf
 PATH = /data/git/lfs
 
 [mailer]
-PASSWD = {{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}
+PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
 PROTOCOL = smtp
 ENABLED = true
 FROM = '"Gitea" <noreply@trez.wtf>'
@@ -112,7 +112,7 @@ DEFAULT_MERGE_STYLE = merge
 DEFAULT_TRUST_MODEL = committer
 
 [oauth2]
-JWT_SECRET = {{ vault_secrets['GITEA_OAUTH2_JWT_SECRET'] }}
+JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_OAUTH2_JWT_SECRET'] }}
 
 [ui]
 THEMES =

ansible/app-configs/gitea_gitea-sonarqube-bot_config.yaml.j2

@@ -9,7 +9,7 @@ gitea:
   # Created access token for the user that shall be used as bot account.
   # User needs "Read project" permissions with access to "Pull Requests"
   token:
-    value: "{{ vault_secrets['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}"
+    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}"
     # # or path to file containing the plain text secret
     # file: /path/to/gitea/token
 
@@ -18,7 +18,7 @@ gitea:
   # The bot looks for `X-Gitea-Signature` header containing the sha256 hmac hash of the plain text secret. If the header
   # exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be validated.
   webhook:
-    secret: "{{ vault_secrets['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}"
+    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}"
     # # or path to file containing the plain text secret
     # secretFile: /path/to/gitea/webhook/secret
 
@@ -35,7 +35,7 @@ sonarqube:
   # Created access token for the user that shall be used as bot account.
   # User needs "Browse on project" permissions
   token:
-    value: "{{ vault_secrets['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}"
+    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}"
     # # or path to file containing the plain text secret
     # file: /path/to/sonarqube/token
 
@@ -45,7 +45,7 @@ sonarqube:
   # If the header exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be
   # validated.
   webhook:
-    secret: "{{ vault_secrets['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}"
+    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}"
     # # or path to file containing the plain text secret
     # secretFile: /path/to/sonarqube/webhook/secret
 

ansible/app-configs/grafana_pyroscope_config.yaml.j2

@@ -4,8 +4,8 @@ storage:
     bucket_name: pyroscope
     endpoint: minio:9000
     region: us-east-fh-pln
-    access_key_id: {{ vault_secrets['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
-    secret_access_key: {{ vault_secrets['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
+    access_key_id: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
+    secret_access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
     insecure: true
 
 analytics:

ansible/app-configs/grafana_tempo_tempo.yaml.j2

@@ -46,8 +46,8 @@ storage:
     s3:
       bucket: tempo                    # how to store data in s3
       endpoint: minio:9000
-      access_key: {{ vault_secrets['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }}
-      secret_key: {{ vault_secrets['MINIO_TEMPO_STORAGE_SECRET_KEY'] }}
+      access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }}
+      secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_SECRET_KEY'] }}
       insecure: true
 
 usage_report:

ansible/app-configs/homepage_services.yaml.j2

@@ -29,5 +29,5 @@
         widget:
             type: homeassistant
             url: http://192.168.1.252:8123
-            key: {{ vault_secrets['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }}
+            key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }}
 

ansible/app-configs/homepage_settings.yaml.j2

@@ -6,7 +6,7 @@
 # https://gethomepage.dev/en/configs/settings
 
 providers:
-  openweathermap: {{ vault_secrets['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
+  openweathermap: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
   # weatherapi: weatherapiapikey
 title: Rinoa Dashboard (trez.WTF)
 headerStyle: underlined

ansible/app-configs/invidious_config.yml.j2

@@ -16,7 +16,7 @@ db:
   host: invidious-db
   port: 5432
   dbname: invidious
-  password: {{ vault_secrets['INVID_PG_DB_PASSWORD'] }}
+  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PG_DB_PASSWORD'] }}
 
 ##
 ## Database configuration using a single URI. This is an
@@ -210,8 +210,8 @@ https_only: false
 ## Accepted values: String
 ## Default: <none>
 ##
-po_token: {{ vault_secrets['INVID_PO_TOKEN'] }}
-visitor_data: {{ vault_secrets['INVID_VISITOR_DATA'] }}
+po_token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PO_TOKEN'] }}
+visitor_data: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_VISITOR_DATA'] }}
 
 # -----------------------------
 #  Logging
@@ -471,7 +471,7 @@ jobs:
 ## Accepted values: a string
 ## Default: <none>
 ##
-hmac_key: {{ vault_secrets['INVID_HMAC_KEY'] }}
+hmac_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_HMAC_KEY'] }}
 
 ##
 ## List of video IDs where the "download" widget must be

ansible/app-configs/invoice-ninja_invoice-ninja.env.j2

@@ -3,7 +3,7 @@
 
 # IN application vars
 IN_APP_URL=https://biz.trez.wtf
-IN_APP_KEY={{ vault_secrets['IN_APP_KEY'] }}
+IN_APP_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_APP_KEY'] }}
 IN_APP_DEBUG=true
 IN_REQUIRE_HTTPS=false
 IN_PHANTOMJS_PDF_GENERATION=false
@@ -18,7 +18,7 @@ IN_DB_HOST=mariadb
 IN_DB_PORT=3306
 IN_DB_DATABASE=invoice_ninja
 IN_DB_USERNAME=ininja
-IN_DB_PASSWORD={{ vault_secrets['IN_MYSQL_PASSWORD'] }}
+IN_DB_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_MYSQL_PASSWORD'] }}
 
