Misc. fix for Immich stack.

Ansible syntax fixes in Authelia config.
Authelia YML fixes.
2025-03-14 09:22:46 -04:00 · 2025-03-14 08:29:05 -04:00 · 2025-03-13 20:54:42 -04:00 · 2025-03-13 20:20:44 -04:00 · 2025-03-13 19:58:56 -04:00 · 2025-03-13 19:08:47 -04:00
8 changed files with 594 additions and 680 deletions
@@ -25,6 +25,13 @@ jobs:
          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
          name: 'tea'
          version: '0.9.2'
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: PR Check'
+          notification_message: 'Checking for existing PR... 🔍'
      - name: Check if open PR exists
        id: check-opened-pr-step
        continue-on-error: true
@@ -39,6 +46,13 @@ jobs:
          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
          pr_index_new=$(expr ${pr_index_old} + 1)
          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose, Ansible Configs.j2"
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: PR Check'
+          notification_message: 'PR Created 🎟️'
  docker-compose-ansible-lints:
    name: Docker Compose & Ansible Lints
    needs: [check-and-create-pr]
@@ -65,6 +79,13 @@ jobs:
        uses: cpanato/vault-installer@main
      - name: Install hvac
        run: pip install hvac
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
+          notification_message: 'Starting Ansible dry run...'
      - name: Ansible Playbook Dry Run
        uses: dawidd6/action-ansible-playbook@v2
        with:
@@ -82,7 +103,7 @@ jobs:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa'
-          notification_message: 'Ansible dry run completed successfully.'
+          notification_message: 'Ansible dry run completed successfully; starting Docker Compose'
      - name: Generate .env file for Docker Compose Dry Run
        run: |
          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
@@ -149,7 +170,7 @@ jobs:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Cloudflare Setup @ Rinoa'
-          notification_message: 'Starting Cloudflare setup'
+          notification_message: 'Starting Cloudflare DNS setup...'
      - name: Compare Subdomains
        id: compare-subdomains
        uses: LouisBrunner/diff-action@v2.2.0
@@ -203,6 +224,13 @@ jobs:
      #     modified_services=${egrep '^  [a-z]' changes.yml | sed -e 's|^  ||g' -e 's|:||g' | sed ':a;N;$!ba;s/\n/ /g'}
      #     echo "Modified services: $modified_services"
      #     echo "modified_services=$modified_services" >> $GITHUB_OUTPUT
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: README Update'
+          notification_message: 'Updating README...'
      - name: Generate service list
        run: |
          yq '.services | to_entries | map({"service": .key, "image": .value.image})' docker-compose.yml > services.yml
@@ -222,6 +250,13 @@ jobs:
        with:
          message: "chore: Update README"
          add: "README.md"
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: README Update'
+          notification_message: 'README updated'
  pr-merge:
    name: PR Merge
    needs: [regenerate-readme-modified-services]
@@ -278,6 +313,13 @@ jobs:
        uses: cpanato/vault-installer@main
      - name: Install hvac
        run: pip install hvac
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
+          notification_message: 'Starting config deployment with Ansible.'
      - name: Deploy Docker Configs via Ansible
        uses: dawidd6/action-ansible-playbook@v2
        with:
@@ -295,6 +337,13 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Ansible Config Deployment @ Rinoa'
          notification_message: 'Deployment completed successfully.'
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: Docker Compose Deployment @ Rinoa'
+          notification_message: 'Starting Docker Compose run...'
      - name: Generate .env file for deployment
        run: |
           vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
@@ -1,3 +1,4 @@
 **/.cache_ggshield
 ansible/collections/ansible_collections/
-**/.env
+**/.env
+**/netbird_openid-configuration.json.j2
@@ -16,7 +16,7 @@
 | bitmagnet | ghcr.io/bitmagnet-io/bitmagnet:latest |
 | bitmagnet-pg-db | postgres:17-alpine |
 | bitwarden | vaultwarden/server:latest |
-| bluesky-pds | ghcr.io/bluesky-social/pds:latest |
+| bluesky-pds | code.modernleft.org/gravityfargo/bluesky-pds:v0.4.98 |
 | browserless | ghcr.io/browserless/chromium:latest |
 | bunkerweb | bunkerity/bunkerweb:1.6.0 |
 | bunkerweb-scheduler | bunkerity/bunkerweb-scheduler:1.6.0 |
@@ -52,7 +52,6 @@
 | gotify | gotify/server |
 | guacamole | flcontainers/guacamole:latest |
 | homepage | ghcr.io/gethomepage/homepage:latest |
-| hortusfox | ghcr.io/danielbrendel/hortusfox-web:latest |
 | hugo | hugomods/hugo:exts |
 | immich-server | ghcr.io/immich-app/immich-server:release |
 | immich-machine-learning | ghcr.io/immich-app/immich-machine-learning:release |
@@ -63,8 +62,6 @@
 | invidious | quay.io/invidious/invidious:latest |
 | invidious-sig-helper | quay.io/invidious/inv-sig-helper:latest |
 | invidious-db | docker.io/library/postgres:14 |
-| invoice-ninja | invoiceninja/invoiceninja-debian:5 |
-| invoice-ninja_proxy | nginx |
 | it-tools | ghcr.io/corentinth/it-tools:latest |
 | jellyfin | jellyfin/jellyfin |
 | jitsi-etherpad | etherpad/etherpad:1.8.6 |
@@ -82,6 +79,7 @@
 | libretranslate | libretranslate/libretranslate |
 | lidarr | lscr.io/linuxserver/lidarr:latest |
 | lidify | thewicklowwolf/lidify:latest |
+| linkstack | linkstackorg/linkstack:latest |
 | lldap | lldap/lldap:stable |
 | maloja | krateng/maloja:latest |
 | manyfold | lscr.io/linuxserver/manyfold:latest |
@@ -96,24 +94,14 @@
 | n8n | docker.n8n.io/n8nio/n8n |
 | navidrome | deluan/navidrome:latest |
 | netalertx | jokobsk/netalertx:latest |
-| netbird-dashboard | netbirdio/dashboard:latest |
-| netbird-signal | netbirdio/signal:latest |
-| netbird-relay | netbirdio/relay:latest |
-| netbird-management | netbirdio/management:latest |
-| netbird-coturn | coturn/coturn:latest |
 | nextcloud | nextcloud/all-in-one:latest |
 | ollama | ollama/ollama |
 | ombi | lscr.io/linuxserver/ombi:latest |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
 | parseable | containers.parseable.com/parseable/parseable:latest |
-| peppermint | pepperlabs/peppermint:latest |
-| peppermint-pg-db | postgres:17-alpine |
 | pgbackweb | eduardolat/pgbackweb:latest |
 | pgbackweb-db | postgres:16-alpine |
 | plantuml-server | plantuml/plantuml-server:jetty |
-| plausible | ghcr.io/plausible/community-edition:v2.1.0 |
-| plausible_db | postgres:16-alpine |
-| plausible_events_db | clickhouse/clickhouse-server:24.3.3.102-alpine |
 | portainer | portainer/portainer-ce:2.27.0-alpine |
 | portall | need4swede/portall:latest |
 | postal-smtp | ghcr.io/postalserver/postal:latest |
@@ -143,9 +131,8 @@
 | soulseek | slskd/slskd |
 | sourcebot | ghcr.io/sourcebot-dev/sourcebot:latest |
 | speedtest-tracker | lscr.io/linuxserver/speedtest-tracker:latest |
-| spotisub | blastbeng/spotisub:latest |
 | stable-diffusion-download | git.trez.wtf/trez.one/stable-diffusion-download:v9.0.0 |
-| stable-diffusion-webui | git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.0 |
+| stable-diffusion-webui | git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.1 |
 | swag | lscr.io/linuxserver/swag:latest |
 | tandoor | vabene1111/recipes |
 | tandoor-pg | postgres:16-alpine |
@@ -0,0 +1,174 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# yaml-language-server: $schema=https://www.authelia.com/schemas/latest/json-schema/configuration.json
+---
+theme: auto
+default_2fa_method: "totp"
+server:
+  address: '0.0.0.0:9091'
+  endpoints:
+    enable_pprof: false
+    enable_expvars: false
+  disable_healthcheck: false
+  tls:
+    key: ""
+    certificate: ""
+    client_certificates: []
+  headers:
+    csp_template: ""
+log:
+  level: debug
+telemetry:
+  metrics:
+    enabled: true
+    address: tcp://0.0.0.0:9959
+totp:
+  disable: false
+  issuer: authelia.com
+  algorithm: sha256
+  digits: 6
+  period: 30
+  skew: 1
+  secret_size: 32
+webauthn:
+  disable: false
+  timeout: 60s
+  display_name: Authelia
+  attestation_conveyance_preference: indirect
+  user_verification: preferred
+ntp:
+  address: "time.cloudflare.com:123"
+  version: 4
+  max_desync: 3s
+  disable_startup_check: false
+  disable_failure: false
+authentication_backend:
+  password_reset:
+    disable: false
+    custom_url: ""
+  ldap:
