Ansible private key fix (hopefully).

.gitea/workflows/pr-ansible-config-deployment.yaml

@@ -1,193 +0,0 @@
-name: Gitea Branch PR & Ansible Deployment
-on:
-  workflow_dispatch:
-  push:
-    branches-ignore:
-      - 'main'
-    paths:
-      - '**.j2'
-      - 'ansible/**.yml'
-jobs:
-  check-and-create-pr:
-    if: github.ref != 'refs/heads/main'
-    name: Check and Create PR
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-      - name: Cache tea CLI
-        id: cache-tea
-        uses: actions/cache@v4
-        with:
-          path: /opt/hostedtoolcache/tea/0.9.2/x64
-          key: tea-${{ runner.os }}-0.9.2
-      - name: Install tea
-        uses: supplypike/setup-bin@v4
-        with:
-          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
-          name: 'tea'
-          version: '0.9.2'
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: PR Check'
-          notification_message: 'Checking for existing PR... 🔍'
-      - name: Check if open PR exists
-        id: check-opened-pr-step
-        continue-on-error: true
-        run: |
-          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
-          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
-      - name: Create PR
-        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
-        run: |
-          tea login default gitea-rinoa
-          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
-          pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Ansible Configs.j2"
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: PR Check'
-          notification_message: 'PR Created 🎟️'
-  ansible-linting:
-    name: Docker Compose & Ansible Lints
-    needs: [check-and-create-pr]
-    runs-on: ubuntu-latest
-    env:
-      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
-      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      VAULT_NAMESPACE: ""
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Fetch base branch
-        run: |
-          git fetch origin ${{ github.event.pull_request.base.ref }}
-      - name: Cache Ansible Galaxy Collections
-        uses: actions/cache@v3
-        with:
-          path: ansible/collections
-          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
-          restore-keys: |
-            ${{ runner.os }}-ansible-
-      - name: Install Ansible
-        uses: alex-oleshkevich/setup-ansible@v1.0.1
-        with:
-          version: "11.0.0"
-      - name: Install Vault
-        uses: cpanato/vault-installer@main
-      - name: Install hvac
-        run: pip install hvac
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
-          notification_message: 'Starting Ansible dry run...'
-      - name: Ansible Playbook Dry Run
-        uses: arillso/action.playbook@0.1.0
-        with:
-          check: true
-          galaxy_collections_path: ansible/collections
-          galaxy_requirements_file: ansible/collections/requirements.yml
-          inventory: ansible/inventory/hosts.yml
-          playbook: ansible/docker_config_deploy.yml
-          private_key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
-          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-          verbose: 0
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
-          notification_message: 'Docker Compose dry run completed successfully.'
-  pr-merge:
-    name: PR Merge
-    needs: [regenerate-readme-modified-services]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Install tea
-        uses: supplypike/setup-bin@v4
-        with:
-          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
-          name: 'tea'
-          version: '0.9.2'
-      - name: PR Merge
-        id: pr_merge
-        run: |
-          tea login add --name gitea-rinoa --url ${{ secrets.RINOA_GITEA_URL }} --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
-          tea login default gitea-rinoa
-          echo "Merging PR..."
-          pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ github.ref_name }} | awk -F"," '{print $1}' | sed -e 's|"||g')
-          tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR ${pr_index} - ${{ github.ref_name }}" --message "Merged by ${{ github.actor }}" ${pr_index}
-          echo "pr_index=${pr_index}" >> $GITHUB_OUTPUT
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: PR Merge Successful'
-          notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
-  ansible-config-deploy:
-    name: Ansible Config Deployment
-    runs-on: ubuntu-latest
-    needs: [pr-merge]
-    env:
-      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
-      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      DOCKER_HOST: tcp://dockerproxy:2375
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          ref: main
-      - name: Cache Vault install
-        id: cache-vault
-        uses: actions/cache@v4
-        with:
-          path: /opt/hostedtoolcache/vault/1.18.0/x64
-          key: vault-${{ runner.os }}-1.18.0
-      - name: Install Ansible
-        uses: alex-oleshkevich/setup-ansible@v1.0.1
-        with:
-          version: "11.0.0"
-      - name: Install Vault
-        uses: cpanato/vault-installer@main
-      - name: Install hvac
-        run: pip install hvac
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
-          notification_message: 'Starting config deployment with Ansible...'
-      - name: Ansible Playbook Config Deploy
-        uses: arillso/action.playbook@0.1.0
-        with:
-          check: false
-          galaxy_collections_path: ansible/collections
-          galaxy_requirements_file: ansible/collections/requirements.yml
-          inventory: ansible/inventory/hosts.yml
-          playbook: ansible/docker_config_deploy.yml
-          private_key: ${{ secrets.RINOA_ANSIBLE_PRIVATE_KEY }}
-          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
-          notification_message: 'Deployment completed successfully.'

.gitea/workflows/pr-cloudflare-docker-deploy.yml

@@ -1,16 +1,14 @@
-name: Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment
+name: Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment
 on:
-  workflow_dispatch:
   push:
     branches-ignore:
-      - 'main'
+      - main
     paths:
-      - '**/docker-compose.yml'
-      - '**/pr-cloudflare-docker-deploy.yml'
-      - '!ansible/**.yml'
+      - '**.yaml'
+      - '**.yml'
+      - '**.j2'
 jobs:
   check-and-create-pr:
-    if: github.ref != 'refs/heads/main'
     name: Check and Create PR
     runs-on: ubuntu-latest
     steps:
@@ -30,19 +28,14 @@ jobs:
           uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
           name: 'tea'
           version: '0.9.2'
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: PR Check'
-          notification_message: 'Checking for existing PR... 🔍'
       - name: Check if open PR exists
         id: check-opened-pr-step
         continue-on-error: true
         run: |
           tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
+          tea pr list --repo ${{ github.repository }} --state all
           pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
+          echo ${pr_exists}
           echo "exists=$pr_exists" >> $GITHUB_OUTPUT
       - name: Create PR
         if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
@@ -50,103 +43,66 @@ jobs:
           tea login default gitea-rinoa
           pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
           pr_index_new=$(expr ${pr_index_old} + 1)
-          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose"
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: PR Check'
-          notification_message: 'PR Created 🎟️'
-  docker-compose-dry-run:
-    name: Docker Compose Dry Run
+          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }}
+  docker-compose-ansible-lints:
+    name: Docker Compose & Ansible Lints
     needs: [check-and-create-pr]
     runs-on: ubuntu-latest
     env:
       VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
       VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      VAULT_NAMESPACE: ""
-      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
-    outputs:
-      svc_deploy_list: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Fetch base branch
-        run: |
-          git fetch origin ${{ github.event.pull_request.base.ref }}
-      - name: Login to Gitea Container Registry
-        run: |
-          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
-      - name: Save both versions of docker-compose.yml
-        run: |
-          git show origin/main:docker-compose.yml > docker-compose-main.yml || touch docker-compose-main.yml
-          cp docker-compose.yml docker-compose-head.yml
-      - name: Detect added, deleted, and modified services
-        id: detect_services
-        run: |
-          echo "Getting services from main and ${{ github.ref_name }}"
-          yq '.services | keys | .[]' docker-compose-main.yml | sort > services_main.txt
-          yq '.services | keys | .[]' docker-compose-head.yml | sort > services_head.txt
-
-          echo "Creating list of modified services..."
-          touch service_changes.txt
-
-          comm -13 services_main.txt services_head.txt | while read service; do
-            echo "$service: added" >> service_changes.txt
-          done
-
-          comm -12 services_main.txt services_head.txt | while read service; do
-            yq ".services[\"$service\"]" docker-compose-main.yml > tmp_main.yml
-            yq ".services[\"$service\"]" docker-compose-head.yml > tmp_head.yml
-            if ! diff -q tmp_main.yml tmp_head.yml > /dev/null; then
-              echo "$service: modified" >> service_changes.txt
-            fi
-          done
-
-          echo "Detected service changes:"
-          cat service_changes.txt
-
-          svc_list=$(paste -sd '|' service_changes.txt)
-          echo "classified_services=$svc_list" >> "$GITHUB_OUTPUT"
+      - name: Cache Ansible Galaxy Collections
+        uses: actions/cache@v3
+        with:
+          path: ansible/collections
+          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
+          restore-keys: |
+            ${{ runner.os }}-ansible-
+      - name: Install Ansible
+        uses: alex-oleshkevich/setup-ansible@v1.0.1
+        with:
+          version: "11.0.0"
       - name: Install Vault
         uses: cpanato/vault-installer@main
+      - name: Install hvac
+        run: pip install hvac
+      - name: Ansible Playbook Dry Run
+        uses: dawidd6/action-ansible-playbook@v2
+        with:
+          directory: ansible/
+          playbook: docker_config_deploy.yml
+          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_SSH_KEY}}
+          options: |
+            --inventory inventory/hosts.yml
+            --check
+          requirements: collections/requirements.yml
+          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:
           gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
-          notification_message: 'Starting Docker Compose dry run...'
+          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
+          notification_message: 'Ansible dry run completed successfully.'
+      - name: Generate .env file for Docker Compose Dry Run
+        run: |
+          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
       - name: Cache .env Files
         uses: actions/cache@v4
         with:
           path: .env
           key: ${{ runner.os }}-env-${{ hashFiles('docker-compose.yml') }}
-      - name: Generate modified services list & .env file for Docker Compose Dry Run
-        id: modded_svcs
-        run: |
-          mod_svcs=$(echo "${{ steps.detect_services.outputs.classified_services }}" | sed -e 's/|//g' -e 's/: \(add\|modifi\|delet\)ed/ /g')
-          echo ${mod_svcs}
-          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
-          echo "rinoa_svcs=${mod_svcs}" >> "$GITHUB_OUTPUT"
-      - name: Testing service list output
-        run: |
-          echo ${{ steps.modded_svcs.outputs.rinoa_svcs }}
       - name: Docker Compose Dry Run
-        timeout-minutes: 360
-        continue-on-error: true
-        uses: chaplyk/docker-compose-remote-action@v1.1
+        uses: yu-ichiro/spin-up-docker-compose-action@v1
         with:
-          ssh_host: 192.168.1.254
-          ssh_port: 22
-          ssh_user: gitea-deploy
-          ssh_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
-          service: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
-          compose_file: docker-compose.yml
-          pull: false
-          build: false
-          options: -d --remove-orphans
+          file: docker-compose.yml
+          pull: true
+          pull-opts: --dry-run
+          up: true
+          up-opts: --dry-run -d --remove-orphans
         env:
           DOCKER_HOST: tcp://dockerproxy:2375
       - name: Gotify Notification
@@ -197,7 +153,7 @@ jobs:
           gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
           notification_title: 'GITEA: Cloudflare Setup @ Rinoa'
-          notification_message: 'Starting Cloudflare DNS setup...'
+          notification_message: 'Starting Cloudflare setup'
       - name: Compare Subdomains
         id: compare-subdomains
         uses: LouisBrunner/diff-action@v2.2.0
@@ -229,18 +185,28 @@ jobs:
     name: Update README & Generate List of Modified Services
     runs-on: ubuntu-latest
     needs: [cloudflare-dns-setup]
+    # outputs:
+    #   pr-pushed: ${{ steps.commit-readme.outputs.pushed }}
+    #   modified_services: ${{ steps.compare-services.outputs.modified_services }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Install yq
         uses: dcarbone/install-yq-action@v1
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: README Update'
-          notification_message: 'Updating README...'
+      # - name: Fetch main branch for comparison
+      #   run: |
+      #     git fetch origin main:main
+      # - name: Compare services using yq
+      #   continue-on-error: true
+      #   id: compare-services
+      #   run: |
+      #     current_services=$(yq '.services | to_entries' docker-compose.yml)
+      #     git show main:docker-compose.yml > main_compose.yml
+      #     main_services=$(yq '.services | to_entries' main_compose.yml)
+      #     modified_services_file=$(comm -13 <(echo "$main_services") <(echo "$current_services") > changes_compose.yml)
+      #     modified_services=${egrep '^  [a-z]' changes.yml | sed -e 's|^  ||g' -e 's|:||g' | sed ':a;N;$!ba;s/\n/ /g'}
+      #     echo "Modified services: $modified_services"
+      #     echo "modified_services=$modified_services" >> $GITHUB_OUTPUT
       - name: Generate service list
         run: |
           yq '.services | to_entries | map({"service": .key, "image": .value.image})' docker-compose.yml > services.yml
@@ -260,13 +226,6 @@ jobs:
         with:
           message: "chore: Update README"
           add: "README.md"
-      - name: Gotify Notification
-        uses: eikendev/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: README Update'
-          notification_message: 'README updated'
   pr-merge:
     name: PR Merge
     needs: [regenerate-readme-modified-services]
@@ -296,16 +255,15 @@ jobs:
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
           notification_title: 'GITEA: PR Merge Successful'
           notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.'
-  docker-compose-deploy:
-    name: Docker Compose Deployment
+  ansible-config-docker-compose-deploy:
+    name: Deploy via Ansible & Docker Compose
+    timeout-minutes: 360
     runs-on: ubuntu-latest
-    needs: [docker-compose-dry-run, pr-merge]
+    needs: [pr-merge]
     env:
       VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
       VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
       DOCKER_HOST: tcp://dockerproxy:2375
-      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
-      DOCKER_SVC_LIST: ${{ needs.docker-compose-dry-run.outputs.svc_deploy_list }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -323,35 +281,39 @@ jobs:
           version: "11.0.0"
       - name: Install Vault
         uses: cpanato/vault-installer@main
-      - name: Login to Gitea Container Registry
-        run: |
-          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
+      - name: Install hvac
+        run: pip install hvac
+      - name: Deploy Docker Configs via Ansible
+        uses: dawidd6/action-ansible-playbook@v2
+        with:
+          directory: ansible/
+          playbook: docker_config_deploy.yml
+          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_KEY}}
+          options: |
+            --inventory inventory/hosts.yml
+          requirements: collections/requirements.yml
+          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:
           gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
           gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Docker Compose Deployment @ Rinoa'
-          notification_message: 'Starting Docker Compose run...'
+          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
+          notification_message: 'Deployment completed successfully.'
       - name: Generate .env file for deployment
         run: |
            vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
-      - name: Docker Compose Dry Run
-        timeout-minutes: 360
+      - name: Docker Compose Deployment
+        # if: ${{ steps.regenerate-readme-modified-services.outputs.modified_services != '' }}
         continue-on-error: true
-        uses: chaplyk/docker-compose-remote-action@v1.1
-        env:
-          DOCKER_HOST: tcp://dockerproxy:2375
+        uses: keatonLiu/docker-compose-remote-action@v1.2
         with:
-          ssh_host: 192.168.1.254
-          ssh_port: 22
+          docker_compose_file: docker-compose.yml
+          docker_args: -d --remove-orphans --pull missing
           ssh_user: gitea-deploy
-          ssh_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
-          service: ${DOCKER_SVC_LIST}
-          compose_file: docker-compose.yml
-          pull: false
-          build: false
-          options: -d --remove-orphans
+          ssh_host: 192.168.1.254
+          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
+          ssh_private_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
       - name: Gotify Notification
         uses: eikendev/gotify-action@master
         with:

.gitea/workflows/vault-auto-unseal-flow.yml

@@ -1,28 +0,0 @@
-name: Auto-Unseal for Vault
-on:
-  schedule:
-    - cron: "30 2 * * *"
-jobs:
-  auto-unseal:
-    name: Unseal Vault
-    runs-on: ubuntu-latest
-    env:
-      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
-      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      VAULT_SHARDS: |
-        ${{ secrets.VAULT_UNSEAL_SHARDS }}
-      VAULT_NAMESPACE: ""
-    steps:
-      - name: Cache Vault install
-        id: cache-vault
-        uses: actions/cache@v4
-        with:
-          path: /opt/hostedtoolcache/vault/1.18.0/x64
-          key: vault-${{ runner.os }}-1.18.0
-      - name: Install Vault
-        uses: cpanato/vault-installer@main
-      - name: Unseal Vault
-        run: |
-          for vault_shard in $(echo ${VAULT_SHARDS}); do
-            vault operator unseal -address=${VAULT_ADDR} -non-interactive "${vault_shard}"
-          done

.gitignore

@@ -1,4 +1,3 @@
 **/.cache_ggshield
 ansible/collections/ansible_collections/
-**/.env
-**/netbird_openid-configuration.json.j2
+**/.env