 # Create initial user
 # Default to these values if empty
@@ -31,8 +31,8 @@ IN_PASSWORD=
 IN_MAIL_MAILER=log
 IN_MAIL_HOST=postal-smtp
 IN_MAIL_PORT=25
-IN_MAIL_USERNAME={{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}
-IN_MAIL_PASSWORD={{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}
+IN_MAIL_USERNAME={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
+IN_MAIL_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
 IN_MAIL_ENCRYPTION=null
 IN_MAIL_FROM_ADDRESS='noreply@trez.wtf'
 IN_MAIL_FROM_NAME='Treasured IT'

ansible/app-configs/librechat_librechat.env.j2

@@ -17,7 +17,7 @@
 HOST=localhost
 PORT=3080
 
-MONGO_URI=mongodb://librechat:{{ vault_secrets['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
+MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
 
 DOMAIN_CLIENT=https://ai.trez.wtf
 DOMAIN_SERVER=https://ai.trez.wtf
@@ -73,12 +73,12 @@ PROXY=
 # ANYSCALE_API_KEY=
 # APIPIE_API_KEY=
 # COHERE_API_KEY=
-DEEPSEEK_API_KEY={{ vault_secrets['LIBRECHAT_DEEPSEEK_API_KEY'] }}
+DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
 # DATABRICKS_API_KEY=
 # FIREWORKS_API_KEY=
 # GROQ_API_KEY=
 # HUGGINGFACE_TOKEN=
-MISTRAL_API_KEY={{ vault_secrets['LIBRECHAT_MISTRAL_API_KEY'] }}
+MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
 # OPENROUTER_KEY=
 # PERPLEXITY_API_KEY=
 # SHUTTLEAI_API_KEY=
@@ -90,7 +90,7 @@ MISTRAL_API_KEY={{ vault_secrets['LIBRECHAT_MISTRAL_API_KEY'] }}
 # Anthropic  #
 #============#
 
-ANTHROPIC_API_KEY={{ vault_secrets['LIBRECHAT_ANTHROPIC_API_KEY'] }}
+ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
 ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
 # ANTHROPIC_REVERSE_PROXY=
 
@@ -177,7 +177,7 @@ ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-
 # OpenAI     #
 #============#
 
-OPENAI_API_KEY={{ vault_secrets['LIBRECHAT_OPENAI_API_KEY'] }}
+OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
 OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
 
 DEBUG_OPENAI=false
@@ -226,8 +226,8 @@ DEBUG_OPENAI=false
 
 # DEBUG_PLUGINS=
 
-CREDS_KEY={{ vault_secrets['LIBRECHAT_CREDS_KEY'] }}
-CREDS_IV={{ vault_secrets['LIBRECHAT_CREDS_IV'] }}
+CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
+CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
 
 # Azure AI Search
 #-----------------
@@ -298,7 +298,7 @@ ZAPIER_NLA_API_KEY=
 SEARCH=true
 MEILI_NO_ANALYTICS=true
 MEILI_HOST=http://meilisearch:7700
-MEILI_MASTER_KEY={{ vault_secrets['MEILISEARCH_MASTER_KEY'] }}
+MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
 
 # Optional: Disable indexing, useful in a multi-node setup
 # where only one instance should perform an index sync.
@@ -384,8 +384,8 @@ ALLOW_UNVERIFIED_EMAIL_LOGIN=true
 SESSION_EXPIRY=1000 * 60 * 15
 REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
 
-JWT_SECRET={{ vault_secrets['LIBRECHAT_JWT_SECRET'] }}
-JWT_REFRESH_SECRET={{ vault_secrets['LIBRECHAT_JWT_REFRESH_SECRET'] }}
+JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
+JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
 
 
 # Discord
@@ -547,4 +547,4 @@ USE_REDIS=true
 #=====================================================#
 #                  OpenWeather                        #
 #=====================================================#
-OPENWEATHER_API_KEY={{ vault_secrets['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
+OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}

ansible/app-configs/lidarr_config.xml.j2

@@ -7,7 +7,7 @@
   <SslPort>6868</SslPort>
   <EnableSsl>False</EnableSsl>
   <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ vault_secrets['LIDARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}</ApiKey>
   <AuthenticationMethod>Forms</AuthenticationMethod>
   <Branch>master</Branch>
   <LogLevel>trace</LogLevel>

ansible/app-configs/lidify_settings_config.json.j2

@@ -3,11 +3,11 @@
 
 {
     "lidarr_address": "http://lidarr:8686",
-    "lidarr_api_key": "{{ vault_secrets['LIDARR_API_KEY'] }}",
-    "spotify_client_secret": "{{ vault_secrets['YOUR_SPOTIFY_SECRET'] }}",
+    "lidarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}",
+    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
     "root_folder_path": "/data/media/music",
-    "spotify_client_id": "{{ vault_secrets['YOUR_SPOTIFY_ID'] }}",
-    "spotify_client_secret": "{{ vault_secrets['YOUR_SPOTIFY_SECRET'] }}",
+    "spotify_client_id": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
+    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
     "fallback_to_top_result": false,
     "lidarr_api_timeout": 120.0,
     "quality_profile_id": 1,
@@ -17,8 +17,8 @@
     "app_name": "lidify",
     "app_rev": "0.09",
     "app_url": "lidify.trez.wtf",
-    "last_fm_api_key": "{{ vault_secrets['LASTFM_API_KEY'] }}",
-    "last_fm_api_secret": "{{ vault_secrets['LASTFM_API_SECRET'] }}",
+    "last_fm_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+    "last_fm_api_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
     "mode": "LastFM",
     "auto_start": false,
     "auto_start_delay": 60

ansible/app-configs/loggifly_config.yaml.j2

@@ -20,7 +20,7 @@ global_keywords:
     - fatal
 notifications:
   apprise:
-    url: gotify://gotify/{{ vault_secrets['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
+    url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
 # settings are optional because they all have default values
 settings:
   log_level: INFO               # DEBUG, INFO, WARNING, ERROR