+    implementation: custom
+    address: ldap://lldap:3890
+    timeout: 5s
+    start_tls: false
+    base_dn: dc=trez,dc=wtf
+    additional_users_dn: ou=people
+    users_filter: "(&({username_attribute}={input})(objectClass=person))"
+    additional_groups_dn: ou=groups
+    groups_filter: "(member={dn})"
+    attributes:
+      username: uid
+      group_name: cn
+      mail: mail
+      display_name: displayName
+    user: uid=authelia,ou=people,dc=trez,dc=wtf
+    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
+  refresh_interval: 5m
+identity_validation:
+  reset_password:
+    jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}'
+password_policy:
+  standard:
+    enabled: true
+    min_length: 8
+    max_length: 0
+    require_uppercase: true
+    require_lowercase: true
+    require_number: true
+    require_special: false
+  zxcvbn:
+    enabled: false
+    min_score: 3
+access_control:
+  default_policy: deny
+  networks:
+    - name: 'internal'
+      networks:
+        - '172.17.0.0/16'
+        - '172.18.0.0/16'
+        - '192.168.1.0/24'
+  rules:
+    - domain_regex:
+      - '^trez.wtf$'
+      - ^www.trez.wtf$''
+      policy: bypass
+    - domain: '*.trez.wtf'
+      policy: bypass
+      networks:
+        - 'internal'
+    - domain: '*.trez.wtf'
+      policy: one_factor
+      subject:
+      - ['user:the.trezured.one']
+session:
+  name: authelia_session
+  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
+  expiration: 1h
+  inactivity: 5m
+  remember_me: 1M
+  cookies:
+    - domain: 'trez.wtf'
+      authelia_url: 'https://auth.trez.wtf'
+  redis:
+    host: redis
+    port: 6379
+storage:
+  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
+  postgres:
+    address: 'tcp://authelia-pg:5432'
+    database: authelia
+    username: authelia
+    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
+    timeout: '5s'
+regulation:
+  max_retries: 3
+  find_time: 2m
+  ban_time: 5m
+notifier:
+  disable_startup_check: true
+  smtp:
+    address: 'smtp://postal-smtp:25'
+    timeout: '5s'
+    username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}'
+    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}'
+    sender: "Authelia <noreply@trez.wtf>"
+    identifier: 'localhost'
+    subject: "[Authelia] {title}"
+    startup_check_address: 'test@authelia.com'
+    disable_require_tls: true
+    disable_starttls: true
+    disable_html_emails: false
+identity_providers:
+  oidc:
+    hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}'
+    jwks:
+      key_id: 'netbird'
+      key: |
+        {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(8) }}
+      certificate_chain: |
+        {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_CERT_CHAIN"] | replace("\\n", "\n") | indent(8) }}
+    cors:
+      allowed_origins_from_client_redirect_uris: true
+      endpoints:
+        - 'userinfo'
+        - 'authorization'
+        - 'token'
+        - 'revocation'
+        - 'introspection'
+    clients:
+      - client_id: 'netbird'
+        client_name: 'NetBird'
+        client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
+        public: false
+        authorization_policy: 'two_factor'
+        redirect_uris:
+          - 'https://vpn.trez.wtf/peers'
+          - 'https://vpn.trez.wtf/add-peers'
+          - 'http://localhost'
+        scopes:
+          - 'openid'
+          - 'email'
+          - 'profile'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'
@@ -23,10 +23,10 @@ provider: duckduckgo
 layout:
  System Administration:
    style: row
-    columns: 5
+    columns: 4
  Infrastructure/App Performance Monitoring:
    style: row
-    columns: 3
+    columns: 4
  Code/DevOps:
    style: row
    columns: 4
@@ -35,17 +35,14 @@ layout:
    columns: 4
  Lifestyle:
    style: row
-    columns: 5
+    columns: 3
  Automation:
    style: row
    columns: 5
  Privacy/Security:
    style: row
-    columns: 3
-  Personal Services:
-    style: row
-    columns: 4
-  Professional Services:
+    columns: 5
+  Personal/Professional Services:
    style: row
    columns: 5
  Servarr Stack:
@@ -2,62 +2,102 @@
 {% set secrets_path = 'rinoa-docker/env' %}

 {
-    "sourceDefaults": {
-      "maxPollRetries": 0,          // optional, default # of automatic polling restarts on error. can be overridden by property in individual config
-      "maxRequestRetries": 1,       // optional, default # of http request retries a source can make before error is thrown. can be overridden by property in individual config
-      "retryMultiplier": 1.5       // optional, default retry delay multiplier (retry attempt * multiplier = # of seconds to wait before retrying). can be overridden by property in individual config
+  "debugMode": false,
+  "disableWeb": false,
+  "sourceDefaults": {
+    "logPayload": false,
+    "logFilterFailure": "warn",
+    "logPlayerState": false,
+    "scrobbleThresholds": {
+      "duration": 30,
+      "percent": 20
    },
-    "clientDefaults": {
-      "maxRequestRetries": 1,       // optional, default # of http request retries a client can make before error is thrown. can be overridden by property in individual config
-      "retryMultiplier": 1.5       // optional, default retry delay multiplier (retry attempt * multiplier = # of seconds to wait before retrying). can be overridden by property in individual config
+    "maxPollRetries": 1,
+    "maxRequestRetries": 1,
+    "retryMultiplier": 1.5
+  },
+  "clientDefaults": {
+    "maxRequestRetries": 1,
+    "retryMultiplier": 1.5
+  },
+  "sources": [
+    {
+      "type": "spotify",
+      "enable": true,
+      "clients": [],
+      "name": "Spotify",
+      "data": {
+        "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
+        "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+        "redirectUri": "http://localhost:9078/callback"
+      }
    },
-    "clients": [
-        {
-            "name": "Last.fm Client",
-            "enable": true,
-            "configureAs": "client",
-            "data": {
-            "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-            "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-            "redirectUri": "http://localhost:9078/lastfm/callback"
-            }
-        },
-        {
-            "name": "Last.fm Source",
-            "enable": true,
-            "configureAs": "source",
-            "data": {
-            "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
-            "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-            "redirectUri": "http://localhost:9078/lastfm/callback"
-            }
-        },
-        {
-            "name": "Maloja",
-            "enable": true,
-            "data": {
-            "url": "http://maloja:42010",
-            "apiKey": "myMalojaKey"
-            }
-        },
-        {
-          "name": "ListenBrainz Client",
-          "enable": true,
-          "configureAs": "client",
-          "data": {
-            "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
-            "username": "Trez.One"
-          }
-        },
-        {
-          "name": "ListenBrainz Source",
-          "enable": true,
-          "configureAs": "source",
-          "data": {
-            "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
-            "username": "Trez.One"
-          }
-        }
-      ]
-  }
+    {
+      "name": "Last.fm",
+      "enable": true,
+      "data": {
+        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+        "redirectUri": "http://localhost:9078/lastfm/callback"
+      }
+    },
+    {
+      "name": "ListenBrainz",
+      "enable": true,
+      "data": {
+        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "username": "Trez.One"
+      }
+    },
+    {
+      "name": "Navidrome",
+      "enable": true,
+      "data": {
+        "url": "http://navidrome:4533",
+        "user": "admin",
+        "password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}"
+      }
+    }
+  ],
+  "clients": [
+    {
+      "name": "Last.fm Client",
+      "enable": true,
+      "data": {
+        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+        "redirectUri": "http://localhost:9078/lastfm/callback"
+      }
+    },
+    {
+      "name": "ListenBrainz Client",
+      "enable": true,
+      "data": {
+        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+        "username": "Trez.One"
