chore: Update README

Adding Patchman service.
Auto Merge of PR 136 - dagu-deploy-cronicle-removal_2025-08-08T11-13-25
2025-08-08 17:05:41 +00:00 · 2025-08-08 13:01:28 -04:00 · 2025-08-08 12:14:14 -04:00 · 2025-08-08 16:13:44 +00:00 · 2025-08-08 12:09:36 -04:00 · 2025-08-07 21:14:07 -04:00
37 changed files with 3255 additions and 2584 deletions
@@ -58,8 +58,8 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Check'
          notification_message: 'PR Created 🎟️'
-  ansible-linting:
+  ansible-dry-run:
-    name: Ansible Lint
+    name: Ansible Dry Run
    needs: [check-and-create-pr]
    runs-on: ubuntu-latest
    env:
@@ -103,17 +103,16 @@ jobs:
          options: |
            --check
            --inventory inventory/hosts.yml
            -v
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
-          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
+          notification_title: 'GITEA: Ansible Dry Run @ Rinoa'
-          notification_message: 'Docker Compose dry run completed successfully.'
+          notification_message: 'Ansible dry run completed successfully.'
  pr-merge:
    name: PR Merge
-    needs: [regenerate-readme-modified-services]
+    needs: [ansible-dry-run]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
@@ -8,6 +8,10 @@ on:
      - '**/docker-compose.yml'
      - '**/pr-cloudflare-docker-deploy.yml'
      - '!ansible/**.yml'
 env:
  FLARECTL_VERSION: '0.115.0'
  HC_VAULT_VERSION: '1.20.0'
  TEA_VERSION: '0.10.1'
 jobs:
  check-and-create-pr:
    if: github.ref != 'refs/heads/main'
@@ -22,14 +26,14 @@ jobs:
        id: cache-tea
        uses: actions/cache@v4
        with:
-          path: /opt/hostedtoolcache/tea/0.9.2/x64
+          path: /opt/hostedtoolcache/tea/${{ env.TEA_VERSION }}/x64
-          key: tea-${{ runner.os }}-0.9.2
+          key: tea-${{ runner.os }}-${{ env.TEA_VERSION }}
      - name: Install tea
        uses: supplypike/setup-bin@v4
        with:
-          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
+          uri: https://gitea.com/gitea/tea/releases/download/v${{ env.TEA_VERSION }}/tea-${{ env.TEA_VERSION }}-linux-amd64
-          name: 'tea'
+          name: tea
-          version: '0.9.2'
+          version: ${{ env.TEA_VERSION }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -58,26 +62,25 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: PR Check'
          notification_message: 'PR Created 🎟️'
-  docker-compose-dry-run:
+  generate-service-list:
-    name: Docker Compose Dry Run
+    name: Generate list of added/modified/deleted services
    needs: [check-and-create-pr]
    runs-on: ubuntu-latest
-    env:
+    needs: [check-and-create-pr]
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      VAULT_NAMESPACE: ""
      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
    outputs:
-      svc_deploy_list: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
+      svc_deploy_list: ${{ steps.detect_services.outputs.docker_svc_list }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Fetch base branch
        run: |
          git fetch origin ${{ github.event.pull_request.base.ref }}
-      - name: Login to Gitea Container Registry
+      - name: Gotify Notification
-        run: |
+        uses: eikendev/gotify-action@master
-          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
+        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Services TBD'
          notification_message: 'Generating list of services to deploy...'
      - name: Save both versions of docker-compose.yml
        run: |
          git show origin/main:docker-compose.yml > docker-compose-main.yml || touch docker-compose-main.yml
@@ -107,10 +110,40 @@ jobs:
          echo "Detected service changes:"
          cat service_changes.txt
-          svc_list=$(paste -sd '|' service_changes.txt)
+          mod_svcs=$(cut -d':' -f1 service_changes.txt | sort | uniq)
-          echo "classified_services=$svc_list" >> "$GITHUB_OUTPUT"
+          echo "docker_svc_list<<EOF" >> "$GITHUB_OUTPUT"
-      - name: Install Vault
+          echo "$mod_svcs" >> "$GITHUB_OUTPUT"
          echo "EOF" >> "$GITHUB_OUTPUT"
      - name: List of Services for (Re)Deployment
        run: |
          echo -e "${{ steps.detect_services.outputs.docker_svc_list }}"
  docker-compose-dry-run:
    name: Docker Compose Dry Run
    needs: [generate-service-list]
    runs-on: ubuntu-latest
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      VAULT_NAMESPACE: ""
      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
      DOCKER_SVC_LIST: ${{ needs.generate-service-list.outputs.svc_deploy_list }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Login to Gitea Container Registry
        run: |
          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
      - name: Cache Vault install
        id: cache-vault
        uses: actions/cache@v4
        with:
          path: /opt/hostedtoolcache/vault/${{ env.HC_VAULT_VERSION }}/x64
          key: vault-${{ runner.os }}-${{ env.HC_VAULT_VERSION }}
      - name: Install Vault (only if not cached)
        if: steps.cache-vault.outputs.cache-hit != 'true'
        uses: cpanato/vault-installer@main
        with:
          version: ${{ env.HC_VAULT_VERSION }}
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -118,37 +151,20 @@ jobs:
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa'
          notification_message: 'Starting Docker Compose dry run...'
-      - name: Cache .env Files
+      - name: Generate .env file for Docker Compose
        uses: actions/cache@v4
        with:
          path: .env
          key: ${{ runner.os }}-env-${{ hashFiles('docker-compose.yml') }}
      - name: Generate modified services list & .env file for Docker Compose Dry Run
        id: modded_svcs
        run: |
          mod_svcs=$(echo "${{ steps.detect_services.outputs.classified_services }}" | sed -e 's/|//g' -e 's/: \(add\|modifi\|delet\)ed/ /g')
          echo ${mod_svcs}
          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
-          echo "rinoa_svcs=${mod_svcs}" >> "$GITHUB_OUTPUT"
+          echo ${DOCKER_SVC_LIST}
      - name: Testing service list output
        run: |
          echo ${{ steps.modded_svcs.outputs.rinoa_svcs }}
      - name: Docker Compose Dry Run
-        timeout-minutes: 360
+        uses: hoverkraft-tech/compose-action@v2.2.0
        continue-on-error: true
        uses: chaplyk/docker-compose-remote-action@v1.1
        with:
          ssh_host: 192.168.1.254
          ssh_port: 22
          ssh_user: gitea-deploy
          ssh_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
          service: ${{ steps.modded_svcs.outputs.rinoa_svcs }}
          compose_file: docker-compose.yml
          pull: false
          build: false
          options: -d --remove-orphans
        env:
          DOCKER_HOST: tcp://dockerproxy:2375
        with:
          services: |
            ${{ needs.generate-service-list.outputs.svc_deploy_list }}
          up-flags: -d --remove-orphans --dry-run
          down-flags: --dry-run
          compose-flags: --dry-run
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -158,7 +174,7 @@ jobs:
          notification_message: 'Docker Compose dry run completed successfully.'
  cloudflare-dns-setup:
    name: Cloudflare DNS Setup
-    needs: [docker-compose-ansible-lints]
+    needs: [docker-compose-dry-run]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
@@ -169,13 +185,13 @@ jobs:
        uses: actions/cache@v4
        with:
          path: ~/.flarectl
-          key: flarectl-${{ runner.os }}-${{ hashFiles('workflow-config.yml') }}
+          key: flarectl-${{ runner.os }}-${{ env.FLARECTL_VERSION }}-${{ hashFiles('workflow-config.yml') }}
      - name: Install flarectl
        uses: supplypike/setup-bin@v4
        with:
-          uri: 'https://github.com/cloudflare/cloudflare-go/releases/download/v0.113.0/flarectl_0.113.0_linux_amd64.tar.gz'
+          uri: https://github.com/cloudflare/cloudflare-go/releases/download/v${{ env.FLARECTL_VERSION }}/flarectl_${{ env.FLARECTL_VERSION }}_linux_amd64.tar.gz
-          name: 'flarectl'
+          name: flarectl
-          version: '0.113.0'
+          version: ${{ env.FLARECTL_VERSION }}
      - name: Cache Subdomain Files
        uses: actions/cache@v4
        with:
@@ -274,12 +290,18 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Cache tea CLI
        id: cache-tea
        uses: actions/cache@v4
        with:
          path: /opt/hostedtoolcache/tea/${{ env.TEA_VERSION }}/x64
          key: tea-${{ runner.os }}-${{ env.TEA_VERSION }}
      - name: Install tea
        uses: supplypike/setup-bin@v4
        with:
-          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
+          uri: https://gitea.com/gitea/tea/releases/download/v${{ env.TEA_VERSION }}/tea-${{ env.TEA_VERSION }}-linux-amd64
-          name: 'tea'
+          name: tea
-          version: '0.9.2'
+          version: ${{ env.TEA_VERSION }}
      - name: PR Merge
        id: pr_merge
        run: |
@@ -299,13 +321,13 @@ jobs:
  docker-compose-deploy:
    name: Docker Compose Deployment
    runs-on: ubuntu-latest
-    needs: [docker-compose-dry-run, pr-merge]
+    needs: [generate-service-list, docker-compose-dry-run, pr-merge]
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
      DOCKER_HOST: tcp://dockerproxy:2375
      RINOA_REGISTRY_PASSWORD: ${{ secrets.BOT_GITEA_PASSWORD }}
-      DOCKER_SVC_LIST: ${{ needs.docker-compose-dry-run.outputs.svc_deploy_list }}
+      DOCKER_SVC_LIST: ${{ needs.generate-service-list.outputs.svc_deploy_list }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -315,10 +337,13 @@ jobs:
        id: cache-vault
        uses: actions/cache@v4
        with:
-          path: /opt/hostedtoolcache/vault/1.18.0/x64
+          path: /opt/hostedtoolcache/vault/${{ env.HC_VAULT_VERSION }}/x64
-          key: vault-${{ runner.os }}-1.18.0
+          key: vault-${{ runner.os }}-${{ env.HC_VAULT_VERSION }}
-      - name: Install Vault
+      - name: Install Vault (only if not cached)
        if: steps.cache-vault.outputs.cache-hit != 'true'
        uses: cpanato/vault-installer@main
        with:
          version: ${{ env.HC_VAULT_VERSION }}
      - name: Login to Gitea Container Registry
        run: |
          docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf
@@ -332,22 +357,24 @@ jobs:
      - name: Generate .env file for deployment
        run: |
           vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
           echo ${DOCKER_SVC_LIST}
      - name: Docker Compose Deployment
-        timeout-minutes: 360
+        uses: hoverkraft-tech/compose-action@v2.2.0
        continue-on-error: true
        uses: chaplyk/docker-compose-remote-action@v1.1
        env:
          DOCKER_HOST: tcp://dockerproxy:2375
        with:
-          ssh_host: 192.168.1.254
+          services: |
-          ssh_port: 22
+            ${{ needs.generate-service-list.outputs.svc_deploy_list }}
-          ssh_user: gitea-deploy
+          up-flags: -d --remove-orphans
-          ssh_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
+          down-flags: --dry-run
-          service: ${DOCKER_SVC_LIST}
+      - name: Docker Compose Healthcheck
-          compose_file: docker-compose.yml
+        uses: jaracogmbh/docker-compose-health-check-action@v1.0.0
-          pull: false
+        with:
-          build: false
+          max-retries: 30
-          options: -d --remove-orphans
+          retry-interval: 10
          compose-file: "docker-compose.yml"
          skip-exited: "true"
          skip-no-healthcheck: "true"
      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
@@ -2,7 +2,9 @@ name: Auto-Unseal for Vault
 on:
  workflow_dispatch:
  schedule:
-    - cron: "0 5 * * *"
+    - cron: '30 5 * * *'
 env:
  HC_VAULT_VERSION: '1.20.0'
 jobs:
  auto-unseal:
    name: Unseal Vault
@@ -10,20 +12,36 @@ jobs:
    env:
      VAULT_ADDR: ${{ secrets.RINOA_VAULT_ADDR }}
      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
-      VAULT_SHARDS: |
+      VAULT_SHARDS: ${{ secrets.VAULT_UNSEAL_SHARDS }}
        ${{ secrets.VAULT_UNSEAL_SHARDS }}
      VAULT_NAMESPACE: ""
    steps:
      - name: Vault Unseal Start
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: HC Vault @ Rinoa'
          notification_message: 'Hashicorp Vault unsealing started... 🔐'
      - name: Cache Vault install
        id: cache-vault
        uses: actions/cache@v4
        with:
-          path: /opt/hostedtoolcache/vault/1.18.0/x64
+          path: /opt/hostedtoolcache/vault/${{ env.HC_VAULT_VERSION }}/x64