ansible/app-configs/multi-scrobbler_config.json.j2

@@ -27,8 +27,8 @@
       "clients": [],
       "name": "spotify",
       "data": {
-        "clientId": "{{ vault_secrets['YOUR_SPOTIFY_ID'] }}",
-        "clientSecret": "{{ vault_secrets['YOUR_SPOTIFY_SECRET'] }}",
+        "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
+        "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
         "redirectUri": "http://localhost:9078/callback"
       }
     },
@@ -38,8 +38,8 @@
       "clients": [],
       "name": "lastfm",
       "data": {
-        "apiKey": "{{ vault_secrets['LASTFM_API_KEY'] }}",
-        "secret": "{{ vault_secrets['LASTFM_API_SECRET'] }}",
+        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
         "redirectUri": "http://localhost:9078/lastfm/callback"
       }
     },
@@ -49,7 +49,7 @@
       "clients": [],
       "name": "listenBrainz",
       "data": {
-        "token": "{{ vault_secrets['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
         "username": "Trez.One"
       }
     },
@@ -61,7 +61,7 @@
       "data": {
         "url": "http://navidrome:4533",
         "user": "admin",
-        "password": "{{ vault_secrets['NAVIDROME_PASSWORD'] }}"
+        "password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}"
       }
     }
   ],
@@ -71,8 +71,8 @@
       "enable": true,
       "name": "lastFmClient",
       "data": {
-        "apiKey": "{{ vault_secrets['LASTFM_API_KEY'] }}",
-        "secret": "{{ vault_secrets['LASTFM_API_SECRET'] }}",
+        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
         "redirectUri": "http://localhost:9078/lastfm/callback"
       }
     },
@@ -81,7 +81,7 @@
       "enable": true,
       "name": "ListenBrainzClient",
       "data": {
-        "token": "{{ vault_secrets['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
         "username": "Trez.One"
       }
     },
@@ -91,7 +91,7 @@
       "name": "maloja",
       "data": {
         "url": "http://maloja:42010",
-        "apiKey": "{{ vault_secrets['MALOJA_API_KEY'] }}"
+        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
       }
     }
   ],
@@ -100,7 +100,7 @@
       "name": "Gotify",
       "type": "gotify",
       "url": "http://gotify",
-      "token": "{{ vault_secrets['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
+      "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
       "priorities": {
         "info": 5,
         "warn": 7,

ansible/app-configs/netbird_management.json.j2

@@ -2,7 +2,7 @@
   "Stuns": [
     {
       "Proto": "udp",
-      "URI": "stun:netbird.{{ vault_secrets['MY_TLD'] }}:3478",
+      "URI": "stun:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
       "Username": "",
       "Password": null
     }
@@ -11,9 +11,9 @@
     "Turns": [
       {
         "Proto": "udp",
-        "URI": "turn:netbird.{{ vault_secrets['MY_TLD'] }}:3478",
+        "URI": "turn:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
         "Username": "self",
-        "Password": "{{ vault_secrets['NETBIRD_TURN_PASSWORD'] }}"
+        "Password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}"
       }
     ],
     "CredentialsTTL": "12h",
@@ -22,14 +22,14 @@
   },
   "Relay": {
     "Addresses": [
-      "rel://netbird.{{ vault_secrets['MY_TLD'] }}:33080"
+      "rel://netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:33080"
     ],
     "CredentialsTTL": "24h",
-    "Secret": "{{ vault_secrets['NETBIRD_RELAY_AUTH_SECRET'] }}"
+    "Secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_RELAY_AUTH_SECRET'] }}"
   },
   "Signal": {
     "Proto": "https",
-    "URI": "netbird.{{ vault_secrets['MY_TLD'] }}:10001",
+    "URI": "netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:10001",
     "Username": "",
     "Password": null
   },
@@ -47,14 +47,14 @@
   },
   "HttpConfig": {
     "Address": "0.0.0.0:33073",
-    "AuthIssuer": "https://auth.{{ vault_secrets['MY_TLD'] }}",
+    "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
     "AuthAudience": "netbird",
-    "AuthKeysLocation": "https://auth.{{ vault_secrets['MY_TLD'] }}/jwks.json",
+    "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
     "AuthUserIDClaim": "",
     "CertFile": "",
     "CertKey": "",
     "IdpSignKeyRefreshEnabled": true,
-    "OIDCConfigEndpoint": "https://auth.{{ vault_secrets['MY_TLD'] }}/.well-known/openid-configuration"
+    "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
   },
   "IdpManagerConfig": {},
   "DeviceAuthorizationFlow": {},
@@ -62,10 +62,10 @@
     "ProviderConfig": {
       "Audience": "netbird",
       "ClientID": "netbird",
-      "ClientSecret": "{{ vault_secrets['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
+      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
       "Domain": "",
-      "AuthorizationEndpoint": "https://auth.{{ vault_secrets['MY_TLD'] }}/api/oidc/authorization",
-      "TokenEndpoint": "https://auth.{{ vault_secrets['MY_TLD'] }}/api/oidc/token",
+      "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
+      "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
       "Scope": "openid profile email offline_access api",
       "RedirectURLs": [
         "http://localhost:53000"

ansible/app-configs/netbird_turnserver.conf.j2

@@ -250,7 +250,7 @@ lt-cred-mech
 #user=username1:key1
 #user=username2:key2
 # OR:
-user=self:{{ vault_secrets['NETBIRD_TURN_PASSWORD'] }}
+user=self:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}
 #user=username2:password2
 #
 # Keys must be generated by turnadmin utility. The key value depends

ansible/app-configs/postal_postal.yml.j2

@@ -18,13 +18,13 @@ web_server:
 main_db:
   host: mariadb
   username: postal
-  password: {{ vault_secrets['POSTAL_MYSQL_PASSWORD'] }}
+  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
   database: postal
 