+      }
+    },
+    {
+      "type": "maloja",
+      "enable": true,
+      "name": "Maloja",
+      "data": {
+        "url": "http://maloja:42010",
+        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
+      }
+    }
+  ],
+  "webhooks": [
+    {
+      "name": "Gotify",
+      "type": "gotify",
+      "url": "http://gotify:8070",
+      "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
+      "priorities": {
+        "info": 5,
+        "warn": 7,
+        "error": 10
+      }
+    }
+  ]
 }
@@ -47,60 +47,30 @@
  },
  "HttpConfig": {
    "Address": "0.0.0.0:33073",
-    "AuthIssuer": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
-    "AuthAudience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
-    "AuthKeysLocation": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/keys",
+    "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
+    "AuthAudience": "netbird",
+    "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
    "AuthUserIDClaim": "",
    "CertFile": "",
    "CertKey": "",
    "IdpSignKeyRefreshEnabled": true,
-    "OIDCConfigEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
-  },
-  "IdpManagerConfig": {
-    "ManagerType": "zitadel",
-    "ClientConfig": {
-      "Issuer": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
-      "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token",
-      "ClientID": "netbird",
-      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_SECRET'] }}",
-      "GrantType": "client_credentials"
-    },
-    "ExtraConfig": {
-      "ManagementEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/management/v1"
-    },
-    "Auth0ClientCredentials": null,
-    "AzureClientCredentials": null,
-    "KeycloakClientCredentials": null,
-    "ZitadelClientCredentials": null
-  },
-  "DeviceAuthorizationFlow": {
-    "Provider": "hosted",
-    "ProviderConfig": {
-      "Audience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
-      "AuthorizationEndpoint": "",
-      "Domain": "",
-      "ClientID": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
-      "ClientSecret": "",
-      "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token",
-      "DeviceAuthEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/device_authorization",
-      "Scope": "openid",
-      "UseIDToken": false,
-      "RedirectURLs": null
-    }
+    "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
  },
+  "IdpManagerConfig": {},
+  "DeviceAuthorizationFlow": {},
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
-      "Audience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
-      "ClientID": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}",
-      "ClientSecret": "",
+      "Audience": "netbird",
+      "ClientID": "netbird",
+      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
      "Domain": "",
-      "AuthorizationEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/authorize",
-      "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token",
+      "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
+      "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
      "Scope": "openid profile email offline_access api",
      "RedirectURLs": [
        "http://localhost:53000"
      ],
-      "UseIDToken": false
+      "UseIDToken": true
    }
  }
 }
@@ -115,7 +115,7 @@ services:
      SEARCH_BACKEND_ENGINE: ripgrep       # tells ArchiveBox to use sonic container below for fast full-text search
    image: archivebox/archivebox:latest
    labels:
-      homepage.group: Personal Services
+      homepage.group: Personal/Professional Services
      homepage.name: ArchiveBox
      homepage.href: https://archive.${MY_TLD}
      homepage.icon: archivebox.png
@@ -202,9 +202,10 @@ services:
      AUTHELIA_SESSION_SECRET: ${AUTHELIA_SESSION_SECRET}
      AUTHELIA_STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
      AUTHELIA_STORAGE_POSTGRES_PASSWORD: ${AUTHELIA_STORAGE_POSTGRES_PASSWORD}
-      # PGID: ${PGID}
-      # PUID: ${PUID}
+      PGID: ${PGID}
+      PUID: ${PUID}
      TZ: ${TZ}
+      X_AUTHELIA_CONFIG_FILTERS: template
    expose:
      - 9091
    image: authelia/authelia:master
@@ -496,15 +497,17 @@ services:
      ALLOW_FILE_PROTOCOL: true
      CONCURRENT: 20
      HEALTH: false
-      PROXY_HOST: swag
-      PROXY_PORT: 443
-      PROXY_SSL: true
+      PROXY_HOST: browserless
+      PROXY_PORT: 3000
+      PROXY_SSL: false
      QUEUED: 20
      TIMEOUT: 300000
      TOKEN: ${CHROMIUM_TOKEN}
      TZ: ${TZ}
    expose:
      - 3000
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
    image: ghcr.io/browserless/chromium:latest
    labels:
      swag: enable
@@ -924,7 +927,7 @@ services:
      timeout: 10s
    image: freikin/dawarich:latest
    labels:
-      homepage.group: Personal Services
+      homepage.group: Personal/Professional Services
      homepage.name: Dawarich
      homepage.href: https://loc.${MY_TLD}
      homepage.icon: dawarich.svg
@@ -1266,82 +1269,82 @@ services:
    restart: always
    volumes:
      - ${DOCKER_VOLUME_STORAGE}/backups/docker_volume_bkups:/archive
-      - authelia-pg-db:/data/authelia-pg-db:ro
-      - bitmagnet-pg-db:/data/bitmagnet-pg-db:ro
-      - bunkerweb-storage:/data/bunkerweb-storage:ro
-      - castopod-media:/data/castopod-media:ro
-      - crowdsec-config:/data/crowdsec-config:ro
-      - crowdsec-db:/data/crowdsec-db:ro
-      - dawarich_db_data:/data/dawarich_db_data:ro
-      - dawarich_shared:/data/dawarich_shared:ro
-      - dawarich_public:/data/dawarich_public:ro
-      - dawarich_watched:/data/dawarich_watched:ro
-      - dbgate-data:/data/dbgate-data:ro
-      - docker-volume-bkup-data:/data/docker-volume-bkup-data:ro
-      - fastenhealth-cache:/data/fastenhealth-cache:ro
-      - fastenhealth-db:/data/fastenhealth-db:ro
-      - filebeat_etc:/data/filebeat_etc:ro
-      - filebeat_var:/data/filebeat_var:ro
-      - gitea-pg-db:/data/gitea-pg-db:ro
-      - hortusfox_app_backup:/data/hortusfox_app_backup:ro
-      - hortusfox_app_images:/data/hortusfox_app_images:ro
-      - hortusfox_app_logs:/data/hortusfox_app_logs:ro
-      - hortusfox_app_migrate:/data/hortusfox_app_migrate:ro
-      - hortusfox_app_themes:/data/hortusfox_app_themes:ro
-      - hortusfox_db_data:/data/hortusfox_db_data:ro
-      - immich-model-cache:/data/immich-model-cache:ro
-      - influxdb2-data:/data/influxdb2-data:ro
-      - influxdb2-config:/data/influxdb2-config:ro
-      - invidious-postgres:/data/invidious-postgres:ro
-      - invoice-ninja_cache:/data/invoice-ninja_cache:ro
-      - invoice-ninja_public:/data/invoice-ninja_public:ro
-      - invoice-ninja_storage:/data/invoice-ninja_storage:ro
-      - jitsi-web-admin-theme:/data/jitsi-web-admin-theme:ro
-      - jitsi-web-admin-upload:/data/jitsi-web-admin-upload:ro
-      - joplin_data:/data/joplin_data:ro
-      - librechat-pg-data:/data/librechat-pg-data:ro
-      - libretranslate_models:/data/libretranslate_models:ro
-      - lldap_data:/data/lldap_data:ro
-      - mastodon-pg-db:/data/mastodon-pg-db:ro
-      - mixpost-storage:/data/mixpost-storage:ro
-      - mixpost-logs:/data/mixpost-logs:ro
-      - mongodb_config:/data/mongodb_config:ro
-      - mongodb_data:/data/mongodb_data:ro
-      - n8n-data:/data/n8n-data:ro
-      - netbird-mgmt:/data/netbird-mgmt:ro
-      - netbird-signal:/data/netbird-signal:ro
-      - netbird-letsencrypt:/data/netbird-letsencrypt:ro
-      - nextcloud_aio_mastercontainer:/data/nextcloud_aio_mastercontainer:ro
-      - ollama:/data/ollama:ro
-      - open-webui:/data/open-webui:ro
-      - paperless-ngx-data:/data/paperless-ngx-data:ro
-      - paperless-ngx-media:/data/paperless-ngx-media:ro
-      - paperless-ngx-pg:/data/paperless-ngx-pg:ro
-      - peppermint-pg-data:/data/peppermint-pg-data:ro
-      - pgbackweb-data:/data/pgbackweb-data:ro
-      - plausible-db-data:/data/plausible-db-data:ro
-      - plausible-event-data:/data/plausible-event-data:ro
-      - plausible-event-logs:/data/plausible-event-logs:ro
-      - portainer-data:/data/portainer-data:ro
-      - reactive-resume-pg:/data/reactive-resume-pg:ro
-      - semaphore_config:/data/semaphore_config:ro
-      - semaphore_data:/data/semaphore_data:ro
-      - semaphore_tmp:/data/semaphore_tmp:ro
-      - sonarqube-data:/data/sonarqube-data:ro
-      - sonarqube-db:/data/sonarqube-db:ro
-      - sonarqube-db-data:/data/sonarqube-db-data:ro