README.md

@@ -6,50 +6,50 @@
 | --- | --- |
 | actual_server | docker.io/actualbudget/actual-server:latest |
 | adguard | adguard/adguardhome:latest |
-| apprise-api | lscr.io/linuxserver/apprise-api:latest |
-| archivebox | archivebox/archivebox:latest |
 | audiobookshelf | ghcr.io/advplyr/audiobookshelf:latest |
 | authelia | authelia/authelia:master |
 | authelia-pg | postgres:16-alpine |
 | bazarr | lscr.io/linuxserver/bazarr:latest |
 | beszel | henrygd/beszel:latest |
 | beszel-agent | henrygd/beszel-agent:latest |
+| bitmagnet | ghcr.io/bitmagnet-io/bitmagnet:latest |
+| bitmagnet-pg-db | postgres:17-alpine |
 | bitwarden | vaultwarden/server:latest |
-| bluesky-pds | code.modernleft.org/gravityfargo/bluesky-pds:v0.4.98 |
+| bluesky-pds | ghcr.io/bluesky-social/pds:latest |
 | browserless | ghcr.io/browserless/chromium:latest |
-| bytestash | ghcr.io/jordan-dalby/bytestash:latest |
 | castopod | castopod/castopod:latest |
+| cloudflared | cloudflare/cloudflared:latest |
 | cloudflareddns | ghcr.io/hotio/cloudflareddns:latest |
-| convertx | ghcr.io/c4illin/convertx |
 | cronicle | elestio/cronicle:latest |
 | crowdsec | crowdsecurity/crowdsec:latest |
 | crowdsec-dashboard | metabase/metabase |
-| cyber-chef | mpepping/cyberchef:latest |
 | czkawka | jlesage/czkawka |
-| dawarich-app | freikin/dawarich:latest |
-| dawarich-pg-db | postgis/postgis:17-3.5-alpine |
-| dawarich-sidekiq | freikin/dawarich:latest |
-| dead-man-hand | ghcr.io/bkupidura/dead-man-hand:latest |
+| dbgate | dbgate/dbgate:alpine |
+| delugevpn | ghcr.io/binhex/arch-delugevpn:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
-| dockflare | alplat/dockflare:stable |
+| docuseal | docuseal/docuseal:latest |
 | duplicati | lscr.io/linuxserver/duplicati:latest |
-| excalidraw | excalidraw/excalidraw:latest |
-| explo | ghcr.io/lumepart/explo:latest |
 | fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
 | flaresolverr | ghcr.io/flaresolverr/flaresolverr:latest |
-| freescout | tiredofit/freescout:latest |
 | ghost | ghost:latest |
 | gitea | gitea/gitea:1.23.1 |
 | gitea-db | postgres:14 |
+| gitea-opengist | ghcr.io/thomiceli/opengist:latest |
 | gitea-runner | gitea/act_runner:latest |
 | gitea-sonarqube-bot | justusbunsi/gitea-sonarqube-bot:v0.4.0 |
 | gluetun | qmcgaw/gluetun:latest |
 | gotify | gotify/server |
-| graylog | graylog/graylog:6.1 |
-| graylog-datanode | graylog/graylog-datanode:6.1 |
+| grafana | grafana/grafana-enterprise:latest |
+| grafana-alloy | grafana/alloy:latest |
+| grafana-loki | grafana/loki:latest |
+| grafana-mimir | grafana/mimir:latest |
+| grafana-mimir-memcached | memcached |
+| grafana-pyroscope | grafana/pyroscope:latest |
+| grafana-tempo | grafana/tempo:latest |
 | guacamole | flcontainers/guacamole:latest |
 | homepage | ghcr.io/gethomepage/homepage:latest |
-| hugo | hugomods/hugo:exts-0.145.0 |
+| hortusfox | ghcr.io/danielbrendel/hortusfox-web:latest |
+| hugo | hugomods/hugo:exts |
 | immich-server | ghcr.io/immich-app/immich-server:release |
 | immich-machine-learning | ghcr.io/immich-app/immich-machine-learning:release |
 | immich-pg-db | tensorchord/pgvecto-rs:pg14-v0.2.1 |
@@ -57,7 +57,6 @@
 | immich-power-tools | ghcr.io/varun-raj/immich-power-tools:latest |
 | influxdb2 | influxdb:2-alpine |
 | invidious | quay.io/invidious/invidious:latest |
-| invidious-sig-helper | quay.io/invidious/inv-sig-helper:latest |
 | invidious-db | docker.io/library/postgres:14 |
 | invoice-ninja | invoiceninja/invoiceninja-debian:5 |
 | invoice-ninja_proxy | nginx |
@@ -72,50 +71,42 @@
 | jitsi-web | jitsi/web:stable |
 | joplin-db | postgres:17-alpine |
 | joplin | joplin/server:latest |
-| languagetool | elestio/languagetool:latest |
-| librechat-api | ghcr.io/danny-avila/librechat-dev:latest |
-| librechat-vectordb | ankane/pgvector:latest |
-| librechat-rag-api | ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest |
-| libretranslate | libretranslate/libretranslate |
 | lidarr | lscr.io/linuxserver/lidarr:latest |
 | lidify | thewicklowwolf/lidify:latest |
-| linkstack | linkstackorg/linkstack:latest |
 | lldap | lldap/lldap:stable |
-| loggifly | ghcr.io/clemcer/loggifly:latest |
 | maloja | krateng/maloja:latest |
-| manyfold | lscr.io/linuxserver/manyfold:latest |
 | mariadb | linuxserver/mariadb |
 | mastodon | lscr.io/linuxserver/mastodon:latest |
 | mastodon-pg-db | postgres:17-alpine |
-| maxun-backend | getmaxun/maxun-backend:latest |
-| maxun-frontend | getmaxun/maxun-frontend:latest |
-| maxun-pg-db | postgres:13-alpine |
-| meilisearch | getmeili/meilisearch:v1.12.3 |
-| minio | minio/minio:RELEASE.2025-04-22T22-12-26Z |
-| mixpost | inovector/mixpost:latest |
+| minio | minio/minio |
 | mongodb | bitnami/mongodb:7.0 |
 | multi-scrobbler | foxxmd/multi-scrobbler |
 | n8n | docker.n8n.io/n8nio/n8n |
 | navidrome | deluan/navidrome:latest |
 | netalertx | jokobsk/netalertx:latest |
+| netbird-dashboard | netbirdio/dashboard:latest |
+| netbird-signal | netbirdio/signal:latest |
+| netbird-relay | netbirdio/relay:latest |
+| netbird-management | netbirdio/management:latest |
+| netbird-coturn | coturn/coturn:latest |
 | nextcloud | nextcloud/all-in-one:latest |
 | ollama | ollama/ollama |
 | ombi | lscr.io/linuxserver/ombi:latest |
-| omni-tools | iib0011/omni-tools:latest |
-| omnipoly | kweg/omnipoly:latest |
+| open-webui | ghcr.io/open-webui/open-webui:main |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
+| parseable | containers.parseable.com/parseable/parseable:latest |
 | pgbackweb | eduardolat/pgbackweb:latest |
 | pgbackweb-db | postgres:16-alpine |
 | plantuml-server | plantuml/plantuml-server:jetty |
-| portainer | portainer/portainer-ce:alpine |
-| portnote-web | haedlessdev/portnote:latest |
-| portnote-agent | haedlessdev/portnote-agent:latest |
-| portnote-pg-db | postgres:17-alpine |
+| plausible | ghcr.io/plausible/community-edition:v2.1.0 |
+| plausible_db | postgres:16-alpine |
+| plausible_events_db | clickhouse/clickhouse-server:24.3.3.102-alpine |
+| portainer | portainer/portainer-ce:alpine-sts |
+| portall | need4swede/portall:latest |
 | postal-smtp | ghcr.io/postalserver/postal:latest |
 | postal-web | ghcr.io/postalserver/postal:latest |
 | postal-worker | ghcr.io/postalserver/postal:latest |
 | prowlarr | lscr.io/linuxserver/prowlarr:latest |
-| qbittorrentvpn | ghcr.io/binhex/arch-qbittorrentvpn:latest |
 | radarec | thewicklowwolf/radarec:latest |
 | radarr | lscr.io/linuxserver/radarr:latest |
 | reactive-resume | amruthpillai/reactive-resume:latest |
@@ -124,37 +115,45 @@
 | redis | redis:alpine |
 | redlib | quay.io/redlib/redlib:latest |
 | rocketchat | registry.rocket.chat/rocketchat/rocket.chat:latest |
-| romm | rommapp/romm:latest |
 | sabnzbdvpn | ghcr.io/binhex/arch-sabnzbdvpn:latest |
-| sablier | sablierapp/sablier:latest |
+| scraperr | jpyles0524/scraperr:latest |
+| scraperr-api | jpyles0524/scraperr_api:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
 | searxng | searxng/searxng:latest |
-| semaphore | semaphoreui/semaphore:v2.12.14 |
-| signoz-init-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
-| signoz-zookeeper-1 | bitnami/zookeeper:3.7.1 |
-| signoz-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
-| signoz-app | signoz/signoz:v0.86.2 |
-| signoz-otel-collector | signoz/signoz-otel-collector:v0.111.42 |
-| signoz-schema-migrator-sync | signoz/signoz-schema-migrator:v0.111.42 |
-| signoz-schema-migrator-async | signoz/signoz-schema-migrator:v0.111.42 |
 | sonarqube | mc1arke/sonarqube-with-community-branch-plugin:lts |
 | sonarqube-pg-db | postgres:17-alpine |
 | sonarr | lscr.io/linuxserver/sonarr:latest |
 | sonashow | thewicklowwolf/sonashow:latest |
+| soularr | mrusse08/soularr:latest |
+| soulseek | slskd/slskd |
+| sourcebot | ghcr.io/sourcebot-dev/sourcebot:latest |
 | speedtest-tracker | lscr.io/linuxserver/speedtest-tracker:latest |
-| stable-diffusion-download | git.trez.wtf/trez.one/stable-diffusion-download:v9.0.0 |
-| stable-diffusion-webui | git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.1 |
-| stirling-pdf | docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest |
+| spotisub | blastbeng/spotisub:latest |
 | swag | lscr.io/linuxserver/swag:latest |
 | tandoor | vabene1111/recipes |
 | tandoor-pg | postgres:16-alpine |
+| traccar | traccar/traccar:latest |
+| traccar-pg | postgres:16-alpine |
 | unmanic | josh5/unmanic:latest |
 | uptimekuma | louislam/uptime-kuma:latest |
 | vault | hashicorp/vault:latest |
+| vector | timberio/vector:0.44.0-alpine |
 | wallabag | wallabag/wallabag |
 | wallos | bellamy/wallos:latest |
 | watchtower | ghcr.io/containrrr/watchtower:latest |
 | web-check | lissy93/web-check |
-| whodb | clidey/whodb |
+| your_spotify | lscr.io/linuxserver/your_spotify:latest |
 | youtubedl | nbr23/youtube-dl-server:latest |
+| zammad-backup | postgres: |
+| zammad-elasticsearch | bitnami/elasticsearch: |
+| zammad-init | : |
+| zammad-memcached | memcached: |
+| zammad-nginx | : |
+| zammad-postgresql | postgres: |
+| zammad-railsserver | : |
+| zammad-redis | redis: |
+| zammad-scheduler | : |
+| zammad-websocket | : |
+| zitadel | ghcr.io/zitadel/zitadel:latest |
+| zitadel-pg-db | postgres:16-alpine |
 

ansible/app-configs/AdGuardHome.yaml.j2

@@ -1,199 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-http:
-  pprof:
-    port: 6060
-    enabled: false
-  address: 0.0.0.0:8008
-  session_ttl: 720h
-users:
-  - name: admin
-    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ADGUARD_BCRYPT'] }}
-auth_attempts: 5
-block_auth_min: 15
-http_proxy: ""
-language: ""
-theme: auto
-dns:
-  bind_hosts:
-    - 0.0.0.0
-  port: 53
-  anonymize_client_ip: false
-  ratelimit: 20
-  ratelimit_subnet_len_ipv4: 24
-  ratelimit_subnet_len_ipv6: 56
-  ratelimit_whitelist: []
-  refuse_any: true
-  upstream_dns:
-    - 94.140.14.14
-    - 94.140.15.15
-    - https://dns.adguard-dns.com/dns-query
-    - tls://dns.adguard-dns.com
-    - quic://dns.adguard-dns.com
-    - 1.1.1.1
-    - 1.0.0.1
-    - 1.1.1.2
-    - 1.0.0.2
-    - 185.228.168.9
-    - 185.228.169.9
-    - 76.76.2.3
-    - tls://getdnsapi.net
-    - 185.49.141.37
-    - tls://dot.seby.io
-  upstream_dns_file: ""
-  bootstrap_dns:
-    - 9.9.9.10
-    - 149.112.112.10
-    - 2620:fe::10
-    - 2620:fe::fe:10
-  fallback_dns: []
-  upstream_mode: load_balance
-  fastest_timeout: 1s
-  allowed_clients: []
-  disallowed_clients: []
-  blocked_hosts:
-    - version.bind
-    - id.server
-    - hostname.bind
-  trusted_proxies:
-    - 127.0.0.0/8
-    - ::1/128
-  cache_size: 4194304
-  cache_ttl_min: 0
-  cache_ttl_max: 0
-  cache_optimistic: false
-  bogus_nxdomain: []
-  aaaa_disabled: false
-  enable_dnssec: false
-  edns_client_subnet:
-    custom_ip: ""
-    enabled: false
-    use_custom: false
-  max_goroutines: 300
-  handle_ddr: true
-  ipset: []
-  ipset_file: ""
-  bootstrap_prefer_ipv6: false
-  upstream_timeout: 10s
-  private_networks: []
-  use_private_ptr_resolvers: false
-  local_ptr_upstreams: []
-  use_dns64: false
-  dns64_prefixes: []
-  serve_http3: false
-  use_http3_upstreams: false
-  serve_plain_dns: true
-  hostsfile_enabled: true
-  pending_requests:
-    enabled: true
-tls:
-  enabled: true
-  server_name: ""
-  force_https: false
-  port_https: 446
-  port_dns_over_tls: 853
-  port_dns_over_quic: 853
-  port_dnscrypt: 0
-  dnscrypt_config_file: ""
-  allow_unencrypted_doh: false
-  certificate_chain: ""
-  private_key: ""
-  certificate_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
-  private_key_path: /opt/adguardhome/certs/live/trez.wtf/priv-fullchain-bundle.pem
-  strict_sni_check: false
-querylog:
-  dir_path: ""
-  ignored: []
-  interval: 2160h
-  size_memory: 1000
-  enabled: true
-  file_enabled: true
-statistics:
-  dir_path: ""
-  ignored: []
-  interval: 24h
-  enabled: true
-filters:
-  - enabled: true
-    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
-    name: AdGuard DNS filter
-    id: 1
-  - enabled: false
-    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
-    name: AdAway Default Blocklist
-    id: 2
-whitelist_filters: []
-user_rules: []
-dhcp:
-  enabled: false
-  interface_name: ""
-  local_domain_name: lan
-  dhcpv4:
-    gateway_ip: 192.168.1.1
-    subnet_mask: 255.255.255.0
-    range_start: 192.168.1.2
-    range_end: 192.168.1.240
-    lease_duration: 86400
-    icmp_timeout_msec: 1000
-    options: []
-  dhcpv6:
-    range_start: ""
-    lease_duration: 86400
-    ra_slaac_only: false
-    ra_allow_slaac: false
-filtering:
-  blocking_ipv4: ""
-  blocking_ipv6: ""
-  blocked_services:
-    schedule:
-      time_zone: America/New_York
-    ids: []
-  protection_disabled_until: null
-  safe_search:
-    enabled: false
-    bing: true
-    duckduckgo: true
-    ecosia: true
-    google: true
-    pixabay: true
-    yandex: true
-    youtube: true
-  blocking_mode: default
-  parental_block_host: family-block.dns.adguard.com
-  safebrowsing_block_host: standard-block.dns.adguard.com
-  rewrites: []
-  safe_fs_patterns:
-    - /opt/adguardhome/work/userfilters/*
-  safebrowsing_cache_size: 1048576
-  safesearch_cache_size: 1048576
-  parental_cache_size: 1048576
-  cache_time: 30
-  filters_update_interval: 24
-  blocked_response_ttl: 10
-  filtering_enabled: true
-  parental_enabled: false
-  safebrowsing_enabled: false
-  protection_enabled: true
-clients:
-  runtime_sources:
-    whois: true
-    arp: true
-    rdns: true
-    dhcp: true
-    hosts: true
-  persistent: []
-log:
-  enabled: true
-  file: ""
-  max_backups: 0
-  max_size: 100
-  max_age: 3
-  compress: false
-  local_time: false
-  verbose: false
-os:
-  group: ""
-  user: ""
-  rlimit_nofile: 0
-schema_version: 29

ansible/app-configs/apprise_apprise.yml.j2

@@ -1,6 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-urls:
-  - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
-  - mailto://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf

ansible/app-configs/authelia_configuration.yml.j2

@@ -1,172 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-# yaml-language-server: $schema=https://www.authelia.com/schemas/latest/json-schema/configuration.json
----
-theme: auto
-default_2fa_method: "totp"
-server:
-  address: '0.0.0.0:9091'
-  endpoints:
-    enable_pprof: false
-    enable_expvars: false
-  disable_healthcheck: false
-  tls:
-    key: ""
-    certificate: ""
-    client_certificates: []
-  headers:
-    csp_template: ""
-log:
-  level: debug
-telemetry:
-  metrics:
-    enabled: true
-    address: tcp://0.0.0.0:9959
-totp:
-  disable: false
-  issuer: authelia.com
-  algorithm: sha256
-  digits: 6
-  period: 30
-  skew: 1
-  secret_size: 32
-webauthn:
-  disable: false
-  timeout: 60s
-  display_name: Authelia
-  attestation_conveyance_preference: indirect
-  selection_criteria:
-    user_verification: preferred
-ntp:
-  address: "time.cloudflare.com:123"
-  version: 4
-  max_desync: 3s
-  disable_startup_check: false
-  disable_failure: false
-authentication_backend:
-  password_reset:
-    disable: false
-    custom_url: ""
-  ldap:
-    implementation: custom
-    address: ldap://lldap:3890
-    timeout: 5s
-    start_tls: false
-    base_dn: dc=trez,dc=wtf
-    additional_users_dn: ou=people
-    users_filter: "(&({username_attribute}={input})(objectClass=person))"
-    additional_groups_dn: ou=groups
-    groups_filter: "(member={dn})"
-    attributes:
-      username: uid
-      group_name: cn
-      mail: mail
-      display_name: displayName
-    user: uid=authelia,ou=people,dc=trez,dc=wtf
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
-  refresh_interval: 5m
-identity_validation:
-  reset_password:
-    jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}'
-password_policy:
-  standard:
-    enabled: true
-    min_length: 8
-    max_length: 0
-    require_uppercase: true
-    require_lowercase: true
-    require_number: true
-    require_special: false
-  zxcvbn:
-    enabled: false
-    min_score: 3
-access_control:
-  default_policy: deny
-  networks:
-    - name: 'internal'
-      networks:
-        - '172.17.0.0/16'
-        - '172.18.0.0/16'
-        - '192.168.1.0/24'
-  rules:
-    - domain_regex:
-      - '^trez.wtf$'
-      - ^www.trez.wtf$''
-      policy: bypass
-    - domain: '*.trez.wtf'
-      policy: bypass
-      networks:
-        - 'internal'
-    - domain: '*.trez.wtf'
-      policy: one_factor
-      subject:
-      - ['user:the.trezured.one']
-session:
-  name: authelia_session
-  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
-  expiration: 1h
-  inactivity: 5m
-  remember_me: 1M
-  cookies:
-    - domain: 'trez.wtf'
-      authelia_url: 'https://auth.trez.wtf'
-  redis:
-    host: redis
-    port: 6379
-storage:
-  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
-  postgres:
-    address: 'tcp://authelia-pg:5432'
-    database: authelia
-    username: authelia
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
-    timeout: '5s'
-regulation:
-  max_retries: 3
-  find_time: 2m
-  ban_time: 5m
-notifier:
-  disable_startup_check: true
-  smtp:
-    address: 'smtp://postal-smtp:25'
-    timeout: '5s'
-    username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}'
-    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}'
-    sender: "Authelia <noreply@trez.wtf>"
-    identifier: 'localhost'
-    subject: "[Authelia] {title}"
-    startup_check_address: 'test@authelia.com'
-    disable_require_tls: true
-    disable_starttls: true
-    disable_html_emails: false
-identity_providers:
-  oidc:
-    hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}'
-    jwks:
-      - key: |
-          {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
-    cors:
-      allowed_origins_from_client_redirect_uris: true
-      endpoints:
-        - 'userinfo'
-        - 'authorization'
-        - 'token'
-        - 'revocation'
-        - 'introspection'
-    clients:
-      - client_id: 'netbird'
-        client_name: 'NetBird'
-        client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
-        public: false
-        authorization_policy: 'two_factor'
-        redirect_uris:
-          - 'https://vpn.trez.wtf/peers'
-          - 'https://vpn.trez.wtf/add-peers'
-          - 'http://localhost'
-        scopes:
-          - 'openid'
-          - 'email'
-          - 'profile'
-        userinfo_signed_response_alg: 'none'
-        token_endpoint_auth_method: 'client_secret_post'