 message_db:
   host: mariadb
   username: postal
-  password: {{ vault_secrets['POSTAL_MYSQL_PASSWORD'] }}
+  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
   prefix: postal
 
 smtp_server:
@@ -52,11 +52,11 @@ smtp:
   host: postal-smtp
   port: 25
   username: rinoa/postal-smtp
-  password: "{{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+  password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
   from_name: Postal @ Rinoa
   from_address: noreply@trez.wtf
 
 rails:
   # This is generated automatically by the config initialization. It should be a random
   # string unique to your installation.
-  secret_key: "{{ vault_secrets['POSTAL_RAILS_SECRET_KEY'] }}"
+  secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_RAILS_SECRET_KEY'] }}"

ansible/app-configs/prowlarr_config.xml.j2

@@ -7,7 +7,7 @@
   <SslPort>6969</SslPort>
   <EnableSsl>False</EnableSsl>
   <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ vault_secrets['PROWLARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}</ApiKey>
   <AuthenticationMethod>Forms</AuthenticationMethod>
   <AuthenticationRequired>Enabled</AuthenticationRequired>
   <Branch>master</Branch>

ansible/app-configs/radarec_settings_config.json.j2

@@ -3,9 +3,9 @@
 
 {
     "radarr_address": "http://radarr:7878",
-    "radarr_api_key": "{{ vault_secrets['RADARR_API_KEY'] }}",
+    "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}",
     "root_folder_path": "/data/media/movies",
-    "tmdb_api_key": "{{ vault_secrets['TMDB_API_KEY'] }}",
+    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
     "fallback_to_top_result": false,
     "radarr_api_timeout": 120.0,
     "quality_profile_id": 1,

ansible/app-configs/radarr_config.xml.j2

@@ -8,7 +8,7 @@
   <SslCertPath></SslCertPath>
   <Port>7878</Port>
   <UrlBase></UrlBase>
-  <ApiKey>{{ vault_secrets['RADARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}</ApiKey>
   <AuthenticationMethod>Forms</AuthenticationMethod>
   <UpdateMechanism>Docker</UpdateMechanism>
   <SslPort>9898</SslPort>

ansible/app-configs/readarr_config.xml.j2

@@ -7,7 +7,7 @@
   <SslPort>6868</SslPort>
   <EnableSsl>False</EnableSsl>
   <LaunchBrowser>True</LaunchBrowser>
-  <ApiKey>{{ vault_secrets['READARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}</ApiKey>
   <AuthenticationMethod>Forms</AuthenticationMethod>
   <Branch>develop</Branch>
   <LogLevel>info</LogLevel>

ansible/app-configs/sabnzbdvpn_sabnzbd.ini.j2

@@ -22,7 +22,7 @@ host = 0.0.0.0
 port = 8080
 https_port = 8090
 username = thetrezuredone
-password = {{ vault_secrets['SABNZBDVPN_PASSWORD'] }}
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_PASSWORD'] }}
 bandwidth_max = 1000M
 cache_limit = 1G
 web_dir = Glitter
@@ -33,7 +33,7 @@ https_chain = ""
 enable_https = 1
 inet_exposure = 0
 local_ranges = ,
-api_key = {{ vault_secrets['SABNZBDVPN_API_KEY'] }}
+api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_API_KEY'] }}
 nzb_key = 3c0fa874bb2748b58c1bd7512e649946
 permissions = 775
 download_dir = /storage/downloads/incomplete
@@ -342,7 +342,7 @@ host = news.newshosting.com
 port = 563
 timeout = 60
 username = thetrezuredone
-password = {{ vault_secrets['SLSK_USER_PASSWORD'] }}
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
 connections = 8
 ssl = 1
 ssl_verify = 3
@@ -363,7 +363,7 @@ host = news.easynews.com
 port = 443
 timeout = 60
 username = TrezOne
-password = {{ vault_secrets['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
 connections = 60
 ssl = 0
 ssl_verify = 3

ansible/app-configs/searxng_settings.yml.j2

@@ -82,7 +82,7 @@ server:
   # If your instance owns a /etc/searxng/settings.yml file, then set the following
   # values there.
 
-  secret_key: {{ vault_secrets['SEARXNG_SECRET_KEY'] }}  # Is overwritten by ${SEARXNG_SECRET}
+  secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SEARXNG_SECRET_KEY'] }}  # Is overwritten by ${SEARXNG_SECRET}
   # Proxying image results through searx
   image_proxy: true
   # 1.0 and 1.1 are supported

ansible/app-configs/sonarr_config.xml.j2

@@ -8,7 +8,7 @@
   <SslPort>9898</SslPort>
   <UrlBase></UrlBase>
   <BindAddress>*</BindAddress>
-  <ApiKey>{{ vault_secrets['SONARR_API_KEY'] }}</ApiKey>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}</ApiKey>
   <AuthenticationMethod>Forms</AuthenticationMethod>
   <UpdateMechanism>Docker</UpdateMechanism>
   <LaunchBrowser>True</LaunchBrowser>

ansible/app-configs/sonashow_settings_config.json.j2

@@ -3,10 +3,10 @@
 
 {
     "sonarr_address": "http://192.168.1.2:8989",
-    "sonarr_api_key": "{{ vault_secrets['SONARR_API_KEY'] }}",
+    "sonarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}",
     "root_folder_path": "/data/media/shows",
     "tvdb_api_key": "",
-    "tmdb_api_key": "{{ vault_secrets['TMDB_API_KEY'] }}",
+    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
     "fallback_to_top_result": false,
     "sonarr_api_timeout": 120.0,
     "quality_profile_id": 1,

ansible/app-configs/soularr_config.ini.j2

@@ -2,7 +2,7 @@
 {% set secrets_path = 'rinoa-docker/env' %}
 
 [Lidarr]
-api_key = {{ vault_secrets['LIDARR_API_KEY'] }}
+api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
 host_url = http://lidarr:8686
 #This should be the path mounted in lidarr that points to your slskd download directory.
 #If Lidarr is not running in Docker then this may just be the same dir as Slskd is using below.
@@ -10,7 +10,7 @@ download_dir = /storage
 