-      - sonarqube-extensions:/data/sonarqube-extensions:ro
-      - sonarqube-logs:/data/sonarqube-logs:ro
-      - sonarqube-temp:/data/sonarqube-temp:ro
-      - tandoor-pg:/data/tandoor-pg:ro
-      - unmanic-cache:/data/unmanic-cache:ro
-      - wallos-db:/data/wallos-db:ro
-      - wallos-logos:/data/wallos-logos:ro
+      - authelia-pg-db:/backup/authelia-pg-db:ro
+      - bitmagnet-pg-db:/backup/bitmagnet-pg-db:ro
+      - bunkerweb-storage:/backup/bunkerweb-storage:ro
+      - castopod-media:/backup/castopod-media:ro
+      - crowdsec-config:/backup/crowdsec-config:ro
+      - crowdsec-db:/backup/crowdsec-db:ro
+      - dawarich_db_data:/backup/dawarich_db_data:ro
+      - dawarich_shared:/backup/dawarich_shared:ro
+      - dawarich_public:/backup/dawarich_public:ro
+      - dawarich_watched:/backup/dawarich_watched:ro
+      - dbgate-data:/backup/dbgate-data:ro
+      - docker-volume-bkup-data:/backup/docker-volume-bkup-data:ro
+      - fastenhealth-cache:/backup/fastenhealth-cache:ro
+      - fastenhealth-db:/backup/fastenhealth-db:ro
+      - filebeat_etc:/backup/filebeat_etc:ro
+      - filebeat_var:/backup/filebeat_var:ro
+      - gitea-pg-db:/backup/gitea-pg-db:ro
+      - hortusfox_app_backup:/backup/hortusfox_app_backup:ro
+      - hortusfox_app_images:/backup/hortusfox_app_images:ro
+      - hortusfox_app_logs:/backup/hortusfox_app_logs:ro
+      - hortusfox_app_migrate:/backup/hortusfox_app_migrate:ro
+      - hortusfox_app_themes:/backup/hortusfox_app_themes:ro
+      - hortusfox_db_data:/backup/hortusfox_db_data:ro
+      - immich-model-cache:/backup/immich-model-cache:ro
+      - influxdb2-data:/backup/influxdb2-data:ro
+      - influxdb2-config:/backup/influxdb2-config:ro
+      - invidious-postgres:/backup/invidious-postgres:ro
+      - invoice-ninja_cache:/backup/invoice-ninja_cache:ro
+      - invoice-ninja_public:/backup/invoice-ninja_public:ro
+      - invoice-ninja_storage:/backup/invoice-ninja_storage:ro
+      - jitsi-web-admin-theme:/backup/jitsi-web-admin-theme:ro
+      - jitsi-web-admin-upload:/backup/jitsi-web-admin-upload:ro
+      - joplin_data:/backup/joplin_data:ro
+      - librechat-pg-data:/backup/librechat-pg-data:ro
+      - libretranslate_models:/backup/libretranslate_models:ro
+      - lldap_data:/backup/lldap_data:ro
+      - mastodon-pg-db:/backup/mastodon-pg-db:ro
+      - mixpost-storage:/backup/mixpost-storage:ro
+      - mixpost-logs:/backup/mixpost-logs:ro
+      - mongodb_config:/backup/mongodb_config:ro
+      - mongodb_data:/backup/mongodb_data:ro
+      - n8n-data:/backup/n8n-data:ro
+      - netbird-mgmt:/backup/netbird-mgmt:ro
+      - netbird-signal:/backup/netbird-signal:ro
+      - netbird-letsencrypt:/backup/netbird-letsencrypt:ro
+      - nextcloud_aio_mastercontainer:/backup/nextcloud_aio_mastercontainer:ro
+      - ollama:/backup/ollama:ro
+      - open-webui:/backup/open-webui:ro
+      - paperless-ngx-data:/backup/paperless-ngx-data:ro
+      - paperless-ngx-media:/backup/paperless-ngx-media:ro
+      - paperless-ngx-pg:/backup/paperless-ngx-pg:ro
+      - peppermint-pg-data:/backup/peppermint-pg-data:ro
+      - pgbackweb-data:/backup/pgbackweb-data:ro
+      - plausible-db-data:/backup/plausible-db-data:ro
+      - plausible-event-data:/backup/plausible-event-data:ro
+      - plausible-event-logs:/backup/plausible-event-logs:ro
+      - portainer-data:/backup/portainer-data:ro
+      - reactive-resume-pg:/backup/reactive-resume-pg:ro
+      - semaphore_config:/backup/semaphore_config:ro
+      - semaphore_data:/backup/semaphore_data:ro
+      - semaphore_tmp:/backup/semaphore_tmp:ro
+      - sonarqube-data:/backup/sonarqube-data:ro
+      - sonarqube-db:/backup/sonarqube-db:ro
+      - sonarqube-db-data:/backup/sonarqube-db-data:ro
+      - sonarqube-extensions:/backup/sonarqube-extensions:ro
+      - sonarqube-logs:/backup/sonarqube-logs:ro
+      - sonarqube-temp:/backup/sonarqube-temp:ro
+      - tandoor-pg:/backup/tandoor-pg:ro
+      - unmanic-cache:/backup/unmanic-cache:ro
+      - wallos-db:/backup/wallos-db:ro
+      - wallos-logos:/backup/wallos-logos:ro
  docuseal:
    container_name: docuseal
    image: docuseal/docuseal:latest
    labels:
-      homepage.group: Personal Services
+      homepage.group: Personal/Professional Services
      homepage.name: Docuseal
      homepage.href: https://docs.${MY_TLD}
      homepage.description: OSS Document Signing & Verification
@@ -1759,92 +1762,28 @@ services:
        type: bind
        bind:
          create_host_path: true
-  # hortusfox:
-  #   container_name: hortusfox
-  #   depends_on:
-  #     mariadb:
-  #       condition: service_started
-  #       required: true
-  #       restart: true
-  #   environment:
-  #     APP_ADMIN_EMAIL: charish.patel@trez.wtf
-  #     APP_ADMIN_PASSWORD: ${HORTUSFOX_ADMIN_PASSWORD}
-  #     DB_CHARSET: utf8mb4
-  #     DB_DATABASE: hortusfox
-  #     DB_HOST: mariadb
-  #     DB_PASSWORD: ${HORTUSFOX_DB_PASSWORD}
-  #     DB_PORT: 3306
-  #     DB_USERNAME: hortusfox
-  #   image: ghcr.io/danielbrendel/hortusfox-web:latest
-  #   labels:
-  #     swag: enable
-  #     swag_proto: http
-  #     swag_url: plants.${MY_TLD}
-  #     swag.uptime-kuma.enabled: true
-  #     swag.uptime-kuma.monitor.url: https://plants.${MY_TLD}
-  #     homepage.group: Lifestyle
-  #     homepage.name: HortusFox
-  #     homepage.href: https://plants.${MY_TLD}
-  #     homepage.icon: hortusfox.png
-  #     homepage.description: Plant management system
-  #   networks:
-  #     default: null
-  #   ports:
-  #     - 8006:80
-  #   restart: unless-stopped
-  #   volumes:
-  #     - source: hortusfox_app_images
-  #       target: /var/www/html/public/img
-  #       type: volume
-  #       volume: {}
-  #     - source: hortusfox_app_logs
-  #       target: /var/www/html/app/logs
-  #       type: volume
-  #       volume: {}
-  #     - source: hortusfox_app_backup
-  #       target: /var/www/html/public/backup
-  #       type: volume
-  #       volume: {}
-  #     - source: hortusfox_app_themes
-  #       target: /var/www/html/public/themes
-  #       type: volume
-  #       volume: {}
-  #     - source: hortusfox_app_migrate
-  #       target: /var/www/html/app/migrations
-  #       type: volume
-  #       volume: {}
-  # hugo:
-  #   command: hugo server --baseURL "it-services.trez.wtf" --bind 0.0.0.0 --appendPort=false --source=/src/it-services --configDir=/src/it-services/config/ -e production --logLevel debug
-  #   container_name: hugo
-  #   image: hugomods/hugo:exts
-  #   labels:
-  #     swag: enable
-  #     swag_proto: http
-  #     swag_port: 1313
-  #     swag_url: it-services.${MY_TLD}
-  #     swag.uptime-kuma.enabled: true
-  #     swag.uptime-kuma.monitor.url: https://it-services.${MY_TLD}
-  #     homepage.group: Professional Services
-  #     homepage.name: Hugo
-  #     homepage.href: https://it-services.${MY_TLD}
-  #     homepage.icon: hugo.svg
-  #     homepage.description: Static site
-  #   networks:
-  #     default: null
-  #   ports:
-  #     - 1313:1313
-  #   restart: unless-stopped
-  #   volumes:
-  #     - source: ${DOCKER_VOLUME_CONFIG}/hugo/
-  #       target: /src
-  #       type: bind
-  #       bind:
-  #         create_host_path: true
-  #     - source: ${DOCKER_VOLUME_CONFIG}/hugo/cache
-  #       target: /tmp/hugo_cache
-  #       type: bind
-  #       bind:
-  #         create_host_path: true
+  hugo:
+    command: hugo server --baseURL "it-services.trez.wtf" --bind 0.0.0.0 --appendPort=false --source=/src/it-services --configDir=/src/it-services/config/ -e production --logLevel debug
+    container_name: hugo
+    image: hugomods/hugo:exts
+    labels:
+      swag: enable
+      swag_proto: http
+      swag_port: 1313
+      swag_url: it-services.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://it-services.${MY_TLD}
+      homepage.group: Personal/Professional Services
+      homepage.name: Hugo
+      homepage.href: https://it-services.${MY_TLD}
+      homepage.icon: hugo.svg
+      homepage.description: Static site
+    ports:
+      - 1313:1313
+    restart: unless-stopped
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/hugo/:/src
+      - ${DOCKER_VOLUME_CONFIG}/hugo/cache:/tmp/hugo_cache
  immich-server:
    container_name: immich-server
    depends_on:
@@ -1852,8 +1791,12 @@ services:
        condition: service_started
        required: true
      immich-pg-db:
-        condition: service_started