-          key: vault-${{ runner.os }}-1.18.0
+          key: vault-${{ runner.os }}-${{ env.HC_VAULT_VERSION }}
-      - name: Install Vault
+      - name: Install Vault (only if not cached)
        if: steps.cache-vault.outputs.cache-hit != 'true'
        uses: cpanato/vault-installer@main
        with:
          version: ${{ env.HC_VAULT_VERSION }}
      - name: Unseal Vault
        run: |
-          for vault_shard in $(echo ${VAULT_SHARDS}); do
+          for vault_shard in $VAULT_SHARDS; do
-            vault operator unseal -address=${VAULT_ADDR} -non-interactive "${vault_shard}"
+            vault operator unseal -address="${VAULT_ADDR}" -non-interactive "${vault_shard}"
-          done
+          done
      - name: Vault Unseal Completion
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
          notification_title: 'GITEA: HC Vault @ Rinoa'
          notification_message: 'Hashicorp Vault unsealed! 🔓'
@@ -4,13 +4,16 @@
 | Service | Image |
 | --- | --- |
 | 13ft | ghcr.io/wasi-master/13ft:latest |
 | actual_server | docker.io/actualbudget/actual-server:latest |
 | adguard | adguard/adguardhome:latest |
 | apprise-api | lscr.io/linuxserver/apprise-api:latest |
 | archivebox | archivebox/archivebox:latest |
 | argus | quay.io/argus-io/argus:latest |
 | audiobookshelf | ghcr.io/advplyr/audiobookshelf:latest |
 | authelia | authelia/authelia:master |
 | authelia-pg | postgres:16-alpine |
 | authelia-valkey | docker.io/bitnami/valkey:latest |
 | bazarr | lscr.io/linuxserver/bazarr:latest |
 | beszel | henrygd/beszel:latest |
 | beszel-agent | henrygd/beszel-agent:latest |
@@ -19,27 +22,35 @@
 | browserless | ghcr.io/browserless/chromium:latest |
 | bytestash | ghcr.io/jordan-dalby/bytestash:latest |
 | castopod | castopod/castopod:latest |
 | castopod-valkey | docker.io/bitnami/valkey:latest |
 | changedetection | ghcr.io/dgtlmoon/changedetection.io |
 | changedetection-chrome | dgtlmoon/sockpuppetbrowser:latest |
 | chrome | gcr.io/zenika-hub/alpine-chrome:123 |
 | clipcascade | sathvikrao/clipcascade:latest |
 | cloudflareddns | ghcr.io/hotio/cloudflareddns:latest |
 | convertx | ghcr.io/c4illin/convertx |
 | cronicle | elestio/cronicle:latest |
 | crowdsec | crowdsecurity/crowdsec:latest |
 | crowdsec-dashboard | metabase/metabase |
 | cyber-chef | mpepping/cyberchef:latest |
 | czkawka | jlesage/czkawka |
 | dagu | ghcr.io/dagu-org/dagu:alpine |
 | dawarich-app | freikin/dawarich:latest |
 | dawarich-pg-db | postgis/postgis:17-3.5-alpine |
 | dawarich-sidekiq | freikin/dawarich:latest |
 | dawarich-valkey | docker.io/bitnami/valkey:latest |
 | dead-man-hand | ghcr.io/bkupidura/dead-man-hand:latest |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |
 | dockflare | alplat/dockflare:stable |
 | duplicati | lscr.io/linuxserver/duplicati:latest |
 | easyappointments | alextselegidis/easyappointments:1.5.1 |
 | excalidraw | excalidraw/excalidraw:latest |
 | explo | ghcr.io/lumepart/explo:latest |
 | fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
 | flaresolverr | ghcr.io/flaresolverr/flaresolverr:latest |
-| freescout | tiredofit/freescout:latest |
+| garage | dxflrs/garage:v2.0.0 |
 | garage-webui | khairul169/garage-webui:latest |
 | ghost | ghost:latest |
-| gitea | gitea/gitea:1.24.0 |
+| gitea | gitea/gitea:1.24.3 |
 | gitea-db | postgres:14 |
 | gitea-runner | gitea/act_runner:latest |
 | gitea-sonarqube-bot | justusbunsi/gitea-sonarqube-bot:v0.4.0 |
@@ -49,12 +60,13 @@
 | graylog-datanode | graylog/graylog-datanode:6.1 |
 | guacamole | flcontainers/guacamole:latest |
 | homepage | ghcr.io/gethomepage/homepage:latest |
-| hugo | hugomods/hugo:exts-0.145.0 |
+| hugo | hugomods/hugo:exts |
 | immich-server | ghcr.io/immich-app/immich-server:release |
 | immich-machine-learning | ghcr.io/immich-app/immich-machine-learning:release |
 | immich-pg-db | tensorchord/pgvecto-rs:pg14-v0.2.1 |
 | immich-public-proxy | alangrainger/immich-public-proxy:latest |
 | immich-power-tools | ghcr.io/varun-raj/immich-power-tools:latest |
 | immich-valkey | docker.io/bitnami/valkey:latest |
 | influxdb2 | influxdb:2-alpine |
 | invidious | quay.io/invidious/invidious:latest |
 | invidious-sig-helper | quay.io/invidious/inv-sig-helper:latest |
@@ -72,10 +84,12 @@
 | jitsi-web | jitsi/web:stable |
 | joplin-db | postgres:17-alpine |
 | joplin | joplin/server:latest |
 | karakeep | ghcr.io/karakeep-app/karakeep:release |
 | languagetool | elestio/languagetool:latest |
 | librechat-api | ghcr.io/danny-avila/librechat-dev:latest |
 | librechat-vectordb | ankane/pgvector:latest |
 | librechat-rag-api | ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest |
 | librechat-valkey | docker.io/bitnami/valkey:latest |
 | librechat-vectordb | ankane/pgvector:latest |
 | libretranslate | libretranslate/libretranslate |
 | lidarr | lscr.io/linuxserver/lidarr:latest |
 | lidify | thewicklowwolf/lidify:latest |
@@ -84,15 +98,23 @@
 | loggifly | ghcr.io/clemcer/loggifly:latest |
 | maloja | krateng/maloja:latest |
 | manyfold | lscr.io/linuxserver/manyfold:latest |
 | manyfold-valkey | docker.io/bitnami/valkey:latest |
 | mariadb | linuxserver/mariadb |
 | mastodon | lscr.io/linuxserver/mastodon:latest |
 | mastodon-pg-db | postgres:17-alpine |
 | mastodon-valkey | docker.io/bitnami/valkey:latest |
 | maxun-backend | getmaxun/maxun-backend:latest |
 | maxun-frontend | getmaxun/maxun-frontend:latest |
 | maxun-pg-db | postgres:13-alpine |
-| meilisearch | getmeili/meilisearch:v1.12.3 |
+| maxun-valkey | docker.io/bitnami/valkey:latest |
 | meilisearch | getmeili/meilisearch:v1.15 |
 | meme-search-pro | ghcr.io/neonwatty/meme_search_pro:latest |
 | meme-search-pro-img2txt-gen | ghcr.io/neonwatty/image_to_text_generator:latest |
 | meme-search-db | pgvector/pgvector:pg17 |
 | mini-qr | ghcr.io/lyqht/mini-qr:latest |
 | minio | minio/minio:RELEASE.2025-04-22T22-12-26Z |
 | mixpost | inovector/mixpost:latest |
 | mixpost-valkey | docker.io/bitnami/valkey:latest |
 | mongodb | bitnami/mongodb:7.0 |
 | multi-scrobbler | foxxmd/multi-scrobbler |
 | n8n | docker.n8n.io/n8nio/n8n |
@@ -101,13 +123,29 @@
 | nextcloud | nextcloud/all-in-one:latest |
 | ollama | ollama/ollama |
 | ombi | lscr.io/linuxserver/ombi:latest |
-| omni-tools | iib0011/omni-tools:latest |
+| omnitools | iib0011/omni-tools:latest |
 | omnipoly | kweg/omnipoly:latest |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
 | paperless-valkey | docker.io/bitnami/valkey:latest |
 | patchman-server | ghcr.io/tigattack/patchman |
 | patchman-worker | ghcr.io/tigattack/patchman |
 | patchman-memcached | memcached:1.6-alpine |
 | patchman-valkey | docker.io/bitnami/valkey:latest |
 | penpot-frontend | penpotapp/frontend:latest |
 | penpot-backend | penpotapp/backend:latest |
 | penpot-exporter | penpotapp/exporter:latest |
 | penpot-pg-db | postgres:15-alpine |
 | penpot-redis | redis:7.2 |
 | pgbackweb | eduardolat/pgbackweb:latest |
 | pgbackweb-db | postgres:16-alpine |
 | planka | ghcr.io/plankanban/planka:2.0.0-rc.3 |
 | planka-pg-db | postgres:16-alpine |
 | plant-it | msdeluise/plant-it-server:latest |
 | plant-it-valkey | docker.io/bitnami/valkey:latest |
 | plantuml-server | plantuml/plantuml-server:jetty |
 | portainer | portainer/portainer-ce:alpine |
 | portchecker-web | ghcr.io/dsgnr/portcheckerio-web:latest |
 | portchecker-api | ghcr.io/dsgnr/portcheckerio-api:latest |
 | portnote-web | haedlessdev/portnote:latest |
 | portnote-agent | haedlessdev/portnote-agent:latest |
 | portnote-pg-db | postgres:17-alpine |
@@ -115,46 +153,65 @@
 | postal-web | ghcr.io/postalserver/postal:latest |
 | postal-worker | ghcr.io/postalserver/postal:latest |
 | prowlarr | lscr.io/linuxserver/prowlarr:latest |
 | qbit-manage | ghcr.io/stuffanthings/qbit_manage:latest |
 | qbittorrentvpn | ghcr.io/binhex/arch-qbittorrentvpn:latest |
 | radarec | thewicklowwolf/radarec:latest |
 | radarr | lscr.io/linuxserver/radarr:latest |
 | reactive-resume | amruthpillai/reactive-resume:latest |
 | reactive-resume-pg | postgres:16-alpine |
 | readarr | lscr.io/linuxserver/readarr:develop |
 | redis | redis:alpine |
 | redlib | quay.io/redlib/redlib:latest |
 | rocketchat | registry.rocket.chat/rocketchat/rocket.chat:latest |
 | romm | rommapp/romm:latest |
 | romm-valkey | docker.io/bitnami/valkey:latest |
 | sabnzbdvpn | ghcr.io/binhex/arch-sabnzbdvpn:latest |
 | sablier | sablierapp/sablier:latest |
 | scraparr | ghcr.io/thecfu/scraparr:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
 | searxng | searxng/searxng:latest |
-| semaphore | semaphoreui/semaphore:v2.12.14 |
+| searxng-valkey | docker.io/bitnami/valkey:latest |
-| signoz-init-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
+| semaphore-ui | semaphoreui/semaphore:v2.12.14 |
-| signoz-zookeeper-1 | bitnami/zookeeper:3.7.1 |
+| signoz-app | signoz/signoz:v0.91.0 |
 | signoz-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
-| signoz-app | signoz/signoz:v0.86.2 |
+| signoz-init-clickhouse | clickhouse/clickhouse-server:24.1.2-alpine |
-| signoz-otel-collector | signoz/signoz-otel-collector:v0.111.42 |
+| signoz-logspout | pavanputhra/logspout-signoz |
-| signoz-schema-migrator-sync | signoz/signoz-schema-migrator:v0.111.42 |
+| signoz-otel-collector | signoz/signoz-otel-collector:v0.128.2 |
-| signoz-schema-migrator-async | signoz/signoz-schema-migrator:v0.111.42 |
+| signoz-schema-migrator-async | signoz/signoz-schema-migrator:v0.128.2 |
 | signoz-schema-migrator-sync | signoz/signoz-schema-migrator:v0.128.2 |
 | signoz-zookeeper-1 | bitnami/zookeeper:3.7.1 |
 | sonarqube | mc1arke/sonarqube-with-community-branch-plugin:lts |
 | sonarqube-pg-db | postgres:17-alpine |
 | sonarr | lscr.io/linuxserver/sonarr:latest |
 | sonashow | thewicklowwolf/sonashow:latest |
 | soularr | mrusse08/soularr:latest |
 | soularr-dashboard | git.trez.wtf/trez.one/soularr-dashboard:v0.1 |
 | soulseek | slskd/slskd |
 | speedtest-tracker | lscr.io/linuxserver/speedtest-tracker:latest |
-| stable-diffusion-download | git.trez.wtf/trez.one/stable-diffusion-download:v9.0.0 |
+| stable-diffusion-download | git./trez.one/stable-diffusion-download:v9.0.0 |
-| stable-diffusion-webui | git.trez.wtf/trez.one/stable-diffusion-ui:v9.0.1 |
+| stable-diffusion-webui | git./trez.one/stable-diffusion-ui:v9.0.1 |
 | stirling-pdf | docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest |
 | swag | lscr.io/linuxserver/swag:latest |
 | tandoor | vabene1111/recipes |
 | tandoor-pg | postgres:16-alpine |
 | umami | ghcr.io/umami-software/umami:postgresql-latest |
 | umami-pg-db | postgres:15-alpine |
 | unmanic | josh5/unmanic:latest |
 | uptimekuma | louislam/uptime-kuma:latest |
 | vault | hashicorp/vault:latest |
 | wallabag | wallabag/wallabag |
 | wallos | bellamy/wallos:latest |
 | watchtower | ghcr.io/containrrr/watchtower:latest |
 | web-check | lissy93/web-check |
 | whodb | clidey/whodb |
 | wizarr | ghcr.io/wizarrrr/wizarr |
 | youtubedl | nbr23/youtube-dl-server:latest |
 | zammad-backup | ghcr.io/zammad/zammad:6.5.0-15 |
 | zammad-elasticsearch | elasticsearch:8.18.0 |
 | zammad-init | ghcr.io/zammad/zammad:6.5.0-15 |
 | zammad-memcached | memcached:1.6.38-alpine |
 | zammad-nginx | ghcr.io/zammad/zammad:6.5.0-15 |
 | zammad-postgresql | postgres:17.5-alpine |
 | zammad-railsserver | ghcr.io/zammad/zammad:6.5.0-15 |
 | zammad-redis | redis:7.4.2-alpine |
 | zammad-scheduler | ghcr.io/zammad/zammad:6.5.0-15 |
 | zammad-websocket | ghcr.io/zammad/zammad:6.5.0-15 |
@@ -1,45 +0,0 @@
 # Rinoa Docker_configs Ansible Project
 ## Included content/ Directory Structure
 The directory structure follows best practices recommended by the Ansible community. Feel free to customize this template according to your specific project requirements.
 ```
 ansible-project/
 |── .devcontainer/
 |    └── docker/
 |        └── devcontainer.json
 |    └── podman/
 |        └── devcontainer.json
 |    └── devcontainer.json
 |── .github/
 |    └── workflows/
 |        └── tests.yml
 |    └── ansible-code-bot.yml
 |── .vscode/
 |    └── extensions.json
 |── collections/
 |   └── requirements.yml
 |   └── ansible_collections/
 |       └── project_org/
 |           └── project_repo/
 |               └── README.md
 |               └── roles/sample_role/
 |                         └── README.md
 |                         └── tasks/main.yml
 |── inventory/
 |   └── groups_vars/
 |   └── host_vars/
 |   └── hosts.yml
 |── ansible-navigator.yml
 |── ansible.cfg
 |── devfile.yaml
 |── linux_playbook.yml
 |── network_playbook.yml
 |── README.md
 |── site.yml
 ```
 ## Compatible with Ansible-lint
 Tested with ansible-lint >=24.2.0 releases and the current development version of ansible-core.