 [Slskd]
 #Api key from Slskd. Need to set this up manually. See link to Slskd docs above.
-api_key = {{ vault_secrets['SLSKD_API_KEY'] }}
+api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
 host_url = http://gluetun:5030
 #Slskd download directory. Should have set it up when installing Slskd.
 download_dir = /app/downloads

ansible/app-configs/soulseek_slskd.yml.j2

@@ -198,15 +198,15 @@ rooms:
 web:
   authentication:
     username: slskd
-    password: {{ vault_secrets['SLSKD_WEB_PASSSWORD'] }}
+    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_WEB_PASSSWORD'] }}
     api_keys:
       my_api_key:
-        key: {{ vault_secrets['SLSKD_API_KEY'] }}
+        key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
         role: readwrite
         cidr: 0.0.0.0/0,::/0
 soulseek:
   address: vps.slsknet.org
   port: 2271
   username: Trez.One
-  password: {{ vault_secrets['SLSK_USER_PASSWORD'] }}
+  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
   diagnostic_level: Info

ansible/app-configs/sourcebot_config.json.j2

@@ -6,7 +6,7 @@
   "repos": [
       {
           "type": "gitea",
-          "token": "{{ vault_secrets['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
+          "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
           "url": "https://git.trez.wtf",
           "revisions": {
               "branches": [

ansible/app-configs/traccar_traccar.xml.j2

@@ -24,6 +24,6 @@
     <entry key='database.driver'>org.postgresql.Driver</entry>
     <entry key='database.url'>jdbc:postgresql://traccar-pg:5432/traccar-db</entry>
     <entry key='database.user'>traccar</entry>
-    <entry key='database.password'>{{ vault_secrets['WAZUH_API_PASSWORD'] }}</entry>
+    <entry key='database.password'>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}</entry>
 
 </properties>

ansible/app-configs/vector_vector.yaml.j2

@@ -21,7 +21,7 @@
       auth:
         strategy: basic
         user: admin
-        password: {{ vault_secrets['PARSEABLE_PASSWORD'] }}
+        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
       request:
         headers:
           X-P-Stream: rinoa-docker-logs

ansible/app-configs/wazuh_wazuh.yml.j2

@@ -6,5 +6,5 @@ hosts:
       url: "https://wazuh.manager"
       port: 55000
       username: wazuh-wui
-      password: {{ vault_secrets['WAZUH_API_PASSWORD'] }}
+      password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}
       run_as: false

ansible/app-configs/zitadel_config.yaml.j2

@@ -37,7 +37,7 @@ SMTPConfiguration:
     SMTP:
       # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
       Host: 'postal-smtp:25'
-      User: {{ vault_secrets['POSTAL_SMTP_AUTH_USER'] }}
-      Password: {{ vault_secrets['POSTAL_SMTP_AUTH_PASSWORD'] }}
+      User: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
+      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
     From: 'noreply@trez.wtf'
     FromName: 'Zitadel @ Rinoa'

ansible/app-configs/zitadel_secrets.yaml.j2

@@ -7,7 +7,7 @@ Database:
     User:
       # If the user doesn't exist already, it is created
       Username: 'zitadel'
-      Password: {{ vault_secrets['ZITADEL_DB_PASSWORD'] }}
+      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_PASSWORD'] }}
     Admin:
       Username: 'root'
-      Password: {{ vault_secrets['ZITADEL_DB_ADMIN_PASSWORD'] }}
+      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_ADMIN_PASSWORD'] }}

ansible/docker_config_deploy.yml

@@ -12,12 +12,6 @@
         mode: '0755'
       loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
 
-    - name: Fetch Vault secrets once
-      ansible.builtin.set_fact:
-        vault_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env',
-          engine_mount_point='rinoa-docker', url=vault_addr,
-          token=vault_token_cleaned)['secret'] }}"
-
     - name: Deploy configuration templates
       ansible.builtin.template:
         src: "{{ item }}"