+        condition: service_healthy
        required: true
+      immich-machine-learning:
+        condition: service_healthy
+        required: true
+        restart: true
    environment:
      DB_DATABASE_NAME: immich
      DB_HOSTNAME: immich-pg-db
@@ -1897,10 +1840,6 @@ services:
      - /etc/localtime:/etc/localtime:ro
  immich-machine-learning:
    container_name: immich-machine-learning
-    depends_on:
-      immich-server:
-        condition: service_started
-        required: true
    healthcheck:
      disable: false
    image: ghcr.io/immich-app/immich-machine-learning:release
@@ -2089,110 +2028,6 @@ services:
        type: bind
        bind:
          create_host_path: true
-  # invoice-ninja:
-  #   container_name: invoice-ninja
-  #   depends_on:
-  #     mariadb:
-  #       condition: service_started
-  #       required: true
-  #       restart: true
-  #   environment:
-  #     APP_DEBUG: true
-  #     APP_KEY: ${IN_APP_KEY}
-  #     APP_URL: http://invoice_ninja:8003
-  #     APP_ENV: /var/www/html/.env
-  #     DB_DATABASE: invoice_ninja
-  #     DB_HOST: mariadb
-  #     DB_PASSWORD: ${IN_MYSQL_PASSWORD}
-  #     DB_PORT: 3306
-  #     DB_USERNAME: ininja
-  #     IN_PASSWORD: ${IN_PASSWORD}
-  #     IN_USER_EMAIL: charish.patel@trez.wtf
-  #     MAIL_ENCRYPTION: null
-  #     MAIL_FROM_ADDRESS: noreply@trez.wtf
-  #     MAIL_FROM_NAME: null
-  #     MAIL_HOST: postal-smtp
-  #     MAIL_MAILER: log
-  #     MAIL_PASSWORD: ${POSTAL_SMTP_AUTH_PASSWORD}
-  #     MAIL_PORT: 25
-  #     MAIL_USERNAME: ${POSTAL_SMTP_AUTH_USER}
-  #     MYSQL_DATABASE: invoice_ninja
-  #     MYSQL_PASSWORD: ${IN_MYSQL_PASSWORD}
-  #     MYSQL_ROOT_PASSWORD: ${MARIADB_ENVIRONMENT_MYSQL_ROOT_PASSWORD}
-  #     MYSQL_USER: ininja
-  #     PDF_GENERATOR: snappdf
-  #     PHANTOMJS_PDF_GENERATION: false
-  #     QUEUE_CONNECTION: database
-  #     REQUIRE_HTTPS: false
-  #     TRUSTED_PROXIES: 172.18.0.0/16
-  #   expose:
-  #     - 9000
-  #   image: invoiceninja/invoiceninja-debian:5
-  #   networks:
-  #     default: null
-  #   ports:
-  #     - 8003:8003
-  #   restart: always
-  #   volumes:
-  #     - invoice-ninja_cache:/var/www/html/bootstrap/cache
-  #     - invoice-ninja_public:/var/www/html/public
-  #     - invoice-ninja_storage:/var/www/html/storage
-  # invoice-ninja_proxy:
-  #   container_name: invoice-ninja_proxy
-  #   depends_on:
-  #     invoice-ninja:
-  #       condition: service_started
-  #       required: true
-  #       restart: true
-  #   environment:
-  #     APP_DEBUG: true
-  #     APP_KEY: ${IN_APP_KEY}
-  #     APP_URL: http://invoice_ninja:9000
-  #     DB_DATABASE: invoice_ninja
-  #     DB_HOST: mariadb
-  #     DB_PASSWORD: ${IN_MYSQL_PASSWORD}
-  #     DB_PORT: 3306
-  #     DB_USERNAME: ininja
-  #     IN_PASSWORD: ${IN_PASSWORD}
-  #     IN_USER_EMAIL: charish.patel@trez.wtf
-  #     MAIL_ENCRYPTION: null
-  #     MAIL_FROM_ADDRESS: noreply@trez.wtf
-  #     MAIL_FROM_NAME: null
-  #     MAIL_HOST: postal-smtp
-  #     MAIL_MAILER: log
-  #     MAIL_PASSWORD: ${POSTAL_SMTP_AUTH_PASSWORD}
-  #     MAIL_PORT: 25
-  #     MAIL_USERNAME: ${POSTAL_SMTP_AUTH_USER}
-  #     MYSQL_DATABASE: invoice_ninja
-  #     MYSQL_PASSWORD: ${IN_MYSQL_PASSWORD}
-  #     MYSQL_ROOT_PASSWORD: ${MARIADB_ENVIRONMENT_MYSQL_ROOT_PASSWORD}
-  #     MYSQL_USER: ininja
-  #     PDF_GENERATOR: snappdf
-  #     PHANTOMJS_PDF_GENERATION: false
-  #     QUEUE_CONNECTION: database
-  #     REQUIRE_HTTPS: false
-  #     TRUSTED_PROXIES: 172.18.0.0/16
-  #   image: nginx
-  #   labels:
-  #     swag: enable
-  #     swag_proto: http
-  #     swag_url: biz.${MY_TLD}
-  #     swag.uptime-kuma.enabled: true
-  #     swag.uptime-kuma.monitor.url: https://biz.${MY_TLD}
-  #     homepage.group: Professional Services
-  #     homepage.name: Invoice Ninja
-  #     homepage.href: https://biz.${MY_TLD}
-  #     homepage.icon: invoice-ninja.svg
-  #     homepage.description: Simple invoicing, multiple payment options, expense and vendor management, and more!
-  #   networks:
-  #     default: null
-  #   ports:
-  #     - 8005:80
-  #   restart: always
-  #   volumes:
-  #     - ${DOCKER_VOLUME_CONFIG}/invoice-ninja/nginx:/etc/nginx/conf.d:ro
-  #     - invoice-ninja_public:/var/www/html/public
-  #     - invoice-ninja_storage:/var/www/html/storage
  it-tools:
    container_name: it-tools
    image: ghcr.io/corentinth/it-tools:latest
@@ -2855,7 +2690,7 @@ services:
      POSTGRES_HOST: joplin-db
    image: joplin/server:latest
    labels:
-      homepage.group: Personal Services
+      homepage.group: Personal/Professional Services
      homepage.name: Joplin
      homepage.href: https://notes.${MY_TLD}
      homepage.icon: joplin.svg
@@ -2883,7 +2718,7 @@ services:
      RAG_API_URL: http://librechat-rag-api:8000
    image: ghcr.io/danny-avila/librechat-dev:latest
    labels:
-      homepage.group: Personal Services
+      homepage.group: Personal/Professional Services
      homepage.name: LibreChat
      homepage.href: https://ai.${MY_TLD}
      homepage.icon: sh-librechat.svg
@@ -2939,7 +2774,7 @@ services:
    environment:
      LT_UPDATE_MODELS: true
    labels:
-      homepage.group: Personal Services
+      homepage.group: Personal/Professional Services
      homepage.name: LibreTranslate
      homepage.href: https://translate.${MY_TLD}
      homepage.icon: sh-libretranslate.svg
@@ -3478,6 +3313,10 @@ services:
    environment:
      ND_AUTOIMPORTPLAYLISTS: false
      ND_BASEURL: ""
+      ND_BACKUP_PATH: /backups
+      ND_BACKUP_SCHEDULE: '@every 6h'
+      ND_BACKUP_COUNT: 7
+      ND_ENABLEGRAVATAR: true
      ND_LASTFM_APIKEY: ${LASTFM_API_KEY}
      ND_LASTFM_ENABLED: true
      ND_LASTFM_SECRET: ${LASTFM_API_SECRET}
@@ -3499,8 +3338,8 @@ services:
      homepage.widget.type: navidrome
      homepage.widget.url: http://navidrome:4533
      homepage.widget.user: admin
-      homepage.widget.token: e8a9e97b29aa963fa4729c633289d232
-      homepage.widget.salt: v5Z93Z
+      homepage.widget.token: ${NAVIDROME_HOMEPAGE_TOKEN}
+      homepage.widget.salt: ${NAVIDROME_HOMEPAGE_SALT}
      swag: enable
      swag_port: 4533
      swag_proto: http
@@ -3514,16 +3353,10 @@ services:
    restart: unless-stopped
    user: 1000:1000
    volumes:
-      - source: ${DOCKER_VOLUME_CONFIG}/navidrome
-        target: /data
-        type: bind
-        bind:
-          create_host_path: true
-      - source: ${DOCKER_VOLUME_STORAGE}/Audio/Music
-        target: /music
-        type: bind
-        bind:
-          create_host_path: true
+      - ${DOCKER_VOLUME_CONFIG}/navidrome:/data
+      - ${DOCKER_VOLUME_STORAGE}/Audio/Music:/music
+      - ${DOCKER_VOLUME_STORAGE}/Audio/Playlists:/playlists
+      - ${DOCKER_VOLUME_STORAGE}/backups/navidrome:/backups
  netalertx:
    container_name: netalertx
    environment:
@@ -3551,123 +3384,121 @@ services:
        target: /app/api
      # (API: OPTION 2) use when debugging issues
      # - ${DOCKER_VOLUME_CONFIG}/netalertx/api:/app/api
-  # netbird-dashboard:
-  #   container_name: netbird-dashboard
-  #   environment:
-  #     # Endpoints
-  #     NETBIRD_MGMT_API_ENDPOINT: https://netbird.${MY_TLD}:33073
-  #     NETBIRD_MGMT_GRPC_API_ENDPOINT: https://netbird.${MY_TLD}:33073
-  #     # OIDC
-  #     AUTH_AUDIENCE: ${NETBIRD_ZITADEL_CLIENT_ID}
-  #     AUTH_CLIENT_ID: ${NETBIRD_ZITADEL_CLIENT_ID}
-  #     AUTH_CLIENT_SECRET: ${NETBIRD_ZITADEL_CLIENT_SECRET}
-  #     AUTH_AUTHORITY: https://id.${MY_TLD}
-  #     USE_AUTH0: false
-  #     AUTH_SUPPORTED_SCOPES: openid profile email offline_access api
-  #     AUTH_REDIRECT_URI: /auth
-  #     AUTH_SILENT_REDIRECT_URI: /silent-auth
-  #     NETBIRD_TOKEN_SOURCE: accessToken
-  #     # SSL
-  #     NGINX_SSL_PORT: 443
-  #     # Letsencrypt
-  #     LETSENCRYPT_DOMAIN:
-  #     LETSENCRYPT_EMAIL:
-  #   image: netbirdio/dashboard:latest
-  #   labels:
-  #     homepage.group: Privacy/Security
-  #     homepage.name: Netbird
-  #     homepage.href: https://netbird.${MY_TLD}
-  #     homepage.icon: netbird.svg
-  #     homepage.description: Peer-to-peer private network and centralized access control system
-  #     swag: enable
-  #     swag_proto: http
-  #     swag_port: 80
-  #     swag_auth: authelia
-  #     swag_url: netbird.${MY_TLD}
-  #     swag_server_custom_directive: |
-  #       location /signalexchange.SignalExchange/ {
-  #           grpc_pass grpc://netbird-signal:80;
-  #           #grpc_ssl_verify off;