@@ -0,0 +1,337 @@
 settings:
  log:
    level: INFO
    timestamps: true
  data:
    database_file: data/argus.db
  web:
    listen_host: 0.0.0.0
    listen_port: 8080
    route_prefix: /
    basic_auth:
      username: 'admin'
      password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ARGUS_WEB_PASSWORD'] }}"
  disabled_routes: []
  favicon:
    png: ''
    svg: ''
 notify:
  rinoa-gotify:
    type: gotify
    url_fields:
      Host: gotify
      Token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ARGUS_WEB_PASSWORD'] }}
    params:
      Title: Argus @ Rinoa
 service:
  AdguardTeam/AdGuardHome:
    latest_version:
      type: github
      url: AdguardTeam/AdGuardHome
      url_commands:
        - type: regex
          regex: v([0-9.]+)$
    deployed_version:
      url: "https://adguard.trez.wtf/control/status"
      basic_auth:
        username: admin
        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ADGUARD_PASSWORD'] }}
      json: version
      regex: v([0-9.]+)
    dashboard:
      web_url: "https://github.com/AdguardTeam/AdGuardHome/releases/v{% raw %}{{ version }}{% endraw %}"
      icon: "https://avatars.githubusercontent.com/u/8361145?s=200&v=4"
  advplyr/audiobookshelf:
    latest_version:
      type: github
      url: advplyr/audiobookshelf
      url_commands:
        - type: regex
          regex: v([0-9.]+)$
    deployed_version:
      method: GET
      url: "https://abs.trez.wtf/status"
      json: serverVersion
    dashboard:
      icon: "https://raw.githubusercontent.com/advplyr/audiobookshelf/master/client/static/icon.svg"
      web_url: "https://github.com/advplyr/audiobookshelf/releases/tag/v{% raw %}{{ version }}{% endraw %}"
  dani-garcia/vaultwarden:
    latest_version:
      type: github
      url: dani-garcia/vaultwarden
    deployed_version:
      url: "https://bitwarden.trez.wtf/api/version"
      regex: ([0-9.]+)
    dashboard:
      web_url: "https://github.com/dani-garcia/vaultwarden/releases/{% raw %}{{ version }}{% endraw %}"
      icon: "https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/src/static/images/vaultwarden-icon.png"
  ellite/Wallos:
    latest_version:
      type: github
      url: ellite/Wallos
    deployed_version:
      method: GET
      url: http://wallos.com/api/status/version.php?api_key=xxx
      json: version_number
    dashboard:
      icon: "https://github.com/ellite/Wallos/raw/main/images/siteicons/wallos.png"
      web_url: "https://github.com/ellite/Wallos/releases"
  FlareSolverr/FlareSolverr:
    latest_version:
      type: github
      url: FlareSolverr/FlareSolverr
      url_commands:
        - type: regex
          regex: v([0-9.]+)$
    deployed_version:
      method: GET
      url: "https://flaresolverr.trez.wtf"
      json: version
    dashboard:
      icon: "https://raw.githubusercontent.com/FlareSolverr/FlareSolverr/master/resources/flaresolverr_logo.png"
      web_url: "https://github.com/FlareSolverr/FlareSolverr/releases/tag/v{% raw %}{{ version }}{% endraw %}"
  go-gitea/gitea:
    latest_version:
      type: github
      url: go-gitea/gitea
      url_commands:
        - type: regex
          regex: v([0-9.]+)$
      require:
        regex_content: gitea-{% raw %}{{ version }}{% endraw %}-linux-amd64
        regex_version: ^[0-9.]+[0-9]$
    deployed_version:
      url: "https://git.trez.wtf"
      regex: 'Powered by Gitea\s+Version:\s+([0-9.]+) '
    dashboard:
      web_url: "https://github.com/go-gitea/gitea/releases/v{% raw %}{{ version }}{% endraw %}"
      icon: "https://raw.githubusercontent.com/go-gitea/gitea/main/public/img/logo.png"
  gohugoio/hugo:
    latest_version:
      type: github
      url: gohugoio/hugo
      url_commands:
        - type: regex
          regex: v([0-9.]+)$
      require:
        regex_content: hugo_{% raw %}{{ version }}{% endraw %}_Linux-64bit\.deb
    dashboard:
      web_url: "https://github.com/gohugoio/hugo/releases/v{% raw %}{{ version }}{% endraw %}"
      icon: "https://raw.githubusercontent.com/gohugoio/hugo/master/docs/static/img/hugo.png"
  gotify/server:
    latest_version:
      type: github
      url: gotify/server
      url_commands:
        - type: regex
          regex: v([0-9.]+)$
    deployed_version:
      url: "https://gotify.trez.wtf/version"
      json: version
    dashboard:
      web_url: "https://github.com/gotify/server/releases/v{% raw %}{{ version }}{% endraw %}"
      icon: "https://github.com/gotify/logo/raw/master/gotify-logo.png"
  hashicorp/vault:
    latest_version:
      type: github
      url: hashicorp/vault
      url_commands:
        - type: regex
          regex: v([0-9.]+)$
    deployed_version:
      url: "https://vault.trez.wtf/v1/sys/health"
      json: version
    dashboard:
      web_url: "https://github.com/hashicorp/vault/releases/v{% raw %}{{ version }}{% endraw %}"
      icon: "https://raw.githubusercontent.com/hashicorp/vault/main/ui/public/vault-logo.svg"
  immich-app/immich:
    latest_version:
      type: github
      url: immich-app/immich
    deployed_version:
      url: "https://pics.trez.wtf/api/server/about"
      json: version
      regex: ^v([0-9.]+)$
      headers:
        - key: x-api-key
          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IMMICH_POWER_TOOLS_KEY'] }}
    dashboard:
      icon: "https://raw.githubusercontent.com/immich-app/immich/main/web/static/immich-logo.svg"
      web_url: "https://github.com/immich-app/immich/releases/tag/v{% raw %}{{ version }}{% endraw %}"
  influxdata/influxdb:
    latest_version:
      type: github
      url: influxdata/influxdb
      url_commands:
        - type: regex
          regex: v([0-9.]+)$
    deployed_version:
      url: "https://influxdb.trez.wtf/health"
      json: version
    dashboard:
      web_url: "https://github.com/influxdata/influxdb/releases/tag/v{% raw %}{{ version }}{% endraw %}"
      icon: "https://github.com/influxdata/ui/raw/master/src/writeData/graphics/influxdb.svg"
  jellyfin/jellyfin:
    latest_version:
      type: github
      url: jellyfin/jellyfin
      url_commands:
        - type: regex
          regex: v([0-9.]+)$
    deployed_version:
      url: "https://jellyfin.trez.wtf/System/Info/Public"
      json: Version
    dashboard:
      web_url: "https://github.com/jellyfin/jellyfin/releases/v{% raw %}{{ version }}{% endraw %}"
      icon: "https://avatars.githubusercontent.com/u/45698031?s=200&v=4"
  Lidarr/Lidarr:
    options:
      semantic_versioning: false
    latest_version:
      type: github
      url: Lidarr/Lidarr
      url_commands:
        - type: regex
          regex: v([0-9.]+)$
    deployed_version:
      method: GET
      url: "https://lidarr.trez.wtf/api/v1/system/status"
      headers:
        - key: X-Api-Key
          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
      json: version
    dashboard:
      icon: "https://raw.githubusercontent.com/Lidarr/Lidarr/develop/Logo/1024.png"
      web_url: "https://github.com/Lidarr/Lidarr/releases/v{% raw %}{{ version }}{% endraw %}"
  louislam/uptime-kuma:
    latest_version:
      type: github
      url: louislam/uptime-kuma
    deployed_version:
      url: "https://status.trez.wtf/metrics"
      regex: app_version{version=\"([0-9.]+)\",major=\"[0-9]+\",minor=\"[0-9]+\",patch=\"[0-9]+\"}
    dashboard:
      web_url: "https://github.com/louislam/uptime-kuma/releases/{% raw %}{{ version }}{% endraw %}"
      icon: "https://raw.githubusercontent.com/louislam/uptime-kuma/master/public/icon.png"
  morpheus65535/bazarr:
    latest_version:
      type: github
      url: morpheus65535/bazarr
      url_commands:
        - type: regex
          regex: v([0-9.]+)$
    deployed_version:
      url: "https://bazarr.trez.wtf/api/system/status"
      headers:
        - key: X-API-KEY
          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['BAZARR_API_KEY'] }}
      json: data.bazarr_version
    dashboard:
      web_url: "https://github.com/morpheus65535/bazarr/releases/v{% raw %}{{ version }}{% endraw %}"
      icon: "https://raw.githubusercontent.com/morpheus65535/bazarr/master/frontend/public/images/logo128.png"
  n8n-io/n8n:
    latest_version:
      type: url
      url: "https://github.com/n8n-io/n8n/tags"
      url_commands:
        - type: regex
          regex: n8n\%40([0-9.]+)
    dashboard:
      web_url: "https://github.com/n8n-io/n8n/blob/master/CHANGELOG.md"
      icon: "https://raw.githubusercontent.com/n8n-io/n8n-docs/main/docs/_images/n8n-docs-icon.svg"
  nextcloud/server:
    latest_version:
      type: github
      url: nextcloud/server
      url_commands:
        - type: regex
          regex: v([0-9.]+)$
    deployed_version:
      url: "https://cloud.trez.wtf/status.php"
      json: versionstring
    dashboard:
      web_url: "https://nextcloud.com/changelog/"
      icon: "https://github.com/nextcloud/server/raw/master/core/img/favicon.png"
  Prowlarr/Prowlarr:
    options:
      semantic_versioning: false
    latest_version:
      type: github
      url: Prowlarr/Prowlarr
      url_commands:
        - type: regex
          regex: v([0-9.]+)$
      use_prerelease: true
    deployed_version:
      url: "https://prowlarr.trez.wtf/api/v1/system/status"
      headers:
        - key: X-Api-Key
          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}
      json: version
    dashboard:
      web_url: "https://github.com/Prowlarr/Prowlarr/releases/v{% raw %}{{ version }}{% endraw %}"
      icon: "https://avatars.githubusercontent.com/u/73049443?s=200&v=4"
  Radarr/Radarr:
    options:
      semantic_versioning: false
    latest_version:
      type: github
      url: Radarr/Radarr
      url_commands:
        - type: regex
          regex: v([0-9.]+)$
    deployed_version:
      url: "https://radarr.trez.wtf/api/v3/system/status"
      headers:
        - key: X-Api-Key
          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}
      json: version
    dashboard:
      web_url: "https://github.com/Radarr/Radarr/releases/v{% raw %}{{ version }}{% endraw %}"
      icon: "https://avatars.githubusercontent.com/u/25025331?s=200&v=4"
  Readarr/Readarr:
    options:
      semantic_versioning: false
    latest_version:
      type: github
      url: Readarr/Readarr
      use_prerelease: true
      url_commands:
        - type: regex
          regex: v([0-9.]+)$
    deployed_version:
      method: GET
      url: "https://readarr.trez.wtf/api/v1/system/status"
      headers:
        - key: X-Api-Key
          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}
      json: version
    dashboard:
      icon: "https://raw.githubusercontent.com/Readarr/Readarr/develop/Logo/1024.png"
      web_url: "https://github.com/Readarr/Readarr/releases/v{% raw %}{{ version }}{% endraw %}"
  Sonarr/Sonarr:
    options:
      semantic_versioning: false
    latest_version:
      type: url
      url: "https://github.com/Sonarr/Sonarr/tags"
      url_commands:
        - type: regex
          regex: \/releases\/tag\/v?([0-9.]+)\"
    deployed_version:
      url: "https://sonarr.trez.wtf/api/v3/system/status"
      headers:
        - key: X-Api-Key
          value: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}
      json: version
    dashboard:
      web_url: "https://sonarr.trez.wtf/system/updates"
      icon: "https://raw.githubusercontent.com/Sonarr/Sonarr/develop/Logo/256.png"
  release-argus/argus:
    latest_version:
      type: github
      url: release-argus/argus
    dashboard:
      icon: "https://raw.githubusercontent.com/release-argus/Argus/master/web/ui/react-app/public/favicon.svg"
      icon_link-to: "https://release-argus.io"
      web_url: "https://github.com/release-argus/Argus/blob/master/CHANGELOG.md"
@@ -102,6 +102,14 @@ access_control:
      policy: one_factor
      subject:
      - ['user:the.trezured.one']
    - domain: wizarr.trez.wtf
      resources:
        - '^/join(/.*)?$'
        - '^/j(/.*)?$'
        - '^/static(/.*)?$'
        - '^/setup(/.*)?$'
        - '^/wizard(/.*)?$'
      policy: bypass
 session:
  name: authelia_session
  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
@@ -112,8 +120,9 @@ session:
    - domain: 'trez.wtf'
      authelia_url: 'https://auth.trez.wtf'
  redis:
-    host: redis
+    host: authelia-valkey
    port: 6379
    database_index: 0
 storage:
  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
  postgres:
@@ -0,0 +1,25 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 EXPLO_SYSTEM: subsonic
 SYSTEM_URL: http://navidrome:4533
 SYSTEM_USERNAME: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_USERNAME'] }}
 SYSTEM_PASSWORD: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}
 DOWNLOAD_DIR: /downloads
 PLAYLIST_DIR: /playlists
 LISTENBRAINZ_USER: Trez.One
 YOUTUBE_API_KEY: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUTUBE_DATA_API_V3_KEY'] }}
 # Assign a custom path to yt-dlp
 # YTDLP_PATH=
 # Keywords to ignore on videos downloaded by youtube (separated by only commas)
 FILTER_LIST: live,remix,instrumental,extended
 # Define a custom filename sepatator for special characters
 # FILENAME_SEPARATOR=
 # true to keep pervious weeks discoveries, only set to false if the parent folder only contains discovered songs (deletes every file in folder)
 PERSIST: true
 # 'playlist' to get tracks from Weekly Exploration playlist, anything else gets it from API (not the best recommendations). 'test' will download 1 song
 LISTENBRAINZ_DISCOVERY: playlist
 # Time to sleep (in minutes) between scanning and querying tracks from your system (If using Subsonic, Jellyfin)
 SLEEP: 5
 # Whether to provide additional info for debugging
 DEBUG: true
 SINGLE_ARTIST: true
@@ -0,0 +1,26 @@
 metadata_dir = "/var/lib/garage/meta"
 data_dir = "/var/lib/garage/data"
 db_engine = "lmdb"
 metadata_auto_snapshot_interval = "6h"
 replication_factor = 1
 compression_level = 10
 rpc_bind_addr = "[::]:3901"
 rpc_public_addr = "localhost:3901"
 rpc_secret = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GARAGE_RPC_SECRET'] }}"
 [s3_api]
 s3_region = "us-east-fh-pln"
 api_bind_addr = "[::]:3900"
 root_domain = ".s3.trez.wtf"
 [s3_web]
 bind_addr = "[::]:3902"
 root_domain = ".garage.trez.wtf"
 [admin]
 api_bind_addr = "[::]:3903"
 admin_token = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GARAGE_ADMIN_TOKEN'] }}"
 metrics_token = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GARAGE_METRICS_TOKEN'] }}"
@@ -0,0 +1,22 @@
 ui = true
 disable_clustering = true
 log_level = "debug"
 api_addr = "http://127.0.0.1:8200"
 // storage "raft" {
 //   path = "/path/to/raft/data"
 //   node_id = "raft_node_id"
 // }
 storage "s3" {
    endpoint = "minio:9000"
    bucket = "secrets-vault"
    region = "us-east-fh-pln"
    s3_force_path_style = "true"
    disable_ssl = "true"
 }
 listener "tcp" {
  address = "0.0.0.0:8200"
  proxy_protocol_behavior = "use_always"
  tls_disable = 1
 }
@@ -23,10 +23,10 @@ provider: duckduckgo
 layout:
  System Administration:
    style: row
-    columns: 4
+    columns: 5
  Infrastructure/App Performance Monitoring:
    style: row
-    columns: 3
+    columns: 5
  Code/DevOps:
    style: row
    columns: 3
@@ -35,22 +35,25 @@ layout:
    columns: 4
  Lifestyle:
    style: row
-    columns: 3
+    columns: 5
  Automation:
    style: row
    columns: 5
  Privacy/Security:
    style: row
    columns: 5
-  Personal/Professional Services:
+  Personal Tools:
    style: row
    columns: 4
  Professional Services:
    style: row
    columns: 5
  Servarr Stack:
    style: row
-    columns: 3
+    columns: 5
  Downloaders:
    style: row
-    columns: 2
+    columns: 5
  Media Library:
    style: row
    columns: 3
@@ -1,550 +0,0 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 #=====================================================================#
 #                       LibreChat Configuration                       #
 #=====================================================================#
 # Please refer to the reference documentation for assistance          #
 # with configuring your LibreChat environment.                        #
 #                                                                     #
 # https://www.librechat.ai/docs/configuration/dotenv                  #
 #=====================================================================#
 #==================================================#
 #               Server Configuration               #
 #==================================================#
 HOST=localhost
 PORT=3080
 MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa
 DOMAIN_CLIENT=https://ai.trez.wtf
 DOMAIN_SERVER=https://ai.trez.wtf
 NO_INDEX=true
 # Use the address that is at most n number of hops away from the Express application.
 # req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
 # A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
 # Defaulted to 1.
 TRUST_PROXY=1
 #===============#
 # JSON Logging  #
 #===============#
 # Use when process console logs in cloud deployment like GCP/AWS
 CONSOLE_JSON=true
 #===============#
 # Debug Logging #
 #===============#
 DEBUG_LOGGING=true
 DEBUG_CONSOLE=false
 #=============#
 # Permissions #
 #=============#
 # UID=1000
 # GID=1000
 #===============#
 # Configuration #
 #===============#
 # Use an absolute path, a relative path, or a URL
 # CONFIG_PATH="/alternative/path/to/librechat.yaml"
 #===================================================#
 #                     Endpoints                     #
 #===================================================#
 # ENDPOINTS=openAI,assistants,azureOpenAI,google,gptPlugins,anthropic
 PROXY=
 #===================================#
 # Known Endpoints - librechat.yaml  #
 #===================================#
 # https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints
 # ANYSCALE_API_KEY=
 # APIPIE_API_KEY=
 # COHERE_API_KEY=
 DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }}
 # DATABRICKS_API_KEY=
 # FIREWORKS_API_KEY=
 # GROQ_API_KEY=
 # HUGGINGFACE_TOKEN=
 MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }}
 # OPENROUTER_KEY=
 # PERPLEXITY_API_KEY=
 # SHUTTLEAI_API_KEY=
 # TOGETHERAI_API_KEY=
 # UNIFY_API_KEY=
 # XAI_API_KEY=
 #============#
 # Anthropic  #
 #============#
 ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
 ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
 # ANTHROPIC_REVERSE_PROXY=
 #============#
 # Azure      #
 #============#
 # Note: these variables are DEPRECATED
 # Use the `librechat.yaml` configuration for `azureOpenAI` instead
 # You may also continue to use them if you opt out of using the `librechat.yaml` configuration
 # AZURE_OPENAI_DEFAULT_MODEL=gpt-3.5-turbo # Deprecated
 # AZURE_OPENAI_MODELS=gpt-3.5-turbo,gpt-4 # Deprecated
 # AZURE_USE_MODEL_AS_DEPLOYMENT_NAME=TRUE # Deprecated
 # AZURE_API_KEY= # Deprecated
 # AZURE_OPENAI_API_INSTANCE_NAME= # Deprecated
 # AZURE_OPENAI_API_DEPLOYMENT_NAME= # Deprecated
 # AZURE_OPENAI_API_VERSION= # Deprecated
 # AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME= # Deprecated
 # AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME= # Deprecated
 # PLUGINS_USE_AZURE="true" # Deprecated
 #=================#
 #   AWS Bedrock   #
 #=================#
 # BEDROCK_AWS_DEFAULT_REGION=us-east-1 # A default region must be provided
 # BEDROCK_AWS_ACCESS_KEY_ID=someAccessKey
 # BEDROCK_AWS_SECRET_ACCESS_KEY=someSecretAccessKey
 # BEDROCK_AWS_SESSION_TOKEN=someSessionToken
 # Note: This example list is not meant to be exhaustive. If omitted, all known, supported model IDs will be included for you.
 # BEDROCK_AWS_MODELS=anthropic.claude-3-5-sonnet-20240620-v1:0,meta.llama3-1-8b-instruct-v1:0
 # See all Bedrock model IDs here: https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html#model-ids-arns
 # Notes on specific models:
 # The following models are not support due to not supporting streaming:
 # ai21.j2-mid-v1
 # The following models are not support due to not supporting conversation history:
 # ai21.j2-ultra-v1, cohere.command-text-v14, cohere.command-light-text-v14
 #============#
 # Google     #
 #============#
 {# GOOGLE_KEY=user_provided #}
 # GOOGLE_REVERSE_PROXY=
 # Some reverse proxies do not support the X-goog-api-key header, uncomment to pass the API key in Authorization header instead.