ansible/app-configs/crowdsec_local-api-credentials.yaml.j2

@@ -1,6 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-url: http://0.0.0.0:8080
-login: localhost
-password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_LOCAL_API_KEY'] }}

ansible/app-configs/ghost_config.production.json.j2

@@ -1,42 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-{
-  "url": "blog.trez.wtf",
-  "database": {
-    "client": "mysql",
-    "connection": {
-      "host"     : "mariadb",
-      "port"     : 3306,
-      "user"     : "ghost",
-      "password" : "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GHOST_DB_PASSWORD'] }}",
-      "database" : "ghost_db"
-    }
-  },
-  "mail": {
-    "from": "'Ghost @ Rinoa' <noreply@trez.wtf>",
-    "transport": "SMTP",
-    "options": {
-      "host": "postal-smtp",
-      "port": 25,
-      "secure": false,
-      "auth": {
-        "user": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}",
-        "pass": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
-      }
-    }
-  },
-  "paths": {
-    "contentPath": "content/"
-  },
-  "privacy": {
-    "useGravatar": true
-  },
-  "logging": {
-    "level": "info",
-    "rotation": {
-      "enabled": true
-    },
-    "transports": ["file"]
-  }
-}

ansible/app-configs/gitea_act-runner_config.yaml.j2

@@ -1,101 +1,101 @@
-# Example configuration file, it's safe to copy this as the default config file without any modification.
-
-# You don't have to copy this file to your instance,
-# just run `./act_runner generate-config > config.yaml` to generate a config file.
-
-log:
-  # The level of logging, can be trace, debug, info, warn, error, fatal
-  level: info
-
-runner:
-  # Where to store the registration result.
-  file: .runner
-  # Execute how many tasks concurrently at the same time.
-  capacity: 3
-  # Extra environment variables to run jobs.
-#   envs:
-#     A_TEST_ENV_NAME_1: a_test_env_value_1
-#     A_TEST_ENV_NAME_2: a_test_env_value_2
-  # Extra environment variables to run jobs from a file.
-  # It will be ignored if it's empty or the file doesn't exist.
-#   env_file: .env
-  # The timeout for a job to be finished.
-  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
-  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
-  timeout: 3h
-  # The timeout for the runner to wait for running jobs to finish when shutting down.
-  # Any running jobs that haven't finished after this timeout will be cancelled.
-  shutdown_timeout: 0s
-  # Whether skip verifying the TLS certificate of the Gitea instance.
-  insecure: false
-  # The timeout for fetching the job from the Gitea instance.
-  fetch_timeout: 5s
-  # The interval for fetching the job from the Gitea instance.
-  fetch_interval: 2s
-  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
-  # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
-  # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
-  # If it's empty when registering, it will ask for inputting labels.
-  # If it's empty when execute `daemon`, will use labels in `.runner` file.
-  labels:
-    - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
-    - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
-    - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
-
-cache:
-  # Enable cache server to use actions/cache.
-  enabled: true
-  # The directory to store the cache data.
-  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
-  dir: ""
-  # The host of the cache server.
-  # It's not for the address to listen, but the address to connect from job containers.
-  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
-  host: "192.168.1.254"
-  # The port of the cache server.
-  # 0 means to use a random available port.
-  port: 63604
-  # The external cache server URL. Valid only when enable is true.
-  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
-  # The URL should generally end with "/".
-  external_server: ""
-
-container:
-  # Specifies the network to which the container will connect.
-  # Could be host, bridge or the name of a custom network.
-  # If it's empty, act_runner will create a network automatically.
-  network: "compose_default"
-  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
-  privileged: false
-  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
-  options:
-  # The parent directory of a job's working directory.
-  # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
-  # If the path starts with '/', the '/' will be trimmed.
-  # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
-  # If it's empty, /workspace will be used.
-  workdir_parent:
-  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
-  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
-  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
-  # valid_volumes:
-  #   - data
-  #   - /src/*.json
-  # If you want to allow any volume, please use the following configuration:
-  # valid_volumes:
-  #   - '**'
-  valid_volumes: []
-  # overrides the docker client host with the specified one.
-  # If it's empty, act_runner will find an available docker host automatically.
-  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
-  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
-  docker_host: ""
-  # Pull docker image(s) even if already present
-  force_pull: false
-  # Rebuild docker image(s) even if already present
-  force_rebuild: false
-
-host:
-  # The parent directory of a job's working directory.
-  # If it's empty, $HOME/.cache/act/ will be used.
-  workdir_parent:
+# Example configuration file, it's safe to copy this as the default config file without any modification.
+
+# You don't have to copy this file to your instance,
+# just run `./act_runner generate-config > config.yaml` to generate a config file.
+
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: info
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 2
+  # Extra environment variables to run jobs.
+  envs:
+    A_TEST_ENV_NAME_1: a_test_env_value_1
+    A_TEST_ENV_NAME_2: a_test_env_value_2
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # The timeout for the runner to wait for running jobs to finish when shutting down.
+  # Any running jobs that haven't finished after this timeout will be cancelled.
+  shutdown_timeout: 0s
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+  # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `daemon`, will use labels in `.runner` file.
+  labels:
+    - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+    - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
+    - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: "192.168.1.254"
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 63604
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: "compose_default"
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
+  # If the path starts with '/', the '/' will be trimmed.
+  # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: false
+  # Rebuild docker image(s) even if already present
+  force_rebuild: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

ansible/app-configs/homepage_settings.yaml.j2

@@ -11,10 +11,10 @@ providers:
 title: Rinoa Dashboard (trez.WTF)
 headerStyle: underlined
 color: slate
-showStats: false
+showStats: true
 statusStyle: "dot"
 favicon: /icons/favicon.ico
-useEqualHeights: true
+useEqualHeights: false
 hideErrors: false
 searchDescriptions: true
 showSearchSuggestions: true
@@ -24,6 +24,7 @@ layout:
   System Administration:
     style: row
     columns: 4
+    # fiveColumns: true
   Infrastructure/App Performance Monitoring:
     style: row
     columns: 3
@@ -32,25 +33,28 @@ layout:
     columns: 3
   Social:
     style: row
-    columns: 4
+    columns: 3
   Lifestyle:
     style: row
     columns: 3
   Automation:
-    style: row
-    columns: 5
+    style: columns
+    row: 2
   Privacy/Security:
+    style: columns
+    row: 5
+  Personal Services:
     style: row
-    columns: 5
-  Personal/Professional Services:
+    columns: 4
+  Professional Services:
     style: row
-    columns: 5
+    columns: 3
   Servarr Stack:
     style: row
     columns: 3
   Downloaders:
     style: row
-    columns: 2
+    columns: 3
   Media Library:
     style: row
     columns: 3

ansible/app-configs/invidious_config.yml.j2

@@ -1,952 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-#########################################
-#
-#  Database and other external servers
-#
-#########################################
-
-##
-## Database configuration with separate parameters.
-## This setting is MANDATORY, unless 'database_url' is used.
-##
-db:
-  user: kemal
-  host: invidious-db
-  port: 5432
-  dbname: invidious
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PG_DB_PASSWORD'] }}
-
-##
-## Database configuration using a single URI. This is an
-## alternative to the 'db' parameter above. If both forms
-## are used, then only database_url is used.
-## This setting is MANDATORY, unless 'db' is used.
-##
-## Note: The 'database_url' setting allows the use of UNIX
-## sockets. To do so, remove the IP address (or FQDN) and port
-## and append the 'host' parameter. E.g:
-##   postgres://kemal:kemal@/invidious?host=/var/run/postgresql
-##
-## Accepted values: a postgres:// URI
-## Default: postgres://kemal:kemal@localhost:5432/invidious
-##
-#database_url: postgres://kemal:kemal@localhost:5432/invidious
-
-##
-## Enable automatic table integrity check. This will create
-## the required tables and columns if anything is missing.
-##
-## Accepted values: true, false
-## Default: false
-##
-check_tables: true
-
-
-##
-## Path to an external signature resolver, used to emulate
-## the Youtube client's Javascript. If no such server is
-## available, some videos will not be playable.
-##
-## When this setting is commented out, no external
-## resolver will be used.
-##
-## Accepted values: a path to a UNIX socket or "<IP>:<Port>"
-## Default: <none>
-##
-signature_server: invidious-sig-helper:12999
-
-
-#########################################
-#
-#  Server config
-#
-#########################################
-
-# -----------------------------
-#  Network (inbound)
-# -----------------------------
-
-##
-## Port to listen on for incoming connections.
-##
-## Note: Ports lower than 1024 requires either root privileges
-## (not recommended) or the "CAP_NET_BIND_SERVICE" capability
-## (See https://stackoverflow.com/a/414258 and `man capabilities`)
-##
-## Accepted values: 1-65535
-## Default: 3000
-##
-#port: 3000
-
-##
-## When the invidious instance is behind a proxy, and the proxy
-## listens on a different port than the instance does, this lets
-## invidious know about it. This is used to craft absolute URLs
-## to the instance (e.g in the API).
-##
-## Note: This setting is MANDATORY if invidious is behind a
-## reverse proxy.
-##
-## Accepted values: 1-65535
-## Default: <none>
-##
-#external_port:
-
-##
-## Interface address to listen on for incoming connections.
-##
-## Accepted values: a valid IPv4 or IPv6 address.
-## default: 0.0.0.0  (listen on all interfaces)
-##
-#host_binding: 0.0.0.0
-
-##
-## Domain name under which this instance is hosted. This is
-## used to craft absolute URLs to the instance (e.g in the API).
-## The domain MUST be defined if your instance is accessed from
-## a domain name (like 'example.com').
-##
-## Accepted values: a fully qualified domain name (FQDN)
-## Default: <none>
-##
-# domain:
-
-##
-## Tell Invidious that it is behind a proxy that provides only
-## HTTPS, so all links must use the https:// scheme. This
-## setting MUST be set to true if invidious is behind a
-## reverse proxy serving HTTPs.
-##
-## Accepted values: true, false
-## Default: false
-##
-https_only: false
-
-##
-## Enable/Disable 'Strict-Transport-Security'. Make sure that
-## the domain specified under 'domain' is served securely.
-##
-## Accepted values: true, false
-## Default: true
-##
-#hsts: true
-
-
-# -----------------------------
-#  Network (outbound)
-# -----------------------------
-
-##
-## Disable proxying server-wide. Can be disable as a whole, or
-## only for a single function.
-##
-## Accepted values: true, false, dash, livestreams, downloads, local
-## Default: false
-##
-#disable_proxy: false
-
-##
-## Size of the HTTP pool used to connect to youtube. Each
-## domain ('youtube.com', 'ytimg.com', ...) has its own pool.
-##
-## Accepted values: a positive integer
-## Default: 100
-##
-#pool_size: 100
-
-
-##
-## Additional cookies to be sent when requesting the youtube API.
-##
-## Accepted values: a string in the format "name1=value1; name2=value2..."
-## Default: <none>
-##
-#cookies:
-
-##
-## Force connection to youtube over a specific IP family.
-##
-## Note: This may sometimes resolve issues involving rate-limiting.
-## See https://github.com/ytdl-org/youtube-dl/issues/21729.
-##
-## Accepted values: ipv4, ipv6
-## Default: <none>
-##
-#force_resolve:
-
-##
-## Configuration for using a HTTP proxy
-##
-## If unset, then no HTTP proxy will be used.
-## 
-#http_proxy:
-#  user:
-#  password:
-#  host:
-#  port:
-
-
-##
-## Use Innertube's transcripts API instead of timedtext for closed captions
-##
-## Useful for larger instances as InnerTube is **not ratelimited**. See https://github.com/iv-org/invidious/issues/2567
-##
-## Subtitle experience may differ slightly on Invidious.
-##
-## Accepted values: true, false
-## Default: false
-##
-# use_innertube_for_captions: false
-
-##
-## Send Google session informations. This is useful when Invidious is blocked
-## by the message "This helps protect our community."
-## See https://github.com/iv-org/invidious/issues/4734.
-##
-## Warning: These strings gives much more identifiable information to Google!
-##
-## Accepted values: String
-## Default: <none>
-##
-po_token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PO_TOKEN'] }}
-visitor_data: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_VISITOR_DATA'] }}
-
-# -----------------------------
-#  Logging
-# -----------------------------
-
-##
-## Path to log file. Can be absolute or relative to the invidious
-## binary. This is overridden if "-o OUTPUT" or "--output=OUTPUT"
-## are passed on the command line.
-##
-## Accepted values: a filesystem path or 'STDOUT'
-## Default: STDOUT
-##
-#output: STDOUT
-
-##
-## Logging Verbosity. This is overridden if "-l LEVEL" or
-## "--log-level=LEVEL" are passed on the command line.
-##
-## Accepted values: All, Trace, Debug, Info, Warn, Error, Fatal, Off
-## Default: Info
-##
-#log_level: Info
-
-##
-## Enables colors in logs. Useful for debugging purposes
-## This is overridden if "-k" or "--colorize"
-## are passed on the command line.
-## Colors are also disabled if the environment variable
-## NO_COLOR is present and has any value
-##
-## Accepted values: true, false
-## Default: true
-##
-#colorize_logs: false
-
-# -----------------------------
-#  Features
-# -----------------------------
-
-##
-## Enable/Disable the "Popular" tab on the main page.
-##
-## Accepted values: true, false
-## Default: true
-##
-#popular_enabled: true
-
-##
-## Enable/Disable statstics (available at /api/v1/stats).
-## The following data is available:
-##   - Software name ("invidious") and version+branch (same data as
-##     displayed in the footer, e.g: "2021.05.13-75e5b49" / "master")
-##   - The value of the 'registration_enabled' config (true/false)
-##   - Number of currently registered users
-##   - Number of registered users who connected in the last month
-##   - Number of registered users who connected in the last 6 months
-##   - Timestamp of the last server restart
-##   - Timestamp of the last "Channel Refresh" job execution
-##
-## Warning: This setting MUST be set to true if you plan to run
-## a public instance. It is used by api.invidious.io to refresh
-## your instance's status.
-##
-## Accepted values: true, false
-## Default: false
-##
-#statistics_enabled: false
-
-
-# -----------------------------
-#  Users and accounts
-# -----------------------------
-
-##
-## Allow/Forbid Invidious (local) account creation. Invidious
-## accounts allow users to subscribe to channels and to create
-## playlists without a Google account.
-##
-## Accepted values: true, false
-## Default: true
-##
-#registration_enabled: true
-
-##
-## Allow/Forbid users to log-in.
-##
-## Accepted values: true, false
-## Default: true
-##
-#login_enabled: true
-
-##
-## Enable/Disable the captcha challenge on the login page.
-##
-## Note: this is a basic captcha challenge that doesn't
-## depend on any third parties.
-##
-## Accepted values: true, false
-## Default: true
-##
-#captcha_enabled: true
-
-##
-## List of usernames that will be granted administrator rights.
-## A user with administrator rights will be able to change the
-## server configuration options listed below in /preferences,
-## in addition to the usual user preferences.
-##
-## Server-wide settings:
-##   - popular_enabled
-##   - captcha_enabled
-##   - login_enabled
-##   - registration_enabled
-##   - statistics_enabled
-## Default user preferences:
-##   - default_home
-##   - feed_menu
-##
-## Accepted values: an array of strings
-## Default: [""]
-##
-#admins: [""]
-
-##
-## Enable/Disable the user notifications for all users
-##
-## Note: On large instances, it is recommended to set this option to 'false'
-## in order to reduce the amount of data written to the database, and hence
-## improve the overall performance of the instance.
-##
-## Accepted values: true, false
-## Default: true
-##
-#enable_user_notifications: true
-
-# -----------------------------
-#  Background jobs
-# -----------------------------
-
-##
-## Number of threads to use when crawling channel videos (during
-## subscriptions update).
-##
-## Notes: This setting is overridden if either "-c THREADS" or
-## "--channel-threads=THREADS" is passed on the command line.
-##
-## Accepted values: a positive integer
-## Default: 1
-##
-channel_threads: 1
-
-##
-## Time interval between two executions of the job that crawls
-## channel videos (subscriptions update).
-##
-## Accepted values: a valid time interval (like 1h30m or 90m)
-## Default: 30m
-##
-#channel_refresh_interval: 30m
-
-##
-## Forcefully dump and re-download the entire list of uploaded
-## videos when crawling channel (during subscriptions update).
-##
-## Accepted values: true, false
-## Default: false
-##
-full_refresh: false
-
-##
-## Number of threads to use when updating RSS feeds.
-##
-## Notes: This setting is overridden if either "-f THREADS" or
-## "--feed-threads=THREADS" is passed on the command line.
-##
-## Accepted values: a positive integer
-## Default: 1
-##
-feed_threads: 1
-
-
-jobs:
-
-  ## Options for the database cleaning job
-  clear_expired_items:
-
-    ## Enable/Disable job
-    ##
-    ## Accepted values: true, false
-    ## Default: true
-    ##
-    enable: true
-
-  ## Options for the channels updater job
-  refresh_channels:
-
-    ## Enable/Disable job
-    ##
-    ## Accepted values: true, false
-    ## Default: true
-    ##
-    enable: true
-
-  ## Options for the RSS feeds updater job
-  refresh_feeds:
-
-    ## Enable/Disable job
-    ##
-    ## Accepted values: true, false
-    ## Default: true
-    ##
-    enable: true
-
-
-# -----------------------------
-#  Miscellaneous
-# -----------------------------
-
-##
-## custom banner displayed at the top of every page. This can
-## used for instance announcements, e.g.
-##
-## Accepted values: any string. HTML is accepted.
-## Default: <none>
-##
-#banner:
-
-##
-## Subscribe to channels using PubSubHub (Google PubSubHubbub service).
-## PubSubHub allows Invidious to be instantly notified when a new video
-## is published on any subscribed channels. When PubSubHub is not used,
-## Invidious will check for new videos every minute.
-##
-## Note: This setting is recommended for public instances.
-##
-## Note 2:
-##  - Requires a public instance (it uses /feed/webhook/v1)
-##  - Requires 'domain' and 'hmac_key' to be set.
-##  - Setting this parameter to any number greater than zero will
-##    enable channel subscriptions via PubSubHub, but will limit the
-##    amount of concurrent subscriptions.
-##
-## Accepted values: true, false, a positive integer
-## Default: false
-##
-#use_pubsub_feeds: false
-
-##
-## HMAC signing key used for CSRF tokens, cookies and pubsub
-## subscriptions verification.
-##
-## Note: This parameter is mandatory and should be a random string.
-## Such random string can be generated on linux with the following
-## command: `pwgen 20 1`
-##
-## Accepted values: a string
-## Default: <none>
-##
-hmac_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_HMAC_KEY'] }}
-
-##
-## List of video IDs where the "download" widget must be
-## disabled, in order to comply with DMCA requests.
-##
-## Accepted values: an array of string
-## Default: <none>
-##
-#dmca_content:
-
-##
-## Cache video annotations in the database.
-##
-## Warning: empty annotations or annotations that only contain
-## cards won't be cached.
-##
-## Accepted values: true, false
-## Default: false
-##
-#cache_annotations: false
-
-##
-## Source code URL. If your instance is running a modified source
-## code, you MUST publish it somewhere and set this option.
-##
-## Accepted values: a string
-## Default: <none>
-##
-#modified_source_code_url: ""
-
-##
-## Maximum custom playlist length limit.
-##
-## Accepted values: Integer
-## Default: 500
-##
-#playlist_length_limit: 500
-
-#########################################
-#
-#  Default user preferences
-#
-#########################################
-
-##
-## NOTE: All the settings below define the default user
-## preferences. They will apply to ALL users connecting
-## without a preferences cookie (so either on the first
-## connection to the instance or after clearing the
-## browser's cookies).
-##
-
-default_user_preferences:
-
-  # -----------------------------
-  #  Internationalization
-  # -----------------------------
-
-  ##
-  ## Default user interface language (locale).
-  ##
-  ## Note: When hosting a public instance, overriding the
-  ## default (english) is not recommended, as it may
-  ## people using other languages.
-  ##
-  ## Accepted values:
-  ##   ar      (Arabic)
-  ##   da      (Danish)
-  ##   de      (German)
-  ##   en-US   (english, US)
-  ##   el      (Greek)
-  ##   eo      (Esperanto)
-  ##   es      (Spanish)
-  ##   fa      (Persian)
-  ##   fi      (Finnish)
-  ##   fr      (French)
-  ##   he      (Hebrew)
-  ##   hr      (Hungarian)
-  ##   id      (Indonesian)
-  ##   is      (Icelandic)
-  ##   it      (Italian)
-  ##   ja      (Japanese)
-  ##   nb-NO   (Norwegian, Bokmål)
-  ##   nl      (Dutch)
-  ##   pl      (Polish)
-  ##   pt-BR   (Portuguese, Brazil)
-  ##   pt-PT   (Portuguese, Portugal)
-  ##   ro      (Romanian)
-  ##   ru      (Russian)
-  ##   sv      (Swedish)
-  ##   tr      (Turkish)
-  ##   uk      (Ukrainian)
-  ##   zh-CN   (Chinese, China)  (a.k.a "Simplified Chinese")
-  ##   zh-TW   (Chinese, Taiwan) (a.k.a "Traditional Chinese")
-  ##
-  ## Default: en-US
-  ##
-  #locale: en-US
-
-  ##
-  ## Default geographical location for content.
-  ##
-  ## Accepted values:
-  ##   AE, AR, AT, AU, AZ, BA, BD, BE, BG, BH, BO, BR, BY, CA, CH, CL, CO, CR,
-  ##   CY, CZ, DE, DK, DO, DZ, EC, EE, EG, ES, FI, FR, GB, GE, GH, GR, GT, HK,
-  ##   HN, HR, HU, ID, IE, IL, IN, IQ, IS, IT, JM, JO, JP, KE, KR, KW, KZ, LB,
-  ##   LI, LK, LT, LU, LV, LY, MA, ME, MK, MT, MX, MY, NG, NI, NL, NO, NP, NZ,
-  ##   OM, PA, PE, PG, PH, PK, PL, PR, PT, PY, QA, RO, RS, RU, SA, SE, SG, SI,
-  ##   SK, SN, SV, TH, TN, TR, TW, TZ, UA, UG, US, UY, VE, VN, YE, ZA, ZW
-  ##
-  ## Default: US
-  ##
-  #region: US
-
-  ##
-  ## Top 3 preferred languages for video captions.
-  ##
-  ## Note: overriding the default (no preferred
-  ## caption language) is not recommended, in order
-  ## to not penalize people using other languages.
-  ##
-  ## Accepted values: a three-entries array.
-  ## Each entry can be one of:
-  ##   "English", "English (auto-generated)",
-  ##   "Afrikaans", "Albanian", "Amharic", "Arabic",
-  ##   "Armenian", "Azerbaijani", "Bangla", "Basque",
-  ##   "Belarusian", "Bosnian", "Bulgarian", "Burmese",
-  ##   "Catalan", "Cebuano", "Chinese (Simplified)",
-  ##   "Chinese (Traditional)", "Corsican", "Croatian",
-  ##   "Czech", "Danish", "Dutch", "Esperanto", "Estonian",
-  ##   "Filipino", "Finnish", "French", "Galician", "Georgian",
-  ##   "German", "Greek", "Gujarati", "Haitian Creole", "Hausa",
-  ##   "Hawaiian", "Hebrew", "Hindi", "Hmong", "Hungarian",
-  ##   "Icelandic", "Igbo", "Indonesian", "Irish", "Italian",
-  ##   "Japanese", "Javanese", "Kannada", "Kazakh", "Khmer",
-  ##   "Korean", "Kurdish", "Kyrgyz", "Lao", "Latin", "Latvian",
-  ##   "Lithuanian", "Luxembourgish", "Macedonian",
-  ##   "Malagasy", "Malay", "Malayalam", "Maltese", "Maori",
-  ##   "Marathi", "Mongolian", "Nepali", "Norwegian Bokmål",
-  ##   "Nyanja", "Pashto", "Persian", "Polish", "Portuguese",
-  ##   "Punjabi", "Romanian", "Russian", "Samoan",
-  ##   "Scottish Gaelic", "Serbian", "Shona", "Sindhi",
-  ##   "Sinhala", "Slovak", "Slovenian", "Somali",
-  ##   "Southern Sotho", "Spanish", "Spanish (Latin America)",
-  ##   "Sundanese",  "Swahili", "Swedish", "Tajik", "Tamil",
-  ##   "Telugu", "Thai", "Turkish", "Ukrainian", "Urdu",
-  ##   "Uzbek", "Vietnamese", "Welsh", "Western Frisian",
-  ##   "Xhosa", "Yiddish", "Yoruba", "Zulu"
-  ##
-  ## Default: ["", "", ""]
-  ##
-  #captions: ["", "", ""]
-
-
-  # -----------------------------
-  #  Interface
-  # -----------------------------
-
-  ##
-  ## Enable/Disable dark mode.
-  ##
-  ## Accepted values: "dark", "light", "auto"
-  ## Default: "auto"
-  ##
-  #dark_mode: "auto"
-
-  ##
-  ## Enable/Disable thin mode (no video thumbnails).
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #thin_mode: false
-
-  ##
-  ## List of feeds available on the home page.
-  ##
-  ## Note: "Subscriptions" and "Playlists" are only visible
-  ## when the user is logged in.
-  ##
-  ## Accepted values: A list of strings
-  ## Each entry can be one of: "Popular", "Trending",
-  ##    "Subscriptions", "Playlists"
-  ##
-  ## Default: ["Popular", "Trending", "Subscriptions", "Playlists"]  (show all feeds)
-  ##
-  #feed_menu: ["Popular", "Trending", "Subscriptions", "Playlists"]
-
-  ##
-  ## Default feed to display on the home page.
-  ##
-  ## Note: setting this option to "Popular" has no
-  ## effect when 'popular_enabled' is set to false.
-  ##
-  ## Accepted values: Popular, Trending, Subscriptions, Playlists, <none>
-  ## Default: Popular
-  ##
-  #default_home: Popular
-
-  ##
-  ## Default number of results to display per page.
-  ##
-  ## Note: this affects invidious-generated pages only, such
-  ## as watch history and subscription feeds. Playlists, search
-  ## results and channel videos depend on the data returned by
-  ## the Youtube API.
-  ##
-  ## Accepted values: any positive integer
-  ## Default: 40
-  ##
-  #max_results: 40
-
-  ##
-  ## Show/hide annotations.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #annotations: false
-
-  ##
-  ## Show/hide annotation.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #annotations_subscribed: false
-
-  ##
-  ## Type of comments to display below video.
-  ##
-  ## Accepted values: a two-entries array.
-  ## Each entry can be one of: "youtube", "reddit", ""
-  ##
-  ## Default: ["youtube", ""]
-  ##
-  #comments: ["youtube", ""]
-
-  ##
-  ## Default player style.
-  ##
-  ## Accepted values: invidious, youtube
-  ## Default: invidious
-  ##
-  #player_style: invidious
-
-  ##
-  ## Show/Hide the "related videos" sidebar when
-  ## watching a video.
-  ##
-  ## Accepted values: true, false
-  ## Default: true
-  ##
-  #related_videos: true
-
-
-  # -----------------------------
-  #  Video player behavior
-  # -----------------------------
-
-  ##
-  ## This option controls the value of the HTML5 <video> element's
-  ## "preload" attribute.
-  ##
-  ## If set to 'false', no video data will be loaded until the user
-  ## explicitly starts the video by clicking the "Play" button.
-  ## If set to 'true', the web browser will buffer some video data
-  ## while the page is loading.
-  ##
-  ## See: https://www.w3schools.com/tags/att_video_preload.asp
-  ##
-  ## Accepted values: true, false
-  ## Default: true
-  ##
-  #preload: true
-
-  ##
-  ## Automatically play videos on page load.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #autoplay: false
-
-  ##
-  ## Automatically load the "next" video (either next in
-  ## playlist or proposed) when the current video ends.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #continue: false
-
-  ##
-  ## Autoplay next video by default.
-  ##
-  ## Note: Only effective if 'continue' is set to true.
-  ##
-  ## Accepted values: true, false
-  ## Default: true
-  ##
-  #continue_autoplay: true
-
-  ##
-  ## Play videos in Audio-only mode by default.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #listen: false
-
-  ##
-  ## Loop videos automatically.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #video_loop: false
-
-
-  # -----------------------------
-  #  Video playback settings
-  # -----------------------------
-
-  ##
-  ## Default video quality.
-  ##
-  ## Accepted values: dash, hd720, medium, small
-  ## Default: hd720
-  ##
-  #quality: hd720
-
-  ##
-  ## Default dash video quality.
-  ##
-  ## Note: this setting only takes effet if the
-  ## 'quality' parameter is set to "dash".
-  ##
-  ## Accepted values:
-  ##    auto, best, 4320p, 2160p, 1440p, 1080p,
-  ##    720p, 480p, 360p, 240p, 144p, worst
-  ## Default: auto
-  ##
-  #quality_dash: auto
-
-  ##
-  ## Default video playback speed.
-  ##
-  ## Accepted values: 0.25, 0.5, 0.75, 1.0, 1.25, 1.5, 1.75, 2.0
-  ## Default: 1.0
-  ##
-  #speed: 1.0
-
-  ##
-  ## Default volume.
-  ##
-  ## Accepted values: 0-100
-  ## Default: 100
-  ##
-  #volume: 100
-
-  ##
-  ## Allow 360° videos to be played.
-  ##
-  ## Note: This feature requires a WebGL-enabled browser.
-  ##
-  ## Accepted values: true, false
-  ## Default: true
-  ##
-  #vr_mode: true
-  
-  ##
-  ## Save the playback position
-  ## Allow to continue watching at the previous position when
-  ## watching the same video.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #save_player_pos: false
-
-  # -----------------------------
-  #  Subscription feed
-  # -----------------------------
-
-  ##
-  ## In the "Subscription" feed, only show the latest video
-  ## of each channel the user is subscribed to.
-  ##
-  ## Note: when combined with 'unseen_only', the latest unseen
-  ## video of each channel will be displayed instead of the
-  ## latest by date.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #latest_only: false
-
-  ##
-  ## Enable/Disable user subscriptions desktop notifications.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #notifications_only: false
-
-  ##
-  ## In the "Subscription" feed, Only show the videos that the
-  ## user haven't watched yet (i.e which are not in their watch
-  ## history).
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #unseen_only: false
-
-  ##
-  ## Default sorting parameter for subscription feeds.
-  ##
-  ## Accepted values:
-  ##   'alphabetically'
-  ##   'alphabetically - reverse'
-  ##   'channel name'
-  ##   'channel name - reverse'
-  ##   'published'
-  ##   'published - reverse'
-  ##
-  ## Default: published
-  ##
-  #sort: published
-
-
-  # -----------------------------
-  #  Miscellaneous
-  # -----------------------------
-
-  ##
-  ## Proxy videos through instance by default.
-  ##
-  ## Warning: As most users won't change this setting in their
-  ## preferences, defaulting  to true will significantly
-  ## increase the instance's network usage, so make sure that
-  ## your server's connection can handle it.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #local: false
-
-  ##
-  ## Show the connected user's nick at the top right.
-  ##
-  ## Accepted values: true, false
-  ## Default: true
-  ##
-  #show_nick: true
-
-  ##
-  ## Automatically redirect to a random instance when the user uses
-  ## any "switch invidious instance" link (For videos, it's the plane
-  ## icon, next to "watch on youtube" and "listen"). When set to false,
-  ## the user is sent to https://redirect.invidious.io instead, where
-  ## they can manually select an instance.
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #automatic_instance_redirect: false
-
-  ##
-  ## Show the entire video description by default (when set to 'false',
-  ## only the first few lines of the description are shown and a
-  ## "show more" button allows to expand it).
-  ##
-  ## Accepted values: true, false
-  ## Default: false
-  ##
-  #extend_desc: false

ansible/app-configs/invoice-ninja_invoice-ninja.env.j2

@@ -2,8 +2,8 @@
 {% set secrets_path = 'rinoa-docker/env' %}
 
 # IN application vars
-IN_APP_URL=https://biz.trez.wtf
-IN_APP_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_APP_KEY'] }}
+IN_APP_URL=http://in.localhost:8003
+IN_APP_KEY=<insert your generated key in here>
 IN_APP_DEBUG=true
 IN_REQUIRE_HTTPS=false
 IN_PHANTOMJS_PDF_GENERATION=false
@@ -14,11 +14,11 @@ IN_TRUSTED_PROXIES='*'
 IN_QUEUE_CONNECTION=database
 
 # DB connection
-IN_DB_HOST=mariadb
+IN_DB_HOST=db
 IN_DB_PORT=3306
-IN_DB_DATABASE=invoice_ninja
-IN_DB_USERNAME=ininja
-IN_DB_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_MYSQL_PASSWORD'] }}
+IN_DB_DATABASE=ninja
+IN_DB_USERNAME=ninja
+IN_DB_PASSWORD=ninja
 
 # Create initial user
 # Default to these values if empty
@@ -29,13 +29,13 @@ IN_PASSWORD=
 
 # Mail options
 IN_MAIL_MAILER=log
-IN_MAIL_HOST=postal-smtp
-IN_MAIL_PORT=25
-IN_MAIL_USERNAME={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
-IN_MAIL_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+IN_MAIL_HOST=smtp.mailtrap.io
+IN_MAIL_PORT=2525
+IN_MAIL_USERNAME=null
+IN_MAIL_PASSWORD=null
 IN_MAIL_ENCRYPTION=null
-IN_MAIL_FROM_ADDRESS='noreply@trez.wtf'
-IN_MAIL_FROM_NAME='Treasured IT'
+IN_MAIL_FROM_ADDRESS='user@example.com'
+IN_MAIL_FROM_NAME='Self Hosted User'
 
 # MySQL
 IN_MYSQL_ROOT_PASSWORD=ninjaAdm1nPassword

ansible/app-configs/librechat_librechat.env.j2

@@ -1,550 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-#=====================================================================#
-#                       LibreChat Configuration                       #
-#=====================================================================#
-# Please refer to the reference documentation for assistance          #
-# with configuring your LibreChat environment.                        #
-#                                                                     #
-# https://www.librechat.ai/docs/configuration/dotenv                  #
-#=====================================================================#
-
-#==================================================#
-#               Server Configuration               #
-#==================================================#
-
-HOST=localhost
-PORT=3080
-
-MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
-
-DOMAIN_CLIENT=https://ai.trez.wtf
-DOMAIN_SERVER=https://ai.trez.wtf
-
-NO_INDEX=true
-# Use the address that is at most n number of hops away from the Express application.
-# req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
-# A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
-# Defaulted to 1.
-TRUST_PROXY=1
-
-#===============#
-# JSON Logging  #
-#===============#
-
-# Use when process console logs in cloud deployment like GCP/AWS
-CONSOLE_JSON=true
-
-#===============#
-# Debug Logging #
-#===============#
-
-DEBUG_LOGGING=true
-DEBUG_CONSOLE=false
-
-#=============#
-# Permissions #
-#=============#
-
-# UID=1000
-# GID=1000
-
-#===============#
-# Configuration #
-#===============#
-# Use an absolute path, a relative path, or a URL
-
-# CONFIG_PATH="/alternative/path/to/librechat.yaml"
-
-#===================================================#
-#                     Endpoints                     #
-#===================================================#
-
-# ENDPOINTS=openAI,assistants,azureOpenAI,google,gptPlugins,anthropic
-
-PROXY=
-
-#===================================#
-# Known Endpoints - librechat.yaml  #
-#===================================#
-# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints
-
-# ANYSCALE_API_KEY=
-# APIPIE_API_KEY=
-# COHERE_API_KEY=
-DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
-# DATABRICKS_API_KEY=
-# FIREWORKS_API_KEY=
-# GROQ_API_KEY=
-# HUGGINGFACE_TOKEN=
-MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
-# OPENROUTER_KEY=
-# PERPLEXITY_API_KEY=
-# SHUTTLEAI_API_KEY=
-# TOGETHERAI_API_KEY=
-# UNIFY_API_KEY=
-# XAI_API_KEY=
-
-#============#
-# Anthropic  #
-#============#
-
-ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
-ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
-# ANTHROPIC_REVERSE_PROXY=
-
-#============#
-# Azure      #
-#============#
-
-# Note: these variables are DEPRECATED
-# Use the `librechat.yaml` configuration for `azureOpenAI` instead
-# You may also continue to use them if you opt out of using the `librechat.yaml` configuration
-
-# AZURE_OPENAI_DEFAULT_MODEL=gpt-3.5-turbo # Deprecated
-# AZURE_OPENAI_MODELS=gpt-3.5-turbo,gpt-4 # Deprecated
-# AZURE_USE_MODEL_AS_DEPLOYMENT_NAME=TRUE # Deprecated
-# AZURE_API_KEY= # Deprecated
-# AZURE_OPENAI_API_INSTANCE_NAME= # Deprecated
-# AZURE_OPENAI_API_DEPLOYMENT_NAME= # Deprecated
-# AZURE_OPENAI_API_VERSION= # Deprecated
-# AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME= # Deprecated
-# AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME= # Deprecated
-# PLUGINS_USE_AZURE="true" # Deprecated
-
-#=================#
-#   AWS Bedrock   #
-#=================#
-
-# BEDROCK_AWS_DEFAULT_REGION=us-east-1 # A default region must be provided
-# BEDROCK_AWS_ACCESS_KEY_ID=someAccessKey
-# BEDROCK_AWS_SECRET_ACCESS_KEY=someSecretAccessKey
-# BEDROCK_AWS_SESSION_TOKEN=someSessionToken
-
-# Note: This example list is not meant to be exhaustive. If omitted, all known, supported model IDs will be included for you.
-# BEDROCK_AWS_MODELS=anthropic.claude-3-5-sonnet-20240620-v1:0,meta.llama3-1-8b-instruct-v1:0
-
-# See all Bedrock model IDs here: https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html#model-ids-arns
-
-# Notes on specific models:
-# The following models are not support due to not supporting streaming:
-# ai21.j2-mid-v1
-
-# The following models are not support due to not supporting conversation history:
-# ai21.j2-ultra-v1, cohere.command-text-v14, cohere.command-light-text-v14
-
-#============#
-# Google     #
-#============#
-
-{# GOOGLE_KEY=user_provided #}
-
-# GOOGLE_REVERSE_PROXY=
-# Some reverse proxies do not support the X-goog-api-key header, uncomment to pass the API key in Authorization header instead.
-# GOOGLE_AUTH_HEADER=true
-
-# Gemini API (AI Studio)
-# GOOGLE_MODELS=gemini-2.0-flash-exp,gemini-2.0-flash-thinking-exp-1219,gemini-exp-1121,gemini-exp-1114,gemini-1.5-flash-latest,gemini-1.0-pro,gemini-1.0-pro-001,gemini-1.0-pro-latest,gemini-1.0-pro-vision-latest,gemini-1.5-pro-latest,gemini-pro,gemini-pro-vision
-
-# Vertex AI
-# GOOGLE_MODELS=gemini-1.5-flash-preview-0514,gemini-1.5-pro-preview-0514,gemini-1.0-pro-vision-001,gemini-1.0-pro-002,gemini-1.0-pro-001,gemini-pro-vision,gemini-1.0-pro
-
-# GOOGLE_TITLE_MODEL=gemini-pro
-
-# GOOGLE_LOC=us-central1
-
-# Google Safety Settings
-# NOTE: These settings apply to both Vertex AI and Gemini API (AI Studio)
-#
-# For Vertex AI:
-# To use the BLOCK_NONE setting, you need either:
-# (a) Access through an allowlist via your Google account team, or
-# (b) Switch to monthly invoiced billing: https://cloud.google.com/billing/docs/how-to/invoiced-billing
-#
-# For Gemini API (AI Studio):
-# BLOCK_NONE is available by default, no special account requirements.
-#
-# Available options: BLOCK_NONE, BLOCK_ONLY_HIGH, BLOCK_MEDIUM_AND_ABOVE, BLOCK_LOW_AND_ABOVE
-#
-# GOOGLE_SAFETY_SEXUALLY_EXPLICIT=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_HATE_SPEECH=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_HARASSMENT=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_DANGEROUS_CONTENT=BLOCK_ONLY_HIGH
-# GOOGLE_SAFETY_CIVIC_INTEGRITY=BLOCK_ONLY_HIGH
-
-#============#
-# OpenAI     #
-#============#
-
-OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
-OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
-
-DEBUG_OPENAI=false
-
-# TITLE_CONVO=false
-# OPENAI_TITLE_MODEL=gpt-4o-mini
-
-# OPENAI_SUMMARIZE=true
-# OPENAI_SUMMARY_MODEL=gpt-4o-mini
-
-# OPENAI_FORCE_PROMPT=true
-
-# OPENAI_REVERSE_PROXY=
-
-# OPENAI_ORGANIZATION=
-
-#====================#
-#   Assistants API   #
-#====================#
-
-# ASSISTANTS_API_KEY=user_provided
-# ASSISTANTS_BASE_URL=
-# ASSISTANTS_MODELS=gpt-4o,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-16k-0613,gpt-3.5-turbo-16k,gpt-3.5-turbo,gpt-4,gpt-4-0314,gpt-4-32k-0314,gpt-4-0613,gpt-3.5-turbo-0613,gpt-3.5-turbo-1106,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview
-
-#==========================#
-#   Azure Assistants API   #
-#==========================#
-
-# Note: You should map your credentials with custom variables according to your Azure OpenAI Configuration
-# The models for Azure Assistants are also determined by your Azure OpenAI configuration.
-
-# More info, including how to enable use of Assistants with Azure here:
-# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints/azure#using-assistants-with-azure
-
-#============#
-# OpenRouter #
-#============#
-# !!!Warning: Use the variable above instead of this one. Using this one will override the OpenAI endpoint
-# OPENROUTER_API_KEY=
-
-#============#
-# Plugins    #
-#============#
-
-# PLUGIN_MODELS=gpt-4o,gpt-4o-mini,gpt-4,gpt-4-turbo-preview,gpt-4-0125-preview,gpt-4-1106-preview,gpt-4-0613,gpt-3.5-turbo,gpt-3.5-turbo-0125,gpt-3.5-turbo-1106,gpt-3.5-turbo-0613
-
-# DEBUG_PLUGINS=
-
-CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
-CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
-
-# Azure AI Search
-#-----------------
-# AZURE_AI_SEARCH_SERVICE_ENDPOINT=
-# AZURE_AI_SEARCH_INDEX_NAME=
-# AZURE_AI_SEARCH_API_KEY=
-
-# AZURE_AI_SEARCH_API_VERSION=
-# AZURE_AI_SEARCH_SEARCH_OPTION_QUERY_TYPE=
-# AZURE_AI_SEARCH_SEARCH_OPTION_TOP=
-# AZURE_AI_SEARCH_SEARCH_OPTION_SELECT=
-
-# DALL·E
-#----------------
-# DALLE_API_KEY=
-# DALLE3_API_KEY=
-# DALLE2_API_KEY=
-# DALLE3_SYSTEM_PROMPT=
-# DALLE2_SYSTEM_PROMPT=
-# DALLE_REVERSE_PROXY=
-# DALLE3_BASEURL=
-# DALLE2_BASEURL=
-
-# DALL·E (via Azure OpenAI)
-# Note: requires some of the variables above to be set
-#----------------
-# DALLE3_AZURE_API_VERSION=
-# DALLE2_AZURE_API_VERSION=
-
-
-# Google
-#-----------------
-GOOGLE_SEARCH_API_KEY=
-GOOGLE_CSE_ID=
-
-# YOUTUBE
-#-----------------
-YOUTUBE_API_KEY=
-
-# SerpAPI
-#-----------------
-SERPAPI_API_KEY=
-
-# Stable Diffusion
-#-----------------
-SD_WEBUI_URL=http://stable-diffusion-webui:7860
-
-# Tavily
-#-----------------
-TAVILY_API_KEY=
-
-# Traversaal
-#-----------------
-TRAVERSAAL_API_KEY=
-
-# WolframAlpha
-#-----------------
-WOLFRAM_APP_ID=
-
-# Zapier
-#-----------------
-ZAPIER_NLA_API_KEY=
-
-#==================================================#
-#                      Search                      #
-#==================================================#
-
-SEARCH=true
-MEILI_NO_ANALYTICS=true
-MEILI_HOST=http://meilisearch:7700
-MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
-
-# Optional: Disable indexing, useful in a multi-node setup
-# where only one instance should perform an index sync.
-# MEILI_NO_SYNC=true
-
-#==================================================#
-#          Speech to Text & Text to Speech         #
-#==================================================#
-
-STT_API_KEY=
-TTS_API_KEY=
-
-#==================================================#
-#                        RAG                       #
-#==================================================#
-# More info: https://www.librechat.ai/docs/configuration/rag_api
-
-# RAG_OPENAI_BASEURL=
-# RAG_OPENAI_API_KEY=
-# RAG_USE_FULL_CONTEXT=
-# EMBEDDINGS_PROVIDER=openai
-# EMBEDDINGS_MODEL=text-embedding-3-small
-
-#===================================================#
-#                    User System                    #
-#===================================================#
-
-#========================#
-# Moderation             #
-#========================#
-
-OPENAI_MODERATION=false
-OPENAI_MODERATION_API_KEY=
-# OPENAI_MODERATION_REVERSE_PROXY=
-
-BAN_VIOLATIONS=true
-BAN_DURATION=1000 * 60 * 60 * 2
-BAN_INTERVAL=20
-
-LOGIN_VIOLATION_SCORE=1
-REGISTRATION_VIOLATION_SCORE=1
-CONCURRENT_VIOLATION_SCORE=1
-MESSAGE_VIOLATION_SCORE=1
-NON_BROWSER_VIOLATION_SCORE=20
-
-LOGIN_MAX=7
-LOGIN_WINDOW=5
-REGISTER_MAX=5
-REGISTER_WINDOW=60
-
-LIMIT_CONCURRENT_MESSAGES=true
-CONCURRENT_MESSAGE_MAX=2
-
-LIMIT_MESSAGE_IP=true
-MESSAGE_IP_MAX=40
-MESSAGE_IP_WINDOW=1
-
-LIMIT_MESSAGE_USER=false
-MESSAGE_USER_MAX=40
-MESSAGE_USER_WINDOW=1
-
-ILLEGAL_MODEL_REQ_SCORE=5
-
-#========================#
-# Balance                #
-#========================#
-
-CHECK_BALANCE=false
-# START_BALANCE=20000 # note: the number of tokens that will be credited after registration.
-
-#========================#
-# Registration and Login #
-#========================#
-
-ALLOW_EMAIL_LOGIN=true
-ALLOW_REGISTRATION=true
-ALLOW_SOCIAL_LOGIN=false
-ALLOW_SOCIAL_REGISTRATION=false
-ALLOW_PASSWORD_RESET=false
-# ALLOW_ACCOUNT_DELETION=true # note: enabled by default if omitted/commented out
-ALLOW_UNVERIFIED_EMAIL_LOGIN=true
-
-SESSION_EXPIRY=1000 * 60 * 15
-REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
-
-JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
-JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
-
-
-# Discord
-DISCORD_CLIENT_ID=
-DISCORD_CLIENT_SECRET=
-DISCORD_CALLBACK_URL=/oauth/discord/callback
-
-# Facebook
-FACEBOOK_CLIENT_ID=
-FACEBOOK_CLIENT_SECRET=
-FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
-
-# GitHub
-GITHUB_CLIENT_ID=
-GITHUB_CLIENT_SECRET=
-GITHUB_CALLBACK_URL=/oauth/github/callback
-# GitHub Enterprise
-# GITHUB_ENTERPRISE_BASE_URL=
-# GITHUB_ENTERPRISE_USER_AGENT=
-
-# Google
-GOOGLE_CLIENT_ID=
-GOOGLE_CLIENT_SECRET=
-GOOGLE_CALLBACK_URL=/oauth/google/callback
-
-# Apple
-APPLE_CLIENT_ID=
-APPLE_TEAM_ID=
-APPLE_KEY_ID=
-APPLE_PRIVATE_KEY_PATH=
-APPLE_CALLBACK_URL=/oauth/apple/callback
-
-# OpenID
-OPENID_CLIENT_ID=
-OPENID_CLIENT_SECRET=
-OPENID_ISSUER=
-OPENID_SESSION_SECRET=
-OPENID_SCOPE="openid profile email"
-OPENID_CALLBACK_URL=/oauth/openid/callback
-OPENID_REQUIRED_ROLE=
-OPENID_REQUIRED_ROLE_TOKEN_KIND=
-OPENID_REQUIRED_ROLE_PARAMETER_PATH=
-# Set to determine which user info property returned from OpenID Provider to store as the User's username
-OPENID_USERNAME_CLAIM=
-# Set to determine which user info property returned from OpenID Provider to store as the User's name
-OPENID_NAME_CLAIM=
-
-OPENID_BUTTON_LABEL=
-OPENID_IMAGE_URL=
-
-# LDAP
-# LDAP_URL=
-# LDAP_BIND_DN=
-# LDAP_BIND_CREDENTIALS=
-# LDAP_USER_SEARCH_BASE=
-# LDAP_SEARCH_FILTER=mail=
-# LDAP_CA_CERT_PATH=
-# LDAP_TLS_REJECT_UNAUTHORIZED=
-# LDAP_LOGIN_USES_USERNAME=true
-# LDAP_ID=
-# LDAP_USERNAME=
-# LDAP_EMAIL=
-# LDAP_FULL_NAME=
-
-#========================#
-# Email Password Reset   #
-#========================#
-
-EMAIL_SERVICE=
-EMAIL_HOST=postal-smtp
-EMAIL_PORT=25
-EMAIL_ENCRYPTION=
-EMAIL_ENCRYPTION_HOSTNAME=
-EMAIL_ALLOW_SELFSIGNED=
-EMAIL_USERNAME=
-EMAIL_PASSWORD=
-EMAIL_FROM_NAME=
-EMAIL_FROM=noreply@librechat.ai
-
-#========================#
-# Firebase CDN           #
-#========================#
-
-# FIREBASE_API_KEY=
-# FIREBASE_AUTH_DOMAIN=
-# FIREBASE_PROJECT_ID=
-# FIREBASE_STORAGE_BUCKET=
-# FIREBASE_MESSAGING_SENDER_ID=
-# FIREBASE_APP_ID=
-
-#========================#
-# Shared Links           #
-#========================#
-
-ALLOW_SHARED_LINKS=true
-ALLOW_SHARED_LINKS_PUBLIC=true
-
-#==============================#
-# Static File Cache Control    #
-#==============================#
-
-# Leave commented out to use defaults: 1 day (86400 seconds) for s-maxage and 2 days (172800 seconds) for max-age
-# NODE_ENV must be set to production for these to take effect
-# STATIC_CACHE_MAX_AGE=172800
-# STATIC_CACHE_S_MAX_AGE=86400
-
-# If you have another service in front of your LibreChat doing compression, disable express based compression here
-# DISABLE_COMPRESSION=true
-
-#===================================================#
-#                        UI                         #
-#===================================================#
-
-APP_TITLE=LibreChat
-# CUSTOM_FOOTER="My custom footer"
-HELP_AND_FAQ_URL=https://librechat.ai
-
-# SHOW_BIRTHDAY_ICON=true
-
-# Google tag manager id
-#ANALYTICS_GTM_ID=user provided google tag manager id
-
-#===============#
-# REDIS Options #
-#===============#
-
-REDIS_URI=redis:6379
-USE_REDIS=true
-
-# USE_REDIS_CLUSTER=true
-# REDIS_CA=/path/to/ca.crt
-
-#==================================================#
-#                      Others                      #
-#==================================================#
-#   You should leave the following commented out   #
-
-# NODE_ENV=
-
-# E2E_USER_EMAIL=
-# E2E_USER_PASSWORD=
-
-#=====================================================#
-#                  Cache Headers                      #
-#=====================================================#
-#   Headers that control caching of the index.html    #
-#   Default configuration prevents caching to ensure  #
-#   users always get the latest version. Customize    #
-#   only if you understand caching implications.      #
-
-# INDEX_HTML_CACHE_CONTROL=no-cache, no-store, must-revalidate
-# INDEX_HTML_PRAGMA=no-cache
-# INDEX_HTML_EXPIRES=0
-
-# no-cache: Forces validation with server before using cached version
-# no-store: Prevents storing the response entirely
-# must-revalidate: Prevents using stale content when offline
-
-#=====================================================#
-#                  OpenWeather                        #
-#=====================================================#
-OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}

ansible/app-configs/librechat_librechat.yaml.j2

@@ -1,33 +0,0 @@
-version: 1.0.0
-endpoints:
-  custom:
-    - name: "ollama"
-      apiKey: "ollama"
-      baseURL: "http://ollama:11434/v1/chat/completions"
-      models:
-        default: [
-          "deepseek-r1:1.5b",
-          "deepseek-coder-v2:16b",
-          "deepseek-v3:671b",
-          "llama3.3:70b",
-          "phi4:14b",
-          "qwen2.5",
-          "llama2:7b",
-          "mistral:7b",
-          "codellama:7b",
-          "tinyllama:1.1b",
-          "starcoder2:3b",
-          "dolphin-mistral:7b",
-          "smollm2:1.7b",
-          "orca-mini:3b",
-          "mistral-openorca:7b"
-        ]
-# fetching list of models is supported but the `name` field must start
-# with `ollama` (case-insensitive), as it does in this example.
-        fetch: true
-      titleConvo: true
-      titleModel: "current_model"
-      summarize: false
-      summaryModel: "current_model"
-      forcePrompt: false
-      modelDisplayLabel: "Ollama"

ansible/app-configs/loggifly_config.yaml.j2

@@ -1,33 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-containers:
-  ghost_blog:
-    action_keywords:
-      - restart:
-          regex: ':[0-9]{2}\] ERROR.*$'
-  immich-server:
-    action_keywords:
-      - restart:
-          regex: 'ADVICE:.*error'
-  invidious:
-    keywords:
-      - regex: 'Error reading.*Connection reset by peer trying to reconnect...'
-global_keywords:
-  keywords:
-    - panic
-  keywords_with_attachment:
-    - fatal
-notifications:
-  apprise:
-    url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}    # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
-# settings are optional because they all have default values
-settings:
-  log_level: INFO               # DEBUG, INFO, WARNING, ERROR
-  notification_cooldown: 5      # Seconds between alerts for same keyword (per container)
-  attachment_lines: 20          # Number of Lines to include in log attachments
-  multi_line_entries: true      # Detect multi-line log entries
-  disable_restart: false        # Disable restart when a config change is detected
-  disable_start_message: false  # Suppress startup notification
-  disable_shutdown_message: false  # Suppress shutdown notification
-  disable_restart_message: false   # Suppress config reload notification

ansible/app-configs/mirotalk_src_config.js.j2

@@ -1,159 +0,0 @@
-'use strict';
-
-const packageJson = require('../../package.json');
-
-module.exports = {
-    // Branding and customizations require a license: https://codecanyon.net/item/mirotalk-p2p-webrtc-realtime-video-conferences/38376661
-    brand: {
-        app: {
-            language: 'en', // https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes
-            name: 'MiroTalk',
-            title: '<h1>MiroTalk</h1/>Free browser based Real-time video calls.<br />Simple, Secure, Fast.',
-            description:
-                'Start your next video call with a single click. No download, plug-in, or login is required. Just get straight to talking, messaging, and sharing your screen.',
-            joinDescription: 'Pick a room name.<br />How about this one?',
-            joinButtonLabel: 'JOIN ROOM',
-            joinLastLabel: 'Your recent room:',
-        },
-        og: {
-            type: 'app-webrtc',
-            siteName: 'MiroTalk',
-            title: 'Click the link to make a call.',
-            description:
-                'MiroTalk calling provides real-time HD quality and latency simply not available with traditional technology.',
-            image: 'https://p2p.mirotalk.com/images/preview.png',
-            url: 'https://p2p.mirotalk.com',
-        },
-        site: {
-            shortcutIcon: '../images/logo.svg',
-            appleTouchIcon: '../images/logo.svg',
-            landingTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
-            newCallTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
-            newCallRoomTitle: 'Pick name. <br />Share URL. <br />Start conference.',
-            newCallRoomDescription:
-                "Each room has its disposable URL. Just pick a room name and share your custom URL. It's that easy.",
-            loginTitle: 'MiroTalk - Host Protected login required.',
-            clientTitle: 'MiroTalk WebRTC Video call, Chat Room & Screen Sharing.',
-            privacyPolicyTitle: 'MiroTalk - privacy and policy.',
-            stunTurnTitle: 'Test Stun/Turn Servers.',
-            notFoundTitle: 'MiroTalk - 404 Page not found.',
-        },
-        html: {
-            features: true,
-            browsers: true,
-            teams: true, // please keep me always true ;)
-            tryEasier: true,
-            poweredBy: true,
-            sponsors: true,
-            advertisers: true,
-            footer: true,
-        },
-        about: {
-            imageUrl: '../images/mirotalk-logo.gif',
-            title: `WebRTC P2P v${packageJson.version}`,
-            html: `
-                <button
-                    id="support-button"
-                    data-umami-event="Support button"
-                    onclick="window.open('https://codecanyon.net/user/miroslavpejic85')">
-                    <i class="fas fa-heart" ></i>&nbsp;Support
-                </button>
-                <br /><br /><br />
-                Author:<a
-                    id="linkedin-button"
-                    data-umami-event="Linkedin button"
-                    href="https://www.linkedin.com/in/miroslav-pejic-976a07101/" target="_blank">
-                    Miroslav Pejic
-                </a>
-                <br /><br />
-                Email:<a
-                    id="email-button"
-                    data-umami-event="Email button"
-                    href="mailto:miroslav.pejic.85@gmail.com?subject=MiroTalk P2P info">
-                    miroslav.pejic.85@gmail.com
-                </a>
-                <br /><br />
-                <hr />
-                <span>&copy; 2025 MiroTalk P2P, all rights reserved</span>
-                <hr />
-            `,
-        },
-        //...
-    },
-    /**
-     * Configuration for controlling the visibility of buttons in the MiroTalk P2P client.
-     * Set properties to true to show the corresponding buttons, or false to hide them.
-     * captionBtn, showSwapCameraBtn, showScreenShareBtn, showFullScreenBtn, showVideoPipBtn, showDocumentPipBtn -> (auto-detected).
-     */
-    buttons: {
-        main: {
-            showShareQr: true,
-            showShareRoomBtn: true, // For guests
-            showHideMeBtn: true,
-            showAudioBtn: true,
-            showVideoBtn: true,
-            showScreenBtn: true, // autodetected
-            showRecordStreamBtn: true,
-            showChatRoomBtn: true,
-            showCaptionRoomBtn: true,
-            showRoomEmojiPickerBtn: true,
-            showMyHandBtn: true,
-            showWhiteboardBtn: true,
-            showSnapshotRoomBtn: true,
-            showFileShareBtn: true,
-            showDocumentPipBtn: true,
-            showMySettingsBtn: true,
-            showAboutBtn: true, // Please keep me always true, Thank you!
-        },
-        chat: {
-            showTogglePinBtn: true,
-            showMaxBtn: true,
-            showSaveMessageBtn: true,
-            showMarkDownBtn: true,
-            showChatGPTBtn: true,
-            showFileShareBtn: true,
-            showShareVideoAudioBtn: true,
-            showParticipantsBtn: true,
-        },
-        caption: {
-            showTogglePinBtn: true,
-            showMaxBtn: true,
-        },
-        settings: {
-            showMicOptionsBtn: true,
-            showTabRoomPeerName: true,
-            showTabRoomParticipants: true,
-            showTabRoomSecurity: true,
-            showTabEmailInvitation: true,
-            showCaptionEveryoneBtn: true,
-            showMuteEveryoneBtn: true,
-            showHideEveryoneBtn: true,
-            showEjectEveryoneBtn: true,
-            showLockRoomBtn: true,
-            showUnlockRoomBtn: true,
-            showShortcutsBtn: true,
-        },
-        remote: {
-            showAudioVolume: true,
-            audioBtnClickAllowed: true,
-            videoBtnClickAllowed: true,
-            showVideoPipBtn: true,
-            showKickOutBtn: true,
-            showSnapShotBtn: true,
-            showFileShareBtn: true,
-            showShareVideoAudioBtn: true,
-            showPrivateMessageBtn: true,
-            showZoomInOutBtn: false,
-            showVideoFocusBtn: true,
-        },
-        local: {
-            showVideoPipBtn: true,
-            showSnapShotBtn: true,
-            showVideoCircleBtn: true,
-            showZoomInOutBtn: false,
-        },
-        whiteboard: {
-            whiteboardLockBtn: false,
-        },
-    },
-};

ansible/app-configs/multi-scrobbler_config.json.j2

@@ -2,110 +2,62 @@
 {% set secrets_path = 'rinoa-docker/env' %}
 
 {
-  "debugMode": false,
-  "disableWeb": false,
-  "sourceDefaults": {
-    "logPayload": false,
-    "logFilterFailure": "warn",
-    "logPlayerState": false,
-    "scrobbleThresholds": {
-      "duration": 30,
-      "percent": 20
+    "sourceDefaults": {
+      "maxPollRetries": 0,          // optional, default # of automatic polling restarts on error. can be overridden by property in individual config
+      "maxRequestRetries": 1,       // optional, default # of http request retries a source can make before error is thrown. can be overridden by property in individual config
+      "retryMultiplier": 1.5       // optional, default retry delay multiplier (retry attempt * multiplier = # of seconds to wait before retrying). can be overridden by property in individual config
     },
-    "maxPollRetries": 1,
-    "maxRequestRetries": 1,
-    "retryMultiplier": 1.5
-  },
-  "clientDefaults": {
-    "maxRequestRetries": 1,
-    "retryMultiplier": 1.5
-  },
-  "sources": [
-    {
-      "type": "spotify",
-      "enable": true,
-      "clients": [],
-      "name": "spotify",
-      "data": {
-        "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
-        "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
-        "redirectUri": "http://localhost:9078/callback"
-      }
+    "clientDefaults": {
+      "maxRequestRetries": 1,       // optional, default # of http request retries a client can make before error is thrown. can be overridden by property in individual config
+      "retryMultiplier": 1.5       // optional, default retry delay multiplier (retry attempt * multiplier = # of seconds to wait before retrying). can be overridden by property in individual config
     },
-    {
-      "type": "lastfm",
-      "enable": true,
-      "clients": [],
-      "name": "lastfm",
-      "data": {
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-        "redirectUri": "http://localhost:9078/lastfm/callback"
-      }
-    },
-    {
-      "type": "listenbrainz",
-      "enable": true,
-      "clients": [],
-      "name": "listenBrainz",
-      "data": {
-        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
-        "username": "Trez.One"
-      }
-    },
-    {
-      "type": "subsonic",
-      "enable": true,
-      "clients": [],
-      "name": "navidrome",
-      "data": {
-        "url": "http://navidrome:4533",
-        "user": "admin",
-        "password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}"
-      }
-    }
-  ],
-  "clients": [
-    {
-      "type": "lastfm",
-      "enable": true,
-      "name": "lastFmClient",
-      "data": {
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-        "redirectUri": "http://localhost:9078/lastfm/callback"
-      }
-    },
-    {
-      "type": "listenbrainz",
-      "enable": true,
-      "name": "ListenBrainzClient",
-      "data": {
-        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
-        "username": "Trez.One"
-      }
-    },
-    {
-      "type": "maloja",
-      "enable": true,
-      "name": "maloja",
-      "data": {
-        "url": "http://maloja:42010",
-        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
-      }
-    }
-  ],
-  "webhooks": [
-    {
-      "name": "Gotify",
-      "type": "gotify",
-      "url": "http://gotify",
-      "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
-      "priorities": {
-        "info": 5,
-        "warn": 7,
-        "error": 10
-      }
-    }
-  ]
-}
+    "clients": [
+        {
+            "name": "Last.fm Client",
+            "enable": true,
+            "configureAs": "client",
+            "data": {
+            "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+            "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+            "redirectUri": "http://localhost:9078/lastfm/callback"
+            }
+        },
+        {
+            "name": "Last.fm Source",
+            "enable": true,
+            "configureAs": "source",
+            "data": {
+            "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+            "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+            "redirectUri": "http://localhost:9078/lastfm/callback"
+            }
+        },
+        {
+            "name": "Maloja",
+            "enable": true,
+            "data": {
+            "url": "http://maloja:42010",
+            "apiKey": "myMalojaKey"
+            }
+        },
+        {
+          "name": "ListenBrainz Client",
+          "enable": true,
+          "configureAs": "client",
+          "data": {
+            "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+            "username": "Trez.One"
+          }
+        },
+        {
+          "name": "ListenBrainz Source",
+          "enable": true,
+          "configureAs": "source",
+          "data": {
+            "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+            "username": "Trez.One"
+          }
+        }
+      ]
+  }
+}

ansible/app-configs/netbird_management.json.j2

@@ -47,30 +47,60 @@
   },
   "HttpConfig": {
     "Address": "0.0.0.0:33073",
-    "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
-    "AuthAudience": "netbird",
-    "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
+    "AuthIssuer": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
+    "AuthAudience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
+    "AuthKeysLocation": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/keys",
     "AuthUserIDClaim": "",
     "CertFile": "",
     "CertKey": "",
     "IdpSignKeyRefreshEnabled": true,
-    "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
+    "OIDCConfigEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
+  },
+  "IdpManagerConfig": {
+    "ManagerType": "zitadel",
+    "ClientConfig": {
+      "Issuer": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
+      "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token",
+      "ClientID": "netbird",
+      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_SECRET'] }}",
+      "GrantType": "client_credentials"
+    },
+    "ExtraConfig": {
+      "ManagementEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/management/v1"
+    },
+    "Auth0ClientCredentials": null,
+    "AzureClientCredentials": null,
+    "KeycloakClientCredentials": null,
+    "ZitadelClientCredentials": null
+  },
+  "DeviceAuthorizationFlow": {
+    "Provider": "hosted",
+    "ProviderConfig": {
+      "Audience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
+      "AuthorizationEndpoint": "",
+      "Domain": "",
+      "ClientID": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
+      "ClientSecret": "",
+      "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token",
+      "DeviceAuthEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/device_authorization",
+      "Scope": "openid",
+      "UseIDToken": false,
+      "RedirectURLs": null
+    }
   },
-  "IdpManagerConfig": {},
-  "DeviceAuthorizationFlow": {},
   "PKCEAuthorizationFlow": {
     "ProviderConfig": {
-      "Audience": "netbird",
-      "ClientID": "netbird",
-      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
+      "Audience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
+      "ClientID": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
+      "ClientSecret": "",
       "Domain": "",
-      "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
-      "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
+      "AuthorizationEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/authorize",
+      "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token",
       "Scope": "openid profile email offline_access api",
       "RedirectURLs": [
         "http://localhost:53000"
       ],
-      "UseIDToken": true
+      "UseIDToken": false
     }
   }
 }

ansible/app-configs/postal_postal.yml.j2

@@ -30,9 +30,6 @@ message_db:
 smtp_server:
   default_port: 25
   default_bind_address: "::"
-  tls_enabled: true
-  tls_certificate_path: /config/certs/fullchain.pem
-  tls_private_key_path: /config/certs/privkey.pem
 
 dns:
   # Specify the DNS records that you have configured. Refer to the documentation at

ansible/app-configs/romm_config.yml.j2

@@ -1,48 +0,0 @@
-# This is a generic example of a configuration file
-# Rename this file to `config.yml`, copy it to a `config` folder, and mount that folder as per the docker-compose.example.yml
-# Only uncomment the lines you want to use/modify, or add new ones where needed
-
-exclude:
-  # Exclude platforms to be scanned
-  platforms: [] # ['my_excluded_platform_1', 'my_excluded_platform_2']
-
-  # Exclude roms or parts of roms to be scanned
-  roms:
-    # Single file games section.
-    # Will not apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
-    single_file:
-      # Exclude all files with certain extensions to be scanned
-      extensions: [] # ['xml', 'txt']
-
-      # Exclude matched file names to be scanned.
-      # Supports unix filename pattern matching
-      # Can also exclude files by extension
-      names: [] # ['info.txt', '._*', '*.nfo']
-
-    # Multi files games section
-    # Will apply to files that are in sub-folders (multi-disc roms, games with updates, DLC, patches, etc.)
-    multi_file:
-      # Exclude matched 'folder' names to be scanned (RomM identifies folders as multi file games)
-      names: [] # ['my_multi_file_game', 'DLC']
-
-      # Exclude files within sub-folders.
-      parts:
-        # Exclude matched file names to be scanned from multi file roms
-        # Keep in mind that RomM doesn't scan folders inside multi files games,
-        # so there is no need to exclude folders from inside of multi files games.
-        names: [] # ['data.xml', '._*'] # Supports unix filename pattern matching
-
-        # Exclude all files with certain extensions to be scanned from multi file roms
-        extensions: [] # ['xml', 'txt']
-
-system:
-  # Asociate different platform names to your current file system platform names
-  # [your custom platform folder name]: [RomM platform name]
-  # In this example if you have a 'gc' folder, RomM will treat it like the 'ngc' folder and if you have a 'psx' folder, RomM will treat it like the 'ps' folder
-  platforms: {} # { gc: 'ngc', psx: 'ps' }
-
-  # Asociate one platform to it's main version
-  versions: {} # { naomi: 'arcade' }
-
-# The folder name where your roms are located
-filesystem: {} # { roms_folder: 'roms' } For example if your folder structure is /home/user/library/roms_folder

ansible/app-configs/sabnzbd_sabnzbd.ini.j2

@@ -342,7 +342,7 @@ host = news.newshosting.com
 port = 563
 timeout = 60
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_PASSWORD'] }}
 connections = 8
 ssl = 1
 ssl_verify = 3

ansible/app-configs/searxng_settings.yml.j2

@@ -211,13 +211,11 @@ outgoing:
 
 # Comment or un-comment plugin to activate / deactivate by default.
 #
-enabled_plugins:
+# enabled_plugins:
 #   # these plugins are enabled if nothing is configured ..
-  - 'Hash plugin'
-  - 'Self Information'
-  - 'Tracker URL remover'
-  - 'Basic Calculator'
-  - 'Unit converter plugin'
+#   - 'Hash plugin'
+#   - 'Self Information'
+#   - 'Tracker URL remover'
 #   - 'Ahmia blacklist'  # activation depends on outgoing.using_tor_proxy
 #   # these plugins are disabled if nothing is configured ..
 #   - 'Hostname replace'  # see hostname_replace configuration below

ansible/app-configs/signoz_common_clickhouse_cluster.ha.xml.j2

@@ -1,75 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-    <!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
-         Optional. If you don't use replicated tables, you could omit that.
-
-         See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
-      -->
-    <zookeeper>
-        <node index="1">
-            <host>signoz-zookeeper-1</host>
-            <port>2181</port>
-        </node>
-        <node index="2">
-            <host>zookeeper-2</host>
-            <port>2181</port>
-        </node>
-        <node index="3">
-            <host>zookeeper-3</host>
-            <port>2181</port>
-        </node>
-    </zookeeper>
-
-    <!-- Configuration of clusters that could be used in Distributed tables.
-         https://clickhouse.com/docs/en/operations/table_engines/distributed/
-      -->
-    <remote_servers>
-        <cluster>
-            <!-- Inter-server per-cluster secret for Distributed queries
-                 default: no secret (no authentication will be performed)
-
-                 If set, then Distributed queries will be validated on shards, so at least:
-                 - such cluster should exist on the shard,
-                 - such cluster should have the same secret.
-
-                 And also (and which is more important), the initial_user will
-                 be used as current user for the query.
-
-                 Right now the protocol is pretty simple and it only takes into account:
-                 - cluster name
-                 - query
-
-                 Also it will be nice if the following will be implemented:
-                 - source hostname (see interserver_http_host), but then it will depends from DNS,
-                   it can use IP address instead, but then the you need to get correct on the initiator node.
-                 - target hostname / ip address (same notes as for source hostname)
-                 - time-based security tokens
-            -->
-            <!-- <secret></secret> -->
-            <shard>
-                <!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
-                <!-- <internal_replication>false</internal_replication> -->
-                <!-- Optional. Shard weight when writing data. Default: 1. -->
-                <!-- <weight>1</weight> -->
-                <replica>
-                    <host>signoz-clickhouse</host>
-                    <port>9000</port>
-                    <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
-                    <!-- <priority>1</priority> -->
-                </replica>
-            </shard>
-            <shard>
-                <replica>
-                    <host>clickhouse-2</host>
-                    <port>9000</port>
-                </replica>
-            </shard>
-            <shard>
-                <replica>
-                    <host>clickhouse-3</host>
-                    <port>9000</port>
-                </replica>
-            </shard>
-        </cluster>
-    </remote_servers>
-</clickhouse>

ansible/app-configs/signoz_common_clickhouse_cluster.xml.j2

@@ -1,75 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-    <!-- ZooKeeper is used to store metadata about replicas, when using Replicated tables.
-         Optional. If you don't use replicated tables, you could omit that.
-
-         See https://clickhouse.com/docs/en/engines/table-engines/mergetree-family/replication/
-      -->
-    <zookeeper>
-        <node index="1">
-            <host>signoz-zookeeper-1</host>
-            <port>2181</port>
-        </node>
-        <!-- <node index="2">
-            <host>zookeeper-2</host>
-            <port>2181</port>
-        </node>
-        <node index="3">
-            <host>zookeeper-3</host>
-            <port>2181</port>
-        </node> -->
-    </zookeeper>
-
-    <!-- Configuration of clusters that could be used in Distributed tables.
-         https://clickhouse.com/docs/en/operations/table_engines/distributed/
-      -->
-    <remote_servers>
-        <cluster>
-            <!-- Inter-server per-cluster secret for Distributed queries
-                 default: no secret (no authentication will be performed)
-
-                 If set, then Distributed queries will be validated on shards, so at least:
-                 - such cluster should exist on the shard,
-                 - such cluster should have the same secret.
-
-                 And also (and which is more important), the initial_user will
-                 be used as current user for the query.
-
-                 Right now the protocol is pretty simple and it only takes into account:
-                 - cluster name
-                 - query
-
-                 Also it will be nice if the following will be implemented:
-                 - source hostname (see interserver_http_host), but then it will depends from DNS,
-                   it can use IP address instead, but then the you need to get correct on the initiator node.
-                 - target hostname / ip address (same notes as for source hostname)
-                 - time-based security tokens
-            -->
-            <!-- <secret></secret> -->
-            <shard>
-                <!-- Optional. Whether to write data to just one of the replicas. Default: false (write data to all replicas). -->
-                <!-- <internal_replication>false</internal_replication> -->
-                <!-- Optional. Shard weight when writing data. Default: 1. -->
-                <!-- <weight>1</weight> -->
-                <replica>
-                    <host>signoz-clickhouse</host>
-                    <port>9000</port>
-                    <!-- Optional. Priority of the replica for load_balancing. Default: 1 (less value has more priority). -->
-                    <!-- <priority>1</priority> -->
-                </replica>
-            </shard>
-            <!-- <shard>
-                <replica>
-                    <host>clickhouse-2</host>
-                    <port>9000</port>
-                </replica>
-            </shard>
-            <shard>
-                <replica>
-                    <host>clickhouse-3</host>
-                    <port>9000</port>
-                </replica>
-            </shard> -->
-        </cluster>
-    </remote_servers>
-</clickhouse>

ansible/app-configs/signoz_common_clickhouse_custom-function.xml.j2

@@ -1,21 +0,0 @@
-<functions>
-    <function>
-        <type>executable</type>
-        <name>histogramQuantile</name>
-        <return_type>Float64</return_type>
-        <argument>
-            <type>Array(Float64)</type>
-            <name>buckets</name>
-        </argument>
-        <argument>
-            <type>Array(Float64)</type>
-            <name>counts</name>
-        </argument>
-        <argument>
-            <type>Float64</type>
-            <name>quantile</name>
-        </argument>
-        <format>CSV</format>
-        <command>./histogramQuantile</command>
-    </function>
-</functions>

ansible/app-configs/signoz_common_clickhouse_storage.xml.j2

@@ -1,41 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-<storage_configuration>
-    <disks>
-        <default>
-            <keep_free_space_bytes>10485760</keep_free_space_bytes>
-        </default>
-        <s3>
-            <type>s3</type>
-            <!-- For S3 cold storage,
-                    if region is us-east-1, endpoint can be https://<bucket-name>.s3.amazonaws.com
-                    if region is not us-east-1, endpoint should be https://<bucket-name>.s3-<region>.amazonaws.com
-                For GCS cold storage,
-                    endpoint should be https://storage.googleapis.com/<bucket-name>/data/
-                -->
-            <endpoint>https://BUCKET-NAME.s3-REGION-NAME.amazonaws.com/data/</endpoint>
-            <access_key_id>ACCESS-KEY-ID</access_key_id>
-            <secret_access_key>SECRET-ACCESS-KEY</secret_access_key>
-            <!-- In case of S3, uncomment the below configuration in case you want to read
-                AWS credentials from the Environment variables if they exist. -->
-            <!-- <use_environment_credentials>true</use_environment_credentials> -->
-            <!-- In case of GCS, uncomment the below configuration, since GCS does
-                not support batch deletion and result in error messages in logs. -->
-            <!-- <support_batch_delete>false</support_batch_delete> -->
-        </s3>
-   </disks>
-   <policies>
-       <tiered>
-           <volumes>
-                <default>
-                    <disk>default</disk>
-                </default>
-                <s3>
-                    <disk>s3</disk>
-                    <perform_ttl_move_on_insert>0</perform_ttl_move_on_insert>
-                </s3>
-            </volumes>
-        </tiered>
-    </policies>
-</storage_configuration>
-</clickhouse>

ansible/app-configs/signoz_common_clickhouse_users.xml.j2

@@ -1,123 +0,0 @@
-<?xml version="1.0"?>
-<clickhouse>
-    <!-- See also the files in users.d directory where the settings can be overridden. -->
-
-    <!-- Profiles of settings. -->
-    <profiles>
-        <!-- Default settings. -->
-        <default>
-            <!-- Maximum memory usage for processing single query, in bytes. -->
-            <max_memory_usage>10000000000</max_memory_usage>
-
-            <!-- How to choose between replicas during distributed query processing.
-                 random - choose random replica from set of replicas with minimum number of errors
-                 nearest_hostname - from set of replicas with minimum number of errors, choose replica
-                  with minimum number of different symbols between replica's hostname and local hostname
-                  (Hamming distance).
-                 in_order - first live replica is chosen in specified order.
-                 first_or_random - if first replica one has higher number of errors, pick a random one from replicas with minimum number of errors.
-            -->
-            <load_balancing>random</load_balancing>
-        </default>
-
-        <!-- Profile that allows only read queries. -->
-        <readonly>
-            <readonly>1</readonly>
-        </readonly>
-    </profiles>
-
-    <!-- Users and ACL. -->
-    <users>
-        <!-- If user name was not specified, 'default' user is used. -->
-        <default>
-            <!-- See also the files in users.d directory where the password can be overridden.
-
-                 Password could be specified in plaintext or in SHA256 (in hex format).
-
-                 If you want to specify password in plaintext (not recommended), place it in 'password' element.
-                 Example: <password>qwerty</password>.
-                 Password could be empty.
-
-                 If you want to specify SHA256, place it in 'password_sha256_hex' element.
-                 Example: <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
-                 Restrictions of SHA256: impossibility to connect to ClickHouse using MySQL JS client (as of July 2019).
-
-                 If you want to specify double SHA1, place it in 'password_double_sha1_hex' element.
-                 Example: <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>
-
-                 If you want to specify a previously defined LDAP server (see 'ldap_servers' in the main config) for authentication,
-                  place its name in 'server' element inside 'ldap' element.
-                 Example: <ldap><server>my_ldap_server</server></ldap>
-
-                 If you want to authenticate the user via Kerberos (assuming Kerberos is enabled, see 'kerberos' in the main config),
-                  place 'kerberos' element instead of 'password' (and similar) elements.
-                 The name part of the canonical principal name of the initiator must match the user name for authentication to succeed.
-                 You can also place 'realm' element inside 'kerberos' element to further restrict authentication to only those requests
-                  whose initiator's realm matches it.
-                 Example: <kerberos />
-                 Example: <kerberos><realm>EXAMPLE.COM</realm></kerberos>
-
-                 How to generate decent password:
-                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha256sum | tr -d '-'
-                 In first line will be password and in second - corresponding SHA256.
-
-                 How to generate double SHA1:
-                 Execute: PASSWORD=$(base64 < /dev/urandom | head -c8); echo "$PASSWORD"; echo -n "$PASSWORD" | sha1sum | tr -d '-' | xxd -r -p | sha1sum | tr -d '-'
-                 In first line will be password and in second - corresponding double SHA1.
-            -->
-            <password></password>
-
-            <!-- List of networks with open access.
-
-                 To open access from everywhere, specify:
-                    <ip>::/0</ip>
-
-                 To open access only from localhost, specify:
-                    <ip>::1</ip>
-                    <ip>127.0.0.1</ip>
-
-                 Each element of list has one of the following forms:
-                 <ip> IP-address or network mask. Examples: 213.180.204.3 or 10.0.0.1/8 or 10.0.0.1/255.255.255.0
-                     2a02:6b8::3 or 2a02:6b8::3/64 or 2a02:6b8::3/ffff:ffff:ffff:ffff::.
-                 <host> Hostname. Example: server01.clickhouse.com.
-                     To check access, DNS query is performed, and all received addresses compared to peer address.
-                 <host_regexp> Regular expression for host names. Example, ^server\d\d-\d\d-\d\.clickhouse\.com$
-                     To check access, DNS PTR query is performed for peer address and then regexp is applied.
-                     Then, for result of PTR query, another DNS query is performed and all received addresses compared to peer address.
-                     Strongly recommended that regexp is ends with $
-                 All results of DNS requests are cached till server restart.
-            -->
-            <networks>
-                <ip>::/0</ip>
-            </networks>
-
-            <!-- Settings profile for user. -->
-            <profile>default</profile>
-
-            <!-- Quota for user. -->
-            <quota>default</quota>
-
-            <!-- User can create other users and grant rights to them. -->
-            <!-- <access_management>1</access_management> -->
-        </default>
-    </users>
-
-    <!-- Quotas. -->
-    <quotas>
-        <!-- Name of quota. -->
-        <default>
-            <!-- Limits for time interval. You could specify many intervals with different limits. -->
-            <interval>
-                <!-- Length of interval. -->
-                <duration>3600</duration>
-
-                <!-- No limits. Just calculate resource usage for time interval. -->
-                <queries>0</queries>
-                <errors>0</errors>
-                <result_rows>0</result_rows>
-                <read_rows>0</read_rows>
-                <execution_time>0</execution_time>
-            </interval>
-        </default>
-    </quotas>
-</clickhouse>

ansible/app-configs/signoz_common_otel_otel-collector-opamp-config.yaml.j2

@@ -1 +0,0 @@
-server_endpoint: ws://signoz:4320/v1/opamp

ansible/app-configs/signoz_common_signoz_otel-collector-opamp-config.yaml.j2

@@ -1 +0,0 @@
-server_endpoint: ws://signoz:4320/v1/opamp

ansible/app-configs/signoz_common_signoz_prometheus.yml.j2

@@ -1,25 +0,0 @@
-# my global config
-global:
-  scrape_interval:     5s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
-  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
-  # scrape_timeout is set to the global default (10s).
-
-# Alertmanager configuration
-alerting:
-  alertmanagers:
-  - static_configs:
-    - targets:
-      - alertmanager:9093
-
-# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
-rule_files: []
-  # - "first_rules.yml"
-  # - "second_rules.yml"
-  # - 'alerts.yml'
-
-# A scrape configuration containing exactly one endpoint to scrape:
-# Here it's Prometheus itself.
-scrape_configs: []
-
-remote_read:
-  - url: tcp://clickhouse:9000/signoz_metrics

ansible/app-configs/soularr_config.ini.j2

@@ -1,76 +0,0 @@
-{% set vault_addr = 'https://vault.trez.wtf' %}
-{% set secrets_path = 'rinoa-docker/env' %}
-
-[Lidarr]
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
-host_url = http://lidarr:8686
-#This should be the path mounted in lidarr that points to your slskd download directory.
-#If Lidarr is not running in Docker then this may just be the same dir as Slskd is using below.
-download_dir = /storage
-
-[Slskd]
-#Api key from Slskd. Need to set this up manually. See link to Slskd docs above.
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
-host_url = http://gluetun:5030
-#Slskd download directory. Should have set it up when installing Slskd.
-download_dir = /app/downloads
-#Removes searches from Slskd after the search finishes.
-delete_searches = False
-#Maximum time (in seconds) that the script will wait for downloads to complete.
-#This is used to prevent the script from running forever due to a stalled download. Defaults to 1 hour.
-stalled_timeout = 3600
-
-[Release Settings]
-#Selects the release with the most common amount of tracks out of all the releases.
-use_most_common_tracknum = True
-allow_multi_disc = True
-#See full list of countries below.
-accepted_countries = Europe,Japan,United Kingdom,United States,[Worldwide],Australia,Canada
-#See full list of formats below.
-accepted_formats = CD,Digital Media,Vinyl
-
-[Search Settings]
-search_timeout = 5000
-maximum_peer_queue = 50
-#Min upload speed in bit/s
-minimum_peer_upload_speed = 0
-#Min match ratio accepted when comparing lidarr track names to soulseek filenames.
-minimum_filename_match_ratio = 0.5
-#Specify the file types you prefer from most to least. As well as their attributes such as bitrate / samplerate / bitdepth.
-#For flacs you can choose the bitdepth/samplerate. And for mp3s the bitrate.
-#If you do not care about the specific quality you can still just put "flac" or "mp3".
-#Soularr will then just look at the filetype and ignore file attributes.
-allowed_filetypes = flac 24/192,flac 16/44.1,flac,mp3 320,mp3
-ignored_users = User1,User2,Fred,Bob
-#Set to False if you only want to search for complete albums
-search_for_tracks = True
-#Set to True if you want to add the artist's name to the beginning of the search for albums
-album_prepend_artist = False
-track_prepend_artist = True
-#Valid search types: all || incrementing_page || first_page
-  #"all" will search for every wanted record everytime soularr is run.
-  #"incrementing_page" will start with the first page and increment to the next on each run.
-  #"first_page" will repeatedly search the first page.
-#If using the search type "first_page" remove_wanted_on_failure should be enabled.
-search_type = incrementing_page
-#How mancy records to grab each run, must be a number between 1 - 2,147,483,647
-number_of_albums_to_grab = 10
-#Unmonitors the album if Soularr can't find it and places it in "failure_list.txt".
-#Failed albums can be re monitored by filtering "Unmonitored" in the Lidarr wanted list.
-remove_wanted_on_failure = False
-#Comma separated list of words that can't be in the title of albums or tracks. Case insensitive.
-title_blacklist = BlacklistWord1,blacklistword2
-#Lidarr source to use for searching. Accepted values are "all", "missing", or "cutoff_unmet". If "all" is selected
-# then both missing and cutoff_unme will be searched. The default value is "missing".
-search_source = missing
-
-[Logging]
-#These options are passed into the logger's basicConfig() method as-is.
-#This means, if you're familiar with Python's logging module, you can configure
-#the logger with options beyond what's listed here by default.
-#For more information on available options  --  https://docs.python.org/3/library/logging.html#logging.basicConfig
-level = INFO
-# Format of log message  --  https://docs.python.org/3/library/logging.html#logrecord-attributes
-format = [%(levelname)s|%(module)s|L%(lineno)d] %(asctime)s: %(message)s
-# Format of datetimes  --  https://docs.python.org/3/library/time.html#time.strftime
-datefmt = %Y-%m-%dT%H:%M:%S%z

ansible/app-configs/soulseek_slskd.yml.j2

@@ -1,212 +1,238 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
-directories:
-  incomplete: /app/incomplete
-  downloads: /app/downloads
-shares:
-  directories:
-    - /music
-rooms:
-  - '! meow chat :3'
-  - '#ANUS'
-  - '#CORONAVIRUS'
-  - '#Horrorcore'
-  - '#La France'
-  - '#icilombre-hardcore'
-  - '#polska'
-  - '#vegan'
-  - $$RARE RAP MUSIC$$
-  - ([6)]
-  - +Autism+
-  - +BlackMetal+
-  - +HIP_HOP_SCENE_RELEASES+
-  - /mu/
-  - 60lover
-  - 60lover v2
-  - 70 Rare groove Soul Jazz
-  - 80's 12 Inches & More
-  - 90's Rare Riddim !!
-  - 90's emo
-  - <>Electronics Labels<>
-  - ACID
-  - ARGENTINA
-  - "ATLLUMINATI\u201Cawareness"
-  - AUSTRALIA
-  - Alcohol
-  - Ambient
-  - Anime
-  - Audiobooks
-  - Avantgarde
-  - BDSM
-  - BLUES BUNKER MUSIC
-  - BOB DYLAN ROOM
-  - BigEdsClassicRock
-  - BigedsSixties
-  - Blues&Soul
-  - Bootlegged concerts
-  - Brasil
-  - Breakcore
-  - CHILE
-  - Canada
-  - China Room
-  - Chiptunes
-  - Christians
-  - Classical
-  - Come To The Sabbath !
-  - Communism
-  - DEATH METAL CLUB
-  - Dark Ambient
-  - De Koffie Shop
-  - De Kroeg
-  - Deathrock
-  - DieMilitarmusik
-  - Disco Classics
-  - Doom Metal
-  - Doujin Music
-  - Dub Techno
-  - Dubstep
-  - EBM-GOTHIC-INDUSTRIAL
-  - EBooks
-  - Emo
-  - Eurodance
-  - Eurovision Song Contest
-  - Experimental Electronica
-  - FOLK MUSIC
-  - Free Jazz
-  - Furry
-  - Gay
-  - Gothic
-  - Greece
-  - Grindcore
-  - HEE cum eaters 1! !
-  - HOUSE MUSIC LOVERS (AG)
-  - Happy Hardcore
-  - Hardcore NL
-  - Hardcore/punk
-  - Hip Hop
-  - Horror movies
-  - IDM
-  - INDUSTRIAL
-  - IReGGaeGaLaXy
-  - Incredibly Strange Music
-  - Israel
-  - Jaz (Full CDs)
-  - Jazz
-  - Jazz-Rock-Fusion-Guitar
-  - Juggalo Family
-  - Jungle
-  - Korean Music
-  - LANGUAGE EXCHANGE here
-  - LGBTQ+!!
-  - Last.fm
-  - Linux
-  - Lossless Scores
-  - MOVIES
-  - Mac Users
-  - Metal
-  - MovieMusic
-  - NORWAY
-  - New Crystal Vibrations
-  - New Wave
-  - New Zealand
-  - OLD SKOOL GANGSTA SHIT
-  - OLDSCHOOL 88-94
-  - OLI SHOTA CUB ROOM!
-  - Original Blues Bunker
-  - PSYCHEDELIA
-  - PUNK/HARDCORE/GRIND
-  - Portugal
-  - Post Punk
-  - Post-Hardcore (modern)
-  - Progressive Rock
-  - Psychedelic/Acid Rock
-  - Psytrance
-  - Quebec
-  - REGGAE
-  - Rare Music
-  - RareVHS/DVD/Rips
-  - Retro Gaming
-  - Romania
-  - Room Name
-  - SIsk Idiots !!
-  - SLUDGE!
-  - Slovenia
-  - Soundtracks&Scores
-  - Spain
-  - Stoner HiVe
-  - Stoner Rock
-  - Strange Music
-  - TECHNO, Mixes and Tunes
-  - THC
-  - Talia
-  - The Dangerous Kitchen
-  - TheScoreZone
-  - Thrash Metal
-  - Tinmans Movie Room
-  - Trip-Hop
-  - Ttalian_dancefloor
-  - Twee Folks
-  - UK DUB
-  - URIDDIM!!
-  - Ukraine
-  - Underground Hiphop
-  - VAPORWAVE
-  - Video Game Chat
-  - Vinyl Addicts
-  - Vocaloid
-  - WHATCDs
-  - World Music
-  - Yacht Rock
-  - '[German] [Deutsch]'
-  - abbey road Itd
-  - anime cunny
-  - bleeps&klonks
-  - breakbeat
-  - comics
-  - deep house connection
-  - drum'n'bass
-  - eesti mehed
-  - electro
-  - flacfield
-  - food
-  - for Losers
-  - hungary
-  - indie
-  - japanese music
-  - library music
-  - lossless
-  - minimal music
-  - museek
-  - noise
-  - 'on'
-  - postrock
-  - programming
-  - progressive house
-  - public porn
-  - r/musichoarder
-  - ru
-  - shoegaze
-  - tapekvit
-  - test
-  - trancEaddict
-  - trivia
-  - what.cd
-  - what.cd electronic
-  - what.cd-flac
-  - '{Italo Disco'
-web:
-  authentication:
-    username: slskd
-    password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_WEB_PASSSWORD'] }}
-    api_keys:
-      my_api_key:
-        key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
-        role: readwrite
-        cidr: 0.0.0.0/0,::/0
-soulseek:
-  address: vps.slsknet.org
-  port: 2271
-  username: Trez.One
-  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
-  diagnostic_level: Info
+# debug: false
+# remote_configuration: false
+# remote_file_management: false
+# instance_name: default
+# flags:
+#   no_logo: false
+#   no_start: false
+#   no_config_watch: false
+#   no_connect: false
+#   no_share_scan: false
+#   force_share_scan: false
+#   no_version_check: false
+#   log_sql: false
+#   experimental: false
+#   volatile: false
+#   case_sensitive_reg_ex: false
+#   legacy_windows_tcp_keepalive: false
+# relay:
+#   enabled: false
+#   mode: controller # controller (default), agent, or debug (for local development)
+#   # controller config is required when running in 'agent' mode
+#   # this specifies the relay controller that will be controlling this agent
+#   controller:
+#     address: https://some.site.com:5000
+#     ignore_certificate_errors: false
+#     api_key: <a 16-255 character string corresponding to one of the controller's 'readwrite' or 'administrator' API keys>
+#     secret: <a 16-255 character shared secret matching the controller's config for this agent>
+#     downloads: false
+#   # agent config is optional when running in 'controller' mode
+#   # this specifies all of the agents capable of connecting
+#   agents:
+#     my_agent:
+#       instance_name: my_agent # make sure the top-level instance_name of the agent matches!
+#       secret: <a 16-255 character string unique to this agent>
+#       cidr: 0.0.0.0/0,::/0
+# permissions:
+#   file:
+#     mode: ~ # not for Windows, chmod syntax, e.g. 644, 777. can't escalate beyond umask
+# directories:
+#   incomplete: ~
+#   downloads: ~
+# shares:
+#   directories:
+#     - ~
+#   filters:
+#     - \.ini$
+#     - Thumbs.db$
+#     - \.DS_Store$
+#   cache:
+#     storage_mode: memory
+#     workers: 16
+#     retention: ~ # retain indefinitely (do not automatically re-scan)
+# rooms:
+#   - ~
+# global:
+#   upload:
+#     slots: 20
+#     speed_limit: 1000 # in kibibytes
+#   limits:
+#     queued:
+#       files: 500
+#       megabytes: 5000
+#     daily:
+#       files: 1000
+#       megabytes: 10000
+#       failures: 200
+#     weekly:
+#       files: 5000
+#       megabytes: 50000
+#       failures: 1000
+#   download:
+#     slots: 500
+#     speed_limit: 1000
+# groups:
+#   default:
+#     upload:
+#       priority: 500
+#       strategy: roundrobin
+#       slots: 10
+#     limits:
+#       queued:
+#         files: 150
+#         megabytes: 1500
+#       daily: ~ # no daily limits (weekly still apply)
+#       weekly:
+#         files: 1500
+#         megabytes: 15000
+#         failures: 150
+#   leechers:
+#     thresholds:
+#       files: 1
+#       directories: 1
+#     upload:
+#       priority: 999
+#       strategy: roundrobin
+#       slots: 1
+#       speed_limit: 100
+#     limits:
+#       queued:
+#         files: 15
+#         megabytes: 150
+#       daily:
+#         files: 30
+#         megabytes: 300
+#         failures: 10
+#       weekly:
+#         files: 150
+#         megabytes: 1500
+#         failures: 30
+#   blacklisted:
+#     members:
+#       - <username to blacklist>
+#     cidrs:
+#       - <CIDR to blacklist, e.g. 255.255.255.255/32>
+#   user_defined:
+#     my_buddies:
+#       upload:
+#         priority: 250
+#         strategy: firstinfirstout
+#         slots: 10
+#       limits:
+#         queued:
+#           files: 1000 # override global default
+#       members:
+#         - alice
+#         - bob
+# blacklist:
+#   enabled: true
+#   file: <path to file containing CIDRs to blacklist>
+# filters:
+#   search:
+#     request:
+#       - ^.{1,2}$
+# web:
+#   port: 5030
+#   https:
+#     disabled: false
+#     port: 5031
+#     force: false
+#     certificate:
+#       pfx: ~
+#       password: ~
+#   url_base: /
+#   content_path: wwwroot
+#   logging: false
+#   authentication:
+#     disabled: false
+#     username: slskd
+#     password: slskd
+#     jwt:
+#       key: ~
+#       ttl: 604800000
+#     api_keys:
+#       my_api_key:
+#         key: <some example string between 16 and 255 characters>
+#         role: readonly # readonly, readwrite, administrator
+#         cidr: 0.0.0.0/0,::/0
+# retention:
+#   transfers:
+#     upload:
+#       succeeded: 1440 # 1 day
+#       errored: 30
+#       cancelled: 5
+#     download:
+#       succeeded: 1440 # 1 day
+#       errored: 20160 # 2 weeks 
+#       cancelled: 5
+#   files:
+#     complete: 20160 # 2 weeks
+#     incomplete: 43200 # 30 days
+#   logs: 259200 # 180 days
+# logger:
+#   disk: false
+#   no_color: false
+#   loki: ~
+# metrics:
+#   enabled: false
+#   url: /metrics
+#   authentication:
+#     disabled: false
+#     username: slskd
+#     password: slskd
+# feature:
+#   swagger: false
+# soulseek:
+#   address: vps.slsknet.org
+#   port: 2271
+#   username: ~
+#   password: ~
+#   description: |
+#     A slskd user. https://github.com/slskd/slskd
+#   listen_ip_address: 0.0.0.0
+#   listen_port: 50300
+#   diagnostic_level: Info
+#   distributed_network:
+#     disabled: false
+#     disable_children: false
+#     child_limit: 25
+#     logging: false
+#   connection:
+#     timeout:
+#       connect: 10000
+#       inactivity: 15000
+#     buffer:
+#       read: 16384
+#       write: 16384
+#       transfer: 262144
+#       write_queue: 250
+#     proxy:
+#       enabled: false
+#       address: ~
+#       port: ~
+#       username: ~
+#       password: ~
+# integration:
+#   ftp:
+#     enabled: false
+#     address: ~
+#     port: ~
+#     username: ~
+#     password: ~
+#     remote_path: /
+#     encryption_mode: auto
+#     ignore_certificate_errors: false
+#     overwrite_existing: true
+#     connection_timeout: 5000
+#     retry_attempts: 3
+#   pushbullet:
+#     enabled: false
+#     access_token: ~
+#     notification_prefix: "From slskd:"
+#     notify_on_private_message: true
+#     notify_on_room_mention: true
+#     retry_attempts: 3
+#     cooldown_time: 900000

ansible/app-configs/vector.yaml.j2

@@ -0,0 +1,32 @@
+  sources:
+    rinoa_docker_logs:
+      type: docker_logs
+      exclude_containers:
+        - zammad-init
+        - vector
+
+  sinks:
+    parseable:
+      type: http
+      method: post
+      batch:
+        max_bytes: 10485760
+        max_events: 1000
+        timeout_secs: 10
+      compression: gzip
+      inputs:
+        - rinoa_docker_logs
+      encoding:
+        codec: json
+      uri: http://parseable:8000/api/v1/ingest'
+      auth:
+        strategy: basic
+        user: admin
+        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
+      request:
+        headers:
+          X-P-Stream: vectordemo
+      healthcheck:
+        enabled: true
+        path: 'http://parseable:8000/api/v1/liveness'
+        port: 80

ansible/app-configs/vector_vector.yaml.j2

@@ -2,7 +2,7 @@
     rinoa_docker_logs:
       type: docker_logs
       exclude_containers:
-        - vector
+        - zammad-init
 
   sinks:
     parseable:
@@ -24,7 +24,7 @@
         password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
       request:
         headers:
-          X-P-Stream: rinoa-docker-logs
+          X-P-Stream: vectordemo
       healthcheck:
         enabled: true
         path: 'http://parseable:8000/api/v1/liveness'

ansible/group_vars/all.yml

@@ -1,14 +1,14 @@
 vault_addr: "https://vault.trez.wtf"
 vault_token: !vault |
   $ANSIBLE_VAULT;1.1;AES256
-  62353532343234343230663331623062376533346166343963383464303535646362376233663361
-  3532343530653365663331393339646337653564316337390a646264353561623132366635343032
-  63326535376434353837663334366336613631346161363034646134333439613531376362646161
-  6438316662626566340a346665666234386630633764376336333063363934643162393565386330
-  35333139303939613232303264646236326637613862303339353334623066393966353032333839
-  33323962303635333335376364366336663035303530396262356130373537363134303937353433
-  34393338336666396338616465666466613931373461663761366235643437646136373039353939
-  33643133313264303637646336653537383337336661313765663366356262343064316334313337
-  35306232303132653566356130343366313139336665313737363732613261623439
+  66373236656261373330343233616231386539616566613864306436613635323533336365383232
+  6636653139393566643265303135343864363632393035380a643566373137316363626438356431
+  64653237313866316537326565386164373564353166346334663638636531353337303937346466
+  3539366634393337620a653133336530333963343638643934303336653935363932643665353234
+  63343565663632633563396131346139666236313863663332386131633831633566373366613738
+  63343634313539336534666632313736343338623538303434316230383764643432646663356238
+  61373132633062346436363036333533623931313037306633616662623032616137613734343638
+  63633031616161623437623935346366636433653435646333313638376161663237323130636433
+  31383031646666626163323966393738386233346137326231366263316532343563
 vault_token_cleaned: "{{ vault_token | regex_replace('\\n', '') }}"
 secrets_path: "rinoa-docker/env"

ansible/inventory/host_vars.yml

@@ -1,13 +1,13 @@
 rinoa:
-  ansible_host: 192.168.1.254
-  ansible_python_interpreter: /usr/bin/python3
-  ansible_ssh_port: 22
-  ansible_ssh_user: charish
-  ansible_ssh_pass: !vault |
-    $ANSIBLE_VAULT;1.1;AES256
-    32303262303733356636343163363062383539623938383439373166623236366664333830653163
-    3134323461373461663638333265643631666437306362350a353632313337316535633838343137
-    37353139396531613763393139653231333666363935613462343831303866363863653161636138
-    3438316261363139650a313161643039366438356462383730663839366562333464636130346132
-    31363235326362396630313966303064373532306638383739373739336661346438336534366537
-    6565643866333964353563346433323861346262323933333732
+        ansible_host: 192.168.1.254
+        ansible_python_interpreter: /usr/bin/python3
+        ansible_ssh_port: 22
+        ansible_ssh_user: charish
+        ansible_ssh_pass: !vault |
+                $ANSIBLE_VAULT;1.1;AES256
+                38346631616139316365316566386362396661323163306339303635646331373061323531626431
+                3435373031363739356261656239633835393963636663370a613166653463656337666366633639
+                37373637326633363430633336646165343764303063663636313835326130663532323037663331
+                6332353339656134370a353435396532663932313535646636333262353238386331313764633635
+                63383065623930653134666261353439366535646661383434386261393232373432353937636535
+                3432336137393737643735346665303832653630316439333565

ansible/ssh_pass.yml

@@ -1,7 +1,7 @@
 $ANSIBLE_VAULT;1.1;AES256
-32303262303733356636343163363062383539623938383439373166623236366664333830653163
-3134323461373461663638333265643631666437306362350a353632313337316535633838343137
-37353139396531613763393139653231333666363935613462343831303866363863653161636138
-3438316261363139650a313161643039366438356462383730663839366562333464636130346132
-31363235326362396630313966303064373532306638383739373739336661346438336534366537
-6565643866333964353563346433323861346262323933333732
+65353131326537376561616630666531353731653835306564323565383332653437633533313932
+6239663065306339366536326432323534303364663862350a353034623936363066303164333434
+32666331326332363463383234316136323031626330366132643034376439616339396662636236
+3633393039376438630a326138653031656465373966356564336463643465613638313838393166
+36626366356266636535613862333631386231626134376264363731353264613261633037646662
+6431393837653564366531316332616232336365636533643036