-  #           grpc_read_timeout 1d;
-  #           grpc_send_timeout 1d;
-  #           grpc_socket_keepalive on;
-  #       }
-  #       # Proxy Management http endpoint
-  #       location /api {
-  #           proxy_pass http://netbird-management:443;
-  #       }
-  #       # Proxy Management grpc endpoint
-  #       location /management.ManagementService/ {
-  #           grpc_pass grpc://netbird-management:443;
-  #           #grpc_ssl_verify off;
-  #           grpc_read_timeout 1d;
-  #           grpc_send_timeout 1d;
-  #           grpc_socket_keepalive on;
-  #       }
-  #     swag.uptime-kuma.enabled: true
-  #     swag.uptime-kuma.monitor.url: https://netbird.${MY_TLD}
-  #   ports:
-  #     - 32908:80
-  #     - 36610:443
-  #   restart: unless-stopped
-  #   volumes:
-  #     - netbird-letsencrypt:/etc/letsencrypt/
-  # netbird-signal:
-  #   container_name: netbird-signal
-  #   image: netbirdio/signal:latest
-  #   ports:
-  #     - 10001:80
-  #   restart: unless-stopped
-  #   volumes:
-  #     - netbird-signal:/var/lib/netbird
-  # netbird-relay:
-  #   container_name: netbird-relay
-  #   image: netbirdio/relay:latest
-  #   restart: unless-stopped
-  #   environment:
-  #     NB_LOG_LEVEL: info
-  #     NB_LISTEN_ADDRESS: :33080
-  #     NB_EXPOSED_ADDRESS: netbird.${MY_TLD}:33080
-  #     # todo: change to a secure secret
-  #     NB_AUTH_SECRET: ${NETBIRD_RELAY_AUTH_SECRET}
-  #   ports:
-  #     - 33080:33080
-  # netbird-management:
-  #   command: [
-  #     "--port", "443",
-  #     "--log-file", "console",
-  #     "--log-level", "info",
-  #     "--disable-anonymous-metrics=false",
-  #     "--single-account-mode-domain=netbird.${MY_TLD}",
-  #     "--dns-domain=netbird.selfhosted"
-  #     ]
-  #   container_name: netbird-management
-  #   depends_on:
-  #     netbird-dashboard:
-  #       condition: service_started
-  #   environment:
-  #     NETBIRD_STORE_ENGINE_POSTGRES_DSN:
-  #     NETBIRD_STORE_ENGINE_MYSQL_DSN:
-  #   image: netbirdio/management:latest
-  #   restart: unless-stopped
-  #   volumes:
-  #     - netbird-mgmt:/var/lib/netbird
-  #     - netbird-letsencrypt:/etc/letsencrypt:ro
-  #     - ${DOCKER_VOLUME_CONFIG}/netbird/management.json:/etc/netbird/management.json
-  #   ports:
-  #     - 23833:443 #API port
-  # netbird-coturn:
-  #   command:
-  #     - -c /etc/turnserver.conf
-  #   container_name: netbird-coturn
-  #   image: coturn/coturn:latest
-  #   restart: unless-stopped
-  #   #domainname: netbird.${MY_TLD} # only needed when TLS is enabled
-  #   volumes:
-  #     - ${DOCKER_VOLUME_CONFIG}/netbird/turnserver.conf:/etc/turnserver.conf:ro
-  #        - ${DOCKER_VOLUME_CONFIG}/netbird/privkey.pem:/etc/coturn/private/privkey.pem:ro
-  #        - ${DOCKER_VOLUME_CONFIG}/netbird/cert.pem:/etc/coturn/certs/cert.pem:ro
-  #   network_mode: host
+  netbird-dashboard:
+    container_name: netbird-dashboard
+    environment:
+      # Endpoints
+      NETBIRD_MGMT_API_ENDPOINT: https://vpn.${MY_TLD}
+      NETBIRD_MGMT_GRPC_API_ENDPOINT: https://vpn.${MY_TLD}
+      # OIDC
+      AUTH_AUDIENCE: none
+      AUTH_CLIENT_ID: netbird
+      AUTH_CLIENT_SECRET: ${AUTHELIA_NETBIRD_CLIENT_SECRET}
+      AUTH_AUTHORITY: https://auth.${MY_TLD}
+      USE_AUTH0: false
+      AUTH_SUPPORTED_SCOPES: openid profile email offline_access api
+      AUTH_REDIRECT_URI: /peers
+      AUTH_SILENT_REDIRECT_URI: /add-peers
+      NETBIRD_TOKEN_SOURCE: idToken
+      # SSL
+      NGINX_SSL_PORT: 443
+      # Letsencrypt
+      LETSENCRYPT_DOMAIN:
+      LETSENCRYPT_EMAIL:
+    image: netbirdio/dashboard:latest
+    labels:
+      homepage.group: Privacy/Security
+      homepage.name: Netbird
+      homepage.href: https://vpn.${MY_TLD}
+      homepage.icon: netbird.svg
+      homepage.description: Peer-to-peer private network and centralized access control system
+      swag: enable
+      swag_proto: http
+      swag_port: 80
+      swag_auth: authelia
+      swag_url: vpn.${MY_TLD}
+      swag_server_custom_directive: |
+        location /signalexchange.SignalExchange/ {
+            grpc_pass grpc://netbird-signal;
+            #grpc_ssl_verify off;
+            grpc_read_timeout 1d;
+            grpc_send_timeout 1d;
+            grpc_socket_keepalive on;
+        }
+        # Proxy Management http endpoint
+        location /api {
+            proxy_pass http://netbird-management;
+        }
+        # Proxy Management grpc endpoint
+        location /management.ManagementService/ {
+            grpc_pass grpc://netbird-management;
+            #grpc_ssl_verify off;
+            grpc_read_timeout 1d;
+            grpc_send_timeout 1d;
+            grpc_socket_keepalive on;
+        }
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://vpn.${MY_TLD}
+    ports:
+      - 32908:80
+      - 36610:443
+    restart: unless-stopped
+    volumes:
+      - netbird-letsencrypt:/etc/letsencrypt/
+  netbird-signal:
+    container_name: netbird-signal
+    image: netbirdio/signal:latest
+    ports:
+      - 10001:80
+    restart: unless-stopped
+    volumes:
+      - netbird-signal:/var/lib/netbird
+  netbird-relay:
+    image: netbirdio/relay:latest
+    restart: unless-stopped
+    environment:
+      NB_LOG_LEVEL: info
+      NB_LISTEN_ADDRESS: :33080
+      NB_EXPOSED_ADDRESS: vpn.${MY_TLD}:33080
+      # todo: change to a secure secret
+      NB_AUTH_SECRET: ${NETBIRD_RELAY_AUTH_SECRET}
+    ports:
+      - 33080:33080
+  netbird-management:
+    command: [
+      "--port", "443",
+      "--log-file", "console",
+      "--log-level", "info",
+      "--disable-anonymous-metrics=false",
+      "--single-account-mode-domain=vpn.${MY_TLD}",
+      "--dns-domain=vpn.trez.wtf"
+    ]
+    container_name: netbird-management
+    depends_on:
+      netbird-dashboard:
+        condition: service_started
+    environment:
+      NETBIRD_STORE_ENGINE_POSTGRES_DSN:
+      NETBIRD_STORE_ENGINE_MYSQL_DSN:
+    image: netbirdio/management:latest
+    restart: unless-stopped
+    volumes:
+      - netbird-mgmt:/var/lib/netbird
+      - netbird-letsencrypt:/etc/letsencrypt:ro
+      - ${DOCKER_VOLUME_CONFIG}/netbird/management.json:/etc/netbird/management.json
+    ports:
+      - 33073:443 #API port
+  netbird-coturn:
+    command:
+      - -c /etc/turnserver.conf
+    container_name: netbird-coturn
+    image: coturn/coturn:latest
+    restart: unless-stopped
+    #domainname: vpn.${MY_TLD} # only needed when TLS is enabled
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/netbird/turnserver.conf:/etc/turnserver.conf:ro
+    #      - ${DOCKER_VOLUME_CONFIG}/netbird/privkey.pem:/etc/coturn/private/privkey.pem:ro
+    #      - ${DOCKER_VOLUME_CONFIG}/netbird/cert.pem:/etc/coturn/certs/cert.pem:ro
  nextcloud:
    container_name: nextcloud-aio-mastercontainer
    environment:
@@ -3679,7 +3510,7 @@ services:
      - 11000
    image: nextcloud/all-in-one:latest
    labels:
-      homepage.group: Personal Services
+      homepage.group: Personal/Professional Services
      homepage.name: NextCloud
      homepage.href: https://cloud.${MY_TLD}
      homepage.icon: nextcloud.svg
@@ -3778,7 +3609,7 @@ services:
      swag_url: docs.${MY_TLD}
      swag.uptime-kuma.enabled: true
      swag.uptime-kuma.monitor.url: https://docs.${MY_TLD}
-      homepage.group: Personal Services
+      homepage.group: Personal/Professional Services
      homepage.name: Paperless-ngx
      homepage.href: https://docs.${MY_TLD}
      homepage.icon: paperless-ngx.svg
@@ -3838,51 +3669,6 @@ services:
    restart: unless-stopped
    volumes:
      - ${DOCKER_VOLUME_CONFIG}/parseable/staging:/staging
-  # peppermint:
-  #   container_name: peppermint
-  #   depends_on:
-  #     peppermint-pg-db:
-  #       condition: service_started
-  #       required: true
-  #   environment:
-  #     BASE_URL: https://support.trez.wtf
-  #     DB_USERNAME: peppermint
-  #     DB_PASSWORD: ${PEPPERMINT_PG_PASSWORD}
-  #     DB_HOST: peppermint-pg-db
-  #     SECRET: ${PEPPERMINT_SECRET_KEY}
-  #   image: pepperlabs/peppermint:latest
-  #   labels:
-  #     swag: enable
-  #     swag_proto: http
-  #     swag_port: 3000
-  #     swag_url: support.${MY_TLD}
-  #     swag_server_custom_directive: |
-  #       location /api {
-  #             proxy_pass http://peppermint:5003;
-  #       }
-  #     swag.uptime-kuma.enabled: true
-  #     swag.uptime-kuma.monitor.url: https://support.${MY_TLD}
-  #     homepage.group: Professional Services