 # GOOGLE_AUTH_HEADER=true
 # Gemini API (AI Studio)
 # GOOGLE_MODELS=gemini-2.0-flash-exp,gemini-2.0-flash-thinking-exp-1219,gemini-exp-1121,gemini-exp-1114,gemini-1.5-flash-latest,gemini-1.0-pro,gemini-1.0-pro-001,gemini-1.0-pro-latest,gemini-1.0-pro-vision-latest,gemini-1.5-pro-latest,gemini-pro,gemini-pro-vision
 # Vertex AI
 # GOOGLE_MODELS=gemini-1.5-flash-preview-0514,gemini-1.5-pro-preview-0514,gemini-1.0-pro-vision-001,gemini-1.0-pro-002,gemini-1.0-pro-001,gemini-pro-vision,gemini-1.0-pro
 # GOOGLE_TITLE_MODEL=gemini-pro
 # GOOGLE_LOC=us-central1
 # Google Safety Settings
 # NOTE: These settings apply to both Vertex AI and Gemini API (AI Studio)
 #
 # For Vertex AI:
 # To use the BLOCK_NONE setting, you need either:
 # (a) Access through an allowlist via your Google account team, or
 # (b) Switch to monthly invoiced billing: https://cloud.google.com/billing/docs/how-to/invoiced-billing
 #
 # For Gemini API (AI Studio):
 # BLOCK_NONE is available by default, no special account requirements.
 #
 # Available options: BLOCK_NONE, BLOCK_ONLY_HIGH, BLOCK_MEDIUM_AND_ABOVE, BLOCK_LOW_AND_ABOVE
 #
 # GOOGLE_SAFETY_SEXUALLY_EXPLICIT=BLOCK_ONLY_HIGH
 # GOOGLE_SAFETY_HATE_SPEECH=BLOCK_ONLY_HIGH
 # GOOGLE_SAFETY_HARASSMENT=BLOCK_ONLY_HIGH
 # GOOGLE_SAFETY_DANGEROUS_CONTENT=BLOCK_ONLY_HIGH
 # GOOGLE_SAFETY_CIVIC_INTEGRITY=BLOCK_ONLY_HIGH
 #============#
 # OpenAI     #
 #============#
 OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
 OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
 DEBUG_OPENAI=false
 # TITLE_CONVO=false
 # OPENAI_TITLE_MODEL=gpt-4o-mini
 # OPENAI_SUMMARIZE=true
 # OPENAI_SUMMARY_MODEL=gpt-4o-mini
 # OPENAI_FORCE_PROMPT=true
 # OPENAI_REVERSE_PROXY=
 # OPENAI_ORGANIZATION=
 #====================#
 #   Assistants API   #
 #====================#
 # ASSISTANTS_API_KEY=user_provided
 # ASSISTANTS_BASE_URL=
 # ASSISTANTS_MODELS=gpt-4o,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-16k-0613,gpt-3.5-turbo-16k,gpt-3.5-turbo,gpt-4,gpt-4-0314,gpt-4-32k-0314,gpt-4-0613,gpt-3.5-turbo-0613,gpt-3.5-turbo-1106,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview
 #==========================#
 #   Azure Assistants API   #
 #==========================#
 # Note: You should map your credentials with custom variables according to your Azure OpenAI Configuration
 # The models for Azure Assistants are also determined by your Azure OpenAI configuration.
 # More info, including how to enable use of Assistants with Azure here:
 # https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints/azure#using-assistants-with-azure
 #============#
 # OpenRouter #
 #============#
 # !!!Warning: Use the variable above instead of this one. Using this one will override the OpenAI endpoint
 # OPENROUTER_API_KEY=
 #============#
 # Plugins    #
 #============#
 # PLUGIN_MODELS=gpt-4o,gpt-4o-mini,gpt-4,gpt-4-turbo-preview,gpt-4-0125-preview,gpt-4-1106-preview,gpt-4-0613,gpt-3.5-turbo,gpt-3.5-turbo-0125,gpt-3.5-turbo-1106,gpt-3.5-turbo-0613
 # DEBUG_PLUGINS=
 CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
 CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
 # Azure AI Search
 #-----------------
 # AZURE_AI_SEARCH_SERVICE_ENDPOINT=
 # AZURE_AI_SEARCH_INDEX_NAME=
 # AZURE_AI_SEARCH_API_KEY=
 # AZURE_AI_SEARCH_API_VERSION=
 # AZURE_AI_SEARCH_SEARCH_OPTION_QUERY_TYPE=
 # AZURE_AI_SEARCH_SEARCH_OPTION_TOP=
 # AZURE_AI_SEARCH_SEARCH_OPTION_SELECT=
 # DALL·E
 #----------------
 # DALLE_API_KEY=
 # DALLE3_API_KEY=
 # DALLE2_API_KEY=
 # DALLE3_SYSTEM_PROMPT=
 # DALLE2_SYSTEM_PROMPT=
 # DALLE_REVERSE_PROXY=
 # DALLE3_BASEURL=
 # DALLE2_BASEURL=
 # DALL·E (via Azure OpenAI)
 # Note: requires some of the variables above to be set
 #----------------
 # DALLE3_AZURE_API_VERSION=
 # DALLE2_AZURE_API_VERSION=
 # Google
 #-----------------
 GOOGLE_SEARCH_API_KEY=
 GOOGLE_CSE_ID=
 # YOUTUBE
 #-----------------
 YOUTUBE_API_KEY=
 # SerpAPI
 #-----------------
 SERPAPI_API_KEY=
 # Stable Diffusion
 #-----------------
 SD_WEBUI_URL=http://stable-diffusion-webui:7860
 # Tavily
 #-----------------
 TAVILY_API_KEY=
 # Traversaal
 #-----------------
 TRAVERSAAL_API_KEY=
 # WolframAlpha
 #-----------------
 WOLFRAM_APP_ID=
 # Zapier
 #-----------------
 ZAPIER_NLA_API_KEY=
 #==================================================#
 #                      Search                      #
 #==================================================#
 SEARCH=true
 MEILI_NO_ANALYTICS=true
 MEILI_HOST=http://meilisearch:7700
 MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
 # Optional: Disable indexing, useful in a multi-node setup
 # where only one instance should perform an index sync.
 # MEILI_NO_SYNC=true
 #==================================================#
 #          Speech to Text & Text to Speech         #
 #==================================================#
 STT_API_KEY=
 TTS_API_KEY=
 #==================================================#
 #                        RAG                       #
 #==================================================#
 # More info: https://www.librechat.ai/docs/configuration/rag_api
 # RAG_OPENAI_BASEURL=
 # RAG_OPENAI_API_KEY=
 # RAG_USE_FULL_CONTEXT=
 # EMBEDDINGS_PROVIDER=openai
 # EMBEDDINGS_MODEL=text-embedding-3-small
 #===================================================#
 #                    User System                    #
 #===================================================#
 #========================#
 # Moderation             #
 #========================#
 OPENAI_MODERATION=false
 OPENAI_MODERATION_API_KEY=
 # OPENAI_MODERATION_REVERSE_PROXY=
 BAN_VIOLATIONS=true
 BAN_DURATION=1000 * 60 * 60 * 2
 BAN_INTERVAL=20
 LOGIN_VIOLATION_SCORE=1
 REGISTRATION_VIOLATION_SCORE=1
 CONCURRENT_VIOLATION_SCORE=1
 MESSAGE_VIOLATION_SCORE=1
 NON_BROWSER_VIOLATION_SCORE=20
 LOGIN_MAX=7
 LOGIN_WINDOW=5
 REGISTER_MAX=5
 REGISTER_WINDOW=60
 LIMIT_CONCURRENT_MESSAGES=true
 CONCURRENT_MESSAGE_MAX=2
 LIMIT_MESSAGE_IP=true
 MESSAGE_IP_MAX=40
 MESSAGE_IP_WINDOW=1
 LIMIT_MESSAGE_USER=false
 MESSAGE_USER_MAX=40
 MESSAGE_USER_WINDOW=1
 ILLEGAL_MODEL_REQ_SCORE=5
 #========================#
 # Balance                #
 #========================#
 CHECK_BALANCE=false
 # START_BALANCE=20000 # note: the number of tokens that will be credited after registration.
 #========================#
 # Registration and Login #
 #========================#
 ALLOW_EMAIL_LOGIN=true
 ALLOW_REGISTRATION=true
 ALLOW_SOCIAL_LOGIN=false
 ALLOW_SOCIAL_REGISTRATION=false
 ALLOW_PASSWORD_RESET=false
 # ALLOW_ACCOUNT_DELETION=true # note: enabled by default if omitted/commented out
 ALLOW_UNVERIFIED_EMAIL_LOGIN=true
 SESSION_EXPIRY=1000 * 60 * 15
 REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
 JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
 JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
 # Discord
 DISCORD_CLIENT_ID=
 DISCORD_CLIENT_SECRET=
 DISCORD_CALLBACK_URL=/oauth/discord/callback
 # Facebook
 FACEBOOK_CLIENT_ID=
 FACEBOOK_CLIENT_SECRET=
 FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
 # GitHub
 GITHUB_CLIENT_ID=
 GITHUB_CLIENT_SECRET=
 GITHUB_CALLBACK_URL=/oauth/github/callback
 # GitHub Enterprise
 # GITHUB_ENTERPRISE_BASE_URL=
 # GITHUB_ENTERPRISE_USER_AGENT=
 # Google
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
 GOOGLE_CALLBACK_URL=/oauth/google/callback
 # Apple
 APPLE_CLIENT_ID=
 APPLE_TEAM_ID=
 APPLE_KEY_ID=
 APPLE_PRIVATE_KEY_PATH=
 APPLE_CALLBACK_URL=/oauth/apple/callback
 # OpenID
 OPENID_CLIENT_ID=
 OPENID_CLIENT_SECRET=
 OPENID_ISSUER=
 OPENID_SESSION_SECRET=
 OPENID_SCOPE="openid profile email"
 OPENID_CALLBACK_URL=/oauth/openid/callback
 OPENID_REQUIRED_ROLE=
 OPENID_REQUIRED_ROLE_TOKEN_KIND=
 OPENID_REQUIRED_ROLE_PARAMETER_PATH=
 # Set to determine which user info property returned from OpenID Provider to store as the User's username
 OPENID_USERNAME_CLAIM=
 # Set to determine which user info property returned from OpenID Provider to store as the User's name
 OPENID_NAME_CLAIM=
 OPENID_BUTTON_LABEL=
 OPENID_IMAGE_URL=
 # LDAP
 # LDAP_URL=
 # LDAP_BIND_DN=
 # LDAP_BIND_CREDENTIALS=
 # LDAP_USER_SEARCH_BASE=
 # LDAP_SEARCH_FILTER=mail=
 # LDAP_CA_CERT_PATH=
 # LDAP_TLS_REJECT_UNAUTHORIZED=
 # LDAP_LOGIN_USES_USERNAME=true
 # LDAP_ID=
 # LDAP_USERNAME=
 # LDAP_EMAIL=
 # LDAP_FULL_NAME=
 #========================#
 # Email Password Reset   #
 #========================#
 EMAIL_SERVICE=
 EMAIL_HOST=postal-smtp
 EMAIL_PORT=25
 EMAIL_ENCRYPTION=
 EMAIL_ENCRYPTION_HOSTNAME=
 EMAIL_ALLOW_SELFSIGNED=
 EMAIL_USERNAME=
 EMAIL_PASSWORD=
 EMAIL_FROM_NAME=
 EMAIL_FROM=noreply@librechat.ai
 #========================#
 # Firebase CDN           #
 #========================#
 # FIREBASE_API_KEY=
 # FIREBASE_AUTH_DOMAIN=
 # FIREBASE_PROJECT_ID=
 # FIREBASE_STORAGE_BUCKET=
 # FIREBASE_MESSAGING_SENDER_ID=
 # FIREBASE_APP_ID=
 #========================#
 # Shared Links           #
 #========================#
 ALLOW_SHARED_LINKS=true
 ALLOW_SHARED_LINKS_PUBLIC=true
 #==============================#
 # Static File Cache Control    #
 #==============================#
 # Leave commented out to use defaults: 1 day (86400 seconds) for s-maxage and 2 days (172800 seconds) for max-age
 # NODE_ENV must be set to production for these to take effect
 # STATIC_CACHE_MAX_AGE=172800
 # STATIC_CACHE_S_MAX_AGE=86400
 # If you have another service in front of your LibreChat doing compression, disable express based compression here
 # DISABLE_COMPRESSION=true
 #===================================================#
 #                        UI                         #
 #===================================================#
 APP_TITLE=LibreChat
 # CUSTOM_FOOTER="My custom footer"
 HELP_AND_FAQ_URL=https://librechat.ai
 # SHOW_BIRTHDAY_ICON=true
 # Google tag manager id
 #ANALYTICS_GTM_ID=user provided google tag manager id
 #===============#
 # REDIS Options #
 #===============#
 REDIS_URI=redis:6379
 USE_REDIS=true
 # USE_REDIS_CLUSTER=true
 # REDIS_CA=/path/to/ca.crt
 #==================================================#
 #                      Others                      #
 #==================================================#
 #   You should leave the following commented out   #
 # NODE_ENV=
 # E2E_USER_EMAIL=
 # E2E_USER_PASSWORD=
 #=====================================================#
 #                  Cache Headers                      #
 #=====================================================#
 #   Headers that control caching of the index.html    #
 #   Default configuration prevents caching to ensure  #
 #   users always get the latest version. Customize    #
 #   only if you understand caching implications.      #
 # INDEX_HTML_CACHE_CONTROL=no-cache, no-store, must-revalidate
 # INDEX_HTML_PRAGMA=no-cache
 # INDEX_HTML_EXPIRES=0
 # no-cache: Forces validation with server before using cached version
 # no-store: Prevents storing the response entirely
 # must-revalidate: Prevents using stale content when offline
 #=====================================================#
 #                  OpenWeather                        #
 #=====================================================#
 OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
@@ -1,26 +1,26 @@
-version: 1.0.0
+version: 1.2.8
 endpoints:
  custom:
-    - name: "ollama"
+    - name: "rinoa-ollama"
      apiKey: "ollama"
      baseURL: "http://ollama:11434/v1/chat/completions"
      models:
        default: [
-          "deepseek-r1:1.5b",
+          "codellama:7b",
          "deepseek-coder-v2:16b",
          "deepseek-r1:1.5b",
          "deepseek-v3:671b",
          "dolphin-mistral:7b",
          "llama2:7b",
          "llama3.3:70b",
          "mistral-openorca:7b",
          "mistral:7b",
          "orca-mini:3b",
          "phi4:14b",
          "qwen2.5",
          "llama2:7b",
          "mistral:7b",
          "codellama:7b",
          "tinyllama:1.1b",
          "starcoder2:3b",
          "dolphin-mistral:7b",
          "smollm2:1.7b",
-          "orca-mini:3b",
+          "starcoder2:3b",
-          "mistral-openorca:7b"
+          "tinyllama:1.1b",
        ]
 # fetching list of models is supported but the `name` field must start
 # with `ollama` (case-insensitive), as it does in this example.
@@ -0,0 +1,124 @@
 [app]
 # Log level: info, debug, warn, error, fatal
 log_level = "debug"
 # Environment: dev, prod.
 # Setting to "dev" will enable color logging in terminal.
 env = "dev"
 # Whether to automatically check for application updates on start up, app updates are shown as a banner in the admin panel.