docker-compose.yml

@@ -80,6 +80,36 @@ x-shared:
       - zammad-memcached
       - zammad-postgresql
       - zammad-redis
+x-maxun: &maxun-env
+  environment:
+    NODE_ENV: production
+    JWT_SECRET: ${MAXUN_JWT_SECRET}
+    DB_NAME: maxun
+    DB_USER: maxun
+    DB_PASSWORD: ${MAXUN_DB_PASSWORD}
+    DB_HOST: maxun-pg-db
+    DB_PORT: 5432
+    ENCRYPTION_KEY: ${MAXUN_ENCRYPTION_KEY}
+    SESSION_SECRET: ${MAXUN_SESSION_SECRET}
+    MINIO_ENDPOINT: minio
+    MINIO_PORT: 9000
+    MINIO_CONSOLE_PORT: 9001
+    MINIO_ACCESS_KEY: ${MAXUN_MINIO_ACCESS_KEY}
+    MINIO_SECRET_KEY: ${MAXUN_MINIO_SECRET_KEY}
+    REDIS_HOST: redis
+    REDIS_PORT: 6379
+    BACKEND_PORT: 8080
+    FRONTEND_PORT: 5173
+    BACKEND_URL: http://maxun-backend:8080
+    PUBLIC_URL: http://maxun-frontend:5173
+    VITE_BACKEND_URL: http://maxun-backend:8080
+    VITE_PUBLIC_URL: http://maxun-frontend:5173
+    MAXUN_TELEMETRY: true
+    PLAYWRIGHT_BROWSERS_PATH: /ms-playwright
+    PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 0
+    CHROMIUM_FLAGS: '--disable-gpu --no-sandbox --headless=new'
+    #DEBUG: pw:api
+    #PWDEBUG: 1
 services:
   actual_server:
     container_name: actualbudget
@@ -97,9 +127,6 @@ services:
       swag_port: 5006
       swag_proto: http
       swag_url: fin.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       homepage.group: Lifestyle
       homepage.name: Actual Budget
       homepage.icon: actual-budget.svg
@@ -119,9 +146,6 @@ services:
       swag: enable
       swag_proto: http
       swag_url: adgh.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       homepage.group: System Administration
       homepage.name: AdGuard Home
       homepage.icon: adguard-home.png
@@ -190,9 +214,6 @@ services:
       swag_port: 8000
       swag_proto: http
       swag_url: archive.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://archive.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -225,9 +246,6 @@ services:
       swag_address: audiobookshelf
       swag_proto: http
       swag_url: abs.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://abs.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -293,9 +311,6 @@ services:
       swag_proto: http
       swag_port: 9091
       swag_url: auth.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://auth.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -347,9 +362,6 @@ services:
       swag: enable
       swag_proto: http
       swag_port: 6767
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://bazaar.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -395,9 +407,6 @@ services:
       swag_proto: http
       swag_port: 8090
       swag_url: beszel.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://beszel.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -449,9 +458,6 @@ services:
       swag_url: bitwarden.${MY_TLD}
       swag_proto: http
       swag_port: 80
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://bitwarden.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -505,9 +511,6 @@ services:
       swag: enable
       swag_port: 3000
       swag_url: bsky.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://bsky.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -563,9 +566,6 @@ services:
       swag_port: 5000
       swag_proto: http
       swag_url: gist.trez.wtf
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://gist.trez.wtf
       swag.uptime-kuma.monitor.interval: 300
@@ -611,9 +611,6 @@ services:
       swag_address: castopod
       swag_port: 8000
       swag_url: pod.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://pod.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -673,9 +670,6 @@ services:
       swag_port: 3000
       swag_proto: http
       swag_url: convert.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://convert.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -703,9 +697,6 @@ services:
       swag_port: 3012
       swag_proto: http
       swag_url: cron.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://cron.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -788,9 +779,6 @@ services:
       swag_port: 3000
       swag_proto: http
       swag_url: csec.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://csec.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -818,9 +806,6 @@ services:
       swag_port: 8000
       swag_proto: http
       swag_url: cchef.trez.wtf
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://cchef.trez.wtf
       swag.uptime-kuma.monitor.interval: 300
@@ -847,9 +832,6 @@ services:
       swag_port: 5800
       swag_proto: http
       swag_url: czkawka.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://czkawka.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -920,9 +902,6 @@ services:
       swag_port: 3000
       swag_proto: http
       swag_url: loc.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://loc.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -1018,9 +997,6 @@ services:
       swag_port: 8080
       swag_proto: http
       swag_url: dms.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://dms.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -1078,9 +1054,6 @@ services:
       swag_port: 8200
       swag_proto: http
       swag_url: dup.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       homepage.group: Automation
       homepage.name: Duplicati
       homepage.href: https://dup.${MY_TLD}
@@ -1130,9 +1103,6 @@ services:
       swag: enable
       swag_proto: http
       swag_url: draw.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://draw.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -1186,9 +1156,6 @@ services:
       swag_proto: http
       swag_port: 8080
       swag_url: health.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://health.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -1270,9 +1237,6 @@ services:
       swag_port: 2368
       swag_proto: http
       swag_url: blog.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://blog.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -1314,9 +1278,6 @@ services:
       homepage.widget.key: ${GITEA_HOMEPAGE_API_KEY}
       swag: enable
       swag_url: git.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://git.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -1462,9 +1423,6 @@ services:
       homepage.widget.key: ${GOTIFY_HOMEPAGE_CLIENT_KEY}
       swag: enable
       swag_proto: http
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://gotify.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -1516,9 +1474,6 @@ services:
       swag_port: 9000
       swag_url: logs.${MY_TLD}
       swag_proto: http
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://logs.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -1584,9 +1539,6 @@ services:
       swag_proto: http
       swag_port: 8080
       swag_url: guac.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://guac.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -1637,9 +1589,6 @@ services:
       swag_proto: http
       swag_port: 1313
       swag_url: it-services.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://it-services.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -1684,9 +1633,6 @@ services:
       swag_proto: http
       swag_port: 2283
       swag_url: pics.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
 