-  #     homepage.name: Peppermint
-  #     homepage.href: https://support.${MY_TLD}
-  #     homepage.icon: peppermint.svg
-  #     homepage.description: Open-source ticket management and help desk solution
-  #   ports:
-  #     - 3000:3000
-  #     - 5003:5003
-  #   restart: always
-  # peppermint-pg-db:
-  #   container_name: peppermint-pg-db
-  #   environment:
-  #     POSTGRES_USER: peppermint
-  #     POSTGRES_PASSWORD: ${PEPPERMINT_PG_PASSWORD}
-  #     POSTGRES_DB: peppermint
-  #   expose:
-  #     - 5432
-  #   image: postgres:17-alpine
-  #   restart: always
-  #   volumes:
-  #     - peppermint-pg-data:/var/lib/postgresql/data
  pgbackweb:
    container_name: pgbackweb
    depends_on:
@@ -3929,79 +3715,6 @@ services:
      - 8080
    image: 'plantuml/plantuml-server:jetty'
    restart: unless-stopped
-  # plausible:
-  #   command: sh -c "sleep 10 && /entrypoint.sh db createdb && /entrypoint.sh db migrate && /entrypoint.sh run"
-  #   container_name: plausible
-  #   depends_on:
-  #     plausible_db:
-  #       condition: service_started
-  #       required: true
-  #     plausible_events_db:
-  #       condition: service_started
-  #       required: true
-  #   environment:
-  #     BASE_URL: https://analytics.${MY_TLD}
-  #     CLICKHOUSE_DATABASE_URL: http://plausible-events-db:8123/plausible_events_db
-  #     DATABASE_URL: postgres://plausible:${PLAUSIBLE_PG_PASSWORD}@plausible-db:5432/plausible_db
-  #     DISABLE_REGISTRATION: invite_only
-  #     ENABLE_EMAIL_VERIFICATION: true
-  #     MAILER_ADAPTER: Bamboo.Mua
-  #     MAILER_EMAIL: noreply@trez.wtf
-  #     MAILER_NAME: Plausible
-  #     MAXMINDDB_LICENSE_KEY: ${SWAG_MAXMINDDB_LICENSE_KEY}
-  #     SECRET_KEY_BASE: ${PLAUSIBLE_SECRET_KEY_BASE}
-  #     SMTP_HOST_ADDR: postal-smtp
-  #     SMTP_HOST_PORT: 25
-  #     SMTP_USER_NAME: ${POSTAL_SMTP_AUTH_USER}
-  #     SMTP_USER_PWD: ${POSTAL_SMTP_AUTH_PASSWORD}
-  #     TOTP_VAULT_KEY: ${PLAUSIBLE_TOTP_VAULT_KEY}
-  #   image: ghcr.io/plausible/community-edition:v2.1.0
-  #   labels:
-  #     swag: enable
-  #     swag_proto: http
-  #     swag_port: 8000
-  #     swag_url: analytics.${MY_TLD}
-  #     homepage.group: Professional Services
-  #     homepage.name: Plausible
-  #     homepage.href: https://analytics.${MY_TLD}
-  #     homepage.icon: plausible.svg
-  #     homepage.description: Open-source web analytics
-  #   networks:
-  #     default: null
-  #   ports:
-  #     - 8107:8000
-  #   restart: always
-  # plausible_db:
-  #   container_name: plausible-db
-  #   environment:
-  #     POSTGRES_DB: plausible_db
-  #     POSTGRES_PASSWORD: ${PLAUSIBLE_PG_PASSWORD}
-  #     POSTGRES_USER: plausible
-  #   expose:
-  #     - 5432
-  #   image: postgres:16-alpine
-  #   networks:
-  #     default: null
-  #   restart: always
-  #   volumes:
-  #     - plausible-db-data:/var/lib/postgresql/data
-  # plausible_events_db:
-  #   container_name: plausible-events-db
-  #   expose:
-  #     - 8123
-  #   image: clickhouse/clickhouse-server:24.3.3.102-alpine
-  #   networks:
-  #     default: null
-  #   restart: always
-  #   ulimits:
-  #     nofile:
-  #       hard: 262144
-  #       soft: 262144
-  #   volumes:
-  #     - plausible-event-data:/var/lib/clickhouse
-  #     - plausible-event-logs:/var/log/clickhouse-server
-  #     - ${DOCKER_VOLUME_CONFIG}/plausible/clickhouse/clickhouse-config.xml:/etc/clickhouse-server/config.d/logging.xml:ro
-  #     - ${DOCKER_VOLUME_CONFIG}/plausible/clickhouse/clickhouse-user-config.xml:/etc/clickhouse-server/users.d/logging.xml:ro
  portainer:
    command: -H tcp://dockerproxy:2375
    container_name: portainer
@@ -4270,12 +3983,12 @@ services:
      ACCESS_TOKEN_SECRET: ${REACTIVE_RESUME_ACCESS_TOKEN_SECRET}
      CHROME_PORT: 443
      CHROME_TOKEN: ${CHROMIUM_TOKEN}
-      CHROME_URL: wss://browse.${MY_TLD}
+      CHROME_URL: wss://browserless:3000
      DATABASE_URL: postgresql://reactiveresume:${REACTIVE_RESUME_PGSQL_PASSWORD}@reactive-resume-pg:5432/reactiveresume
      MAIL_FROM: noreply@trez.wtf
      NODE_ENV: production
      PORT: 3000
-      PUBLIC_URL: https://resume.${MY_TLD}
+      PUBLIC_URL: http://reactive-resume:3000
      REFRESH_TOKEN_SECRET: ${REACTIVE_RESUME_REFRESH_TOKEN_SECRET}
      SMTP_URL: smtp://${POSTAL_SMTP_AUTH_USER}:${POSTAL_SMTP_AUTH_PASSWORD}@postal-smtp:25
      STORAGE_ACCESS_KEY: ${REACTIVE_RESUME_S3_ACCESS_KEY}
@@ -4289,7 +4002,7 @@ services:
      TZ: ${TZ}
    image: amruthpillai/reactive-resume:latest
    labels:
-      homepage.group: Personal Services
+      homepage.group: Personal/Professional Services
      homepage.name: Reactive Resume
      homepage.href: https://resume.${MY_TLD}
      homepage.icon: reactive-resume.svg
@@ -4542,7 +4255,7 @@ services:
      - 3000
    image: jpyles0524/scraperr:latest
    labels:
-      homepage.group: Personal Services
+      homepage.group: Personal/Professional Services
      homepage.name: Scraperr
      homepage.href: https://scrape.${MY_TLD}
      homepage.icon: /icons/scraperr.png
@@ -4633,7 +4346,7 @@ services:
      SEARXNG_BASE_URL: https://${SEARXNG_BASE_URL:-localhost}/
    image: searxng/searxng:latest
    labels:
-      homepage.group: Personal Services
+      homepage.group: Personal/Professional Services
      homepage.name: SearxNG
      homepage.href: https://search.${MY_TLD}
      homepage.icon: searxng.png
@@ -4973,27 +4686,6 @@ services:
    restart: unless-stopped
    volumes:
        - ${DOCKER_VOLUME_CONFIG}/speedtest-tracker:/config
-  # spotisub:
-  #   container_name: spotisub
-  #   environment:
-  #     SPOTIPY_CLIENT_ID: ${YOUR_SPOTIFY_ID}
-  #     SPOTIPY_CLIENT_SECRET: ${YOUR_SPOTIFY_SECRET}
-  #     SPOTIPY_REDIRECT_URI: http://127.0.0.1:8080/
-  #     SUBSONIC_API_HOST: http://navidrome
-  #     SUBSONIC_API_PORT: 4533
-  #     SUBSONIC_API_USER: ${NAVIDROME_USERNAME}
-  #     SUBSONIC_API_PASS: ${NAVIDROME_PASSWORD}
-  #   healthcheck:
-  #     test: curl -s http://127.0.0.1:5183/api/v1/utils/healthcheck | grep -q 'Ok!' || exit 1
-  #     interval: 30s
-  #     retries: 20
-  #     start_period: 30s
-  #   image: blastbeng/spotisub:latest
-  #   ports:
-  #     - 5183:5183
-  #   restart: always
-  #   volumes:
-  #     - ${DOCKER_VOLUME_CONFIG}/spotisub:/home/user/spotisub/cache
  stable-diffusion-download:
    container_name: stable-diffusion-download
    image: git.trez.wtf/trez.one/stable-diffusion-download:v9.0.0
@@ -5002,12 +4694,12 @@ services:
      - ${DOCKER_VOLUME_CONFIG}/stable-diffusion-webui/data:/data
  stable-diffusion-webui:
    container_name: stable-diffusion-webui
-    image: git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.0
+    image: git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.1
    environment:
      - CLI_ARGS=--allow-code --medvram --xformers --enable-insecure-extension-access --api
    labels:
      homepage.name: Stable-Diffusion WebUI
-      homepage.group: Personal Services
+      homepage.group: Personal/Professional Services
      homepage.description: Deep learning, text-to-image model
      homepage.href: https://sd.${MY_TLD}
      homepage.icon: /icons/stable-diffusion.png
@@ -5041,7 +4733,7 @@ services:
      VALIDATION: dns
      CROWDSEC_API_KEY: ${CROWDSEC_API_KEY}
      CROWDSEC_LAPI_URL: http://crowdsec:8080
-      DOCKER_MODS: linuxserver/mods:universal-docker|linuxserver/mods:swag-auto-reload|linuxserver/mods:swag-auto-proxy|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-maxmind|linuxserver/mods:universal-stdout-logs|ghcr.io/linuxserver/mods:swag-crowdsec|linuxserver/mods:swag-auto-uptime-kuma
+      DOCKER_MODS: linuxserver/mods:universal-docker|linuxserver/mods:swag-auto-reload|linuxserver/mods:swag-auto-proxy|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-maxmind|linuxserver/mods:universal-stdout-logs|ghcr.io/linuxserver/mods:swag-crowdsec #|linuxserver/mods:swag-auto-uptime-kuma
      PROPAGATION: 30
      UPTIME_KUMA_PASSWORD: ${UPTIME_KUMA_PASSWORD}
      UPTIME_KUMA_URL: http://uptimekuma:3001
@@ -5202,6 +4894,10 @@ services:
        volume: {}
  uptimekuma:
    container_name: uptimekuma
+    depends_on:
+      swag:
+        condition: service_started
+        required: true
    environment:
      PGID: ${PGID}
      PUID: ${PUID}
Author	SHA1	Message	Date