 check_updates = true
 # HTTP server.
 [app.server]
 # Address to bind the HTTP server to.
 address = "0.0.0.0:9000"
 # Unix socket path (leave empty to use TCP address instead)
 socket = ""
 # Do NOT disable secure cookies in production environment if you don't know exactly what you're doing!
 disable_secure_cookies = false
 # Request read and write timeouts.
 read_timeout = "5s"
 write_timeout = "5s"
 # Maximum request body size in bytes (100MB)
 # If you are using proxy, you may need to configure them to allow larger request bodies.
 max_body_size = 104857600
 # Size of the read buffer for incoming requests
 read_buffer_size = 4096
 # Keepalive settings.
 keepalive_timeout = "10s"
 # File upload provider to use, either `fs` or `s3`.
 [upload]
 provider = "s3"
 # Filesystem provider.
 [upload.fs]
 # Directory where uploaded files are stored, make sure this directory exists and is writable by the application.
 upload_path = 'uploads'
 # S3 provider.
 [upload.s3]
 # S3 endpoint URL (required only for non-AWS S3-compatible providers like MinIO).
 # Leave empty to use default AWS endpoints.
 url = "http://minio:9000"
 # AWS S3 credentials, keep empty to use attached IAM roles.
 access_key = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBREDESK_S3_ACCESS_KEY'] }}"
 secret_key = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBREDESK_S3_SECRET_KEY'] }}"
 # AWS region, e.g., "us-east-1", "eu-west-1", etc.
 region = "us-east-fh-pln"
 # S3 bucket name where files will be stored.
 bucket = "libredesk"
 # Optional prefix path within the S3 bucket where files will be stored.
 # Example, if set to "uploads/media", files will be stored under that path.
 # Useful for organizing files inside a shared bucket.
 bucket_path = ""
 # S3 signed URL expiry duration (e.g., "30m", "1h")
 expiry = "30m"
 # Postgres.
 [db]
 # If running locally, use `localhost`.
 host = "libredesk-pg-db"
 # Database port, default is 5432.
 port = 5432
 # Update the following values with your database credentials.
 user = "libredesk"
 password = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBREDESK_PG_DB_PASSWD'] }}"
 database = "libredesk"
 ssl_mode = "disable"
 # Maximum number of open database connections
 max_open = 30
 # Maximum number of idle connections in the pool
 max_idle = 30
 # Maximum time a connection can be reused before being closed
 max_lifetime = "300s"
 # Redis.
 [redis]
 # If running locally, use `localhost:6379`.
 address = "libredesk-valkey:6379"
 password = ""
 db = 0
 [message]
 # Number of workers processing outgoing message queue
 outgoing_queue_workers = 10
 # Number of workers processing incoming message queue
 incoming_queue_workers = 10
 # How often to scan for outgoing messages to process, keep it low to process messages quickly.
 message_outgoing_scan_interval = "50ms"
 # Maximum number of messages that can be queued for incoming processing
 incoming_queue_size = 5000
 # Maximum number of messages that can be queued for outgoing processing
 outgoing_queue_size = 5000
 [notification]
 # Number of concurrent notification workers
 concurrency = 2
 # Maximum number of notifications that can be queued
 queue_size = 2000
 [automation]
 # Number of workers processing automation rules
 worker_count = 10
 [autoassigner]
 # How often to run automatic conversation assignment
 autoassign_interval = "5m"
 [webhook]
 # Number of webhook delivery workers
 workers = 5
 # Maximum number of webhook deliveries that can be queued
 queue_size = 10000
 # HTTP timeout for webhook requests
 timeout = "15s"
 [conversation]
 # How often to check for conversations to unsnooze
 unsnooze_interval = "5m"
 [sla]
 # How often to evaluate SLA compliance for conversations
 evaluation_interval = "5m"
@@ -1,18 +1,34 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 containers:
  ghost_blog:
    action_keywords:
      - restart:
-          regex: ':[0-9]{2}\] ERROR.*$'
+          regex: 'Connection Error.*ECONNRESET$'
  immich-server:
    action_keywords:
      - restart:
-          regex: 'ADVICE:.*error'
+          regex: '(ENOTFOUND|Error|ECONNREFUSED)'
  invidious:
-    keywords:
+    action_keywords:
-      - regex: 'Error reading.*Connection reset by peer trying to reconnect...'
+      - restart:
          regex: 'Error reading.*Connection reset by peer trying to reconnect\.\.\.'
  maxun-backend:
    action_keywords:
      - restart:
          regex: '[Ee]rror'
  planka:
    action_keywords:
      - restart:
          regex: 'Failed to lift app: Sails is taking too long to load.$'
  scrutiny:
    action_keywords:
      - restart:
          regex: '^s6-.*: fatal.*$'
  swag:
    action_keywords:
      - restart:
          regex: '^s6-.*: fatal.*$'
 global_keywords:
  keywords:
    - panic
@@ -1,159 +0,0 @@
 'use strict';
 const packageJson = require('../../package.json');
 module.exports = {
    // Branding and customizations require a license: https://codecanyon.net/item/mirotalk-p2p-webrtc-realtime-video-conferences/38376661
    brand: {
        app: {
            language: 'en', // https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes
            name: 'MiroTalk',
            title: '<h1>MiroTalk</h1/>Free browser based Real-time video calls.<br />Simple, Secure, Fast.',
            description:
                'Start your next video call with a single click. No download, plug-in, or login is required. Just get straight to talking, messaging, and sharing your screen.',
            joinDescription: 'Pick a room name.<br />How about this one?',
            joinButtonLabel: 'JOIN ROOM',
            joinLastLabel: 'Your recent room:',
        },
        og: {
            type: 'app-webrtc',
            siteName: 'MiroTalk',
            title: 'Click the link to make a call.',
            description:
                'MiroTalk calling provides real-time HD quality and latency simply not available with traditional technology.',
            image: 'https://p2p.mirotalk.com/images/preview.png',
            url: 'https://p2p.mirotalk.com',
        },
        site: {
            shortcutIcon: '../images/logo.svg',
            appleTouchIcon: '../images/logo.svg',
            landingTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
            newCallTitle: 'MiroTalk a Free Secure Video Calls, Chat & Screen Sharing.',
            newCallRoomTitle: 'Pick name. <br />Share URL. <br />Start conference.',
            newCallRoomDescription:
                "Each room has its disposable URL. Just pick a room name and share your custom URL. It's that easy.",
            loginTitle: 'MiroTalk - Host Protected login required.',
            clientTitle: 'MiroTalk WebRTC Video call, Chat Room & Screen Sharing.',
            privacyPolicyTitle: 'MiroTalk - privacy and policy.',
            stunTurnTitle: 'Test Stun/Turn Servers.',
            notFoundTitle: 'MiroTalk - 404 Page not found.',
        },
        html: {
            features: true,
            browsers: true,
            teams: true, // please keep me always true ;)
            tryEasier: true,
            poweredBy: true,
            sponsors: true,
            advertisers: true,
            footer: true,
        },
        about: {
            imageUrl: '../images/mirotalk-logo.gif',
            title: `WebRTC P2P v${packageJson.version}`,
            html: `
                <button
                    id="support-button"
                    data-umami-event="Support button"
                    onclick="window.open('https://codecanyon.net/user/miroslavpejic85')">
                    <i class="fas fa-heart" ></i>&nbsp;Support
                </button>
                <br /><br /><br />
                Author:<a
                    id="linkedin-button"
                    data-umami-event="Linkedin button"
                    href="https://www.linkedin.com/in/miroslav-pejic-976a07101/" target="_blank">
                    Miroslav Pejic
                </a>
                <br /><br />
                Email:<a
                    id="email-button"
                    data-umami-event="Email button"
                    href="mailto:miroslav.pejic.85@gmail.com?subject=MiroTalk P2P info">
                    miroslav.pejic.85@gmail.com
                </a>
                <br /><br />
                <hr />
                <span>&copy; 2025 MiroTalk P2P, all rights reserved</span>
                <hr />
            `,
        },
        //...
    },
    /**
     * Configuration for controlling the visibility of buttons in the MiroTalk P2P client.
     * Set properties to true to show the corresponding buttons, or false to hide them.
     * captionBtn, showSwapCameraBtn, showScreenShareBtn, showFullScreenBtn, showVideoPipBtn, showDocumentPipBtn -> (auto-detected).
     */
    buttons: {
        main: {
            showShareQr: true,
            showShareRoomBtn: true, // For guests
            showHideMeBtn: true,
            showAudioBtn: true,
            showVideoBtn: true,
            showScreenBtn: true, // autodetected
            showRecordStreamBtn: true,
            showChatRoomBtn: true,
            showCaptionRoomBtn: true,
            showRoomEmojiPickerBtn: true,
            showMyHandBtn: true,
            showWhiteboardBtn: true,
            showSnapshotRoomBtn: true,
            showFileShareBtn: true,
            showDocumentPipBtn: true,
            showMySettingsBtn: true,
            showAboutBtn: true, // Please keep me always true, Thank you!
        },
        chat: {
            showTogglePinBtn: true,
            showMaxBtn: true,
            showSaveMessageBtn: true,
            showMarkDownBtn: true,
            showChatGPTBtn: true,
            showFileShareBtn: true,
            showShareVideoAudioBtn: true,
            showParticipantsBtn: true,
        },
        caption: {
            showTogglePinBtn: true,
            showMaxBtn: true,
        },
        settings: {
            showMicOptionsBtn: true,
            showTabRoomPeerName: true,
            showTabRoomParticipants: true,
            showTabRoomSecurity: true,
            showTabEmailInvitation: true,
            showCaptionEveryoneBtn: true,
            showMuteEveryoneBtn: true,
            showHideEveryoneBtn: true,
            showEjectEveryoneBtn: true,
            showLockRoomBtn: true,
            showUnlockRoomBtn: true,
            showShortcutsBtn: true,
        },
        remote: {
            showAudioVolume: true,
            audioBtnClickAllowed: true,
            videoBtnClickAllowed: true,
            showVideoPipBtn: true,
            showKickOutBtn: true,
            showSnapShotBtn: true,
            showFileShareBtn: true,
            showShareVideoAudioBtn: true,
            showPrivateMessageBtn: true,
            showZoomInOutBtn: false,
            showVideoFocusBtn: true,
        },
        local: {
            showVideoPipBtn: true,
            showSnapShotBtn: true,
            showVideoCircleBtn: true,
            showZoomInOutBtn: false,
        },
        whiteboard: {
            whiteboardLockBtn: false,
        },
    },
 };
@@ -24,30 +24,31 @@
    {
      "type": "spotify",
      "enable": true,
-      "clients": [],
+      "clients": ["lastfmClient", "ListenBrainzClient", "maloja"],
-      "name": "spotify",
+      "name": "spotifySource",
      "data": {
        "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
        "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
-        "redirectUri": "http://localhost:9078/callback"
+        "redirectUri": "https://scrobble.trez.wtf/callback"
      }
    },
    {
      "type": "lastfm",
      "enable": true,
-      "clients": [],
+      "clients": ["ListenBrainzClient", "maloja"],
-      "name": "lastfm",
+      "configureAs": "source",
      "name": "lastfmSource",
      "data": {
        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-        "redirectUri": "http://localhost:9078/lastfm/callback"
+        "redirectUri": "https://scrobble.trez.wtf/lastfm/callback"
      }
    },
    {
      "type": "listenbrainz",
      "enable": true,
-      "clients": [],
+      "clients": ["lastfmClient", "maloja"],
-      "name": "listenBrainz",
+      "name": "listenBrainzSource",
      "data": {
        "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
        "username": "Trez.One"
@@ -56,8 +57,8 @@
    {
      "type": "subsonic",
      "enable": true,
-      "clients": [],
+      "clients": ["lastfmClient", "ListenBrainzClient", "maloja"],
-      "name": "navidrome",
+      "name": "navidromeSource",
      "data": {
        "url": "http://navidrome:4533",
        "user": "admin",
@@ -70,10 +71,11 @@
      "type": "lastfm",
      "enable": true,
      "name": "lastFmClient",
      "configureAs": "client",
      "data": {
        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
        "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
-        "redirectUri": "http://localhost:9078/lastfm/callback"
+        "redirectUri": "https://scrobble.trez.wtf/lastfm/callback"
      }
    },
    {
@@ -88,7 +90,7 @@
    {
      "type": "maloja",
      "enable": true,
-      "name": "maloja",
+      "name": "malojaClient",
      "data": {
        "url": "http://maloja:42010",
        "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
@@ -1,76 +0,0 @@
 {
  "Stuns": [
    {
      "Proto": "udp",
      "URI": "stun:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
      "Username": "",
      "Password": null
    }
  ],
  "TURNConfig": {
    "Turns": [
      {
        "Proto": "udp",
        "URI": "turn:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
        "Username": "self",
        "Password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}"
      }
    ],
    "CredentialsTTL": "12h",
    "Secret": "secret",
    "TimeBasedCredentials": false
  },
  "Relay": {
    "Addresses": [
      "rel://netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:33080"
    ],
    "CredentialsTTL": "24h",
    "Secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_RELAY_AUTH_SECRET'] }}"
  },
  "Signal": {
    "Proto": "https",
    "URI": "netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:10001",
    "Username": "",
    "Password": null
  },
  "ReverseProxy": {
    "TrustedHTTPProxies": [],
    "TrustedHTTPProxiesCount": 0,
    "TrustedPeers": [
      "0.0.0.0/0"
    ]
  },
  "Datadir": "",
  "DataStoreEncryptionKey": "",
  "StoreConfig": {
    "Engine": "sqlite"
  },
  "HttpConfig": {
    "Address": "0.0.0.0:33073",
    "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
    "AuthAudience": "netbird",
    "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
    "AuthUserIDClaim": "",
    "CertFile": "",
    "CertKey": "",
    "IdpSignKeyRefreshEnabled": true,
    "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {},
  "DeviceAuthorizationFlow": {},
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "Audience": "netbird",
      "ClientID": "netbird",
      "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
      "Domain": "",
      "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
      "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
      "Scope": "openid profile email offline_access api",
      "RedirectURLs": [
        "http://localhost:53000"
      ],
      "UseIDToken": true
    }
  }
 }
@@ -1,122 +0,0 @@
 {
    "issuer": "https://id.trez.wtf",
    "authorization_endpoint": "https://id.trez.wtf/oauth/v2/authorize",
    "token_endpoint": "https://id.trez.wtf/oauth/v2/token",
    "introspection_endpoint": "https://id.trez.wtf/oauth/v2/introspect",
    "userinfo_endpoint": "https://id.trez.wtf/oidc/v1/userinfo",
    "revocation_endpoint": "https://id.trez.wtf/oauth/v2/revoke",
    "end_session_endpoint": "https://id.trez.wtf/oidc/v1/end_session",
    "device_authorization_endpoint": "https://id.trez.wtf/oauth/v2/device_authorization",
    "jwks_uri": "https://id.trez.wtf/oauth/v2/keys",
    "scopes_supported": [
        "openid",
        "profile",
        "email",
        "phone",
        "address",
        "offline_access"
    ],
    "response_types_supported": [
        "code",
        "id_token",
        "id_token token"
    ],
    "response_modes_supported": [
        "query",
        "fragment",
        "form_post"
    ],
    "grant_types_supported": [
        "authorization_code",
        "implicit",
        "refresh_token",
        "client_credentials",
        "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "urn:ietf:params:oauth:grant-type:device_code"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "request_object_signing_alg_values_supported": [
        "RS256"
    ],
    "token_endpoint_auth_methods_supported": [
        "none",
        "client_secret_basic",
        "client_secret_post",
        "private_key_jwt"
    ],
    "token_endpoint_auth_signing_alg_values_supported": [
        "RS256"
    ],
    "revocation_endpoint_auth_methods_supported": [
        "none",
        "client_secret_basic",
        "client_secret_post",
        "private_key_jwt"
    ],
    "revocation_endpoint_auth_signing_alg_values_supported": [
        "RS256"
    ],
    "introspection_endpoint_auth_methods_supported": [
        "client_secret_basic",
        "private_key_jwt"
    ],
    "introspection_endpoint_auth_signing_alg_values_supported": [
        "RS256"
    ],
    "claims_supported": [
        "sub",
        "aud",
        "exp",
        "iat",
        "iss",
        "auth_time",
        "nonce",
        "acr",
        "amr",
        "c_hash",
        "at_hash",
        "act",
        "scopes",
        "client_id",
        "azp",
        "preferred_username",
        "name",
        "family_name",
        "given_name",
        "locale",
        "email",
        "email_verified",
        "phone_number",
        "phone_number_verified"
    ],
    "code_challenge_methods_supported": [
        "S256"
    ],
    "ui_locales_supported": [
        "bg",
        "cs",
        "de",
        "en",
        "es",
        "fr",
        "hu",
        "id",
        "it",
        "ja",
        "ko",
        "mk",
        "nl",
        "pl",
        "pt",
        "ru",
        "sv",
        "zh"
    ],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": false
 }
@@ -1,725 +0,0 @@
 # Coturn TURN SERVER configuration file
 #
 # Boolean values note: where a boolean value is supposed to be used,
 # you can use '0', 'off', 'no', 'false', or 'f' as 'false,
 # and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
 # If the value is missing, then it means 'true' by default.
 #
 # Listener interface device (optional, Linux only).
 # NOT RECOMMENDED.
 #
 #listening-device=eth0
 # TURN listener port for UDP and TCP (Default: 3478).
 # Note: actually, TLS & DTLS sessions can connect to the
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 #
 listening-port=3478
 # TURN listener port for TLS (Default: 5349).
 # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
 # port(s), too - if allowed by configuration. The TURN server
 # "automatically" recognizes the type of traffic. Actually, two listening
 # endpoints (the "plain" one and the "tls" one) are equivalent in terms of
 # functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
 # For secure TCP connections, Coturn currently supports SSL version 3 and
 # TLS version 1.0, 1.1 and 1.2.
 # For secure UDP connections, Coturn supports DTLS version 1.
 #
 tls-listening-port=5349
 # Alternative listening port for UDP and TCP listeners;
 # default (or zero) value means "listening port plus one".
 # This is needed for RFC 5780 support
 # (STUN extension specs, NAT behavior discovery). The TURN Server
 # supports RFC 5780 only if it is started with more than one
 # listening IP address of the same family (IPv4 or IPv6).
 # RFC 5780 is supported only by UDP protocol, other protocols
 # are listening to that endpoint only for "symmetry".
 #
 #alt-listening-port=0
 # Alternative listening port for TLS and DTLS protocols.
 # Default (or zero) value means "TLS listening port plus one".
 #
 #alt-tls-listening-port=0
 # Some network setups will require using a TCP reverse proxy in front
 # of the STUN server. If the proxy port option is set a single listener
 # is started on the given port that accepts connections using the
 # haproxy proxy protocol v2.
 # (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
 #
 #tcp-proxy-port=5555
 # Listener IP address of relay server. Multiple listeners can be specified.
 # If no IP(s) specified in the config file or in the command line options,
 # then all IPv4 and IPv6 system IPs will be used for listening.
 #
 #listening-ip=172.17.19.101
 #listening-ip=10.207.21.238
 #listening-ip=2607:f0d0:1002:51::4
 # Auxiliary STUN/TURN server listening endpoint.
 # Aux servers have almost full TURN and STUN functionality.
 # The (minor) limitations are:
 #
 # 1) Auxiliary servers do not have alternative ports and
 # they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
 #
 # 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
 #
 # Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
 #
 # There may be multiple aux-server options, each will be used for listening
 # to client requests.
 #
 #aux-server=172.17.19.110:33478
 #aux-server=[2607:f0d0:1002:51::4]:33478
 # (recommended for older Linuxes only)
 # Automatically balance UDP traffic over auxiliary servers (if configured).
 # The load balancing is using the ALTERNATE-SERVER mechanism.
 # The TURN client must support 300 ALTERNATE-SERVER response for this
 # functionality.
 #
 #udp-self-balance
 # Relay interface device for relay sockets (optional, Linux only).
 # NOT RECOMMENDED.
 #
 #relay-device=eth1
 # Relay address (the local IP address that will be used to relay the
 # packets to the peer).
 # Multiple relay addresses may be used.
 # The same IP(s) can be used as both listening IP(s) and relay IP(s).
 #
 # If no relay IP(s) specified, then the turnserver will apply the default
 # policy: it will decide itself which relay addresses to be used, and it
 # will always be using the client socket IP address as the relay IP address
 # of the TURN session (if the requested relay address family is the same
 # as the family of the client socket).
 #
 #relay-ip=172.17.19.105
 #relay-ip=2607:f0d0:1002:51::5
 # For Amazon EC2 users:
 #
 # TURN Server public/private address mapping, if the server is behind NAT.
 # In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
 # as relay IP address of all allocations. This scenario works only in a simple case
 # when one single relay address is be used, and no RFC5780 functionality is required.
 # That single relay address must be mapped by NAT to the 'external' IP.
 # The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
 # For that 'external' IP, NAT must forward ports directly (relayed port 12345
 # must be always mapped to the same 'external' port 12345).
 #
 # In more complex case when more than one IP address is involved,
 # that option must be used several times, each entry must
 # have form "-X <public-ip/private-ip>", to map all involved addresses.
 # RFC5780 NAT discovery STUN functionality will work correctly,
 # if the addresses are mapped properly, even when the TURN server itself
 # is behind A NAT.
 #
 # By default, this value is empty, and no address mapping is used.
 #
 # external-ip=193.224.22.37
 #
 #OR:
 #
 #external-ip=60.70.80.91/172.17.19.101
 #external-ip=60.70.80.92/172.17.19.102
 external-ip=108.29.206.17
 # Number of the relay threads to handle the established connections
 # (in addition to authentication thread and the listener thread).
 # If explicitly set to 0 then application runs relay process in a
 # single thread, in the same thread with the listener process
 # (the authentication thread will still be a separate thread).
 #
 # If this parameter is not set, then the default OS-dependent
 # thread pattern algorithm will be employed. Usually the default
 # algorithm is optimal, so you have to change this option
 # if you want to make some fine tweaks.
 #
 # In the older systems (Linux kernel before 3.9),
 # the number of UDP threads is always one thread per network listening
 # endpoint - including the auxiliary endpoints - unless 0 (zero) or
 # 1 (one) value is set.
 #
 #relay-threads=0
 # Lower and upper bounds of the UDP relay endpoints:
 # (default values are 49152 and 65535)
 #
 min-port=49152
 max-port=65535
 # Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
 # By default the verbose mode is off.
 #verbose
 # Uncomment to run TURN server in 'extra' verbose mode.
 # This mode is very annoying and produces lots of output.
 # Not recommended under normal circumstances.
 #
 #Verbose
 # Uncomment to use fingerprints in the TURN messages.
 # By default the fingerprints are off.
 #
 fingerprint
 # Uncomment to use long-term credential mechanism.
 # By default no credentials mechanism is used (any user allowed).
 #
 lt-cred-mech
 # This option is the opposite of lt-cred-mech.
 # (TURN Server with no-auth option allows anonymous access).
 # If neither option is defined, and no users are defined,
 # then no-auth is default. If at least one user is defined,
 # in this file, in command line or in usersdb file, then
 # lt-cred-mech is default.
 #
 #no-auth
 # TURN REST API flag.
 # (Time Limited Long Term Credential)
 # Flag that sets a special authorization option that is based upon authentication secret.
 #
 # This feature's purpose is to support "TURN Server REST API", see
 # "TURN REST API" link in the project's page
 # https://github.com/coturn/coturn/
 #
 # This option is used with timestamp:
 #
 # usercombo -> "timestamp:userid"
 # turn user -> usercombo
 # turn password -> base64(hmac(secret key, usercombo))
 #
 # This allows TURN credentials to be accounted for a specific user id.
 # If you don't have a suitable id, then the timestamp alone can be used.
 # This option is enabled by turning on secret-based authentication.
 # The actual value of the secret is defined either by the option static-auth-secret,
 # or can be found in the turn_secret table in the database (see below).
 #
 # Read more about it:
 #  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
 #  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
 #
 # Be aware that use-auth-secret overrides some parts of lt-cred-mech.
 # The use-auth-secret feature depends internally on lt-cred-mech, so if you set
 # this option then it automatically enables lt-cred-mech internally
 # as if you had enabled both.
 #
 # Note that you can use only one auth mechanism at the same time! This is because,
 # both mechanisms conduct username and password validation in different ways.
 #
 # Use either lt-cred-mech or use-auth-secret in the conf
 # to avoid any confusion.
 #
 #use-auth-secret
 # 'Static' authentication secret value (a string) for TURN REST API only.
 # If not set, then the turn server
 # will try to use the 'dynamic' value in the turn_secret table
 # in the user database (if present). The database-stored  value can be changed on-the-fly
 # by a separate program, so this is why that mode is considered 'dynamic'.
 #
 #static-auth-secret=north
 # Server name used for
 # the oAuth authentication purposes.
 # The default value is the realm name.
 #
 # server-name=stun.wiretrustee.com
 # Flag that allows oAuth authentication.
 #
 #oauth
 # 'Static' user accounts for the long term credentials mechanism, only.
 # This option cannot be used with TURN REST API.
 # 'Static' user accounts are NOT dynamically checked by the turnserver process,
 # so they can NOT be changed while the turnserver is running.
 #
 #user=username1:key1
 #user=username2:key2
 # OR:
 user=self:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}
 #user=username2:password2
 #
 # Keys must be generated by turnadmin utility. The key value depends
 # on user name, realm, and password:
 #
 # Example:
 # $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
 # Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
 # ('0x' in the beginning of the key is what differentiates the key from
 # password. If it has 0x then it is a key, otherwise it is a password).
 #
 # The corresponding user account entry in the config file will be:
 #
 #user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
 # Or, equivalently, with open clear password (less secure):
 #user=ninefingers:youhavetoberealistic
 #
 # SQLite database file name.
 #
 # The default file name is /var/db/turndb or /usr/local/var/db/turndb or
 # /var/lib/turn/turndb.
 #
 #userdb=/var/db/turndb
 # PostgreSQL database connection string in the case that you are using PostgreSQL
 # as the user database.
 # This database can be used for the long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN REST API.
 # See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
 # versions connection string format, see
 # http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
 # for 9.x and newer connection string formats.
 #
 #psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
 # MySQL database connection string in the case that you are using MySQL
 # as the user database.
 # This database can be used for the long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN REST API.
 #
 # Optional connection string parameters for the secure communications (SSL):
 # ca, capath, cert, key, cipher
 # (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
 # command options description).
 #
 # Use the string format below (space separated parameters, all optional):
 #
 # mysql-userdb="host=mysql dbname=coturn user=coturn password=CHANGE_ME port=3306 connect_timeout=10 read_timeout=10"
 # If you want to use an encrypted password in the MySQL connection string,
 # then set the MySQL password encryption secret key file with this option.
 #
 # Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
 # If you want to use a cleartext password then do not set this option!
 #
 # This is the file path for the aes encrypted secret key used for password encryption.
 #
 #secret-key-file=/path/
 # MongoDB database connection string in the case that you are using MongoDB
 # as the user database.
 # This database can be used for long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN REST API.
 # Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
 #
 #mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
 # Redis database connection string in the case that you are using Redis
 # as the user database.
 # This database can be used for long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN REST API.
 # Use the string format below (space separated parameters, all optional):
 #
 #redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 # Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
 # This database keeps allocations status information, and it can be also used for publishing
 # and delivering traffic and allocation event notifications.
 # The connection string has the same parameters as redis-userdb connection string.
 # Use the string format below (space separated parameters, all optional):
 #
 #redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 # The default realm to be used for the users when no explicit
 # origin/realm relationship is found in the database, or if the TURN
 # server is not using any database (just the commands-line settings
 # and the userdb file). Must be used with long-term credentials
 # mechanism or with TURN REST API.
 #
 # Note: If the default realm is not specified, then realm falls back to the host domain name.
 #       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
 #
 # realm=wiretrustee.com
 # This flag sets the origin consistency
 # check. Across the session, all requests must have the same
 # main ORIGIN attribute value (if the ORIGIN was
 # initially used by the session).
 #
 #check-origin-consistency
 # Per-user allocation quota.
 # default value is 0 (no quota, unlimited number of sessions per user).
 # This option can also be set through the database, for a particular realm.
 #
 #user-quota=0
 # Total allocation quota.
 # default value is 0 (no quota).
 # This option can also be set through the database, for a particular realm.
 #
 #total-quota=0
 # Max bytes-per-second bandwidth a TURN session is allowed to handle
 # (input and output network streams are treated separately). Anything above
 # that limit will be dropped or temporarily suppressed (within
 # the available buffer limits).
 # This option can also be set through the database, for a particular realm.
 #
 #max-bps=0
 #
 # Maximum server capacity.
 # Total bytes-per-second bandwidth the TURN server is allowed to allocate
 # for the sessions, combined (input and output network streams are treated separately).
 #
 # bps-capacity=0
 # Uncomment if no UDP client listener is desired.
 # By default UDP client listener is always started.
 #
 #no-udp
 # Uncomment if no TCP client listener is desired.
 # By default TCP client listener is always started.
 #
 #no-tcp
 # Uncomment if no TLS client listener is desired.
 # By default TLS client listener is always started.
 #
 #no-tls
 # Uncomment if no DTLS client listener is desired.
 # By default DTLS client listener is always started.
 #
 #no-dtls
 # Uncomment if no UDP relay endpoints are allowed.
 # By default UDP relay endpoints are enabled (like in RFC 5766).
 #
 #no-udp-relay
 # Uncomment if no TCP relay endpoints are allowed.
 # By default TCP relay endpoints are enabled (like in RFC 6062).
 #
 #no-tcp-relay
 # Uncomment if extra security is desired,
 # with nonce value having a limited lifetime.
 # The nonce value is unique for a session.
 # Set this option to limit the nonce lifetime.
 # Set it to 0 for unlimited lifetime.
 # It defaults to 600 secs (10 min) if no value is provided. After that delay,
 # the client will get 438 error and will have to re-authenticate itself.
 #
 #stale-nonce=600
 # Uncomment if you want to set the maximum allocation
 # time before it has to be refreshed.
 # Default is 3600s.
 #
 #max-allocate-lifetime=3600
 # Uncomment to set the lifetime for the channel.
 # Default value is 600 secs (10 minutes).
 # This value MUST not be changed for production purposes.
 #
 #channel-lifetime=600
 # Uncomment to set the permission lifetime.
 # Default to 300 secs (5 minutes).
 # In production this value MUST not be changed,
 # however it can be useful for test purposes.
 #
 #permission-lifetime=300
 # Certificate file.
 # Use an absolute path or path relative to the
 # configuration file.
 # Use PEM file format.
 #
 cert=/etc/coturn/certs/cert.pem
 # Private key file.
 # Use an absolute path or path relative to the
 # configuration file.
 # Use PEM file format.
 #
 pkey=/etc/coturn/private/privkey.pem
 # Private key file password, if it is in encoded format.
 # This option has no default value.
 #
 #pkey-pwd=...
 # Allowed OpenSSL cipher list for TLS/DTLS connections.
 # Default value is "DEFAULT".
 #
 #cipher-list="DEFAULT"
 # CA file in OpenSSL format.
 # Forces TURN server to verify the client SSL certificates.
 # By default this is not set: there is no default value and the client
 # certificate is not checked.
 #
 # Example:
 #CA-file=/etc/ssh/id_rsa.cert
 # Curve name for EC ciphers, if supported by OpenSSL
 # library (TLS and DTLS). The default value is prime256v1,
 # if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
 # an optimal curve will be automatically calculated, if not defined
 # by this option.
 #
 #ec-curve-name=prime256v1
 # Use 566 bits predefined DH TLS key. Default size of the key is 2066.
 #
 #dh566
 # Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
 #
 #dh1066
 # Use custom DH TLS key, stored in PEM format in the file.
 # Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
 #
 #dh-file=<DH-PEM-file-name>
 # Flag to prevent stdout log messages.
 # By default, all log messages go to both stdout and to
 # the configured log file. With this option everything will
 # go to the configured log only (unless the log file itself is stdout).
 #
 #no-stdout-log
 # Option to set the log file name.
 # By default, the turnserver tries to open a log file in
 # /var/log, /var/tmp, /tmp and the current directory
 # (Whichever file open operation succeeds first will be used).
 # With this option you can set the definite log file name.
 # The special names are "stdout" and "-" - they will force everything
 # to the stdout. Also, the "syslog" name will force everything to
 # the system log (syslog).
 # In the runtime, the logfile can be reset with the SIGHUP signal
 # to the turnserver process.
 #
 log-file=stdout
 # Option to redirect all log output into system log (syslog).
 #
 # syslog
 # This flag means that no log file rollover will be used, and the log file
 # name will be constructed as-is, without PID and date appendage.
 # This option can be used, for example, together with the logrotate tool.
 #
 #simple-log
 # Option to set the "redirection" mode. The value of this option
 # will be the address of the alternate server for UDP & TCP service in the form of
 # <ip>[:<port>]. The server will send this value in the attribute
 # ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
 # Client will receive only values with the same address family
 # as the client network endpoint address family.
 # See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
 # The client must use the obtained value for subsequent TURN communications.
 # If more than one --alternate-server option is provided, then the functionality
 # can be more accurately described as "load-balancing" than a mere "redirection".
 # If the port number is omitted, then the default port
 # number 3478 for the UDP/TCP protocols will be used.
 # Colon (:) characters in IPv6 addresses may conflict with the syntax of
 # the option. To alleviate this conflict, literal IPv6 addresses are enclosed
 # in square brackets in such resource identifiers, for example:
 # [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
 # Multiple alternate servers can be set. They will be used in the
 # round-robin manner. All servers in the pool are considered of equal weight and
 # the load will be distributed equally. For example, if you have 4 alternate servers,
 # then each server will receive 25% of ALLOCATE requests. A alternate TURN server
 # address can be used more than one time with the alternate-server option, so this
 # can emulate "weighting" of the servers.
 #
 # Examples:
 #alternate-server=1.2.3.4:5678
 #alternate-server=11.22.33.44:56789
 #alternate-server=5.6.7.8
 #alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
 # Option to set alternative server for TLS & DTLS services in form of
 # <ip>:<port>. If the port number is omitted, then the default port
 # number 5349 for the TLS/DTLS protocols will be used. See the previous
 # option for the functionality description.
 #
 # Examples:
 #tls-alternate-server=1.2.3.4:5678
 #tls-alternate-server=11.22.33.44:56789
 #tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
 # Option to suppress TURN functionality, only STUN requests will be processed.
 # Run as STUN server only, all TURN requests will be ignored.
 # By default, this option is NOT set.
 #
 #stun-only
 # Option to hide software version. Enhance security when used in production.
 # Revealing the specific software version of the agent through the
 # SOFTWARE attribute might allow them to become more vulnerable to
 # attacks against software that is known to contain security holes.
 # Implementers SHOULD make usage of the SOFTWARE attribute a
 # configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
 #
 no-software-attribute
 # Option to suppress STUN functionality, only TURN requests will be processed.
 # Run as TURN server only, all STUN requests will be ignored.
 # By default, this option is NOT set.
 #
 #no-stun
 # This is the timestamp/username separator symbol (character) in TURN REST API.
 # The default value is ':'.
 # rest-api-separator=:
 # Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
 # This is an extra security measure.
 #
 # (To avoid any security issue that allowing loopback access may raise,
 # the no-loopback-peers option is replaced by allow-loopback-peers.)
 #
 # Allow it only for testing in a development environment!
 # In production it adds a possible security vulnerability, so for security reasons
 # it is not allowed using it together with empty cli-password.
 #
 #allow-loopback-peers
 # Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
 # This is an extra security measure.
 #
 #no-multicast-peers
 # Option to set the max time, in seconds, allowed for full allocation establishment.
 # Default is 60 seconds.
 #
 #max-allocate-timeout=60
 # Option to allow or ban specific ip addresses or ranges of ip addresses.
 # If an ip address is specified as both allowed and denied, then the ip address is
 # considered to be allowed. This is useful when you wish to ban a range of ip
 # addresses, except for a few specific ips within that range.
 #
 # This can be used when you do not want users of the turn server to be able to access
 # machines reachable by the turn server, but would otherwise be unreachable from the
 # internet (e.g. when the turn server is sitting behind a NAT)
 #
 # Examples:
 # denied-peer-ip=83.166.64.0-83.166.95.255
 # allowed-peer-ip=83.166.68.45
 # File name to store the pid of the process.
 # Default is /var/run/turnserver.pid (if superuser account is used) or
 # /var/tmp/turnserver.pid .
 #
 pidfile="/var/tmp/turnserver.pid"
 # Require authentication of the STUN Binding request.
 # By default, the clients are allowed anonymous access to the STUN Binding functionality.
 #
 #secure-stun
 # Mobility with ICE (MICE) specs support.
 #
 #mobility
 # Allocate Address Family according
 # If enabled then TURN server allocates address family according  the TURN
 # Client <=> Server communication address family.
 # (By default Coturn works according RFC 6156.)
 # !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
 #
 #keep-address-family
 # User name to run the process. After the initialization, the turnserver process
 # will attempt to change the current user ID to that user.
 #
 #proc-user=<user-name>
 # Group name to run the process. After the initialization, the turnserver process
 # will attempt to change the current group ID to that group.
 #
 #proc-group=<group-name>
 # Turn OFF the CLI support.
 # By default it is always ON.
 # See also options cli-ip and cli-port.
 #
 no-cli
 #Local system IP address to be used for CLI server endpoint. Default value
 # is 127.0.0.1.
 #
 # cli-ip=127.0.0.1
 # CLI server port. Default is 5766.
 #
 # cli-port=5766
 # CLI access password. Default is empty (no password).
 # For the security reasons, it is recommended that you use the encrypted
 # form of the password (see the -P command in the turnadmin utility).
 #
 # Secure form for password 'qwerty':
 #
 #cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
 #
 # Or insecure form for the same password:
 #
 # cli-password=CHANGE_ME
 # Enable Web-admin support on https. By default it is Disabled.
 # If it is enabled it also enables a http a simple static banner page
 # with a small reminder that the admin page is available only on https.
 #
 #web-admin
 # Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
 #
 #web-admin-ip=127.0.0.1
 # Web-admin server port. Default is 8080.
 #
 #web-admin-port=8080
 # Web-admin server listen on STUN/TURN worker threads
 # By default it is disabled for security reasons! (Not recommended in any production environment!)
 #
 #web-admin-listen-on-workers
 # Server relay. NON-STANDARD AND DANGEROUS OPTION.
 # Only for those applications when you want to run
 # server applications on the relay endpoints.
 # This option eliminates the IP permissions check on
 # the packets incoming to the relay endpoints.
 #
 #server-relay
 # Maximum number of output sessions in ps CLI command.
 # This value can be changed on-the-fly in CLI. The default value is 256.
 #
 #cli-max-output-sessions
 # Set network engine type for the process (for internal purposes).
 #
 #ne=[1|2|3]
 # Do not allow an TLS/DTLS version of protocol
 #
 #no-tlsv1
 #no-tlsv1_1
 #no-tlsv1_2
@@ -1,11 +0,0 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 <clickhouse>
    <profiles>
        <default>
            <log_queries>0</log_queries>
            <log_query_threads>0</log_query_threads>
        </default>
    </profiles>
 </clickhouse>
@@ -0,0 +1,225 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 # This is an example configuration file that documents all the options.
 # It will need to be modified for your specific use case.
 # These are not default values. You MUST review the config settings and properly configure this EXAMPLE file.
 # Please refer to the link below for more details on how to set up the configuration file
 # https://github.com/StuffAnThings/qbit_manage/wiki/Config-Setup
 commands:
  # The commands defined below will OVERRIDE any commands used in command line and docker env variables.
  dry_run: True
  recheck: False
  cat_update: False
  tag_update: False
  rem_unregistered: False
  tag_tracker_error: False
  rem_orphaned: False
  tag_nohardlinks: False
  share_limits: False
  skip_qb_version_check: False
  skip_cleanup: False
 qbt:
  # qBittorrent parameters
  # Pass environment variables to the config via !ENV tag
  host: qbittorrentvpn:8080
  user: admin
  pass: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['DELUGEVPN_PASSWORD'] }}
 settings:
  force_auto_tmm: False # Will force qBittorrent to enable Automatic Torrent Management for each torrent.
  force_auto_tmm_ignore_tags: #Torrents with these tags will be ignored when force_auto_tmm is enabled.
    - cross-seed
    - Upload
  tracker_error_tag: issue # Will set the tag of any torrents that do not have a working tracker.
  nohardlinks_tag: noHL # Will set the tag of any torrents with no hardlinks.
  stalled_tag: stalledDL # Will set the tag of any torrents stalled downloading.
  share_limits_tag: ~share_limit # Will add this tag when applying share limits to provide an easy way to filter torrents by share limit group/priority for each torrent
  share_limits_min_seeding_time_tag: MinSeedTimeNotReached # Tag to be added to torrents that have not yet reached the minimum seeding time
  share_limits_min_num_seeds_tag: MinSeedsNotMet # Tag to be added to torrents that have not yet reached the minimum number of seeds
  share_limits_last_active_tag: LastActiveLimitNotReached # Tag to be added to torrents that have not yet reached the last active limit
  cat_filter_completed: True # Filters for completed torrents only when running cat_update command
  share_limits_filter_completed: True # Filters for completed torrents only when running share_limits command
  tag_nohardlinks_filter_completed: True # Filters for completed torrents only when running tag_nohardlinks command
  rem_unregistered_filter_completed: False # Filters for completed torrents only when running rem_unregistered command
  cat_update_all: True # Checks and updates all torrent categories if set to True when running cat_update command, otherwise only update torrents that are uncategorized
  disable_qbt_default_share_limits: True # Allows QBM to handle share limits by disabling qBittorrents default Share limits. Only active when the share_limits command is set to True
  tag_stalled_torrents: True # Tags any downloading torrents that are stalled with the `stalledDL` tag when running the tag_update command
  rem_unregistered_ignore_list: # Ignores a list of words found in the status of the tracker when running rem_unregistered command and will not remove the torrent if matched
    - example placeholder words
    - ignore if found
 directory:
  # Do not remove these
  # root_dir var: </your/path/here/>  # Root downloads directory used to check for orphaned files, noHL, and RecycleBin.
  # <OPTIONAL> remote_dir var: </your/path/here/>  # Path of docker host mapping of root_dir.
  # remote_dir must be set if you're running qbit_manage locally and qBittorrent/cross_seed is in a docker
  # remote_dir should not be set if qbit_manage is running in a container
  # <OPTIONAL> recycle_bin var: </your/path/here/>   # Path of the RecycleBin folder. Default location is set to remote_dir/.RecycleBin
  # <OPTIONAL> torrents_dir var: </your/path/here/>  # Path of the your qbittorrent torrents directory. Required for `save_torrents` attribute in recyclebin
  # <OPTIONAL> orphaned_dir var: </your/path/here/>  # Path of the the Orphaned Data folder. This is similar to RecycleBin, but only for orphaned data.
  root_dir: "/downloads"
  # remote_dir: "/host/path/to/torrents/ifdocker/torrents/"
  # recycle_bin: "/path/to/.RecycleBin"
  torrents_dir: "/downloads/completed/torrent"
 cat:
  # Category & Path Parameters
  # All save paths in qbittorent must be populated below.
  # If you want to leave a save_path as uncategorized you can use the key 'Uncategorized' as the name of the category.
  # You can use Unix filename pattern matching as well when specifying the save_path
  # <Category Name> : <save_path>  # Path of your save directory.
  lidarr: "/downloads/completed/torrent/music"
  # prowlarr: "/data/torrents"
  radarr: "/downloads/completed/torrent/movies"
  readarr: "/downloads/completed/torrent/ebooks"
  tv-sonarr: "/downloads/completed/torrent//tv"
 cat_change:
  # This moves all the torrents from one category to another category. This executes on --cat-update
  # WARNING: if the paths are different and Default Torrent Management Mode is set to automatic the files could be moved !!!
  # <Old Category Name> : <New Category>
  CatA.cross-seed: CatA
  CatB.cross-seed: CatB
 tracker:
  # Mandatory
  # Tag Parameters
  # <Tracker URL Keyword>:    # <MANDATORY> This is the keyword in the tracker url. You can define multiple tracker urls by splitting with `|` delimiter
  # <MANDATORY> Set tag name. Can be a list of tags or a single tag
  #   tag: <Tag Name>
  # <OPTIONAL> Set the category based on tracker URL. This category option takes priority over the category defined by save directory
  #   cat: <Category Name>
  # <OPTIONAL> Set this to the notifiarr react name. This is used to add indexer reactions to the notifications sent by Notifiarr
  #   notifiarr: <notifiarr indexer>
  animebytes.tv:
    tag: AnimeBytes
    notifiarr: animebytes
  avistaz:
    tag:
      - Avistaz
      - tag2
      - tag3
    notifiarr: avistaz
  beyond-hd:
    tag: [Beyond-HD, tag2, tag3]
    cat: movies
    notifiarr: beyondhd
  blutopia:
    tag: Blutopia
    notifiarr: blutopia
  cartoonchaos:
    tag: CartoonChaos
  digitalcore:
    tag: DigitalCore
    notifiarr: digitalcore
  gazellegames:
    tag: GGn
  hdts:
    tag: HDTorrents
  landof.tv:
    tag: BroadcasTheNet
    notifiarr: broadcasthenet
  myanonamouse:
    tag: MaM
  passthepopcorn:
    tag: PassThePopcorn
    notifiarr: passthepopcorn
  privatehd:
    tag: PrivateHD
    notifiarr:
  torrentdb:
    tag: TorrentDB
    notifiarr: torrentdb
  torrentleech|tleechreload:
    tag: TorrentLeech
    notifiarr: torrentleech
  tv-vault:
    tag: TV-Vault
  # The "other" key is a special keyword and if defined will tag any other trackers that don't match the above trackers into this tag
  other:
    tag: other
 nohardlinks:
  # Tag Movies/Series that are not hard linked outside the root directory
  # Mandatory to fill out directory parameter above to use this function (root_dir/remote_dir)
  # This variable should be set to your category name of your completed movies/completed series in qbit. Acceptable variable can be any category you would like to tag if there are no hardlinks found
  movies-completed-4k:
  series-completed-4k:
  movies-completed:
    # <OPTIONAL> exclude_tags var: Will exclude torrents with any of the following tags when searching through the category.
    exclude_tags:
      - Beyond-HD
      - AnimeBytes
      - MaM
    # <OPTIONAL> ignore_root_dir var: Will ignore any hardlinks detected in the same root_dir (Default True).
    ignore_root_dir: true
  # Can have additional categories set with separate ratio/seeding times defined.
  series-completed:
    # <OPTIONAL> exclude_tags var: Will exclude torrents with any of the following tags when searching through the category.
    exclude_tags:
      - Beyond-HD
      - BroadcasTheNet
    # <OPTIONAL> ignore_root_dir var: Will ignore any hardlinks detected in the same root_dir (Default True).
    ignore_root_dir: true
 share_limits:
  # Control how torrent share limits are set depending on the priority of your grouping
  # Each torrent will be matched with the share limit group with the highest priority that meets the group filter criteria.
  # Each torrent can only be matched with one share limit group
  # This variable is mandatory and is a text defining the name of your grouping. This can be any string you want
  spacesaver:
    priority: 2
    max_ratio: 3
    min_last_active: 24h
    cleanup: false
  default:
    priority: 999
    max_ratio: -1
    max_seeding_time: -1
    cleanup: false
 recyclebin:
  # Recycle Bin method of deletion will move files into the recycle bin (Located in /root_dir/.RecycleBin) instead of directly deleting them in qbit
  # By default the Recycle Bin will be emptied on every run of the qbit_manage script if empty_after_x_days is defined.
  enabled: true
  # <OPTIONAL> empty_after_x_days var:
  # Will automatically remove all files and folders in recycle bin after x days. (Checks every script run)
  # If this variable is not defined it, the RecycleBin will never be emptied.
  # WARNING: Setting this variable to 0 will delete all files immediately upon script run!
  empty_after_x_days: 60
  # <OPTIONAL> save_torrents var:
  # If this option is set to true you MUST fill out the torrents_dir in the directory attribute.
  # This will save a copy of your .torrent and .fastresume file in the recycle bin before deleting it from qbittorrent
  save_torrents: true
  # <OPTIONAL> split_by_category var:
  # This will split the recycle bin folder by the save path defined in the `cat` attribute
  # and add the base folder name of the recycle bin that was defined in the `recycle_bin` sub-attribute under directory.
  split_by_category: false
 orphaned:
  # Orphaned files are those in the root_dir download directory that are not referenced by any active torrents.
  # Will automatically remove all files and folders in orphaned data after x days. (Checks every script run)
  # If this variable is not defined it, the orphaned data will never be emptied.
  # WARNING: Setting this variable to 0 will delete all files immediately upon script run!
  empty_after_x_days: 60
  # File patterns that will not be considered orphaned files. Handy for generated files that aren't part of the torrent but belong with the torrent's files
  exclude_patterns:
    - "**/.DS_Store"
    - "**/Thumbs.db"
    - "**/@eaDir"
    - "/data/torrents/temp/**"
    - "**/*.!qB"
    - "**/*_unpackerred"
  # Set your desired threshold for the maximum number of orphaned files qbm will delete in a single run. (-1 to disable safeguards)
  # This will help reduce the number of accidental large amount orphaned deletions in a single run
  # WARNING: Setting this variable to -1 will not safeguard against any deletions
  max_orphaned_files_to_delete: 50
 apprise:
  # Apprise integration with webhooks
  # Leave Empty/Blank to disable
  # Mandatory to fill out the url of your apprise API endpoint
  api_url: http://apprise-api:8000
  # Mandatory to fill out the notification url/urls based on the notification services provided by apprise. https://github.com/caronc/apprise/wiki
  notify_url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }}
@@ -100,7 +100,7 @@ server:
 redis:
  # URL to connect redis database. Is overwritten by ${SEARXNG_REDIS_URL}.
  # https://docs.searxng.org/admin/settings/settings_redis.html#settings-redis
-  url: redis://redis:6379/0
+  url: redis://searxng-valkey:6379/0
 ui:
  # Custom static path - leave it blank if you didn't change
@@ -1,10 +1,111 @@
 receivers:
  httplogreceiver/json:
    endpoint: 0.0.0.0:8082
    source: json
  otlp:
    protocols:
      grpc:
        endpoint: 0.0.0.0:4317
      http:
        endpoint: 0.0.0.0:4318
  hostmetrics:
    collection_interval: 60s  # Frequency of metrics collection.
    scrapers:
      cpu: {}
      load: {}
      memory: {}
      disk: {}
      filesystem: {}
      network: {}
  docker_stats:
    endpoint: unix:///var/run/docker.sock
    collection_interval: 30s
    timeout: 10s
    api_version: "1.51"
    metrics:
      container.uptime:
        enabled: true
      container.restarts:
        enabled: true
      container.network.io.usage.rx_errors:
        enabled: true
      container.network.io.usage.tx_errors:
        enabled: true
      container.network.io.usage.rx_packets:
        enabled: true
      container.network.io.usage.tx_packets:
        enabled: true
  filelog/nginx-access-logs:
    include: ["${env:NGINX_ACCESS_LOG_FILE}"]
    operators:
      # Parse the default nginx access log format. Nginx defaults to the "combined" log format
      # $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
      # For more details, see https://nginx.org/en/docs/http/ngx_http_log_module.html
      - type: regex_parser
        if: body matches '^(?P<remote_addr>[0-9\\.]+) - (?P<remote_user>[^\\s]+) \\[(?P<ts>.+)\\] "(?P<request_method>\\w+?) (?P<request_path>.+?)" (?P<status>[0-9]+) (?P<body_bytes_sent>[0-9]+) "(?P<http_referrer>.+?)" "(?P<http_user_agent>.+?)"$'
        parse_from: body
        parse_to: attributes
        regex: '^(?P<remote_addr>[0-9\.]+) - (?P<remote_user>[^\s]+) \[(?P<ts>.+)\] "(?P<request_method>\w+?) (?P<request_path>.+?)" (?P<status>[0-9]+) (?P<body_bytes_sent>[0-9]+) "(?P<http_referrer>.+?)" "(?P<http_user_agent>.+?)"$'
        timestamp:
          parse_from: attributes.ts
          layout: "02/Jan/2006:15:04:05 -0700"
          layout_type: gotime
        severity:
          parse_from: attributes.status
          overwrite_text: true
          mapping:
            debug: "1xx"
            info:
              - "2xx"
              - "3xx"
            warn: "4xx"
            error: "5xx"
      - type: remove
        if: attributes.ts != nil
        field: attributes.ts
      - type: add
        field: attributes.source
        value: nginx
  filelog/nginx-error-logs:
    include: ["${env:NGINX_ERROR_LOG_FILE}"]
    operators:
      # Parse the default nginx error log format.
      # YYYY/MM/DD HH:MM:SS [LEVEL] PID#TID: *CID MESSAGE
      # For more details, see https://github.com/phusion/nginx/blob/master/src/core/ngx_log.c
      - type: regex_parser
        if: body matches '^(?P<ts>.+?) \\[(?P<log_level>\\w+)\\] (?P<pid>\\d+)#(?P<tid>\\d+). \\*(?P<cid>\\d+) (?P<message>.+)$'
        parse_from: body
        parse_to: attributes
        regex: '^(?P<ts>.+?) \[(?P<log_level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+). \*(?P<cid>\d+) (?P<message>.+)$'
        timestamp:
          parse_from: attributes.ts
          layout: "2006/01/02 15:04:05"
          layout_type: gotime
        severity:
          parse_from: attributes.log_level
          overwrite_text: true
          mapping:
            debug: "debug"
            info:
              - "info"
              - "notice"
            warn: "warn"
            error:
              - "error"
              - "crit"
              - "alert"
            fatal: "emerg"
      - type: remove
        if: attributes.ts != nil
        field: attributes.ts
      - type: move
        if: attributes.message != nil
        from: attributes.message
        to: body
      - type: add
        field: attributes.source
        value: nginx
  prometheus:
    config:
      global:
@@ -22,9 +123,21 @@ processors:
    send_batch_max_size: 11000
    timeout: 10s
  resourcedetection:
    # Using OTEL_RESOURCE_ATTRIBUTES envvar, env detector adds custom labels.
    detectors: [env, system]
    system:
      hostname_sources: [os]
  resourcedetection/env:
    detectors: [env]
    timeout: 2s
    override: false
  resourcedetection/system:
    detectors: ["system"]
    system:
      hostname_sources: ["dns", "os"]
  resourcedetection/docker:
    detectors: [env, docker]
    timeout: 2s
    override: false
  signozspanmetrics/delta:
    metrics_exporter: clickhousemetricswrite, signozclickhousemetrics
    metrics_flush_interval: 60s
@@ -75,12 +188,14 @@ exporters:
    timeout: 10s
    use_new_schema: true
  # debug: {}
  otlp/nginx-logs:
    endpoint: "localhost:4317"
    tls:
      insecure: true
 service:
  telemetry:
    logs:
      encoding: json
    metrics:
      address: 0.0.0.0:8888
  extensions:
    - health_check
    - pprof
@@ -92,12 +207,16 @@ service:
    metrics:
      receivers: [otlp]
      processors: [batch]
-      exporters: [clickhousemetricswrite, signozclickhousemetrics]
+      exporters: [clickhousemetricswrite, signozclickhousemetrics, resourcedetection/docker, resourcedetection/system]
    metrics/hostmetrics:
      receivers: [hostmetrics]
      processors: [resourcedetection, resource/env]
      exporters: [otlp]
    metrics/prometheus:
      receivers: [prometheus]
      processors: [batch]
      exporters: [clickhousemetricswrite/prometheus, signozclickhousemetrics]
    logs:
-      receivers: [otlp]
+      receivers: [otlp, tcplog/docker, httplogreceiver/json]
      processors: [batch]
      exporters: [clickhouselogsexporter]
@@ -1 +1 @@
-server_endpoint: ws://signoz:4320/v1/opamp
+server_endpoint: ws://signoz-app:4320/v1/opamp
@@ -1,19 +0,0 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 {
  "$schema": "../schemas/v2/index.json",
  "repos": [
      {
          "type": "gitea",
          "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}",
          "url": "https://git.trez.wtf",
          "revisions": {
              "branches": [
                  "main",
                  "*"
              ]
          }
      }
  ]
 }
@@ -1,29 +0,0 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 <?xml version='1.0' encoding='UTF-8'?>
 <!DOCTYPE properties SYSTEM 'http://java.sun.com/dtd/properties.dtd'>
 <properties>
    <entry key='config.default'>./conf/default.xml</entry>
    <!--
    This is the main configuration file. All your configuration parameters should be placed in this file.
    Default configuration parameters are located in the "default.xml" file. You should not modify it to avoid issues
    with upgrading to a new version. Parameters in the main config file override values in the default file. Do not
    remove "config.default" parameter from this file unless you know what you are doing.
    For list of available parameters see following page: https://www.traccar.org/configuration-file/
    -->
    <entry key='database.driver'>org.postgresql.Driver</entry>
    <entry key='database.url'>jdbc:postgresql://traccar-pg:5432/traccar-db</entry>
    <entry key='database.user'>traccar</entry>
    <entry key='database.password'>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}</entry>
 </properties>
@@ -1,31 +0,0 @@
  sources:
    rinoa_docker_logs:
      type: docker_logs
      exclude_containers:
        - vector
  sinks:
    parseable:
      type: http
      method: post
      batch:
        max_bytes: 10485760
        max_events: 1000
        timeout_secs: 10
      compression: gzip
      inputs:
        - rinoa_docker_logs
      encoding:
        codec: json
      uri: http://parseable:8000/api/v1/ingest'
      auth:
        strategy: basic
        user: admin
        password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
      request:
        headers:
          X-P-Stream: rinoa-docker-logs
      healthcheck:
        enabled: true
        path: 'http://parseable:8000/api/v1/liveness'
        port: 80
@@ -1,19 +0,0 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 nodes:
  # Wazuh indexer server nodes
  indexer:
    - name: wazuh.indexer
      ip: wazuh.indexer
  # Wazuh server nodes
  # Use node_type only with more than one Wazuh manager
  server:
    - name: wazuh.manager
      ip: wazuh.manager
  # Wazuh dashboard node
  dashboard:
    - name: wazuh.dashboard
      ip: wazuh.dashboard
@@ -1,33 +0,0 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 network.host: "0.0.0.0"
 node.name: "wazuh.indexer"
 path.data: /var/lib/wazuh-indexer
 path.logs: /var/log/wazuh-indexer
 discovery.type: single-node
 http.port: 9200-9299
 transport.tcp.port: 9300-9399
 compatibility.override_main_response_version: true
 plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
 plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
 plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
 plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
 plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
 plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
 plugins.security.ssl.http.enabled: true
 plugins.security.ssl.transport.enforce_hostname_verification: false
 plugins.security.ssl.transport.resolve_hostname: false
 plugins.security.authcz.admin_dn:
 - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
 plugins.security.check_snapshot_restore_write_privileges: true
 plugins.security.enable_snapshot_restore_privilege: true
 plugins.security.nodes_dn:
 - "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
 plugins.security.restapi.roles_enabled:
 - "all_access"
 - "security_rest_api_access"
 plugins.security.system_indices.enabled: true
 plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
 plugins.security.allow_default_init_securityindex: true
 cluster.routing.allocation.disk.threshold_enabled: false
@@ -1,10 +0,0 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 hosts:
  - 1513629884013:
      url: "https://wazuh.manager"
      port: 55000
      username: wazuh-wui
      password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}
      run_as: false
@@ -1,43 +0,0 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 # All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
 Log:
  Level: 'debug'
 # Make ZITADEL accessible over HTTPs, not HTTP
 ExternalSecure: true
 ExternalDomain: 'id.trez.wtf'
 ExternalPort: 443
 # If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
 Database:
  postgres:
    Host: 'zitadel-pg-db'
    Port: 5432
    Database: zitadel
    User:
      SSL:
        Mode: 'disable'
    Admin:
      SSL:
        Mode: 'disable'
 DefaultInstance:
  DomainPolicy:
    UserLoginMustBeDomain: false
 LogStore:
  Access:
    Stdout:
      Enabled: true
 SMTPConfiguration:
    # Configuration of the host
    SMTP:
      # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
      Host: 'postal-smtp:25'
      User: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
    From: 'noreply@trez.wtf'
    FromName: 'Zitadel @ Rinoa'
@@ -1,13 +0,0 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 # All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/setup/steps.yaml
 FirstInstance:
  Org:
    Human:
      # use the loginname root@my-org.my.domain
      Username: 'root'
      Password: 'RootPassword1!'
      Email:
        Address: 'charish.patel@trez.wtf'
        Verified: true
@@ -1,13 +0,0 @@
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 # If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
 Database:
  postgres:
    User:
      # If the user doesn't exist already, it is created
      Username: 'zitadel'
      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_PASSWORD'] }}
    Admin:
      Username: 'root'
      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_ADMIN_PASSWORD'] }}
@@ -1,42 +1,54 @@
- name: Deploy Docker Service Configurations
+---
 - name: Deploy Docker Service Configurations (Modified in Last 10 Minutes)
  hosts: rinoa
  vars:
    appdata_base_path: "~/.docker/config/appdata"
    template_base_path: "{{ playbook_dir }}/app-configs"
    appdata_base_path: "~/.docker/config/appdata"
  tasks:
-    - name: Recursively collect all Jinja2 templates (*.j2)
+    - name: Find all Jinja2 templates
      ansible.builtin.find:
        paths: "{{ template_base_path }}"
        patterns: "*.j2"
-        recurse: true
+        recurse: yes
-      register: template_files
+      register: jinja_templates
      delegate_to: localhost
      run_once: true
-    - name: Set relative template path (without .j2) for each file
+    - name: Get parent directories modified in the last 10 minutes
      ansible.builtin.command: >
        find {{ template_base_path }} -mindepth 1 -maxdepth 1
        -type d -mmin -10
      register: modified_dirs
      changed_when: false
      delegate_to: localhost
      run_once: true
    - name: Set fact for recent directories
      ansible.builtin.set_fact:
-        rel_template_path: >-
+        recent_dirs: "{{ modified_dirs.stdout_lines }}"
-          {{ item.path
+
-             | regex_replace('^' + (template_base_path | regex_escape) + '/', '')
+    - name: Filter templates within recently modified folders
-             | regex_replace('\\.j2$', '') }}
+      ansible.builtin.set_fact:
-      loop: "{{ template_files.files }}"
+        selected_templates: >-
-      loop_control:
+          {{ jinja_templates.files
-        loop_var: item
+             | selectattr('path', 'search', recent_dirs | map('regex_escape') | map('regex_replace', '^', '') | join('|'))
-      register: rel_paths
+             | list }}
    - name: Ensure target directories exist
      ansible.builtin.file:
-        path: "{{ appdata_base_path }}/{{ item.ansible_facts.rel_template_path | dirname }}"
+        path: "{{ appdata_base_path }}/{{ item.path | regex_replace('^' + template_base_path + '/', '') | regex_replace('\\.j2$', '') | dirname }}"
        state: directory
        mode: '0755'
-      loop: "{{ rel_paths.results }}"
+      loop: "{{ selected_templates }}"
      loop_control:
-        label: "{{ item.ansible_facts.rel_template_path }}"
+        label: "{{ item.path }}"
-    - name: Deploy rendered templates
+    - name: Render and deploy templates
      ansible.builtin.template:
-        src: "{{ item.item.path | regex_replace('^' + (playbook_dir | regex_escape) + '/', '') }}"
+        src: "{{ item.path }}"
-        dest: "{{ appdata_base_path }}/{{ item.ansible_facts.rel_template_path }}"
+        dest: "{{ appdata_base_path }}/{{ item.path | regex_replace('^' + template_base_path + '/', '') | regex_replace('\\.j2$', '') }}"
        mode: '0644'
-      loop: "{{ rel_paths.results }}"
+      loop: "{{ selected_templates }}"
      loop_control:
-        label: "{{ item.ansible_facts.rel_template_path }}"
+        label: "{{ item.path }}"
@@ -1,14 +1,14 @@
 vault_addr: "https://vault.trez.wtf"
 vault_token: !vault |
  $ANSIBLE_VAULT;1.1;AES256
-  62353532343234343230663331623062376533346166343963383464303535646362376233663361
+  31616264333530373062366539333738643937326562616130636266646532653862663966663862
-  3532343530653365663331393339646337653564316337390a646264353561623132366635343032
+  6336343130363932316237373939656530663339383061360a626433656432633734363635313236
-  63326535376434353837663334366336613631346161363034646134333439613531376362646161
+  36646161663939393035333066656435663064313031636430386163653438336165663432393563
-  6438316662626566340a346665666234386630633764376336333063363934643162393565386330
+  3032316331653662310a653930623965303835396239383663306438633738356563633834623036
-  35333139303939613232303264646236326637613862303339353334623066393966353032333839
+  35616132656166663233613937346364343439306561306661633239623837373564323430386635
-  33323962303635333335376364366336663035303530396262356130373537363134303937353433
+  31663762303234326363643262633761363661656538373333396139376132303564336635623632
-  34393338336666396338616465666466613931373461663761366235643437646136373039353939
+  30303166336432653038333733386334323262623736626435623933653035363035383930366166
-  33643133313264303637646336653537383337336661313765663366356262343064316334313337
+  64376639396664303034656533656339363436306638396462333230636136396538303638323338
-  35306232303132653566356130343366313139336665313737363732613261623439
+  3138
 vault_token_cleaned: "{{ vault_token | regex_replace('\\n', '') }}"
 secrets_path: "rinoa-docker/env"
`@@ -1 +1 @@`
	`server_endpoint: ws://signoz:4320/v1/opamp`	`server_endpoint: ws://signoz-app:4320/v1/opamp`