         location /share {
               proxy_pass http://immich-public-proxy:3000;
@@ -1807,9 +1753,6 @@ services:
       swag_proto: http
       swag_port: 8086
       swag_url: influxdb.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://influxdb.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -1843,9 +1786,6 @@ services:
       swag_proto: http
       swag_port: 3000
       swag_url: invid.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://invid.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -2011,9 +1951,6 @@ services:
       swag: enable
       swag_proto: http
       swag_url: itt.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://itt.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -2050,9 +1987,6 @@ services:
       swag_url: jf.${MY_TLD}
       swag_port: 8096
       swag_proto: http
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://jf.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -2604,9 +2538,6 @@ services:
       swag: enable
       swag_proto: https
       swag_url: meet.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://meet.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -2688,9 +2619,6 @@ services:
       homepage.description: Open-source note taking & to-do
       swag: enable
       swag_url: notes.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://notes.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -2734,9 +2662,6 @@ services:
       swag_port: 3080
       swag_proto: http
       swag_url: ai.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://ai.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -2815,9 +2740,6 @@ services:
       homepage.widget.url: http://lidarr:8686
       homepage.widget.key: ${LIDARR_API_KEY}
       swag: enable
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://lidarr.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -2865,9 +2787,6 @@ services:
       swag_proto: http
       swag_port: 5000
       swag_url: lidify.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://lidify.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -2911,9 +2830,6 @@ services:
       swag: enable
       swag_proto: https
       swag_url: profile.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://profile.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -2942,9 +2858,6 @@ services:
       swag_proto: http
       swag_port: 17170
       swag_url: ldap.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://ldap.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -2994,9 +2907,6 @@ services:
       swag_proto: http
       swag_port: 42010
       swag_url: maloja.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://maloja.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3042,9 +2952,6 @@ services:
       swag_proto: http
       swag_port: 3214
       swag_url: 3dprint.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://3dprint.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3138,9 +3045,6 @@ services:
       swag_proto: http
       swag_port: 80
       swag_url: mastodon.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://mastodon.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3175,6 +3079,61 @@ services:
     restart: always
     volumes:
       - mastodon-pg-db:/var/lib/postgresql/data
+  maxun-backend:
+    container_name: maxun-backend
+    depends_on:
+      - maxun-pg-db
+      - minio
+    <<: *maxun-env
+    expose:
+      - 8080
+    image: getmaxun/maxun-backend:latest
+    mem_limit: 2g   # Set a 2GB memory limit
+    security_opt:
+      - seccomp=unconfined  # This might help with browser sandbox issues
+    shm_size: '2gb' # Increase shared memory size for Chromium
+    restart: unless-stopped
+    volumes:
+      - /var/run/dbus:/var/run/dbus
+  maxun-frontend:
+    container_name: maxun-frontend
+    depends_on:
+      - maxun-backend
+    <<: *maxun-env
+    image: getmaxun/maxun-frontend:latest
+    labels:
+      swag: enable
+      swag_proto: http
+      swag_port: 5173
+      swag_url: scrape.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://scrape.${MY_TLD}
+      swag.uptime-kuma.monitor.interval: 300
+      homepage.group: Personal/Professional Services
+      homepage.name: Maxun
+      homepage.href: https://scrape.${MY_TLD}
+      homepage.icon: sh-maxun.svg
+      homepage.description: No-code web data extraction platform
+    ports:
+      - 5173:5173
+    restart: unless-stopped
+  maxun-pg-db:
+    container_name: maxun-pg-db
+    image: postgres:17-alpine
+    environment:
+      POSTGRES_USER: maxun
+      POSTGRES_PASSWORD: ${MAXUN_DB_PASSWORD}
+      POSTGRES_DB: maxun
+    expose:
+      - 5432
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    restart: unless-stopped
+    volumes:
+      - maxun-pg-data:/var/lib/postgresql/data
   meilisearch:
     container_name: meilisearch
     environment:
@@ -3201,9 +3160,6 @@ services:
       swag_proto: http
       swag_port: 9090
       swag_url: s3.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://s3.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3252,9 +3208,6 @@ services:
       swag_port: 80
       swag_proto: http
       swag_url: social.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://social.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3314,9 +3267,6 @@ services:
       swag_proto: http
       swag_port: 9078
       swag_url: scrobble.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://scrobble.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3346,9 +3296,6 @@ services:
       swag_proto: http
       swag_port: 5678
       swag_url: n8n.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://n8n.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3401,9 +3348,6 @@ services:
       swag_port: 4533
       swag_proto: http
       swag_url: navi.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://navi.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3504,9 +3448,6 @@ services:
       homepage.widget.url: http://ombi:3579
       homepage.widget.key: ${OMBI_API_KEY}
       swag: enable
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://ombi.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3542,9 +3483,6 @@ services:
       homepage.icon: sh-omnitools.svg
       homepage.description: Tools for common tasks
       swag: enable
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag_url: otools.${MY_TLD}
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://otools.${MY_TLD}
@@ -3579,9 +3517,6 @@ services:
       homepage.description: Open-source language translation with LanguageTool, LibreTranslate, & Ollama
       swag: enable
       swag_url: translate.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://translate.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3613,9 +3548,6 @@ services:
       swag_proto: http
       swag_port: 8000
       swag_url: docs.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://docs.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3668,9 +3600,6 @@ services:
       swag_proto: http
       swag_port: 8085
       swag_url: pg.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
     ports:
       - "8085:8085" # Access the web interface at http://localhost:8085
     restart: unless-stopped
@@ -3715,9 +3644,6 @@ services:
       swag_proto: http
       swag_port: 9000
       swag_url: portainer.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://portainer.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3752,9 +3678,6 @@ services:
       swag_proto: http
       swag_port: 3000
       swag_url: ports.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://ports.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3812,9 +3735,6 @@ services:
       swag_port: 5000
       swag_address: postal-web
       swag_url: post.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://post.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3871,9 +3791,6 @@ services:
       homepage.widget.url: http://prowlarr:9696
       homepage.widget.key: ${PROWLARR_API_KEY}
       swag: enable