Trez.One	0242957fc4	Misc. fix for Immich stack. Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Check and Create PR (push) Successful in 4m48s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Docker Compose & Ansible Lints (push) Successful in 12m28s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Cloudflare DNS Setup (push) Successful in 4m39s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Update README & Generate List of Modified Services (push) Successful in 6m35s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / PR Merge (push) Successful in 2m15s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Ansible Configs & Docker Compose Deployment (push) Successful in 39m33s Details	2025-03-14 09:22:46 -04:00
Trez.One	aedcdfe4d2	Ansible syntax fixes in Authelia config. Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Check and Create PR (push) Successful in 33s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Docker Compose & Ansible Lints (push) Failing after 17m41s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Update README & Generate List of Modified Services (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Cloudflare DNS Setup (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / PR Merge (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Ansible Configs & Docker Compose Deployment (push) Has been skipped Details	2025-03-14 08:29:05 -04:00
Trez.One	0b252923ab	Authelia YML fixes. Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Check and Create PR (push) Successful in 4m5s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Docker Compose & Ansible Lints (push) Failing after 14m35s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Cloudflare DNS Setup (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Update README & Generate List of Modified Services (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / PR Merge (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Ansible Configs & Docker Compose Deployment (push) Has been skipped Details	2025-03-13 20:54:42 -04:00
Trez.One	40b79c6913	Authelia YML fixes. Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Check and Create PR (push) Successful in 56s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Docker Compose & Ansible Lints (push) Failing after 11m32s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Cloudflare DNS Setup (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Update README & Generate List of Modified Services (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / PR Merge (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Ansible Configs & Docker Compose Deployment (push) Has been skipped Details	2025-03-13 20:20:44 -04:00
Trez.One	90f648fa62	Authelia YML fixes. Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Check and Create PR (push) Successful in 1m25s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Docker Compose & Ansible Lints (push) Failing after 13m26s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Cloudflare DNS Setup (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Update README & Generate List of Modified Services (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / PR Merge (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Ansible Configs & Docker Compose Deployment (push) Has been skipped Details	2025-03-13 19:58:56 -04:00
Trez.One	a4dfc70c66	Removing notification from first job. Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Check and Create PR (push) Successful in 9m11s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Docker Compose & Ansible Lints (push) Failing after 18m41s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Update README & Generate List of Modified Services (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Cloudflare DNS Setup (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / PR Merge (push) Has been skipped Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Ansible Configs & Docker Compose Deployment (push) Has been skipped Details	2025-03-13 19:08:47 -04:00
Trez.One	9c1dd9cb4b	Correcting multi-scrobbler configuration. Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Check and Create PR (push) Failing after 12m31s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Docker Compose & Ansible Lints (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Cloudflare DNS Setup (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Update README & Generate List of Modified Services (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / PR Merge (push) Has been cancelled Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Ansible Configs & Docker Compose Deployment (push) Has been cancelled Details	2025-03-13 18:30:07 -04:00
Trez.One	4fe88c0109	Adding more notifications for workflow.	2025-03-13 18:30:07 -04:00
Trez.One	9f8538f892	Netbird configuration to use Authelia.	2025-03-13 18:30:07 -04:00
Trez.One	391844015a	Adding Gravatar support in ND.	2025-03-13 11:55:58 -04:00
Trez.One	2789ee7121	Added envs for Navidrome.	2025-03-13 11:52:11 -04:00
Trez.One	adf07ff505	Merge remote-tracking branch 'refs/remotes/origin/main'	2025-03-13 11:17:42 -04:00
Trez.One	b7b3fb1af0	Adding SWAG dependency for Uptime Kuma.	2025-03-13 11:16:52 -04:00
Trez.One	f704e3f3f2	Adding Authelia config for Ansible.	2025-03-12 18:47:23 -04:00
Trez.One	5ecde8b8eb	Reactive Resume env change.	2025-03-12 13:23:15 -04:00
gitea-sonarqube-bot	d5281c8231	Auto Merge of PR 28 - browserless-container-extra-hosts Merged by Trez.One	2025-03-12 11:59:40 -04:00
Trez.One	73597effd8	Adding extra_hosts for browserless/chromium. Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Check and Create PR (push) Successful in 3m31s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Docker Compose & Ansible Lints (push) Successful in 15m8s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Cloudflare DNS Setup (push) Successful in 1m42s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Update README & Generate List of Modified Services (push) Successful in 2m37s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / PR Merge (push) Successful in 1m31s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Ansible Configs & Docker Compose Deployment (push) Successful in 19m14s Details	2025-03-12 09:21:39 -04:00
gitea-sonarqube-bot	1ef0778919	Auto Merge of PR 27 - stable-diffusion-image-dependency-fix Merged by Trez.One	2025-03-12 09:18:03 -04:00
Trez.One	b3fc11730f	chore: Update README	2025-03-12 13:16:54 +00:00
Trez.One	5a67a4697c	Revision bump for Stable-Diffusion-UI. Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Check and Create PR (push) Successful in 8m27s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Docker Compose & Ansible Lints (push) Successful in 14m24s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Cloudflare DNS Setup (push) Successful in 1m22s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Update README & Generate List of Modified Services (push) Successful in 3m34s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / PR Merge (push) Successful in 51s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Ansible Configs & Docker Compose Deployment (push) Successful in 18m7s Details	2025-03-12 07:48:14 -04:00
gitea-sonarqube-bot	6f745d95e6	Auto Merge of PR 26 - hugo-site-spinup Merged by Trez.One	2025-03-11 18:36:17 -04:00
Trez.One	2ab5a53aea	chore: Update README	2025-03-11 22:35:40 +00:00
Trez.One	9d730370b0	Spinning Hugo site back up. Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Check and Create PR (push) Successful in 3m13s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Docker Compose & Ansible Lints (push) Successful in 25m6s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Cloudflare DNS Setup (push) Successful in 23m57s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Update README & Generate List of Modified Services (push) Successful in 13m3s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / PR Merge (push) Successful in 28s Details Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment / Ansible Configs & Docker Compose Deployment (push) Successful in 27m55s Details	2025-03-11 15:58:38 -04:00
Trez.One	457d275875	Homepage layout changes.	2025-03-11 15:53:28 -04:00
Trez.One	5c140a2130	Changing PROXY_* for chromium container.	2025-03-11 14:17:24 -04:00
Trez.One	0a6021b1da	Changing CHROME_URL for Reactive Resume.	2025-03-11 13:38:44 -04:00
gitea-sonarqube-bot	c7cead4a8e	Auto Merge of PR 25 - bluesky-image-switch-linkstack-deploy Merged by Trez.One	2025-03-10 19:50:56 -04:00
Trez.One	cb127a51be	chore: Update README	2025-03-10 23:46:48 +00:00