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://prowlarr.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3933,14 +3850,11 @@ services:
       homepage.widget.type: qbittorrent
       homepage.widget.url: http://qbittorrentvpn:8080
       homepage.widget.user: admin
-      homepage.widget.password: ${DELUGEVPN_PASSWORD}
+      homepage.widget.password: "${DELUGEVPN_PASSWORD}"
       swag: enable
       swag_port: 8080
       swag_proto: http
       swag_url: qbit.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://qbit.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -3989,9 +3903,6 @@ services:
       swag_port: 5000
       swag_auth: authelia
       swag_url: radarec.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://radarec.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4033,9 +3944,6 @@ services:
       homepage.widget.url: http://radarr:7878
       homepage.widget.key: ${RADARR_API_KEY}
       swag: enable
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://radarr.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4093,9 +4001,6 @@ services:
       swag_proto: http
       swag_port: 3000
       swag_url: resume.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://resume.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4138,9 +4043,6 @@ services:
       homepage.widget.url: http://readarr:8787
       homepage.widget.key: ${READARR_API_KEY}
       swag: enable
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://readarr.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4214,9 +4116,6 @@ services:
       swag_proto: http
       swag_port: 8080
       swag_url: rlib.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://rlib.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4260,9 +4159,6 @@ services:
       swag_proto: http
       swag_port: 3000
       swag_url: chat.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://chat.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4322,9 +4218,6 @@ services:
       swag: enable
       swag_proto: http
       swag_url: romm.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://romm.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4372,9 +4265,6 @@ services:
       swag: enable
       swag_proto: http
       swag_url: sabnzbd.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://sabnzbd.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4428,57 +4318,6 @@ services:
       - ${DOCKER_VOLUME_CONFIG}/sablier/state:/opt/sablier/state
       - ${DOCKER_VOLUME_CONFIG}/sablier/custom_themes:/opt/sablier/custom_themes
       - /var/run/docker.sock:/var/run/docker.sock
-  scraperr:
-    command:
-      - npm
-      - run
-      - start
-    container_name: scraperr
-    depends_on:
-      - scraperr-api
-    expose:
-      - 3000
-    image: jpyles0524/scraperr:latest
-    labels:
-      homepage.group: Personal/Professional Services
-      homepage.name: Scraperr
-      homepage.href: https://scrape.${MY_TLD}
-      homepage.icon: /icons/scraperr.png
-      homepage.description: Web scraper
-      swag: enable
-      swag_proto: http
-      swag_port: 3000
-      swag_url: scrape.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
-
-        location /api {
-              proxy_pass http://scraperr-api:8000;
-        }
-      swag.uptime-kuma.enabled: true
-      swag.uptime-kuma.monitor.url: https://scrape.${MY_TLD}
-      swag.uptime-kuma.monitor.interval: 300
-    restart: unless-stopped
-  scraperr-api:
-    container_name: scraperr-api
-    environment:
-      LOG_LEVEL: DEBUG
-      OLLAMA_URL: http://ollama:11434
-      OLLAMA_MODEL: phi3
-      MONGODB_URI: mongodb://scraperr:${SCRAPERR_MONGODB_PASSWORD}@mongodb:27017/scraperr?replicaSet=rinoa
-      REGISTRATION_ENABLED: true
-      SECRET_KEY: ${SCRAPERR_SECRET_KEY}
-      ALGORITHM: HS256
-      ACCESS_TOKEN_EXPIRE_MINUTES: 600
-      DOCKER_HOST: tcp://dockerproxy:2375
-    expose:
-      - 8000
-    image: jpyles0524/scraperr_api:latest
-    restart: unless-stopped
-    volumes:
-      - ${DOCKER_VOLUME_CONFIG}/scraperr:/project/data
-      # - /var/run/docker.sock:/var/run/docker.sock
   scrutiny:
     cap_add:
       - SYS_RAWIO
@@ -4544,9 +4383,6 @@ services:
       swag_address: searxng
       swag_proto: http
       swag_url: search.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://search.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4595,9 +4431,6 @@ services:
       swag_port: 3000
       swag_proto: http
       swag_url: devops.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://devops.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4638,9 +4471,6 @@ services:
       swag_proto: http
       swag_port: 9000
       swag_url: sqube.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://sqube.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4688,9 +4518,6 @@ services:
       homepage.widget.url: http://sonarr:8989
       homepage.widget.key: ${SONARR_API_KEY}
       swag: enable
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://sonarr.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4736,9 +4563,6 @@ services:
       swag_proto: http
       swag_port: 5000
       swag_url: sonashow.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://sonashow.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4782,9 +4606,6 @@ services:
       swag: enable
       swag_proto: http
       swag_url: speed.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://speed.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4816,9 +4637,6 @@ services:
       swag_auth: authelia
       swag_proto: http
       swag_url: sd.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://sd.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4848,9 +4666,6 @@ services:
       swag_port: 8080
       swag_proto: http
       swag_url: pdf.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://pdf.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -4947,9 +4762,6 @@ services:
       swag: enable
       swag_proto: http
       swag_url: recipes.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://recipes.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -5006,9 +4818,6 @@ services:
       swag_port: 8888
       swag_url: unmanic.${MY_TLD}
       swag_proto: http
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://unmanic.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -5059,9 +4868,6 @@ services:
       swag: enable
       swag_proto: http
       swag_url: uptime.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
     networks:
       default: null
     ports:
@@ -5104,9 +4910,6 @@ services:
       swag_proto: http
       swag_port: 8200
       swag_url: vault.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://vault.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -5157,9 +4960,6 @@ services:
       swag: enable
       swag_address: wallabag
       swag_proto: http
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://wallabag.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -5195,9 +4995,6 @@ services:
       swag: enable
       swag_proto: http
       swag_url: subs.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://subs.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -5385,9 +5182,6 @@ services:
       swag_port: 8080
       swag_proto: http
       swag_url: dbs.${MY_TLD}
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://dbs.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -5412,9 +5206,6 @@ services:
       swag_proto: http
       swag_url: ytdl.${MY_TLD}
       swag_port: 8080
-      swag_server_custom_directive: |
-        access_log /config/log/$$host_access.log ;
-        error_log /config/log/$$host_error.log ;
       swag.uptime-kuma.enabled: true
       swag.uptime-kuma.monitor.url: https://ytdl.${MY_TLD}
       swag.uptime-kuma.monitor.interval: 300
@@ -5598,6 +5389,8 @@ volumes:
     name: lldap_data
   mastodon-pg-db:
     name: mastodon-pg-db
+  maxun-pg-data:
+    name: maxun-pg-data
   mixpost-storage:
     name: mixpost-storage
   mixpost-logs: