Adding PlantUML server for Gitea.

Removing one commented out step.
Auto Merge of PR 22 - service-removals-i
2025-01-20 13:29:46 -05:00 · 2025-01-20 11:54:18 -05:00 · 2025-01-20 11:16:20 -05:00 · 2025-01-20 11:09:12 -05:00 · 2025-01-20 10:42:32 -05:00 · 2025-01-20 10:35:49 -05:00
59 changed files with 6443 additions and 1082 deletions
@@ -1,42 +1,48 @@
-name: Gitea Branch PR, SonarQube Analyze, and Merge Workflow
-
+name: Gitea Branch PR, Cloudflare DNS, README generation, & Ansible/Docker Deployment
 on:
  push:
    branches-ignore:
      - main
-
+    paths:
+      - '**.yml'
 jobs:
-  # Job 1: Check if PR exists and create one if the branch is new
  check-and-create-pr:
    name: Check and Create PR
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
-
+        with:
+          fetch-depth: 1
+      - name: Cache tea CLI
+        id: cache-tea
+        uses: actions/cache@v4
+        with:
+          path: /opt/hostedtoolcache/tea/0.9.2/x64
+          key: tea-${{ runner.os }}-0.9.2
      - name: Install tea
        uses: supplypike/setup-bin@v4
        with:
          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
          name: 'tea'
          version: '0.9.2'
-
-      - name: Check if PR exists & Create
-        id: list-prs
+      - name: Check if open PR exists
+        id: check-opened-pr-step
+        continue-on-error: true
+        run: |
+          tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
+          pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep ${{ github.ref_name }} | tail -1 | wc -l)
+          echo ${pr_exists}
+          echo "exists=$pr_exists" >> $GITHUB_OUTPUT
+      - name: Create PR
+        if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }}
        run: |
-          tea login add --name gitea-rinoa --url ${{ secrets.RINOA_GITEA_URL }} --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
          tea login default gitea-rinoa
-          echo "Checking if PR exists for ${{ github.ref_name }}..."
-          tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head,state --output csv | egrep '${{ github.ref_name }}' | head -1 | egrep -q 'open'
-          if [ $? -eq 0 ]; then
-            echo "An open PR exists, skipping creation..."
-          elif [ $? -eq 1 ]; then
-            echo "No open PRs, creating one..."
-            tea pr c -r "${{ github.repository }}" -t "Automated PR for ${{ github.ref_name }}" -d "Automated PR for ${{ github.ref_name }}"
-          fi
-
-  docker-compose-test:
-    name: Docker Compose Test
+          pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}')
+          pr_index_new=$(expr ${pr_index_old} + 1)
+          tea pr c -r ${{ github.repository }} -t "Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }}
+  docker-compose-ansible-lints:
+    name: Docker Compose & Ansible Lints
    needs: [check-and-create-pr]
    runs-on: ubuntu-latest
    env:
@@ -45,20 +51,41 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
-      
-      - name: Install jq
-        uses: dcarbone/install-jq-action@v3.0.1
-
+      - name: Cache Ansible Galaxy Collections
+        uses: actions/cache@v3
+        with:
+          path: ansible/collections
+          key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }}
+          restore-keys: |
+            ${{ runner.os }}-ansible-
+      - name: Install Ansible
+        uses: alex-oleshkevich/setup-ansible@v1.0.1
+        with:
+          version: "11.0.0"
      - name: Install Vault
        uses: cpanato/vault-installer@main
+      - name: Install hvac
+        run: pip install hvac
+      - name: Ansible Playbook Dry Run
+        uses: dawidd6/action-ansible-playbook@v2
        with:
-          vault-release: '1.18.3'
-
-      - name: Generate .env file for linting
+          directory: ansible/
+          playbook: docker_config_deploy.yml
+          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_KEY}}
+          options: |
+            --inventory inventory/hosts.yml
+            --check
+          requirements: collections/requirements.yml
+          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
+      - name: Generate .env file for Docker Compose Dry Run
        run: |
          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
-
-      - name: Docker Compose Lint
+      - name: Cache .env Files
+        uses: actions/cache@v4
+        with:
+          path: .env
+          key: ${{ runner.os }}-env-${{ hashFiles('docker-compose.yml') }}
+      - name: Docker Compose Dry Run
        uses: yu-ichiro/spin-up-docker-compose-action@v1
        with:
          file: docker-compose.yml
@@ -68,39 +95,41 @@ jobs:
          up-opts: --dry-run -d --remove-orphans
        env:
          DOCKER_HOST: tcp://dockerproxy:2375
-
  cloudflare-dns-setup:
    name: Cloudflare DNS Setup
-    needs: [docker-compose-test]
+    needs: [docker-compose-ansible-lints]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
-
-      - name: Install jq
-        uses: dcarbone/install-jq-action@v3.0.1
-
-      - name: Install yq
-        uses: dcarbone/install-yq-action@v1
-      
+        with:
+          fetch-depth: 1
+      - name: Cache flarectl CLI
+        uses: actions/cache@v4
+        with:
+          path: ~/.flarectl
+          key: flarectl-${{ runner.os }}-${{ hashFiles('workflow-config.yml') }}
      - name: Install flarectl
        uses: supplypike/setup-bin@v4
        with:
          uri: 'https://github.com/cloudflare/cloudflare-go/releases/download/v0.113.0/flarectl_0.113.0_linux_amd64.tar.gz'
          name: 'flarectl'
          version: '0.113.0'
-
+      - name: Cache Subdomain Files
+        uses: actions/cache@v4
+        with:
+          path: |
+            compose_subdomains.txt
+            cloudflare_subdomains.txt
+          key: ${{ runner.os }}-subdomains-${{ hashFiles('docker-compose.yml') }}
      - name: Grab Subdomains from Docker Compose & Cloudflare
        id: grab-subdomains
        env:
          CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
          CF_API_EMAIL: ${{ secrets.CF_API_EMAIL }}
        run: |
-          echo "Grabbing subdomains from docker-compose.yml..."
          yq '.services[].labels.swag_url' docker-compose.yml | egrep -v 'null' | sed -e 's|"||g' | awk -F'.' '{print $1}' | sort > compose_subdomains.txt
-          echo "Grabbing subdomains from Cloudflare..."
          flarectl --json dns list --zone "trez.wtf" --type=CNAME --content "trez.wtf" | jq '.[].Name' | sed -e 's|"||g' | awk -F"." '{print $1}' | sort > cloudflare_subdomains.txt
-          
      - name: Compare Subdomains
        id: compare-subdomains
        uses: LouisBrunner/diff-action@v2.2.0
@@ -110,7 +139,6 @@ jobs:
          mode: addition
          tolerance: mixed-better
          output: domain_compare.txt
-
      - name: Create Subdomains
        if: steps.compare-subdomains.outputs.output != ''
        continue-on-error: true
@@ -120,9 +148,8 @@ jobs:
        run: |
          cat domain_compare.txt | egrep '^-[a-z]' | sed -e 's|-||g' | while read -r subdomain; do
            echo "Creating $subdomain.trez.wtf..."
-            flarectl dns create --zone "trez.wtf" --name "${subdomain}" --type=CNAME --content "trez.wtf"
+            flarectl dns create --zone "trez.wtf" --name "${subdomain}" --type=CNAME --content "trez.wtf" --proxy true
          done
-
  regenerate-readme:
    name: Update README
    runs-on: ubuntu-latest
@@ -132,33 +159,27 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
-
      - name: Install yq
        uses: dcarbone/install-yq-action@v1
-      
      - name: Generate service list
        run: |
          yq '.services | to_entries | map({"service": .key, "image": .value.image})' docker-compose.yml > services.yml
-
      - name: Generate Markdown Table
        uses: gazab/create-markdown-table@v1
        id: service-table
        with:
          file: ./services.yml
-
      - name: Regenerate README
        run: |
          echo "# List of Services" > README.md
          echo -e "\n\n" >> README.md
          echo "${{ steps.service-table.outputs.table }}" >> README.md
-
      - name: Add/Commit README.md
        id: commit-readme
        uses: EndBug/add-and-commit@v9
        with:
          message: "chore: Update README"
          add: "README.md"
-
  pr-merge:
    name: PR Merge
    needs: [regenerate-readme]
@@ -166,25 +187,22 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
-      
      - name: Install tea
        uses: supplypike/setup-bin@v4
        with:
          uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64'
          name: 'tea'
          version: '0.9.2'
-
      - name: PR Merge
        id: pr_merge
        run: |
          tea login add --name gitea-rinoa --url ${{ secrets.RINOA_GITEA_URL }} --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }}
          tea login default gitea-rinoa
-          pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ gitea.ref_name }} | awk -F, '{print $1}' | sed -e 's|"||g')
-          tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR #${pr_index} - ${{ gitea.ref_name }}" --message "Merged by ${{ gitea.actor }}" --output table ${pr_index}
-
-
-  docker-compose-deploy:
-    name: Deploy via Docker Compose
+          echo "Merging PR..."
+          pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ github.ref_name }} | awk -F"," '{print $1}' | sed -e 's|"||g')
+          tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR ${pr_index} - ${{ github.ref_name }}" --message "Merged by ${{ github.actor }}" ${pr_index}
+  ansible-config-docker-compose-deploy:
+    name: Deploy via Ansible & Docker Compose
    runs-on: ubuntu-latest
    needs: [pr-merge]
    env:
@@ -196,19 +214,52 @@ jobs:
        uses: actions/checkout@v4
        with:
          ref: main
-
+      - name: Cache Vault install
+        id: cache-vault
+        uses: actions/cache@v4
+        with:
+          path: /opt/hostedtoolcache/vault/1.18.0/x64
+          key: vault-${{ runner.os }}-1.18.0
+      - name: Install Ansible
+        uses: alex-oleshkevich/setup-ansible@v1.0.1
+        with:
+          version: "11.0.0"
      - name: Install Vault
        uses: cpanato/vault-installer@main
-
+      - name: Install hvac
+        run: pip install hvac
+      - name: Deploy Docker Configs via Ansible
+        uses: dawidd6/action-ansible-playbook@v2
+        with:
+          directory: ansible/
+          playbook: docker_config_deploy.yml
+          key: ${{secrets.RINOA_ANSIBLE_PRIVATE_KEY}}
+          options: |
+            --inventory inventory/hosts.yml
+          requirements: collections/requirements.yml
+          vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'Ansible Config Deployment @ Rinoa'
+          notification_message: 'Deployment completed successfully.'
      - name: Generate .env file for deployment
        run: |
           vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env
-
      - name: Docker Compose Deployment
        uses: keatonLiu/docker-compose-remote-action@v1.2
-        with: 
+        with:
          ssh_user: gitea-deploy
          ssh_host: 192.168.1.254
          ssh_host_public_key: ${{ secrets.RINOA_GITEA_PUBLIC_SSH_KEY }}
          ssh_private_key: ${{ secrets.RINOA_GITEA_PRIVATE_SSH_KEY }}
          docker_compose_file: docker-compose.yml
+      - name: Gotify Notification
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.RINOA_GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'Docker Compose Deployment @ Rinoa'
+          notification_message: 'Deployment completed successfully.'
@@ -1,2 +1,2 @@
-**/.env*
-**/*env*
+**/.cache_ggshield
+ansible/collections/ansible_collections/
@@ -34,7 +34,7 @@
 | fastenhealth | ghcr.io/fastenhealth/fasten-onprem:main |
 | flaresolverr | ghcr.io/flaresolverr/flaresolverr:latest |
 | ghost | ghost:latest |
-| gitea | gitea/gitea:1.22.6 |
+| gitea | gitea/gitea:1.23.1 |
 | gitea-db | postgres:14 |
 | gitea-opengist | ghcr.io/thomiceli/opengist:latest |
 | gitea-runner | gitea/act_runner:latest |
@@ -67,17 +67,13 @@
 | jitsi-web | jitsi/web:stable |
 | joplin-db | postgres:17-alpine |
 | joplin | joplin/server:latest |
-| komodo-core | ghcr.io/mbecker20/komodo:latest |
-| komodo-ferretdb | ghcr.io/ferretdb/ferretdb |
-| komodo-periphery | ghcr.io/mbecker20/periphery:latest |
-| komodo-pg-db | postgres:17-alpine |
-| librespeed | lscr.io/linuxserver/librespeed:latest |
 | lidarr | lscr.io/linuxserver/lidarr:latest |
 | lidify | thewicklowwolf/lidify:latest |
 | lldap | lldap/lldap:stable |
 | localai | localai/localai:latest-aio-cpu |
 | maloja | krateng/maloja:latest |
-| mariadb | ghcr.io/linuxserver/mariadb |
+| mariadb | linuxserver/mariadb |
+| mastodon | lscr.io/linuxserver/mastodon:latest |
 | mastodon-pg-db | postgres:17-alpine |
 | minio | minio/minio |
 | mongodb | mongo:7.0 |
@@ -90,6 +86,8 @@
 | ollama | ollama/ollama |
 | ombi | lscr.io/linuxserver/ombi:latest |
 | paperless-ngx | ghcr.io/paperless-ngx/paperless-ngx:latest |
+| pgbackweb | eduardolat/pgbackweb:latest |
+| pgbackweb-db | postgres:16-alpine |
 | plausible | ghcr.io/plausible/community-edition:v2.1.0 |
 | plausible_db | postgres:16-alpine |
 | plausible_events_db | clickhouse/clickhouse-server:24.3.3.102-alpine |
@@ -109,7 +107,6 @@
 | scraperr-api | jpyles0524/scraperr_api:latest |
 | scrutiny | ghcr.io/analogj/scrutiny:master-omnibus |
 | searxng | searxng/searxng:latest |
-| semaphore | semaphoreui/semaphore:v2.10.32 |
 | slurpit-portal | slurpit/portal:latest |
 | slurpit-scanner | slurpit/scanner:latest |
 | slurpit-scraper | slurpit/scraper:latest |
@@ -120,6 +117,7 @@
 | sonashow | thewicklowwolf/sonashow:latest |
 | soularr | mrusse08/soularr:latest |
 | soulseek | slskd/slskd |
+| speedtest-tracker | lscr.io/linuxserver/speedtest-tracker:latest |
 | spotisub | blastbeng/spotisub:latest |
 | swag | lscr.io/linuxserver/swag:latest |
 | synapse | docker.io/matrixdotorg/synapse:latest |
@@ -140,6 +138,7 @@
 | wazuh.manager | wazuh/wazuh-manager: |
 | web-check | lissy93/web-check |
 | whodb | clidey/whodb |
+| yacht | selfhostedpro/yacht |
 | your_spotify | lscr.io/linuxserver/your_spotify:latest |
 | youtubedl | nbr23/youtube-dl-server:latest |
 | zammad-backup | postgres: |
@@ -0,0 +1,167 @@
+.logs/*
+*.retry
+*.vault
+# https://raw.githubusercontent.com/github/gitignore/main/Python.gitignore
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+.cache_ggshield
+# Ansible Vault Password Files
+*.pass
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
@@ -0,0 +1,45 @@
+# Rinoa Docker_configs Ansible Project
+
+## Included content/ Directory Structure
+
+The directory structure follows best practices recommended by the Ansible community. Feel free to customize this template according to your specific project requirements.
+
+```
+ ansible-project/
+ |── .devcontainer/
+ |    └── docker/
+ |        └── devcontainer.json
+ |    └── podman/
+ |        └── devcontainer.json
+ |    └── devcontainer.json
+ |── .github/
+ |    └── workflows/
+ |        └── tests.yml
+ |    └── ansible-code-bot.yml
+ |── .vscode/
+ |    └── extensions.json
+ |── collections/
+ |   └── requirements.yml
+ |   └── ansible_collections/
+ |       └── project_org/
+ |           └── project_repo/
+ |               └── README.md
+ |               └── roles/sample_role/
+ |                         └── README.md
+ |                         └── tasks/main.yml
+ |── inventory/
+ |   └── groups_vars/
+ |   └── host_vars/
+ |   └── hosts.yml
+ |── ansible-navigator.yml
+ |── ansible.cfg
+ |── devfile.yaml
+ |── linux_playbook.yml
+ |── network_playbook.yml
+ |── README.md
+ |── site.yml
+```
+
+## Compatible with Ansible-lint
+
+Tested with ansible-lint >=24.2.0 releases and the current development version of ansible-core.
@@ -0,0 +1,25 @@
+[defaults]
+# Specify the inventory file
+inventory = inventory/hosts.yml
+
+collections_path = ./collections
+# Set the logging verbosity level
+verbosity = 2
+
+# Set the default user for SSH connections
+remote_user = charish
+
+# Define the default become method
+become_method = sudo
+
+host_key_checking = false
+
+[persistent_connection]
+# Controls how long the persistent connection will remain idle before it is destroyed
+connect_timeout=30
+
+# Controls the amount of time to wait for response from remote device before timing out persistent connection
+command_timeout=30
+
+[hashi_vault_collection]
+auth_method = token
@@ -0,0 +1,16 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+tunnel: 52bdee6e-8ccb-47be-ba9e-f8010b905e41
+credentials-file: /etc/cloudflared/52bdee6e-8ccb-47be-ba9e-f8010b905e41.json
+warp-routing:
+  enabled: true
+
+ingress:
+  - hostname: git-ssh.trez.wtf
+    service: ssh://gitea:22
+  - hostname: gist-ssh.trez.wtf
+    service: ssh://gitea-opengist:2222
+  - hostname: ssh.trez.wtf
+    service: ssh://192.168.1.254:22
+  - service: http_status:404  # Default for unmatched requests
@@ -0,0 +1,15 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+source: journalctl
+journalctl_filter: 
+  - "--directory=/var/log/host/"
+labels:
+  type: syslog
+---
+filenames:
+  - /var/log/swag/*
+labels:
+  type: nginx
+---
@@ -0,0 +1,17 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+name: default_ip_remediation
+#debug: true
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+ - type: ban
+   duration: 4h
+#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
+# notifications:
+#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
+#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
+#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
+#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
+on_success: break
@@ -0,0 +1,125 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+APP_NAME = Gitea: Git with a cup of tea
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+DEFAULT_PRIVATE = last
+EMABLE_PUSH_CREATE_USER = true
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = git.trez.wtf
+SSH_DOMAIN = git-ssh.trez.wtf
+HTTP_PORT = 3000
+ROOT_URL = https://git.trez.wtf/
+DISABLE_SSH = false
+SSH_PORT = 22
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_LFS_JWT_SECRET'] }}
+OFFLINE_MODE = true
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = postgres
+HOST = gitea-db:5432
+NAME = gitea
+USER = gitea
+PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_PG_DB_PASSWORD'] }}
+LOG_SQL = false
+SCHEMA =
+SSL_MODE = disable
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+REPO_INDEXER_ENABLED = true
+REPO_INDEXER_PATH = indexers/repos.bleve
+MAX_FILE_SIZE = 1048576
+REPO_INDEXER_INCLUDE =
+REPO_INDEXER_EXCLUDE = resources/bin/**
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = root
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY =
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_INTERNAL_TOKEN'] }}
+PASSWORD_HASH_ALGO = pbkdf2
+
+[service]
+DISABLE_REGISTRATION = false
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = true
+ENABLE_NOTIFY_MAIL = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = true
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = false
+DEFAULT_ENABLE_TIMETRACKING = false
+NO_REPLY_ADDRESS = noreply@trez.wtf
+
+[lfs]
+PATH = /data/git/lfs
+
+[mailer]
+PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+PROTOCOL = smtp
+ENABLED = true
+FROM = '"Gitea" <noreply@trez.wtf>'
+SMTP_PORT = 25
+USER = rinoa/postal-smtp
+SMTP_ADDR = postal-smtp
+IS_TLS_ENABLED = faLse
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = true
+
+[cron.update_checker]
+ENABLED = false
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[oauth2]
+JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_OAUTH2_JWT_SECRET'] }}
+
+[ui]
+THEMES = theme-catppuccin-blue-auto.css,theme-catppuccin-sapphire-auto.css,theme-catppuccin-yellow-auto.css,theme-catppuccin-maroon-auto.css,theme-catppuccin-mauve-auto.css,theme-catppuccin-peach-auto.css,theme-catppuccin-teal-auto.css,theme-catppuccin-flamingo-auto.css,theme-catppuccin-lavender-auto.css,theme-catppuccin-pink-auto.css,theme-catppuccin-red-auto.css,theme-catppuccin-rosewater-auto.css,theme-catppuccin-sky-auto.css,theme-catppuccin-green-auto.css
+
+[actions]
+ENABLED = true
+
+[webhook]
+ALLOWED_HOST_LIST = private,104.21.1.234,172.67.152.146
+SKIP_TLS_VERIFY = true
@@ -0,0 +1,81 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# Gitea related configuration. Necessary for adding/updating comments on repository pull requests
+gitea:
+  # Endpoint of your Gitea instance. Must be expandable by '/api/v1' to form the API base path as shown in Swagger UI.
+  url: https://git.trez.wtf
+
+  # Created access token for the user that shall be used as bot account.
+  # User needs "Read project" permissions with access to "Pull Requests"
+  token:
+    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}"
+    # # or path to file containing the plain text secret
+    # file: /path/to/gitea/token
+
+  # If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
+  # request will be ignored.
+  # The bot looks for `X-Gitea-Signature` header containing the sha256 hmac hash of the plain text secret. If the header
+  # exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be validated.
+  webhook:
+    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}"
+    # # or path to file containing the plain text secret
+    # secretFile: /path/to/gitea/webhook/secret
+
+  # Pull Request status check settings.
+  statusCheck:
+    # Configure the label/name of the PR status check.
+    name: "gitea-sonarqube-bot"
+
+# SonarQube related configuration. Necessary for requesting data from the API and processing the webhook.
+sonarqube:
+  # Endpoint of your SonarQube instance. Must be expandable by '/api' to form the API base path.
+  url: https://sqube.trez.wtf
+
+  # Created access token for the user that shall be used as bot account.
+  # User needs "Browse on project" permissions
+  token:
+    value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}"
+    # # or path to file containing the plain text secret
+    # file: /path/to/sonarqube/token
+
+  # If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
+  # request will be ignored.
+  # The bot looks for `X-Sonar-Webhook-HMAC-SHA256` header containing the sha256 hmac hash of the plain text secret.
+  # If the header exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be
+  # validated.
+  webhook:
+    secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}"
+    # # or path to file containing the plain text secret
+    # secretFile: /path/to/sonarqube/webhook/secret
+
+  # Some useful metrics depend on the edition in use. There are various ones like code_smells, vulnerabilities, bugs, etc.
+  # By default, the bot will extract "bugs,vulnerabilities,code_smells"
+  # Setting this option you can extend that default list by your own metrics.
+  # additionalMetrics: []
+  # - "new_security_hotspots"
+
+# List of project mappings to take care of. Webhooks for other projects will be ignored.
+# At least one must be configured. Otherwise, all webhooks (no matter which source) because the bot cannot map on its own.
+projects:
+  - sonarqube:
+      key: rinoa-docker
+    # A repository specification contains the owner name and the repository name itself. The owner can be the name of a
+    # real account or an organization in which the repository is located.
+    gitea:
+      owner: Trez.One
+      name: rinoa-docker
+
+# Define pull request names from SonarScanner analysis. Default pattern matches the Jenkins Gitea plugin schema.
+namingPattern:
+  # Regular expression that MUST HAVE exactly ONE GROUP that matches the integer part of the PR.
+  # That integer part is identical to the pull request ID in Gitea.
+  regex: "^.*$"
+
+  # Valid Go format string. It MUST have one integer placeholder which will be replaced by the pull request ID.
+  # See: https://pkg.go.dev/fmt#hdr-Printing
+  template: "%s"
+
+  # Example for integer-only names
+  # # regex: "^(\\d+)$"
+  # # template: "%d"
@@ -0,0 +1,404 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Agent globals
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+local.file "endpoints" {
+    // The endpoints file is used to define the endpoints, credentials and options
+    // for the Agent export to.
+    filename = "/etc/alloy/endpoints.json"
+}
+
+discovery.docker "rinoadocker" {
+        host = env("DOCKER_HOST")
+}
+
+tracing {
+    write_to = [otelcol.exporter.otlp.tempo.input]
+}
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Metrics
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+prometheus.remote_write "mimir" {
+  endpoint {
+    url = json_path(local.file.endpoints.content, ".metrics.url")[0]
+    basic_auth {
+        username = json_path(local.file.endpoints.content, ".metrics.basicAuth.username")[0]
+        password = json_path(local.file.endpoints.content, ".metrics.basicAuth.password")[0]
+    }
+  }
+}
+
+prometheus.scrape "prometheus" {
+        targets = [{
+                __address__ = "localhost:12345",
+        }]
+        forward_to = [prometheus.remote_write.mimir.receiver]
+        job_name   = "prometheus"
+}
+
+prometheus.exporter.unix "rinoa" {
+        procfs_path = "/host/proc"
+        sysfs_path  = "/host/sys"
+        rootfs_path = "/rootfs"
+}
+
+prometheus.scrape "rinoa" {
+        targets    = prometheus.exporter.unix.rinoa.targets
+        forward_to = [prometheus.remote_write.mimir.receiver]
+        job_name   = "rinoa_host"
+}
+
+prometheus.exporter.cadvisor "docker" {
+        docker_host      = env("DOCKER_HOST")
+        storage_duration = "5m"
+}
+
+prometheus.scrape "docker" {
+        targets    = prometheus.exporter.cadvisor.docker.targets
+        forward_to = [prometheus.remote_write.mimir.receiver]
+        job_name   = "docker_stats"
+}
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Logging
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+loki.write "loki" {
+        endpoint {
+                url = json_path(local.file.endpoints.content, ".logs.url")[0]
+                basic_auth {
+                        username = json_path(local.file.endpoints.content, ".logs.basicAuth.username")[0]
+                        password = json_path(local.file.endpoints.content, ".logs.basicAuth.password")[0]
+                }
+        }
+        external_labels = {}
+}
+
+loki.source.journal "hostjournal" {
+        forward_to = [loki.write.loki.receiver]
+        max_age = "24h"
+        path = "/rootfs/var/log/journal/"
+        labels = {
+                job = "host-journal",
+        }
+}
+
+local.file_match "system" {
+        path_targets = [{
+                __address__ = "localhost",
+                __path__    = "/rootfs/var/log/*log",
+                job         = "varlogs",
+        }]
+}
+
+loki.source.file "system" {
+        targets    = local.file_match.system.targets
+        forward_to = [loki.write.loki.receiver]
+}
+
+loki.source.docker "containers" {
+        host       = env("DOCKER_HOST")
+        targets    = discovery.docker.rinoadocker.targets
+        forward_to = [loki.write.loki.receiver]
+        labels     = {
+                job = "containerlogs",
+        }
+}
+
+loki.process "containers" {
+        forward_to = [loki.write.loki.receiver]
+        // stage.docker {}
+        stage.json {
+		expressions = {
+			attrs  = "",
+			output = "log",
+			stream = "stream",
+		}
+	}
+
+	stage.json {
+		expressions = {
+			tag = "",
+		}
+		source = "attrs"
+	}
+
+	stage.regex {
+		expression = "(?P<image_name>(?:[^|]*[^|])).(?P<container_name>(?:[^|]*[^|])).(?P<image_id>(?:[^|]*[^|])).(?P<container_id>(?:[^|]*[^|]))"
+		source     = "tag"
+	}
+
+	stage.timestamp {
+		source = "time"
+		format = "RFC3339Nano"
+	}
+
+	stage.labels {
+		values = {
+			container_id   = null,
+			container_name = null,
+			image_id       = null,
+			image_name     = null,
+			stream         = null,
+			tag            = null,
+		}
+	}
+
+	stage.output {
+		source = "output"
+	}
+}
+
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Traces
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+beyla.ebpf "rinoadocker" {
+    open_port = "80-65535"
+    routes {
+        unmatched = "heauristic"
+    }
+    output {
+        traces = [
+            otelcol.connector.servicegraph.tracemetrics.input,
+            otelcol.connector.spanmetrics.tracemetrics.input,
+            otelcol.processor.batch.default.input,
+            otelcol.connector.spanlogs.autologging.input,
+        ]
+    }
+}
+
+prometheus.scrape "beyla" { 
+    targets = beyla.ebpf.rinoadocker.targets
+    forward_to = [prometheus.remote_write.mimir.receiver]
+}
+
+otelcol.auth.headers "tempo" {
+    header {
+        key = "Authorization"
+        value = join(["Basic ", json_path(local.file.endpoints.content, ".traces.basicAuthToken")[0]], "")
+    }
+}
+
+otelcol.processor.batch "default" {
+    // Wait until we've received 16K of data.
+    send_batch_size = 16384
+    send_batch_max_size = 16384
+    // Or until 2 seconds have elapsed.
+    timeout = "2s"
+    // When the Agent has enough batched data, send it to the OpenTelemetry exporter named 'tempo'.
+    output {
+        traces = [otelcol.exporter.otlp.tempo.input]
+    }
+}
+
+otelcol.exporter.otlp "tempo" {
+    // Define the client for exporting.
+    client {
+        // Authentication block.
+        auth = otelcol.auth.headers.tempo.handler
+
+        // Send to the locally running Tempo instance, on port 4317 (OTLP gRPC).
+        endpoint = json_path(local.file.endpoints.content, ".traces.url")[0]
+
+        // Configure TLS settings for communicating with the endpoint.
+        tls {
+            // The connection is insecure.
+            insecure = json_path(local.file.endpoints.content, ".traces.tls.insecure")[0]
+            // Do not verify TLS certificates when connecting.
+            insecure_skip_verify = json_path(local.file.endpoints.content, ".traces.tls.insecureSkipVerify")[0]
+        }
+    }
+}
+
+otelcol.connector.spanlogs "autologging" {
+    // We only want to output a line for each root span (ie. every single trace), and not for every
+    // process or span (outputting a line for every span would be extremely verbose).
+    spans = false
+    roots = true
+    processes = false
+    // We want to ensure that the following three span attributes are included in the log line, if
+    // present.
+    span_attributes = [ "http.method", "http.target", "http.status_code" ]
+
+    // Overrides the default key in the log line to be `traceId`, which is then used by Grafana to
+    // identify the trace ID for correlation with the Tempo datasource.
+    overrides {
+        trace_id_key = "traceId"
+    }
+    // Send to the OpenTelemetry Loki exporter.
+    output {
+        logs = [otelcol.exporter.loki.autologging.input]
+    }
+}
+
+// Simply forwards the incoming OpenTelemetry log format out as a Loki log.
+// We need this stage to ensure we can then process the logline as a Loki object.
+otelcol.exporter.loki "autologging" {
+    forward_to = [loki.process.autologging.receiver]
+}
+
+// The Loki processor allows us to accept a correctly formatted Loki log and mutate it into
+// a set of fields for output.
+loki.process "autologging" {
+    // The JSON stage simply extracts the `body` (the actual logline) from the Loki log, ignoring
+    // all other fields.
+    stage.json {
+        expressions = { "body" = "" }
+    }
+    // The output stage takes the body (the main logline) and uses this as the source for the output
+    // logline. In this case, it essentially turns it into logfmt.
+    stage.output {
+        source = "body"
+    }
+
+    // Finally send the processed logline onto the Loki exporter.
+    forward_to = [loki.write.autologging.receiver]
+}
+
+// The Loki writer receives a processed Loki log and then writes it to a Loki instance.
+loki.write "autologging" {
+    // Add the `agent` value to the `job` label, so we can identify it as having been generated
+    // by Grafana Agent when querying.
+    external_labels = {
+        job = "agent",
+    }
+
+    // Output the Loki log to the local Loki instance.
+    endpoint {
+        url = json_path(local.file.endpoints.content, ".logs.url")[0]
+
+        // The basic auth credentials for the Loki instance.
+        basic_auth {
+            username = json_path(local.file.endpoints.content, ".logs.basicAuth.username")[0]
+            password = json_path(local.file.endpoints.content, ".logs.basicAuth.password")[0]
+        }
+    }
+}
+
+// The Tail Sampling processor will use a set of policies to determine which received traces to keep
+// and send to Tempo.
+otelcol.processor.tail_sampling "errors" {
+    // Total wait time from the start of a trace before making a sampling decision. Note that smaller time
+    // periods can potentially cause a decision to be made before the end of a trace has occurred.
+    decision_wait = "30s"
+
+    // The following policies follow a logical OR pattern, meaning that if any of the policies match,
+    // the trace will be kept. For logical AND, you can use the `and` policy. Every span of a trace is
+    // examined by each policy in turn. A match will cause a short-circuit.
+
+    // This policy defines that traces that contain errors should be kept.
+    policy {
+        // The name of the policy can be used for logging purposes.
+        name = "sample-erroring-traces"
+        // The type must match the type of policy to be used, in this case examing the status code
+        // of every span in the trace.
+        type = "status_code"
+        // This block determines the error codes that should match in order to keep the trace,
+        // in this case the OpenTelemetry 'ERROR' code.
+        status_code {
+            status_codes = [ "ERROR" ]
+        }
+    }
+
+    // This policy defines that only traces that are longer than 200ms in total should be kept.
+    policy {
+        // The name of the policy can be used for logging purposes.
+        name = "sample-long-traces"
+        // The type must match the policy to be used, in this case the total latency of the trace.
+        type = "latency"
+        // This block determines the total length of the trace in milliseconds.
+        latency {
+            threshold_ms = 200
+        }
+    }
+
+    // The output block forwards the kept traces onto the batch processor, which will marshall them
+    // for exporting to Tempo.
+    output {
+        traces = [otelcol.processor.batch.default.input]
+    }
+}
+
+// The Spanmetrics Connector will generate RED metrics based on the incoming trace span data.
+otelcol.connector.spanmetrics "tracemetrics" {
+    // The namespace explicit adds a prefix to all the generated span metrics names.
+    // In this case, we'll ensure they match as closely as possible those generated by Tempo.
+    namespace = "traces.spanmetrics"
+
+    // Each extra dimension (metrics label) to be added to the generated metrics from matching span attributes. These
+    // need to be defined with a name and optionally a default value (in the following cases, we do not want a default
+    // value if the span attribute is not present).
+    dimension {
+        name = "http.method"
+    }
+    dimension {
+        name = "http.target"
+    }
+    dimension {
+        name = "http.status_code"
+    }
+    dimension {
+        name = "service.version"
+    }
+
+    // A histogram block must be present, either explicitly defining bucket values or via an exponential block.
+    // We do the latter here.
+    histogram {
+        explicit {
+        }
+    }
+
+    // The exemplar block is added to ensure we generate exemplars for traces on relevant metric values.
+    exemplars {
+        enabled = true
+    }
+
+    // Generated metrics data is in OTLP format. We send this data to the OpenTelemetry Prometheus exporter to ensure
+    // it gets transformed into Prometheus format data.
+    output {
+        metrics = [otelcol.exporter.prometheus.tracemetrics.input]
+    }
+}
+
+// The Servicegraph Connector will generate service graph metrics (edges and nodes) based on incoming trace spans.
+otelcol.connector.servicegraph "tracemetrics" {
+    // Extra dimensions (metrics labels) to be added to the generated metrics from matching span attributes.
+    // For this component, this is defined as an array. There are no default values and the labels will not be generated
+    // for missing span attributes.
+    dimensions = [
+        "http.method",
+        "http.target",
+        "http.status_code",
+        "service.version",
+    ]
+
+    // Generated metrics data is in OTLP format. We send this data to the OpenTelemetry Prometheus exporter to ensure
+    // it gets transformed into Prometheus format data.
+    output {
+        metrics = [otelcol.exporter.prometheus.tracemetrics.input]
+    }
+}
+
+otelcol.exporter.prometheus "tracemetrics" {
+    // Forward to our local Prometheus remote writer which will send the metrics to Mimir.
+    forward_to = [prometheus.remote_write.mimir.receiver]
+}
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Profiling
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+pyroscope.write "pyroscope" {
+        endpoint {
+                url = json_path(local.file.endpoints.content, ".profiles.url")[0]
+                basic_auth {
+                        username = json_path(local.file.endpoints.content, ".profiles.basicAuth.username")[0]
+                        password = json_path(local.file.endpoints.content, ".profiles.basicAuth.password")[0]
+                }
+        }
+        external_labels = {}
+}
+
+pyroscope.ebpf "rinoadocker" {
+        forward_to = [pyroscope.write.pyroscope.receiver]
+        targets = discovery.docker.rinoadocker.targets
+}
@@ -0,0 +1,34 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+    "metrics": {
+        "url": "http://grafana-mimir:9009/api/v1/push",
+        "basicAuth": {
+            "username": "",
+            "password": ""
+        }
+    },
+    "logs": {
+        "url": "http://grafana-loki:3100/loki/api/v1/push",
+        "basicAuth": {
+            "username": "",
+            "password": ""
+        }
+    },
+    "traces": {
+        "url": "http://grafana-tempo:4317",
+        "basicAuthToken": "",
+        "tls": {
+            "insecure": true,
+            "insecureSkipVerify": true
+        }
+    },
+    "profiles": {
+        "url": "http://grafana-pyroscope:4040",
+        "basicAuth": {
+            "username": "",
+            "password": ""
+        }
+    }
+}
@@ -0,0 +1,7 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+routes:
+  patterns:
+    - /*
+  unmatched: heuristic
@@ -0,0 +1,77 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+multitenancy_enabled: false
+no_auth_tenant: rinoa_mimir
+# target: query-frontend
+# api:
+#   prometheus_http_prefix: '/prometheus'
+server:
+  http_listen_port: 9009
+# frontend:
+#   split_queries_by_interval: 24h
+#   align_queries_with_step: true
+  # cache_results: true
+  # results_cache:
+  #   backend: "memcached"
+  #   memcached:
+  #     addresses: "memcached-mimir:11211"
+#   downstream_url: http://grafana-agent:12345
+
+common:
+  storage:
+    backend: s3
+    s3:
+      endpoint: minio:9000
+      access_key_id: "Q8KAihuXtGgmretKNh7C"
+      secret_access_key: "hOlRODtnvFlNlL26Bj3GizZG6Ys3rlpG8p6Vo3NX"
+      bucket_name: "mimir"
+      insecure: true
+
+blocks_storage:
+  storage_prefix: rinoa
+  tsdb:
+    dir: /tmp/mimir/tsdb
+
+memberlist:
+  tls_enabled: false
+
+compactor:
+  # Directory to temporarily store blocks underdoing compaction.
+  data_dir: /tmp/mimir/compactor
+  # The sharding ring type used to share the hashed ring for the compactor.
+  sharding_ring:
+    # Use memberlist backend store (the default).
+    kvstore:
+      store: memberlist
+
+# The distributor receives incoming metrics data for the system.
+distributor:
+  # The ring to share hash ring data across instances.
+  ring:
+    # The address advertised in the ring. Localhost.
+    instance_addr: 127.0.0.1
+    # Use memberlist backend store (the default).
+    kvstore:
+      store: memberlist
+
+# The ingester receives data from the distributor and processes it into indices and blocks.
+ingester:
+  # The ring to share hash ring data across instances.
+  ring:
+    # The address advertised in the ring. Localhost.
+    instance_addr: 127.0.0.1
+    # Use memberlist backend store (the default).
+    kvstore:
+      store: memberlist
+    # Only run one instance of the ingesters.
+    # Note: It is highly recommended to run more than one ingester in production, the default is an RF of 3.
+    replication_factor: 1
+
+# The store gateway block configures gateway storage.
+store_gateway:
+  # Configuration for the hash ring.
+  sharding_ring:
+    # Only run a single instance. In production setups, the replication factor must
+    # be set on the querier and ruler as well.
+    replication_factor: 1
@@ -0,0 +1,12 @@
+storage:
+  backend: s3
+  s3:
+    bucket_name: pyroscope
+    endpoint: minio:9000
+    region: us-east-fh-pln
+    access_key_id: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
+    secret_access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
+    insecure: true
+
+analytics:
+  reporting_enabled: false
@@ -0,0 +1,787 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+target: all
+http_api_prefix: ""
+autocomplete_filtering_enabled: true
+server:
+    http_listen_network: tcp
+    http_listen_address: ""
+    http_listen_port: 80
+    http_listen_conn_limit: 0
+    grpc_listen_network: tcp
+    grpc_listen_address: ""
+    grpc_listen_port: 9095
+    grpc_listen_conn_limit: 0
+    tls_cipher_suites: ""
+    tls_min_version: ""
+    http_tls_config:
+        cert: ""
+        key: null
+        client_ca: ""
+        cert_file: ""
+        key_file: ""
+        client_auth_type: ""
+        client_ca_file: ""
+    grpc_tls_config:
+        cert: ""
+        key: null
+        client_ca: ""
+        cert_file: ""
+        key_file: ""
+        client_auth_type: ""
+        client_ca_file: ""
+    register_instrumentation: true
+    report_grpc_codes_in_instrumentation_label_enabled: false
+    graceful_shutdown_timeout: 30s
+    http_server_read_timeout: 30s
+    http_server_read_header_timeout: 0s
+    http_server_write_timeout: 30s
+    http_server_idle_timeout: 2m0s
+    http_log_closed_connections_without_response_enabled: false
+    grpc_server_max_recv_msg_size: 16777216
+    grpc_server_max_send_msg_size: 16777216
+    grpc_server_max_concurrent_streams: 100
+    grpc_server_max_connection_idle: 2562047h47m16.854775807s
+    grpc_server_max_connection_age: 2562047h47m16.854775807s
+    grpc_server_max_connection_age_grace: 2562047h47m16.854775807s
+    grpc_server_keepalive_time: 2h0m0s
+    grpc_server_keepalive_timeout: 20s
+    grpc_server_min_time_between_pings: 10s
+    grpc_server_ping_without_stream_allowed: true
+    grpc_server_num_workers: 0
+    log_format: logfmt
+    log_level: info
+    log_source_ips_enabled: false
+    log_source_ips_header: ""
+    log_source_ips_regex: ""
+    log_request_headers: false
+    log_request_at_info_level_enabled: false
+    log_request_exclude_headers_list: ""
+    http_path_prefix: ""
+internal_server:
+    http_listen_network: tcp
+    http_listen_address: ""
+    http_listen_port: 3101
+    http_listen_conn_limit: 0
+    grpc_listen_network: ""
+    grpc_listen_address: ""
+    grpc_listen_port: 0
+    grpc_listen_conn_limit: 0
+    tls_cipher_suites: ""
+    tls_min_version: ""
+    http_tls_config:
+        cert: ""
+        key: null
+        client_ca: ""
+        cert_file: ""
+        key_file: ""
+        client_auth_type: ""
+        client_ca_file: ""
+    grpc_tls_config:
+        cert: ""
+        key: null
+        client_ca: ""
+        cert_file: ""
+        key_file: ""
+        client_auth_type: ""
+        client_ca_file: ""
+    register_instrumentation: false
+    report_grpc_codes_in_instrumentation_label_enabled: false
+    graceful_shutdown_timeout: 30s
+    http_server_read_timeout: 30s
+    http_server_read_header_timeout: 0s
+    http_server_write_timeout: 30s
+    http_server_idle_timeout: 2m0s
+    http_log_closed_connections_without_response_enabled: false
+    grpc_server_max_recv_msg_size: 0
+    grpc_server_max_send_msg_size: 0
+    grpc_server_max_concurrent_streams: 0
+    grpc_server_max_connection_idle: 0s
+    grpc_server_max_connection_age: 0s
+    grpc_server_max_connection_age_grace: 0s
+    grpc_server_keepalive_time: 0s
+    grpc_server_keepalive_timeout: 0s
+    grpc_server_min_time_between_pings: 0s
+    grpc_server_ping_without_stream_allowed: false
+    grpc_server_num_workers: 0
+    log_format: logfmt
+    log_level: info
+    log_source_ips_enabled: false
+    log_source_ips_header: ""
+    log_source_ips_regex: ""
+    log_request_headers: false
+    log_request_at_info_level_enabled: false
+    log_request_exclude_headers_list: ""
+    http_path_prefix: ""
+    enable: false
+distributor:
+    ring:
+        kvstore:
+            store: memberlist
+            prefix: collectors/
+            consul:
+                host: localhost:8500
+                acl_token: ""
+                http_client_timeout: 20s
+                consistent_reads: false
+                watch_rate_limit: 1
+                watch_burst_size: 1
+                cas_retry_delay: 1s
+            etcd:
+                endpoints: []
+                dial_timeout: 10s
+                max_retries: 10
+                tls_enabled: false
+                tls_cert_path: ""
+                tls_key_path: ""
+                tls_ca_path: ""
+                tls_server_name: ""
+                tls_insecure_skip_verify: false
+                tls_cipher_suites: ""
+                tls_min_version: ""
+                username: ""
+                password: ""
+            multi:
+                primary: ""
+                secondary: ""
+                mirror_enabled: false
+                mirror_timeout: 2s
+        heartbeat_period: 5s
+        heartbeat_timeout: 5m0s
+        instance_id: local-instance
+        instance_interface_names:
+            - eth0
+            - en0
+        instance_port: 0
+        instance_addr: ""
+    receivers: {}
+    override_ring_key: distributor
+    forwarders: []
+    extend_writes: true
+    retry_after_on_resource_exhausted: 0s
+ingester_client:
+    pool_config:
+        checkinterval: 15s
+        healthcheckenabled: true
+        healthchecktimeout: 1s
+        maxconcurrenthealthchecks: 0
+    remote_timeout: 5s
+    grpc_client_config:
+        max_recv_msg_size: 104857600
+        max_send_msg_size: 104857600
+        grpc_compression: snappy
+        rate_limit: 0
+        rate_limit_burst: 0
+        backoff_on_ratelimits: false
+        backoff_config:
+            min_period: 100ms
+            max_period: 10s
+            max_retries: 10
+        initial_stream_window_size: 63KiB1023B
+        initial_connection_window_size: 63KiB1023B
+        tls_enabled: false
+        tls_cert_path: ""
+        tls_key_path: ""
+        tls_ca_path: ""
+        tls_server_name: ""
+        tls_insecure_skip_verify: false
+        tls_cipher_suites: ""
+        tls_min_version: ""
+        connect_timeout: 5s
+        connect_backoff_base_delay: 1s
+        connect_backoff_max_delay: 5s
+metrics_generator_client:
+    pool_config:
+        checkinterval: 15s
+        healthcheckenabled: true
+        healthchecktimeout: 1s
+        maxconcurrenthealthchecks: 0
+    remote_timeout: 5s
+    grpc_client_config:
+        max_recv_msg_size: 104857600
+        max_send_msg_size: 104857600
+        grpc_compression: snappy
+        rate_limit: 0
+        rate_limit_burst: 0
+        backoff_on_ratelimits: false
+        backoff_config:
+            min_period: 100ms
+            max_period: 10s
+            max_retries: 10
+        initial_stream_window_size: 63KiB1023B
+        initial_connection_window_size: 63KiB1023B
+        tls_enabled: false
+        tls_cert_path: ""
+        tls_key_path: ""
+        tls_ca_path: ""
+        tls_server_name: ""
+        tls_insecure_skip_verify: false
+        tls_cipher_suites: ""
+        tls_min_version: ""
+        connect_timeout: 5s
+        connect_backoff_base_delay: 1s
+        connect_backoff_max_delay: 5s
+querier:
+    search:
+        query_timeout: 30s
+        prefer_self: 10
+        external_hedge_requests_at: 8s
+        external_hedge_requests_up_to: 2
+        external_backend: ""
+        google_cloud_run: null
+        external_endpoints: []
+    trace_by_id:
+        query_timeout: 10s
+    max_concurrent_queries: 20
+    frontend_worker:
+        frontend_address: 127.0.0.1:9095
+        dns_lookup_duration: 10s
+        parallelism: 2
+        match_max_concurrent: true
+        id: ""
+        grpc_client_config:
+            max_recv_msg_size: 104857600
+            max_send_msg_size: 16777216
+            grpc_compression: gzip
+            rate_limit: 0
+            rate_limit_burst: 0
+            backoff_on_ratelimits: false
+            backoff_config:
+                min_period: 100ms
+                max_period: 1s
+                max_retries: 5
+            initial_stream_window_size: 0B
+            initial_connection_window_size: 0B
+            tls_enabled: false
+            tls_cert_path: ""
+            tls_key_path: ""
+            tls_ca_path: ""
+            tls_server_name: ""
+            tls_insecure_skip_verify: false
+            tls_cipher_suites: ""
+            tls_min_version: ""
+            connect_timeout: 0s
+            connect_backoff_base_delay: 0s
+            connect_backoff_max_delay: 0s
+    query_relevant_ingesters: false
+query_frontend:
+    max_outstanding_per_tenant: 2000
+    querier_forget_delay: 0s
+    max_batch_size: 5
+    max_retries: 2
+    search:
+        concurrent_jobs: 1000
+        target_bytes_per_job: 104857600
+        default_result_limit: 20
+        max_result_limit: 0
+        max_duration: 168h0m0s
+        query_backend_after: 15m0s
+        query_ingesters_until: 30m0s
+    trace_by_id:
+        query_shards: 50
+        hedge_requests_at: 2s
+        hedge_requests_up_to: 2
+    metrics:
+        concurrent_jobs: 1000
+        target_bytes_per_job: 104857600
+        max_duration: 0s
+        query_backend_after: 1h0m0s
+        interval: 5m0s
+    multi_tenant_queries_enabled: true
+compactor:
+    ring:
+        kvstore:
+            store: ""
+            prefix: collectors/
+            consul:
+                host: localhost:8500
+                acl_token: ""
+                http_client_timeout: 20s
+                consistent_reads: false
+                watch_rate_limit: 1
+                watch_burst_size: 1
+                cas_retry_delay: 1s
+            etcd:
+                endpoints: []
+                dial_timeout: 10s
+                max_retries: 10
+                tls_enabled: false
+                tls_cert_path: ""
+                tls_key_path: ""
+                tls_ca_path: ""
+                tls_server_name: ""
+                tls_insecure_skip_verify: false
+                tls_cipher_suites: ""
+                tls_min_version: ""
+                username: ""
+                password: ""
+            multi:
+                primary: ""
+                secondary: ""
+                mirror_enabled: false
+                mirror_timeout: 2s
+        heartbeat_period: 5s
+        heartbeat_timeout: 1m0s
+        wait_stability_min_duration: 1m0s
+        wait_stability_max_duration: 5m0s
+        instance_id: local-instance
+        instance_interface_names:
+            - eth0
+            - en0
+        instance_port: 0
+        instance_addr: ""
+        enable_inet6: false
+        wait_active_instance_timeout: 10m0s
+    compaction:
+        v2_in_buffer_bytes: 5242880
+        v2_out_buffer_bytes: 20971520
+        v2_prefetch_traces_count: 1000
+        compaction_window: 1h0m0s
+        max_compaction_objects: 6000000
+        max_block_bytes: 107374182400
+        block_retention: 336h0m0s
+        compacted_block_retention: 1h0m0s
+        retention_concurrency: 10
+        max_time_per_tenant: 5m0s
+        compaction_cycle: 30s
+    override_ring_key: compactor
+ingester:
+    lifecycler:
+        ring:
+            kvstore:
+                store: inmemory
+                prefix: collectors/
+                consul:
+                    host: localhost:8500
+                    acl_token: ""
+                    http_client_timeout: 20s
+                    consistent_reads: false
+                    watch_rate_limit: 1
+                    watch_burst_size: 1
+                    cas_retry_delay: 1s
+                etcd:
+                    endpoints: []
+                    dial_timeout: 10s
+                    max_retries: 10
+                    tls_enabled: false
+                    tls_cert_path: ""
+                    tls_key_path: ""
+                    tls_ca_path: ""
+                    tls_server_name: ""
+                    tls_insecure_skip_verify: false
+                    tls_cipher_suites: ""
+                    tls_min_version: ""
+                    username: ""
+                    password: ""
+                multi:
+                    primary: ""
+                    secondary: ""
+                    mirror_enabled: false
+                    mirror_timeout: 2s
+            heartbeat_timeout: 5m0s
+            replication_factor: 1
+            zone_awareness_enabled: false
+            excluded_zones: ""
+        num_tokens: 128
+        heartbeat_period: 5s
+        heartbeat_timeout: 1m0s
+        observe_period: 0s
+        join_after: 0s
+        min_ready_duration: 15s
+        interface_names:
+            - en0
+            - bridge100
+        enable_inet6: false
+        final_sleep: 0s
+        tokens_file_path: ""
+        availability_zone: ""
+        unregister_on_shutdown: true
+        readiness_check_ring_health: true
+        address: 127.0.0.1
+        port: 0
+        id: local-instance
+    concurrent_flushes: 4
+    flush_check_period: 10s
+    flush_op_timeout: 5m0s
+    trace_idle_period: 10s
+    max_block_duration: 30m0s
+    max_block_bytes: 524288000
+    complete_block_timeout: 15m0s
+    override_ring_key: ring
+    flush_all_on_shutdown: false
+metrics_generator:
+    ring:
+        kvstore:
+            store: inmemory
+            prefix: collectors/
+            consul:
+                host: localhost:8500
+                acl_token: ""
+                http_client_timeout: 20s
+                consistent_reads: false
+                watch_rate_limit: 1
+                watch_burst_size: 1
+                cas_retry_delay: 1s
+            etcd:
+                endpoints: []
+                dial_timeout: 10s
+                max_retries: 10
+                tls_enabled: false
+                tls_cert_path: ""
+                tls_key_path: ""
+                tls_ca_path: ""
+                tls_server_name: ""
+                tls_insecure_skip_verify: false
+                tls_cipher_suites: ""
+                tls_min_version: ""
+                username: ""
+                password: ""
+            multi:
+                primary: ""
+                secondary: ""
+                mirror_enabled: false
+                mirror_timeout: 2s
+        heartbeat_period: 5s
+        heartbeat_timeout: 1m0s
+        instance_id: local-instance
+        instance_interface_names:
+            - eth0
+            - en0
+        instance_addr: 127.0.0.1
+        instance_port: 0
+        enable_inet6: false
+    processor:
+        service_graphs:
+            wait: 10s
+            max_items: 10000
+            workers: 10
+            histogram_buckets:
+                - 0.1
+                - 0.2
+                - 0.4
+                - 0.8
+                - 1.6
+                - 3.2
+                - 6.4
+                - 12.8
+            dimensions: []
+            enable_client_server_prefix: false
+            peer_attributes:
+                - peer.service
+                - db.name
+                - db.system
+            span_multiplier_key: ""
+        span_metrics:
+            histogram_buckets:
+                - 0.002
+                - 0.004
+                - 0.008
+                - 0.016
+                - 0.032
+                - 0.064
+                - 0.128
+                - 0.256
+                - 0.512
+                - 1.024
+                - 2.048
+                - 4.096
+                - 8.192
+                - 16.384
+            intrinsic_dimensions:
+                service: true
+                span_name: true
+                span_kind: true
+                status_code: true
+            dimensions: []
+            dimension_mappings: []
+            enable_target_info: false
+            span_multiplier_key: ""
+            subprocessors:
+                0: true
+                1: true
+                2: true
+            filter_policies: []
+            target_info_excluded_dimensions: []
+        local_blocks:
+            block:
+                bloom_filter_false_positive: 0.01
+                bloom_filter_shard_size_bytes: 102400
+                version: vParquet3
+                search_encoding: snappy
+                search_page_size_bytes: 1048576
+                v2_index_downsample_bytes: 1048576
+                v2_index_page_size_bytes: 256000
+                v2_encoding: zstd
+                parquet_row_group_size_bytes: 100000000
+                parquet_dedicated_columns: []
+            search:
+                chunk_size_bytes: 1000000
+                prefetch_trace_count: 1000
+                read_buffer_count: 32
+                read_buffer_size_bytes: 1048576
+                cache_control:
+                    footer: false
+                    column_index: false
+                    offset_index: false
+            flush_check_period: 10s
+            trace_idle_period: 10s
+            max_block_duration: 1m0s
+            max_block_bytes: 500000000
+            complete_block_timeout: 1h0m0s
+            max_live_traces: 0
+            concurrent_blocks: 10
+            filter_server_spans: true
+    registry:
+        collection_interval: 15s
+        stale_duration: 15m0s
+        max_label_name_length: 1024
+        max_label_value_length: 2048
+    storage:
+        path: ""
+        wal:
+            wal_segment_size: 134217728
+            wal_compression: none
+            stripe_size: 16384
+            truncate_frequency: 2h0m0s
+            min_wal_time: 300000
+            max_wal_time: 14400000
+            no_lockfile: false
+        remote_write_flush_deadline: 1m0s
+        remote_write_add_org_id_header: true
+    traces_storage:
+        path: ""
+        completedfilepath: ""
+        blocksfilepath: ""
+        v2_encoding: none
+        search_encoding: none
+        ingestion_time_range_slack: 0s
+        version: vParquet3
+    metrics_ingestion_time_range_slack: 30s
+    query_timeout: 30s
+    override_ring_key: metrics-generator
+storage:
+    trace:
+        pool:
+            max_workers: 400
+            queue_depth: 20000
+        wal:
+            path: /tmp/tempo/wal
+            completedfilepath: /tmp/tempo/wal/completed
+            blocksfilepath: /tmp/tempo/wal/blocks
+            v2_encoding: snappy
+            search_encoding: none
+            ingestion_time_range_slack: 2m0s
+            version: vParquet3
+        block:
+            bloom_filter_false_positive: 0.01
+            bloom_filter_shard_size_bytes: 102400
+            version: vParquet3
+            search_encoding: snappy
+            search_page_size_bytes: 1048576
+            v2_index_downsample_bytes: 1048576
+            v2_index_page_size_bytes: 256000
+            v2_encoding: zstd
+            parquet_row_group_size_bytes: 100000000
+            parquet_dedicated_columns: []
+        search:
+            chunk_size_bytes: 1000000
+            prefetch_trace_count: 1000
+            read_buffer_count: 32
+            read_buffer_size_bytes: 1048576
+            cache_control:
+                footer: false
+                column_index: false
+                offset_index: false
+        blocklist_poll: 5m0s
+        blocklist_poll_concurrency: 50
+        blocklist_poll_fallback: true
+        blocklist_poll_tenant_index_builders: 2
+        blocklist_poll_stale_tenant_index: 0s
+        blocklist_poll_jitter_ms: 0
+        blocklist_poll_tolerate_consecutive_errors: 1
+        backend: local
+        local:
+            path: /tmp/tempo/traces
+        gcs:
+            bucket_name: ""
+            prefix: ""
+            chunk_buffer_size: 10485760
+            endpoint: ""
+            hedge_requests_at: 0s
+            hedge_requests_up_to: 2
+            insecure: false
+            object_cache_control: ""
+            object_metadata: {}
+            list_blocks_concurrency: 3
+        s3:
+            tls_cert_path: ""
+            tls_key_path: ""
+            tls_ca_path: ""
+            tls_server_name: ""
+            tls_insecure_skip_verify: false
+            tls_cipher_suites: ""
+            tls_min_version: VersionTLS12
+            bucket: ""
+            prefix: ""
+            endpoint: ""
+            region: ""
+            access_key: ""
+            secret_key: ""
+            session_token: ""
+            insecure: false
+            part_size: 0
+            hedge_requests_at: 0s
+            hedge_requests_up_to: 2
+            signature_v2: false
+            forcepathstyle: false
+            bucket_lookup_type: 0
+            tags: {}
+            storage_class: ""
+            metadata: {}
+            native_aws_auth_enabled: false
+            list_blocks_concurrency: 3
+        azure:
+            storage_account_name: ""
+            storage_account_key: ""
+            use_managed_identity: false
+            use_federated_token: false
+            user_assigned_id: ""
+            container_name: ""
+            prefix: ""
+            endpoint_suffix: blob.core.windows.net
+            max_buffers: 4
+            buffer_size: 3145728
+            hedge_requests_at: 0s
+            hedge_requests_up_to: 2
+            use_v2_sdk: false
+        cache: ""
+        background_cache:
+            writeback_goroutines: 10
+            writeback_buffer: 10000
+        memcached: null
+        redis: null
+        cache_min_compaction_level: 0
+        cache_max_block_age: 0s
+overrides:
+    defaults:
+        ingestion:
+            rate_strategy: local
+            rate_limit_bytes: 15000000
+            burst_size_bytes: 20000000
+            max_traces_per_user: 10000
+        read:
+            max_bytes_per_tag_values_query: 5000000
+        global:
+            max_bytes_per_trace: 5000000
+    per_tenant_override_config: ""
+    per_tenant_override_period: 10s
+    user_configurable_overrides:
+        enabled: false
+        poll_interval: 1m0s
+        client:
+            backend: ""
+            confirm_versioning: true
+            local:
+                path: ""
+            gcs:
+                bucket_name: ""
+                prefix: ""
+                chunk_buffer_size: 10485760
+                endpoint: ""
+                hedge_requests_at: 0s
+                hedge_requests_up_to: 2
+                insecure: false
+                object_cache_control: ""
+                object_metadata: {}
+                list_blocks_concurrency: 3
+            s3:
+                tls_cert_path: ""
+                tls_key_path: ""
+                tls_ca_path: ""
+                tls_server_name: ""
+                tls_insecure_skip_verify: false
+                tls_cipher_suites: ""
+                tls_min_version: VersionTLS12
+                bucket: ""
+                prefix: ""
+                endpoint: ""
+                region: ""
+                access_key: ""
+                secret_key: ""
+                session_token: ""
+                insecure: false
+                part_size: 0
+                hedge_requests_at: 0s
+                hedge_requests_up_to: 2
+                signature_v2: false
+                forcepathstyle: false
+                bucket_lookup_type: 0
+                tags: {}
+                storage_class: ""
+                metadata: {}
+                native_aws_auth_enabled: false
+                list_blocks_concurrency: 3
+            azure:
+                storage_account_name: ""
+                storage_account_key: ""
+                use_managed_identity: false
+                use_federated_token: false
+                user_assigned_id: ""
+                container_name: ""
+                prefix: ""
+                endpoint_suffix: blob.core.windows.net
+                max_buffers: 4
+                buffer_size: 3145728
+                hedge_requests_at: 0s
+                hedge_requests_up_to: 2
+                use_v2_sdk: false
+        api:
+            check_for_conflicting_runtime_overrides: false
+memberlist:
+    node_name: ""
+    randomize_node_name: true
+    stream_timeout: 2s
+    retransmit_factor: 2
+    pull_push_interval: 30s
+    gossip_interval: 1s
+    gossip_nodes: 2
+    gossip_to_dead_nodes_time: 30s
+    dead_node_reclaim_time: 0s
+    compression_enabled: false
+    advertise_addr: ""
+    advertise_port: 7946
+    cluster_label: ""
+    cluster_label_verification_disabled: false
+    join_members: []
+    min_join_backoff: 1s
+    max_join_backoff: 1m0s
+    max_join_retries: 10
+    abort_if_cluster_join_fails: false
+    rejoin_interval: 0s
+    left_ingesters_timeout: 5m0s
+    leave_timeout: 20s
+    message_history_buffer_bytes: 0
+    bind_addr: []
+    bind_port: 7946
+    packet_dial_timeout: 2s
+    packet_write_timeout: 5s
+    tls_enabled: false
+    tls_cert_path: ""
+    tls_key_path: ""
+    tls_ca_path: ""
+    tls_server_name: ""
+    tls_insecure_skip_verify: false
+    tls_cipher_suites: ""
+    tls_min_version: ""
+usage_report:
+    reporting_enabled: true
+    backoff:
+        min_period: 100ms
+        max_period: 10s
+        max_retries: 0
+cache:
+    background:
+        writeback_goroutines: 10
+        writeback_buffer: 10000
+    caches: []
@@ -0,0 +1,54 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+server:
+  http_listen_port: 3200
+
+distributor:
+  receivers:                           # this configuration will listen on all ports and protocols that tempo is capable of.
+    jaeger:                            # the receives all come from the OpenTelemetry collector.  more configuration information can
+      protocols:                       # be found there: https://github.com/open-telemetry/opentelemetry-collector/tree/main/receiver
+        thrift_http:                   #
+        grpc:                          # for a production deployment you should only enable the receivers you need!
+        thrift_binary:
+        thrift_compact:
+    zipkin:
+    otlp:
+      protocols:
+        http:
+        grpc:
+    opencensus:
+
+ingester:
+  max_block_duration: 5m               # cut the headblock when this much time passes. this is being set for demo purposes and should probably be left alone normally
+
+compactor:
+  compaction:
+    block_retention: 1h                # overall Tempo trace retention. set for demo purposes
+
+# metrics_generator:
+#   registry:
+#     external_labels:
+#       source: tempo
+#       cluster: docker-compose
+#   storage:
+#     path: /tmp/tempo/generator/wal
+#     remote_write:
+#       - url: http://grafana-alloy:12345/api/v1/write
+#         send_exemplars: true
+
+storage:
+  trace:
+    backend: s3                        # backend configuration to use
+    wal:
+      path: /tmp/tempo/wal             # where to store the the wal locally
+    s3:
+      bucket: tempo                    # how to store data in s3
+      endpoint: minio:9000
+      access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }}
+      secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_SECRET_KEY'] }}
+      insecure: true
+
+usage_report:
+  reporting_enabled: false
@@ -0,0 +1,22 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/en/configs/bookmarks
+
+#- Developer:
+#    - Github:
+#        - abbr: GH
+#          href: https://github.com/
+#
+#- Social:
+#    - Reddit:
+#        - abbr: RE
+#          href: https://reddit.com/
+#
+#- Entertainment:
+#    - YouTube:
+#        - abbr: YT
+#          href: https://youtube.com/
@@ -0,0 +1,15 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/en/configs/docker/
+
+# my-docker:
+#   host: 127.0.0.1
+#   port: 2375
+
+ my-docker:
+   host: dockerproxy
+   port: 2375
@@ -0,0 +1,6 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+
+---
+# sample kubernetes config
@@ -0,0 +1,33 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/en/configs/services
+
+#- My First Group:
+#    - My First Service:
+#        href: http://localhost/
+#        description: Homepage is awesome
+#
+#- My Second Group:
+#    - My Second Service:
+#        href: http://localhost/
+#        description: Homepage is the best
+#
+#- My Third Group:
+#    - My Third Service:
+#        href: http://localhost/
+#        description: Homepage is 😎
+
+- Automation:
+    - Home Assistant (Rikku):
+        href: https://ha.trez.wtf
+        description: Smart Home
+        icon: home-assistant.png
+        weight: 0
+        widget:
+            type: homeassistant
+            url: http://192.168.1.252:8123
+            key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI5MTFlMDZiMzNlODc0MWYyYjM3Mzg0NDhiMzMyNzMxYiIsImlhdCI6MTcxMzEzODc3MiwiZXhwIjoyMDI4NDk4NzcyfQ.CXFBjf0sJAGdMrRd_PTCkkzU3LsCgkckG8HvbdSYEhs
+
@@ -0,0 +1,60 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/en/configs/settings
+
+providers:
+  openweathermap: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
+  # weatherapi: weatherapiapikey
+title: Rinoa Dashboard (trez.WTF)
+headerStyle: underlined
+color: slate
+showStats: true
+statusStyle: "dot"
+favicon: /icons/favicon.ico
+useEqualHeights: false
+hideErrors: false
+searchDescriptions: true
+showSearchSuggestions: true
+provider: duckduckgo
+
+layout:
+  System Administration:
+    style: row
+    columns: 4
+    # fiveColumns: true
+  Infrastructure/App Performance Monitoring:
+    style: row
+    columns: 4
+  Automation:
+    style: columns
+    row: 2
+  Code/DevOps:
+    style: columms
+    row: 2
+  Privacy/Security:
+    style: columns
+    row: 5
+  Social:
+    style: columns
+    row: 4
+  Lifestyle:
+    style: row
+    columns: 4
+  Personal Services:
+    style: row
+    columns: 4
+  Professional Services:
+    style: row
+    columns: 3
+  Servarr Stack:
+    style: row
+    columns: 3
+  Downloaders:
+    style: row
+    columns: 3
+  Media Library:
+    style: row
+    columns: 4
@@ -0,0 +1,33 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/en/configs/widgets
+
+- resources:
+    label: System
+    cpu: true
+    memory: true
+    cputemp: true
+    uptime: true
+
+- resources:
+    label: Storage
+    expanded: true
+    disk:
+        - /
+        - /rinoa-storage
+
+- search:
+    provider: custom
+    url: https://search.trez.wtf/search?q=
+    target: _blank
+
+- openweathermap:
+    label: New York
+    latitude: 40.72
+    longitude: -73.85
+    units: imperial
+    provider: openweathermap
+    cache: 10
@@ -0,0 +1,52 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# IN application vars
+IN_APP_URL=http://in.localhost:8003
+IN_APP_KEY=<insert your generated key in here>
+IN_APP_DEBUG=true
+IN_REQUIRE_HTTPS=false
+IN_PHANTOMJS_PDF_GENERATION=false
+IN_PDF_GENERATOR=snappdf
+IN_TRUSTED_PROXIES='*'
+
+
+IN_QUEUE_CONNECTION=database
+
+# DB connection
+IN_DB_HOST=db
+IN_DB_PORT=3306
+IN_DB_DATABASE=ninja
+IN_DB_USERNAME=ninja
+IN_DB_PASSWORD=ninja
+
+# Create initial user
+# Default to these values if empty
+# IN_USER_EMAIL=admin@example.com
+# IN_PASSWORD=changeme!
+IN_USER_EMAIL=
+IN_PASSWORD=
+
+# Mail options
+IN_MAIL_MAILER=log
+IN_MAIL_HOST=smtp.mailtrap.io
+IN_MAIL_PORT=2525
+IN_MAIL_USERNAME=null
+IN_MAIL_PASSWORD=null
+IN_MAIL_ENCRYPTION=null
+IN_MAIL_FROM_ADDRESS='user@example.com'
+IN_MAIL_FROM_NAME='Self Hosted User'
+
+# MySQL
+IN_MYSQL_ROOT_PASSWORD=ninjaAdm1nPassword
+IN_MYSQL_USER=ninja
+IN_MYSQL_PASSWORD=ninja
+IN_MYSQL_DATABASE=ninja
+
+# GoCardless/Nordigen API key for banking integration
+NORDIGEN_SECRET_ID=
+NORDIGEN_SECRET_KEY=
+
+# V4 env vars
+# DB_STRICT=false
+# APP_CIPHER=AES-256-CBC
@@ -0,0 +1,477 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+###########################
+# 🦎 KOMODO CORE CONFIG 🦎 #
+###########################
+
+## This is the offical "Default" config file for Komodo Core.
+## It serves as documentation for the meaning of the fields.
+## It is located at `https://github.com/mbecker20/komodo/blob/main/config/core.config.toml`.
+
+## All fields with a "Default" provided are optional. If they are
+## left out of the file, the "Default" value will be used.
+
+## This file is bundled into the official image, `ghcr.io/mbecker20/komodo`,
+## as the default config at `/config/config.toml`.
+## Komodo can start with no external config file mounted.
+
+## There is usually no need to create this file on your host.
+## Most fields can instead be configured using environment variables.
+## Environment variables will override values set in this file.
+
+## This will be the document title on the web page.
+## Env: KOMODO_TITLE
+## Default: 'Komodo'
+title = "Komodo @ Rinoa"
+
+## This should be the url used to access Komodo in browser, potentially behind DNS.
+## Eg https://komodo.example.com or http://12.34.56.78:9120. This should match the address configured in your Oauth app.
+## Env: KOMODO_HOST
+## Required, no default.
+host = "https://komodo.trez.wtf"
+
+## The port the core system will run on.
+## Env: KOMODO_PORT
+## Default: 9120
+port = 9120
+
+## This is the token used to authenticate core requests to periphery.
+## Ensure this matches a passkey in the connected periphery configs.
+## If the periphery servers don't have passkeys configured, this doesn't need to be changed.
+## Env: KOMODO_PASSKEY or KOMODO_PASSKEY_FILE
+## Required, no default
+passkey = "JgzFdZYbE7JfH5zhrh5pWUEQEWA4MCXG"
+
+## Ensure a server with this address exists on Core
+## upon first startup. Example: `https://periphery:8120`
+## Env: KOMODO_FIRST_SERVER
+## Optional, no default.
+first_server = ""
+
+## Disables write support on resources in the UI.
+## This protects users that that would normally have write priviledges during their UI usage,
+## when they intend to fully rely on ResourceSyncs to manage config.
+## Env: KOMODO_UI_WRITE_DISABLED
+## Default: false
+ui_write_disabled = false
+
+## Disables the confirm dialogs on all actions. All buttons will now be double-click.
+## Useful when only having http connection to core, as UI quick-copy button won't work.
+## Env: KOMODO_DISABLE_CONFIRM_DIALOG
+## Default: false
+disable_confirm_dialog = false
+
+## Configure the directory for sync files (inside the container).
+## There shouldn't be a need to change this, just mount a volume.
+## Env: KOMODO_SYNC_DIRECTORY
+## Default: /syncs
+sync_directory = "/syncs"
+
+## Configure the repo directory (inside the container).
+## There shouldn't be a need to change this, just mount a volume.
+## Env: KOMODO_REPO_DIRECTORY
+## Default: /repo-cache
+repo_directory = "/repo-cache"
+
+## Configure the action directory (inside the container).
+## There shouldn't be a need to change this, or even mount a volume.
+## Env: KOMODO_ACTION_DIRECTORY
+## Default: /action-cache
+action_directory = "/action-cache"
+
+################
+# AUTH / LOGIN #
+################
+
+## Allow user login with a username / password.
+## The password will be hashed and stored in the db for login comparison.
+##
+## NOTE:
+## Komodo has no API to recover account logins, but if this happens you can doctor the database using Mongo Compass.
+## Create a new Komodo user (Sign Up button), login to the database with Compass, note down your old users username and _id.
+## Then delete the old user, and update the new user to have the same username and _id. 
+## Make sure to set `enabled: true` and maybe `admin: true` on the new user as well, while using Compass.
+##
+## Env: KOMODO_LOCAL_AUTH
+## Default: false
+local_auth = true
+
+## Normally new users will be registered, but not enabled until an Admin enables them.
+## With `disable_user_registration = true`, only the first user to log in will registered as a user.
+## Env: KOMODO_DISABLE_USER_REGISTRATION
+## Default: false
+disable_user_registration = false
+
+## New users will be automatically enabled when they sign up.
+## Otherwise, new users will be disabled on first login.
+## The first user to login will always be enabled on creation.
+## Env: KOMODO_ENABLE_NEW_USERS
+## Default: false
+enable_new_users = false
+
+## Allows all users to have Read level access to all resources.
+## Env: KOMODO_TRANSPARENT_MODE
+## Default: false
+transparent_mode = false
+
+## Normally all enabled users can create resources.
+## If `disable_non_admin_create = true`, only admin users can create resources.
+## Env: KOMODO_DISABLE_NON_ADMIN_CREATE
+## Default: false
+disable_non_admin_create = false
+
+## Optionally provide a specific jwt secret.
+## Passing nothing or an empty string will cause one to be generated on every startup.
+## This means users will have to log in again if Komodo restarts.
+## Env: KOMODO_JWT_SECRET or KOMODO_JWT_SECRET_FILE
+## Default: empty string, meaning a random secret will be generated at startup.
+jwt_secret = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['KOMODO_JWT_SECRET'] }}"
+
+## Specify how long a user can stay logged in before they have to log in again.
+## All jwts are invalidated on application restart unless `jwt_secret` is set.
+## Env: KOMODO_JWT_TTL
+## Options: 1-hr, 12-hr, 1-day, 3-day, 1-wk, 2-wk, 30-day
+## Default: 1-day. 
+jwt_ttl = "1-day"
+
+#############
+# OIDC Auth #
+#############
+
+## Enable logins with configured OIDC provider.
+## Env: KOMODO_OIDC_ENABLED
+## Default: false
+oidc_enabled = false
+
+## Give the provider address.
+##
+## The path, ie /application/o/komodo for Authentik,
+## is provider and configuration specific.
+##
+## Note. this address must be reachable from Komodo Core container.
+##
+## Env: KOMODO_OIDC_PROVIDER
+## Optional, no default.
+oidc_provider = "https://oidc.provider.internal/application/o/komodo"
+
+## Configure OIDC user redirect host.
+##
+## This is the host address users are redirected to in their browser,
+## and may be different from `oidc_provider` host depending on your networking.
+## If not provided (or empty string ""), the `oidc_provider` will be used.
+##
+## Note. DO NOT include the `path` part of the URL.
+## Example: `https://oidc.provider.external`
+##
+## Env: KOMODO_OIDC_REDIRECT_HOST
+## Optional, no default.
+oidc_redirect_host = ""
+
+## Give the OIDC Client ID.
+## Env: KOMODO_OIDC_CLIENT_ID or KOMODO_OIDC_CLIENT_ID_FILE
+oidc_client_id = ""
+
+## Give the OIDC Client Secret.
+## Env: KOMODO_OIDC_CLIENT_SECRET or KOMODO_OIDC_CLIENT_SECRET_FILE
+oidc_client_secret = ""
+
+## If true, use the full email for usernames.
+## Otherwise, the @address will be stripped,
+## making usernames more concise.
+## Env: KOMODO_OIDC_USE_FULL_EMAIL
+## Default: false.
+oidc_use_full_email = false
+
+## Some providers attach other audiences in addition to the client_id.
+## If you have this issue, `Invalid audiences: `...` is not a trusted audience"`,
+## you can add the audience `...` to the list here (assuming it should be trusted).
+## Env: KOMODO_OIDC_ADDITIONAL_AUDIENCES or KOMODO_OIDC_ADDITIONAL_AUDIENCES_FILE
+## Default: empty
+oidc_additional_audiences = []
+
+#########
+# OAUTH #
+#########
+
+## Google
+
+## Env: KOMODO_GOOGLE_OAUTH_ENABLED
+## Default: false
+google_oauth.enabled = false
+
+## Env: KOMODO_GOOGLE_OAUTH_ID or KOMODO_GOOGLE_OAUTH_ID_FILE
+## Required if google_oauth is enabled.
+google_oauth.id = ""
+
+## Env: KOMODO_GOOGLE_OAUTH_SECRET or KOMODO_GOOGLE_OAUTH_SECRET_FILE
+## Required if google_oauth is enabled.
+google_oauth.secret = ""
+
+## Github
+
+## Env: KOMODO_GITHUB_OAUTH_ENABLED
+## Default: false
+github_oauth.enabled = false
+
+## Env: KOMODO_GITHUB_OAUTH_ID or KOMODO_GITHUB_OAUTH_ID_FILE
+## Required if github_oauth is enabled.
+github_oauth.id = ""
+
+## Env: KOMODO_GITHUB_OAUTH_SECRET or KOMODO_GITHUB_OAUTH_SECRET_FILE
+## Required if github_oauth is enabled.
+github_oauth.secret = ""
+
+############
+# Security #
+############
+
+## Enable HTTPS server using the given key and cert.
+## Env: KOMODO_SSL_ENABLED
+## Default: false
+ssl_enabled = false
+
+## Path to the ssl key.
+## Env: KOMODO_SSL_KEY_FILE
+## Default: /config/ssl/key.pem
+ssl_key_file = "/config/ssl/key.pem"
+
+## Path to the ssl cert.
+## Env: KOMODO_SSL_CERT_FILE
+## Default: /config/ssl/cert.pem
+ssl_cert_file = "/config/ssl/cert.pem"
+
+############
+# DATABASE #
+############
+
+## Configure the database connection in one of the following ways:
+
+## Pass a full Mongo URI to the database.
+## Example: mongodb://username:password@localhost:27017
+## Env: KOMODO_DATABASE_URI or KOMODO_DATABASE_URI_FILE
+## Optional, can usually use `address`, `username`, `password` instead.
+database.uri = "mongodb://komodo:jtyl2U8KZPUe8V9MOTXQDYRlg7QemGuF@komodo-ferretdb:27017/komodo?authMechanism=PLAIN"
+
+## ==== * OR * ==== ##
+
+# Construct the address as mongodb://{username}:{password}@{address}
+## Env: KOMODO_DATABASE_ADDRESS
+# database.address = "localhost:27017"
+## Env: KOMODO_DATABASE_USERNAME or KOMODO_DATABASE_USERNAME_FILE
+# database.username = ""
+## Env: KOMODO_DATABASE_PASSWORD or KOMODO_DATABASE_PASSWORD_FILE
+# database.password = ""
+
+## ==== other ====
+
+## Komodo will create its collections under this database name.
+## The only reason to change this is if multiple Komodo Cores share the same db.
+## Env: KOMODO_DATABASE_DB_NAME
+## Default: komodo.
+database.db_name = "komodo"
+
+## This is the assigned app_name of the mongo client.
+## The only reason to change this is if multiple Komodo Cores share the same db.
+## Env: KOMODO_DATABASE_APP_NAME
+## Default: komodo_core.
+database.app_name = "komodo_core"
+
+############
+# WEBHOOKS #
+############
+
+## This token must be given to git provider during repo webhook config.
+## The secret configured on the git provider side must match the secret configured here.
+## If not provided, 
+## Env: KOMODO_WEBHOOK_SECRET or KOMODO_WEBHOOK_SECRET_FILE
+## Optional, no default.
+webhook_secret = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['KOMODO_WEBHOOK_SECRET'] }}"
+
+## An alternate base url that is used to recieve git webhook requests.
+## If empty or not specified, will use 'host' address as base.
+## This is useful if Komodo is on an internal network, but can have a
+## proxy just allowing through the webhook listener api using NGINX.
+## Env: KOMODO_WEBHOOK_BASE_URL
+## Default: empty (none)
+webhook_base_url = ""
+
+## Configure Github webhook app. Enables webhook management apis.
+## <INSERT LINK TO GUIDE>
+## Env: KOMODO_GITHUB_WEBHOOK_APP_APP_ID or KOMODO_GITHUB_WEBHOOK_APP_APP_ID_FILE
+# github_webhook_app.app_id = 1234455 # Find on the app page.
+## Env: 
+##   - KOMODO_GITHUB_WEBHOOK_APP_INSTALLATIONS_IDS or KOMODO_GITHUB_WEBHOOK_APP_INSTALLATIONS_IDS_FILE
+##   - KOMODO_GITHUB_WEBHOOK_APP_INSTALLATIONS_NAMESPACES
+# github_webhook_app.installations = [
+#   ## Find the id after installing the app to user / organization. "namespace" is the username / organization name.
+#   { id = 1234, namespace = "mbecker20" }
+# ]
+
+## The path to Github webhook app private key. <INSERT LINK TO GUIDE>
+## This is defaulted to `/github/private-key.pem`, and doesn't need to be changed if running core in Docker.
+## Just mount the private key pem file on the host to `/github/private-key.pem` in the container.
+## Eg. `/your/path/to/key.pem : /github/private-key.pem`
+## Env: KOMODO_GITHUB_WEBHOOK_APP_PK_PATH
+# github_webhook_app.pk_path = "/path/to/pk.pem"
+
+###########
+# LOGGING #
+###########
+
+## Specify the logging verbosity
+## Env: KOMODO_LOGGING_LEVEL
+## Options: off, error, warn, info, debug, trace
+## Default: info
+logging.level = "info"
+
+## Specify the logging format for stdout / stderr.
+## Env: KOMODO_LOGGING_STDIO
+## Options: standard, json, none
+## Default: standard
+logging.stdio = "standard"
+
+## Optionally specify a opentelemetry otlp endpoint to send traces to.
+## Example: http://localhost:4317
+## Env: KOMODO_LOGGING_OTLP_ENDPOINT
+logging.otlp_endpoint = ""
+
+## Set the opentelemetry service name.
+## This will be attached to the telemetry Komodo will send.
+## Env: KOMODO_LOGGING_OPENTELEMETRY_SERVICE_NAME
+## Default: "Komodo"
+logging.opentelemetry_service_name = "Komodo"
+
+###########
+# PRUNING #
+###########
+
+## The number of days to keep historical system stats around, or 0 to disable pruning. 
+## Stats older that are than this number of days are deleted on a daily cycle.
+## Env: KOMODO_KEEP_STATS_FOR_DAYS
+## Default: 14
+keep_stats_for_days = 14
+
+## The number of days to keep alerts around, or 0 to disable pruning. 
+## Alerts older that are than this number of days are deleted on a daily cycle.
+## Env: KOMODO_KEEP_ALERTS_FOR_DAYS
+## Default: 14
+keep_alerts_for_days = 14
+
+##################
+# POLL INTERVALS #
+##################
+
+## Controls the rate at which servers are polled for health, system stats, and container status.
+## This affects network usage, and the size of the stats stored in mongo.
+## Env: KOMODO_MONITORING_INTERVAL
+## Options: 1-sec, 5-sec, 15-sec, 30-sec, 1-min, 2-min, 5-min, 15-min
+## Default: 15-sec
+monitoring_interval = "15-sec"
+
+## Interval at which to poll Resources for any updates / automated actions.
+## Env: KOMODO_RESOURCE_POLL_INTERVAL
+## Options: `15-sec`, `1-min`, `5-min`, `15-min`, `1-hr`.
+## Default: 5-min
+resource_poll_interval = "5-min"
+
+###################
+# CLOUD PROVIDERS #
+###################
+
+## Komodo can build images by deploying AWS EC2 instances,
+## running the build, and afterwards destroying the instance.
+
+## Additionally, Komodo can deploy cloud VPS on AWS EC2 and Hetzner.
+## Use the Template resource to configure launch preferences.
+## Hetzner is not supported for builds as their pricing model is by the hour,
+## while AWS is by the minute. This is very important for builds.
+
+## Provide AWS api keys for ephemeral builders / server launch
+## Env: KOMODO_AWS_ACCESS_KEY_ID or KOMODO_AWS_ACCESS_KEY_ID_FILE
+aws.access_key_id = ""
+## Env: KOMODO_AWS_SECRET_ACCESS_KEY or KOMODO_AWS_SECRET_ACCESS_KEY_FILE
+aws.secret_access_key = ""
+
+## Provide Hetzner api token for server launch
+## Env: KOMODO_HETZNER_TOKEN or KOMODO_HETZNER_TOKEN_FILE
+hetzner.token = ""
+
+#################
+# GIT PROVIDERS #
+#################
+
+## These will be available to attach to Builds, Repos, Stacks, and Syncs.
+## They allow these Resources to clone private repositories.
+## They cannot be configured on the environment.
+
+## configure git providers
+# [[git_provider]]
+# domain = "github.com"
+# accounts = [
+# 	{ username = "mbecker20", token = "access_token_for_account" },
+# 	{ username = "moghtech", token = "access_token_for_other_account" },
+# ]
+
+# [[git_provider]]
+# domain = "git.mogh.tech" # use a custom provider, like self-hosted gitea
+# accounts = [
+# 	{ username = "mbecker20", token = "access_token_for_account" },
+# ]
+
+# [[git_provider]]
+# domain = "localhost:8000" # use a custom provider, like self-hosted gitea
+# https = false # use http://localhost:8000 as base-url for clone
+# accounts = [
+# 	{ username = "mbecker20", token = "access_token_for_account" },
+# ]
+
+######################
+# REGISTRY PROVIDERS #
+######################
+
+## These will be available to attach to Builds and Stacks.
+## They allow these Resources to pull private images.
+## They cannot be configured on the environment.
+
+## configure docker registries
+# [[docker_registry]]
+# domain = "docker.io"
+# accounts = [
+# 	{ username = "mbecker2020", token = "access_token_for_account" }
+# ]
+# organizations = ["DockerhubOrganization"]
+
+[[gitea_rinoa]]
+domain = "git.trez.wtf"
+accounts = [
+	{ username = "gitea-sonarqube-bot", token = "594a3a9611bdb508bd6a3575e2ddb3ac4922a4da" }
+]
+
+[[gitea_rinoa_local]]
+domain = "http://gitea:3000"
+accounts = [
+	{ username = "gitea-sonarqube-bot", token = "594a3a9611bdb508bd6a3575e2ddb3ac4922a4da" }
+]
+
+# [[docker_registry]]
+# domain = "git.mogh.tech" # use a custom provider, like self-hosted gitea
+# accounts = [
+# 	{ username = "mbecker20", token = "access_token_for_account" },
+# ]
+# organizations = ["Mogh"] # These become available in the UI
+
+###########
+# SECRETS #
+###########
+
+## Provide Core based secrets.
+## These will be available to interpolate into your Deployment / Stack environments,
+## and will be hidden in the UI and logs.
+## These are available to use on any Periphery (Server),
+## but you can also limit access more by placing them in a single Periphery's config file instead.
+## These cannot be configured in the Komodo Core environment, they must be passed in the file.
+
+# [secrets]
+# SECRET_1 = "value_1"
+# SECRET_2 = "value_2"
@@ -0,0 +1,21 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<Config>
+  <BindAddress>*</BindAddress>
+  <Port>8686</Port>
+  <SslPort>6868</SslPort>
+  <EnableSsl>False</EnableSsl>
+  <LaunchBrowser>True</LaunchBrowser>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}</ApiKey>
+  <AuthenticationMethod>Forms</AuthenticationMethod>
+  <Branch>master</Branch>
+  <LogLevel>trace</LogLevel>
+  <SslCertPath></SslCertPath>
+  <SslCertPassword></SslCertPassword>
+  <UrlBase></UrlBase>
+  <InstanceName>Lidarr</InstanceName>
+  <UpdateMechanism>Docker</UpdateMechanism>
+  <Theme>auto</Theme>
+  <AuthenticationRequired>Enabled</AuthenticationRequired>
+</Config>
@@ -0,0 +1,25 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+    "lidarr_address": "http://lidarr:8686",
+    "lidarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}",
+    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+    "root_folder_path": "/data/media/music",
+    "spotify_client_id": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
+    "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+    "fallback_to_top_result": false,
+    "lidarr_api_timeout": 120.0,
+    "quality_profile_id": 1,
+    "metadata_profile_id": 1,
+    "search_for_missing_albums": false,
+    "dry_run_adding_to_lidarr": true,
+    "app_name": "lidify",
+    "app_rev": "0.09",
+    "app_url": "lidify.trez.wtf",
+    "last_fm_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+    "last_fm_api_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+    "mode": "LastFM",
+    "auto_start": false,
+    "auto_start_delay": 60
+}
@@ -0,0 +1,63 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+    "sourceDefaults": {
+      "maxPollRetries": 0,          // optional, default # of automatic polling restarts on error. can be overridden by property in individual config
+      "maxRequestRetries": 1,       // optional, default # of http request retries a source can make before error is thrown. can be overridden by property in individual config
+      "retryMultiplier": 1.5       // optional, default retry delay multiplier (retry attempt * multiplier = # of seconds to wait before retrying). can be overridden by property in individual config
+    },
+    "clientDefaults": {
+      "maxRequestRetries": 1,       // optional, default # of http request retries a client can make before error is thrown. can be overridden by property in individual config
+      "retryMultiplier": 1.5       // optional, default retry delay multiplier (retry attempt * multiplier = # of seconds to wait before retrying). can be overridden by property in individual config
+    },
+    "clients": [
+        {
+            "name": "Last.fm Client",
+            "enable": true,
+            "configureAs": "client",
+            "data": {
+            "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+            "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+            "redirectUri": "http://localhost:9078/lastfm/callback"
+            }
+        },
+        {
+            "name": "Last.fm Source",
+            "enable": true,
+            "configureAs": "source",
+            "data": {
+            "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
+            "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+            "redirectUri": "http://localhost:9078/lastfm/callback"
+            }
+        },
+        {
+            "name": "Maloja",
+            "enable": true,
+            "data": {
+            "url": "http://maloja:42010",
+            "apiKey": "myMalojaKey"
+            }
+        },
+        {
+          "name": "ListenBrainz Client",
+          "enable": true,
+          "configureAs": "client",
+          "data": {
+            "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+            "username": "Trez.One"
+          }
+        },
+        {
+          "name": "ListenBrainz Source",
+          "enable": true,
+          "configureAs": "source",
+          "data": {
+            "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+            "username": "Trez.One"
+          }
+        }
+      ]
+  }
+}
@@ -0,0 +1,11 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<clickhouse>
+    <profiles>
+        <default>
+            <log_queries>0</log_queries>
+            <log_query_threads>0</log_query_threads>
+        </default>
+    </profiles>
+</clickhouse>
@@ -0,0 +1,59 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+version: 2
+
+postal:
+  web_hostname: post.trez.wtf
+  web_protocol: http
+  smtp_hostname: post.trez.wtf
+  use_ip_pools: false
+  signing_key_path: /config/signing.key
+  trusted_proxies: [ "172.18.0.0/16" ]
+
+web_server:
+  default_port: 5000
+  default_bind_address: 0.0.0.0
+
+main_db:
+  host: mariadb
+  username: postal
+  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+  database: postal
+
+message_db:
+  host: mariadb
+  username: postal
+  password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+  prefix: postal
+
+smtp_server:
+  default_port: 25
+  default_bind_address: "::"
+
+dns:
+  # Specify the DNS records that you have configured. Refer to the documentation at
+  # https://github.com/atech/postal/wiki/Domains-&-DNS-Configuration for further
+  # information about these.
+  mx_records:
+    - mx.post.trez.wtf
+  spf_include: spf.post.trez.wtf
+  return_path_domain: rp.post.trez.wtf
+  route_domain: routes.post.trez.wtf
+  track_domain: track.post.trez.wtf
+
+smtp:
+  # Specify an SMTP server that can be used to send messages from the Postal management
+  # system to users. You can configure this to use a Postal mail server once the
+  # your installation has been set up.
+  host: postal-smtp
+  port: 25
+  username: rinoa/postal-smtp
+  password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+  from_name: Postal @ Rinoa
+  from_address: noreply@trez.wtf
+
+rails:
+  # This is generated automatically by the config initialization. It should be a random
+  # string unique to your installation.
+  secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_RAILS_SECRET_KEY'] }}"
@@ -0,0 +1,21 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<Config>
+  <BindAddress>*</BindAddress>
+  <Port>9696</Port>
+  <SslPort>6969</SslPort>
+  <EnableSsl>False</EnableSsl>
+  <LaunchBrowser>True</LaunchBrowser>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}</ApiKey>
+  <AuthenticationMethod>Forms</AuthenticationMethod>
+  <AuthenticationRequired>Enabled</AuthenticationRequired>
+  <Branch>master</Branch>
+  <LogLevel>info</LogLevel>
+  <SslCertPath></SslCertPath>
+  <SslCertPassword></SslCertPassword>
+  <UrlBase></UrlBase>
+  <InstanceName>Prowlarr</InstanceName>
+  <UpdateMechanism>Docker</UpdateMechanism>
+  <Theme>light</Theme>
+</Config>
@@ -0,0 +1,20 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+    "radarr_address": "http://radarr:7878",
+    "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}",
+    "root_folder_path": "/data/media/movies",
+    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
+    "fallback_to_top_result": false,
+    "radarr_api_timeout": 120.0,
+    "quality_profile_id": 1,
+    "metadata_profile_id": 1,
+    "search_for_movie": true,
+    "dry_run_adding_to_radarr": false,
+    "minimum_rating": 4.5,
+    "minimum_votes": 50,
+    "language_choice": "all",
+    "auto_start": true,
+    "auto_start_delay": 60.0
+}
@@ -0,0 +1,21 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<Config>
+  <LogLevel>info</LogLevel>
+  <BindAddress>*</BindAddress>
+  <EnableSsl>False</EnableSsl>
+  <SslCertPath></SslCertPath>
+  <Port>7878</Port>
+  <UrlBase></UrlBase>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}</ApiKey>
+  <AuthenticationMethod>Forms</AuthenticationMethod>
+  <UpdateMechanism>Docker</UpdateMechanism>
+  <SslPort>9898</SslPort>
+  <LaunchBrowser>True</LaunchBrowser>
+  <Branch>master</Branch>
+  <SslCertPassword></SslCertPassword>
+  <InstanceName>Radarr</InstanceName>
+  <Theme>auto</Theme>
+  <AuthenticationRequired>Enabled</AuthenticationRequired>
+</Config>
@@ -0,0 +1,21 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<Config>
+  <BindAddress>*</BindAddress>
+  <Port>8787</Port>
+  <SslPort>6868</SslPort>
+  <EnableSsl>False</EnableSsl>
+  <LaunchBrowser>True</LaunchBrowser>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}</ApiKey>
+  <AuthenticationMethod>Forms</AuthenticationMethod>
+  <Branch>develop</Branch>
+  <LogLevel>info</LogLevel>
+  <SslCertPath></SslCertPath>
+  <SslCertPassword></SslCertPassword>
+  <UrlBase></UrlBase>
+  <InstanceName>Readarr</InstanceName>
+  <UpdateMechanism>Docker</UpdateMechanism>
+  <Theme>auto</Theme>
+  <AuthenticationRequired>Enabled</AuthenticationRequired>
+</Config>
@@ -0,0 +1,482 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+__version__ = 19
+__encoding__ = utf-8
+[misc]
+pre_script = None
+queue_complete = ""
+queue_complete_pers = 0
+bandwidth_perc = 0
+refresh_rate = 1
+queue_limit = 20
+config_lock = 0
+sched_converted = 2
+notified_new_skin = 2
+direct_unpack_tested = 1
+check_new_rel = 1
+auto_browser = 0
+language = en
+enable_https_verification = 1
+host = 0.0.0.0
+port = 8080
+https_port = 8090
+username = thetrezuredone
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_PASSWORD'] }}
+bandwidth_max = 1000M
+cache_limit = 1G
+web_dir = Glitter
+web_color = Auto
+https_cert = server.cert
+https_key = server.key
+https_chain = ""
+enable_https = 1
+inet_exposure = 0
+local_ranges = ,
+api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_API_KEY'] }}
+nzb_key = 3c0fa874bb2748b58c1bd7512e649946
+permissions = 775
+download_dir = /storage/downloads/incomplete
+download_free = ""
+complete_dir = /storage/downloads/completed/nzb
+script_dir = ""
+nzb_backup_dir = ""
+admin_dir = admin
+dirscan_dir = /storage/downloads/watch
+dirscan_speed = 5
+password_file = ""
+log_dir = logs
+max_art_tries = 3
+load_balancing = 2
+top_only = 0
+sfv_check = 1
+quick_check_ext_ignore = nfo, sfv, srr
+script_can_fail = 0
+ssl_ciphers = ""
+enable_recursive = 1
+flat_unpack = 0
+par_option = ""
+pre_check = 1
+nice = ""
+win_process_prio = 3
+ionice = ""
+fail_hopeless_jobs = 1
+fast_fail = 1
+auto_disconnect = 1
+no_dupes = 3
+no_series_dupes = 0
+series_propercheck = 1
+pause_on_pwrar = 2
+ignore_samples = 1
+deobfuscate_final_filenames = 0
+auto_sort = ""
+direct_unpack = 1
+direct_unpack_threads = 3
+propagation_delay = 0
+folder_rename = 1
+replace_spaces = 1
+replace_dots = 1
+safe_postproc = 1
+pause_on_post_processing = 0
+sanitize_safe = 0
+cleanup_list = ,
+unwanted_extensions = ,
+action_on_unwanted_extensions = 0
+new_nzb_on_failure = 1
+history_retention = ""
+enable_meta = 1
+quota_size = ""
+quota_day = ""
+quota_resume = 0
+quota_period = m
+rating_enable = 0
+rating_host = ""
+rating_api_key = ""
+rating_filter_enable = 0
+rating_filter_abort_audio = 0
+rating_filter_abort_video = 0
+rating_filter_abort_encrypted = 0
+rating_filter_abort_encrypted_confirm = 0
+rating_filter_abort_spam = 0
+rating_filter_abort_spam_confirm = 0
+rating_filter_abort_downvoted = 0
+rating_filter_abort_keywords = ""
+rating_filter_pause_audio = 0
+rating_filter_pause_video = 0
+rating_filter_pause_encrypted = 0
+rating_filter_pause_encrypted_confirm = 0
+rating_filter_pause_spam = 0
+rating_filter_pause_spam_confirm = 0
+rating_filter_pause_downvoted = 0
+rating_filter_pause_keywords = ""
+enable_tv_sorting = 1
+tv_sort_string = %sn/Season %s/%sn - %sx%0e - %en.%ext
+tv_sort_countries = 1
+tv_categories = tv,
+enable_movie_sorting = 0
+movie_sort_string = ""
+movie_sort_extra = -cd%1
+movie_extra_folder = 0
+movie_categories = movies,
+enable_date_sorting = 0
+date_sort_string = ""
+date_categories = tv,
+schedlines = ,
+rss_rate = 60
+ampm = 0
+replace_illegal = 1
+start_paused = 0
+enable_all_par = 1
+enable_par_cleanup = 1
+enable_unrar = 1
+enable_unzip = 1
+enable_7zip = 1
+enable_filejoin = 1
+enable_tsjoin = 1
+overwrite_files = 0
+ignore_unrar_dates = 0
+backup_for_duplicates = 1
+empty_postproc = 0
+wait_for_dfolder = 0
+rss_filenames = 0
+api_logging = 1
+html_login = 1
+osx_menu = 1
+osx_speed = 1
+warn_dupl_jobs = 1
+helpfull_warnings = 1
+keep_awake = 1
+win_menu = 1
+allow_incomplete_nzb = 0
+enable_bonjour = 1
+max_art_opt = 0
+ipv6_hosting = 0
+fixed_ports = 1
+api_warnings = 1
+disable_api_key = 0
+no_penalties = 0
+x_frame_options = 1
+require_modern_tls = 0
+num_decoders = 3
+rss_odd_titles = nzbindex.nl/, nzbindex.com/, nzbclub.com/
+req_completion_rate = 100.2
+selftest_host = self-test.sabnzbd.org
+movie_rename_limit = 100M
+size_limit = 0
+show_sysload = 2
+history_limit = 10
+wait_ext_drive = 5
+max_foldername_length = 246
+nomedia_marker = ""
+ipv6_servers = 1
+url_base = /sabnzbd
+host_whitelist = rinoa, sabnzbd.trez.wtf
+max_url_retries = 10
+email_server = ""
+email_to = ,
+email_from = ""
+email_account = ""
+email_pwd = ""
+email_endjob = 0
+email_full = 0
+email_dir = ""
+email_rss = 0
+email_cats = *,
+interface_settings = '{"dateFormat":"fromNow","extraQueueColumns":["category"],"extraHistoryColumns":[],"displayCompact":false,"displayFullWidth":false,"confirmDeleteQueue":true,"confirmDeleteHistory":true,"keyboardShortcuts":true}'
+complete_free = ""
+fulldisk_autoresume = 0
+enable_broadcast = 1
+downloader_sleep_time = 10
+ssdp_broadcast_interval = 15
+unwanted_extensions_mode = 0
+process_unpacked_par2 = 1
+episode_rename_limit = 20M
+socks5_proxy_url = ""
+preserve_paused_state = 0
+helpful_warnings = 1
+allow_old_ssl_tls = 0
+num_simd_decoders = 2
+ext_rename_ignore = ,
+backup_dir = ""
+replace_underscores = 0
+tray_icon = 1
+sorters_converted = 1
+enable_season_sorting = 1
+receive_threads = 2
+switchinterval = 0.005
+end_queue_script = None
+no_smart_dupes = 1
+dupes_propercheck = 1
+enable_multipar = 1
+verify_xff_header = 0
+history_retention_option = all
+history_retention_number = 1
+ipv6_staging = 0
+disable_archive = 0
+config_conversion_version = 4
+disable_par2cmdline = 0
+[logging]
+log_level = 1
+max_log_size = 5242880
+log_backups = 5
+[ncenter]
+ncenter_enable = 0
+ncenter_cats = *,
+ncenter_prio_startup = 0
+ncenter_prio_download = 0
+ncenter_prio_pause_resume = 0
+ncenter_prio_pp = 0
+ncenter_prio_complete = 0
+ncenter_prio_failed = 0
+ncenter_prio_disk_full = 0
+ncenter_prio_new_login = 0
+ncenter_prio_warning = 0
+ncenter_prio_error = 0
+ncenter_prio_queue_done = 0
+ncenter_prio_other = 0
+[acenter]
+acenter_enable = 0
+acenter_cats = *,
+acenter_prio_startup = 0
+acenter_prio_download = 0
+acenter_prio_pause_resume = 0
+acenter_prio_pp = 0
+acenter_prio_complete = 0
+acenter_prio_failed = 0
+acenter_prio_disk_full = 0
+acenter_prio_new_login = 0
+acenter_prio_warning = 0
+acenter_prio_error = 0
+acenter_prio_queue_done = 0
+acenter_prio_other = 0
+[ntfosd]
+ntfosd_enable = 0
+ntfosd_cats = *,
+ntfosd_prio_startup = 0
+ntfosd_prio_download = 0
+ntfosd_prio_pause_resume = 0
+ntfosd_prio_pp = 0
+ntfosd_prio_complete = 0
+ntfosd_prio_failed = 0
+ntfosd_prio_disk_full = 0
+ntfosd_prio_new_login = 0
+ntfosd_prio_warning = 0
+ntfosd_prio_error = 0
+ntfosd_prio_queue_done = 0
+ntfosd_prio_other = 0
+[prowl]
+prowl_enable = 0
+prowl_cats = *,
+prowl_apikey = ""
+prowl_prio_startup = -3
+prowl_prio_download = -3
+prowl_prio_pause_resume = -3
+prowl_prio_pp = -3
+prowl_prio_complete = 0
+prowl_prio_failed = 1
+prowl_prio_disk_full = 1
+prowl_prio_new_login = -3
+prowl_prio_warning = -3
+prowl_prio_error = -3
+prowl_prio_queue_done = 0
+prowl_prio_other = -3
+[pushover]
+pushover_token = ""
+pushover_userkey = ""
+pushover_device = ""
+pushover_emergency_expire = 3600
+pushover_emergency_retry = 60
+pushover_enable = 0
+pushover_cats = *,
+pushover_prio_startup = -3
+pushover_prio_download = -2
+pushover_prio_pause_resume = -2
+pushover_prio_pp = -3
+pushover_prio_complete = -1
+pushover_prio_failed = -1
+pushover_prio_disk_full = 1
+pushover_prio_new_login = -3
+pushover_prio_warning = 1
+pushover_prio_error = 1
+pushover_prio_queue_done = -1
+pushover_prio_other = -3
+[pushbullet]
+pushbullet_enable = 0
+pushbullet_cats = *,
+pushbullet_apikey = ""
+pushbullet_device = ""
+pushbullet_prio_startup = 0
+pushbullet_prio_download = 0
+pushbullet_prio_pause_resume = 0
+pushbullet_prio_pp = 0
+pushbullet_prio_complete = 1
+pushbullet_prio_failed = 1
+pushbullet_prio_disk_full = 1
+pushbullet_prio_new_login = 0
+pushbullet_prio_warning = 0
+pushbullet_prio_error = 0
+pushbullet_prio_queue_done = 0
+pushbullet_prio_other = 0
+[nscript]
+nscript_enable = 0
+nscript_cats = *,
+nscript_script = None
+nscript_parameters = ""
+nscript_prio_startup = 1
+nscript_prio_download = 0
+nscript_prio_pause_resume = 0
+nscript_prio_pp = 0
+nscript_prio_complete = 1
+nscript_prio_failed = 1
+nscript_prio_disk_full = 1
+nscript_prio_new_login = 0
+nscript_prio_warning = 0
+nscript_prio_error = 0
+nscript_prio_queue_done = 1
+nscript_prio_other = 0
+[servers]
+[[news.newshosting.com]]
+name = news.newshosting.com
+displayname = Newshosting
+host = news.newshosting.com
+port = 563
+timeout = 60
+username = thetrezuredone
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_PASSWORD'] }}
+connections = 8
+ssl = 1
+ssl_verify = 3
+ssl_ciphers = ""
+enable = 1
+required = 0
+optional = 0
+retention = 0
+expire_date = ""
+quota = ""
+usage_at_start = 0
+priority = 0
+notes = ""
+[[news.easynews.com]]
+name = news.easynews.com
+displayname = EasyNews
+host = news.easynews.com
+port = 443
+timeout = 60
+username = TrezOne
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
+connections = 60
+ssl = 0
+ssl_verify = 3
+ssl_ciphers = ""
+enable = 1
+required = 0
+optional = 0
+retention = 0
+expire_date = ""
+quota = ""
+usage_at_start = 0
+priority = 0
+notes = ""
+[categories]
+[[software]]
+name = software
+order = 0
+pp = ""
+script = Default
+dir = ""
+newzbin = ""
+priority = -100
+[[*]]
+name = *
+order = 0
+pp = 3
+script = Default
+dir = ""
+newzbin = ""
+priority = 0
+[[tv]]
+name = tv
+order = 0
+pp = ""
+script = Default
+dir = tv
+newzbin = ""
+priority = -100
+[[audio]]
+name = audio
+order = 0
+pp = 2
+script = Default
+dir = music
+newzbin = ""
+priority = 1
+[[movies]]
+name = movies
+order = 0
+pp = ""
+script = Default
+dir = movies
+newzbin = ""
+priority = -100
+[[ebook]]
+name = ebook
+order = 0
+pp = 2
+script = Default
+dir = ebooks
+newzbin = ""
+priority = -100
+[[prowlarr]]
+name = prowlarr
+order = 0
+pp = ""
+script = Default
+dir = ""
+newzbin = ""
+priority = -1
+[[sonarr]]
+name = sonarr
+order = 1
+pp = ""
+script = Default
+dir = tv
+newzbin = ""
+priority = -100
+[sorters]
+[[Series Sorting]]
+name = Series Sorting
+order = 0
+min_size = 20M
+multipart_label = ""
+sort_string = %sn/Season %s/%sn - %sx%0e - %en.%ext
+sort_cats = tv,
+sort_type = 1,
+is_active = 1
+[apprise]
+apprise_enable = 1
+apprise_cats = *,
+apprise_urls = apprise://apprise:8000/aef1ab3765b857585e13340f1f5f879b2babcc47b0eccead98a19e0a93fe1a35
+apprise_target_startup = ""
+apprise_target_startup_enable = 0
+apprise_target_download = ""
+apprise_target_download_enable = 0
+apprise_target_pause_resume = ""
+apprise_target_pause_resume_enable = 1
+apprise_target_pp = ""
+apprise_target_pp_enable = 0
+apprise_target_complete = ""
+apprise_target_complete_enable = 1
+apprise_target_failed = ""
+apprise_target_failed_enable = 1
+apprise_target_disk_full = ""
+apprise_target_disk_full_enable = 0
+apprise_target_new_login = ""
+apprise_target_new_login_enable = 1
+apprise_target_warning = ""
+apprise_target_warning_enable = 1
+apprise_target_error = ""
+apprise_target_error_enable = 1
+apprise_target_queue_done = ""
+apprise_target_queue_done_enable = 0
+apprise_target_other = ""
+apprise_target_other_enable = 1
@@ -0,0 +1,7 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+bolt-path: /opt/scrutiny/influxdb/influxd.bolt
+engine-path: /opt/scrutiny/influxdb/engine
+http-bind-address: ":8086"
+reporting-disabled: true
@@ -0,0 +1,49 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+[uwsgi]
+# Who will run the code
+uid = searxng
+gid = searxng
+
+# Number of workers (usually CPU count)
+workers = %k
+threads = 4
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpreter config
+single-interpreter = true
+master = true
+plugin = python3
+lazy-apps = true
+enable-threads = 4
+
+# Module to import
+module = searx.webapp
+
+# Virtualenv and python path
+pythonpath = /usr/local/searxng/
+chdir = /usr/local/searxng/searx/
+
+# automatically set processes name to something meaningful
+auto-procname = true
+
+# Disable request logging for privacy
+disable-logging = true
+log-5xx = true
+
+# Set the max size of a request (request-body excluded)
+buffer-size = 8192
+
+# No keep alive
+# See https://github.com/searx/searx-docker/issues/24
+add-header = Connection: close
+
+# uwsgi serves the static files
+static-map = /static=/usr/local/searxng/searx/static
+# expires set to one day
+static-expires = /* 86400
+static-gzip-all = True
+offload-threads = 4
@@ -0,0 +1,22 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<Config>
+  <LogLevel>info</LogLevel>
+  <EnableSsl>False</EnableSsl>
+  <Port>8989</Port>
+  <SslPort>9898</SslPort>
+  <UrlBase></UrlBase>
+  <BindAddress>*</BindAddress>
+  <ApiKey>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}</ApiKey>
+  <AuthenticationMethod>Forms</AuthenticationMethod>
+  <UpdateMechanism>Docker</UpdateMechanism>
+  <LaunchBrowser>True</LaunchBrowser>
+  <Branch>main</Branch>
+  <InstanceName>Sonarr</InstanceName>
+  <SyslogPort>514</SyslogPort>
+  <AuthenticationRequired>Enabled</AuthenticationRequired>
+  <SslCertPath></SslCertPath>
+  <SslCertPassword></SslCertPassword>
+  <Theme>auto</Theme>
+</Config>
@@ -0,0 +1,21 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+    "sonarr_address": "http://192.168.1.2:8989",
+    "sonarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}",
+    "root_folder_path": "/data/media/shows",
+    "tvdb_api_key": "",
+    "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
+    "fallback_to_top_result": false,
+    "sonarr_api_timeout": 120.0,
+    "quality_profile_id": 1,
+    "metadata_profile_id": 1,
+    "search_for_missing_episodes": true,
+    "dry_run_adding_to_sonarr": false,
+    "minimum_rating": 4.5,
+    "minimum_votes": 50,
+    "language_choice": "all",
+    "auto_start": true,
+    "auto_start_delay": 60.0
+}
@@ -0,0 +1,238 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# debug: false
+# remote_configuration: false
+# remote_file_management: false
+# instance_name: default
+# flags:
+#   no_logo: false
+#   no_start: false
+#   no_config_watch: false
+#   no_connect: false
+#   no_share_scan: false
+#   force_share_scan: false
+#   no_version_check: false
+#   log_sql: false
+#   experimental: false
+#   volatile: false
+#   case_sensitive_reg_ex: false
+#   legacy_windows_tcp_keepalive: false
+# relay:
+#   enabled: false
+#   mode: controller # controller (default), agent, or debug (for local development)
+#   # controller config is required when running in 'agent' mode
+#   # this specifies the relay controller that will be controlling this agent
+#   controller:
+#     address: https://some.site.com:5000
+#     ignore_certificate_errors: false
+#     api_key: <a 16-255 character string corresponding to one of the controller's 'readwrite' or 'administrator' API keys>
+#     secret: <a 16-255 character shared secret matching the controller's config for this agent>
+#     downloads: false
+#   # agent config is optional when running in 'controller' mode
+#   # this specifies all of the agents capable of connecting
+#   agents:
+#     my_agent:
+#       instance_name: my_agent # make sure the top-level instance_name of the agent matches!
+#       secret: <a 16-255 character string unique to this agent>
+#       cidr: 0.0.0.0/0,::/0
+# permissions:
+#   file:
+#     mode: ~ # not for Windows, chmod syntax, e.g. 644, 777. can't escalate beyond umask
+# directories:
+#   incomplete: ~
+#   downloads: ~
+# shares:
+#   directories:
+#     - ~
+#   filters:
+#     - \.ini$
+#     - Thumbs.db$
+#     - \.DS_Store$
+#   cache:
+#     storage_mode: memory
+#     workers: 16
+#     retention: ~ # retain indefinitely (do not automatically re-scan)
+# rooms:
+#   - ~
+# global:
+#   upload:
+#     slots: 20
+#     speed_limit: 1000 # in kibibytes
+#   limits:
+#     queued:
+#       files: 500
+#       megabytes: 5000
+#     daily:
+#       files: 1000
+#       megabytes: 10000
+#       failures: 200
+#     weekly:
+#       files: 5000
+#       megabytes: 50000
+#       failures: 1000
+#   download:
+#     slots: 500
+#     speed_limit: 1000
+# groups:
+#   default:
+#     upload:
+#       priority: 500
+#       strategy: roundrobin
+#       slots: 10
+#     limits:
+#       queued:
+#         files: 150
+#         megabytes: 1500
+#       daily: ~ # no daily limits (weekly still apply)
+#       weekly:
+#         files: 1500
+#         megabytes: 15000
+#         failures: 150
+#   leechers:
+#     thresholds:
+#       files: 1
+#       directories: 1
+#     upload:
+#       priority: 999
+#       strategy: roundrobin
+#       slots: 1
+#       speed_limit: 100
+#     limits:
+#       queued:
+#         files: 15
+#         megabytes: 150
+#       daily:
+#         files: 30
+#         megabytes: 300
+#         failures: 10
+#       weekly:
+#         files: 150
+#         megabytes: 1500
+#         failures: 30
+#   blacklisted:
+#     members:
+#       - <username to blacklist>
+#     cidrs:
+#       - <CIDR to blacklist, e.g. 255.255.255.255/32>
+#   user_defined:
+#     my_buddies:
+#       upload:
+#         priority: 250
+#         strategy: firstinfirstout
+#         slots: 10
+#       limits:
+#         queued:
+#           files: 1000 # override global default
+#       members:
+#         - alice
+#         - bob
+# blacklist:
+#   enabled: true
+#   file: <path to file containing CIDRs to blacklist>
+# filters:
+#   search:
+#     request:
+#       - ^.{1,2}$
+# web:
+#   port: 5030
+#   https:
+#     disabled: false
+#     port: 5031
+#     force: false
+#     certificate:
+#       pfx: ~
+#       password: ~
+#   url_base: /
+#   content_path: wwwroot
+#   logging: false
+#   authentication:
+#     disabled: false
+#     username: slskd
+#     password: slskd
+#     jwt:
+#       key: ~
+#       ttl: 604800000
+#     api_keys:
+#       my_api_key:
+#         key: <some example string between 16 and 255 characters>
+#         role: readonly # readonly, readwrite, administrator
+#         cidr: 0.0.0.0/0,::/0
+# retention:
+#   transfers:
+#     upload:
+#       succeeded: 1440 # 1 day
+#       errored: 30
+#       cancelled: 5
+#     download:
+#       succeeded: 1440 # 1 day
+#       errored: 20160 # 2 weeks 
+#       cancelled: 5
+#   files:
+#     complete: 20160 # 2 weeks
+#     incomplete: 43200 # 30 days
+#   logs: 259200 # 180 days
+# logger:
+#   disk: false
+#   no_color: false
+#   loki: ~
+# metrics:
+#   enabled: false
+#   url: /metrics
+#   authentication:
+#     disabled: false
+#     username: slskd
+#     password: slskd
+# feature:
+#   swagger: false
+# soulseek:
+#   address: vps.slsknet.org
+#   port: 2271
+#   username: ~
+#   password: ~
+#   description: |
+#     A slskd user. https://github.com/slskd/slskd
+#   listen_ip_address: 0.0.0.0
+#   listen_port: 50300
+#   diagnostic_level: Info
+#   distributed_network:
+#     disabled: false
+#     disable_children: false
+#     child_limit: 25
+#     logging: false
+#   connection:
+#     timeout:
+#       connect: 10000
+#       inactivity: 15000
+#     buffer:
+#       read: 16384
+#       write: 16384
+#       transfer: 262144
+#       write_queue: 250
+#     proxy:
+#       enabled: false
+#       address: ~
+#       port: ~
+#       username: ~
+#       password: ~
+# integration:
+#   ftp:
+#     enabled: false
+#     address: ~
+#     port: ~
+#     username: ~
+#     password: ~
+#     remote_path: /
+#     encryption_mode: auto
+#     ignore_certificate_errors: false
+#     overwrite_existing: true
+#     connection_timeout: 5000
+#     retry_attempts: 3
+#   pushbullet:
+#     enabled: false
+#     access_token: ~
+#     notification_prefix: "From slskd:"
+#     notify_on_private_message: true
+#     notify_on_room_mention: true
+#     retry_attempts: 3
+#     cooldown_time: 900000
@@ -0,0 +1,29 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+<?xml version='1.0' encoding='UTF-8'?>
+
+<!DOCTYPE properties SYSTEM 'http://java.sun.com/dtd/properties.dtd'>
+
+<properties>
+
+    <entry key='config.default'>./conf/default.xml</entry>
+
+    <!--
+
+    This is the main configuration file. All your configuration parameters should be placed in this file.
+
+    Default configuration parameters are located in the "default.xml" file. You should not modify it to avoid issues
+    with upgrading to a new version. Parameters in the main config file override values in the default file. Do not
+    remove "config.default" parameter from this file unless you know what you are doing.
+
+    For list of available parameters see following page: https://www.traccar.org/configuration-file/
+
+    -->
+
+    <entry key='database.driver'>org.postgresql.Driver</entry>
+    <entry key='database.url'>jdbc:postgresql://traccar-pg:5432/traccar-db</entry>
+    <entry key='database.user'>traccar</entry>
+    <entry key='database.password'>{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}</entry>
+
+</properties>
@@ -0,0 +1,29 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+{
+    "always_keep_failed_tasks": true,
+    "auto_manage_completed_tasks": false,
+    "cache_path": "/tmp/unmanic",
+    "clear_pending_tasks_on_restart": false,
+    "concurrent_file_testers": 2,
+    "config_path": "/config/.unmanic/config",
+    "debugging": false,
+    "distributed_worker_count_target": 0,
+    "enable_library_scanner": false,
+    "first_run": false,
+    "follow_symlinks": true,
+    "installation_name": "Unmanic @ Rinoa",
+    "library_path": "/library",
+    "log_path": "/config/.unmanic/logs",
+    "max_age_of_completed_tasks": 91,
+    "number_of_workers": null,
+    "plugins_path": "/config/.unmanic/plugins",
+    "release_notes_viewed": "0.2.8",
+    "remote_installations": [],
+    "run_full_scan_on_start": false,
+    "schedule_full_scan_minutes": 1440,
+    "ui_port": 8888,
+    "userdata_path": "/config/.unmanic/userdata",
+    "worker_event_schedules": null
+}
@@ -0,0 +1,19 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+nodes:
+  # Wazuh indexer server nodes
+  indexer:
+    - name: wazuh.indexer
+      ip: wazuh.indexer
+
+  # Wazuh server nodes
+  # Use node_type only with more than one Wazuh manager
+  server:
+    - name: wazuh.manager
+      ip: wazuh.manager
+
+  # Wazuh dashboard node
+  dashboard:
+    - name: wazuh.dashboard
+      ip: wazuh.dashboard
@@ -0,0 +1,33 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+network.host: "0.0.0.0"
+node.name: "wazuh.indexer"
+path.data: /var/lib/wazuh-indexer
+path.logs: /var/log/wazuh-indexer
+discovery.type: single-node
+http.port: 9200-9299
+transport.tcp.port: 9300-9399
+compatibility.override_main_response_version: true
+plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
+plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
+plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.authcz.admin_dn:
+- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.restapi.roles_enabled:
+- "all_access"
+- "security_rest_api_access"
+plugins.security.system_indices.enabled: true
+plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
+plugins.security.allow_default_init_securityindex: true
+cluster.routing.allocation.disk.threshold_enabled: false
@@ -0,0 +1,10 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+hosts:
+  - 1513629884013:
+      url: "https://wazuh.manager"
+      port: 55000
+      username: wazuh-wui
+      password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}
+      run_as: false
@@ -0,0 +1,19 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+ydl_server:   # youtube-dl-server specific settings
+  port: 8080      # Port youtube-dl-server should listen on
+  host: 0.0.0.0   # IP youtube-dl-server should bind to
+  debug: False    # Enable/Disable debug mode
+  metadata_db_path: '/youtube-dl/.ydl-metadata.db' # Path to metadata DB
+  output_playlist: '/youtube-dl/%(title)s [%(id)s].%(ext)s' # Playlist output directory template
+  update_poll_delay_min: 1440 # Automatically check for updates every 24h
+  max_log_entries: 100 # Maximum number of job log history to keep
+  forwarded_allow_ips: None # uvicorn Comma seperated list of IPs to trust with proxy headers.
+  proxy_headers: True # uvicorn flag Enable/Disable X-Forwarded-Proto, X-Forwarded-For, X-Forwarded-Port to populate remote address info.
+
+ydl_options:  # youtube-dl options
+  output: '/youtube-dl/%(title)s [%(id)s].%(ext)s' # output directory template
+  cache-dir: '/youtube-dl/.cache' # youtube-dl cache directory
+  ignore-errors: True # instruct youtube-dl to skip errors
+  age-limit: 6 # minimal age requirement / parental control setting
@@ -0,0 +1,43 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+Log:
+  Level: 'debug'
+
+# Make ZITADEL accessible over HTTPs, not HTTP
+ExternalSecure: true
+ExternalDomain: 'id.trez.wtf'
+ExternalPort: 443
+
+# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
+Database:
+  postgres:
+    Host: 'zitadel-pg-db'
+    Port: 5432
+    Database: zitadel
+    User:
+      SSL:
+        Mode: 'disable'
+    Admin:
+      SSL:
+        Mode: 'disable'
+
+DefaultInstance:
+  DomainPolicy:
+    UserLoginMustBeDomain: false
+
+LogStore:
+  Access:
+    Stdout:
+      Enabled: true
+
+SMTPConfiguration:
+    # Configuration of the host
+    SMTP:
+      # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
+      Host: 'postal-smtp:25'
+      User: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
+      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+    From: 'noreply@trez.wtf'
+    FromName: 'Zitadel @ Rinoa'
@@ -0,0 +1,13 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/setup/steps.yaml
+FirstInstance:
+  Org:
+    Human:
+      # use the loginname root@my-org.my.domain
+      Username: 'root'
+      Password: 'RootPassword1!'
+      Email:
+        Address: 'charish.patel@trez.wtf'
+        Verified: true
@@ -0,0 +1,13 @@
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
+
+# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
+Database:
+  postgres:
+    User:
+      # If the user doesn't exist already, it is created
+      Username: 'zitadel'
+      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_PASSWORD'] }}
+    Admin:
+      Username: 'root'
+      Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_ADMIN_PASSWORD'] }}
@@ -0,0 +1,4 @@
+---
+collections:
+  - name: community.hashi_vault
+    version: 6.2.0
@@ -0,0 +1,20 @@
+---
+- name: Deploy Docker Service Configurations
+  hosts: rinoa
+  vars:
+    appdata_base_path: "~/.docker/config/appdata"
+
+  tasks:
+    - name: Ensure target directories exist
+      ansible.builtin.file:
+        path: "{{ appdata_base_path }}/{{ (item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') | regex_replace('/[^/]+$', '')) }}"
+        state: directory
+        mode: '0755'
+      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
+
+    - name: Deploy configuration templates
+      ansible.builtin.template:
+        src: "{{ item }}"
+        dest: "{{ appdata_base_path }}/{{ item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') }}"
+        mode: '0644'
+      loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
@@ -0,0 +1,14 @@
+vault_addr: "https://vault.trez.wtf"
+vault_token: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  66373236656261373330343233616231386539616566613864306436613635323533336365383232
+  6636653139393566643265303135343864363632393035380a643566373137316363626438356431
+  64653237313866316537326565386164373564353166346334663638636531353337303937346466
+  3539366634393337620a653133336530333963343638643934303336653935363932643665353234
+  63343565663632633563396131346139666236313863663332386131633831633566373366613738
+  63343634313539336534666632313736343338623538303434316230383764643432646663356238
+  61373132633062346436363036333533623931313037306633616662623032616137613734343638
+  63633031616161623437623935346366636433653435646333313638376161663237323130636433
+  31383031646666626163323966393738386233346137326231366263316532343563
+vault_token_cleaned: "{{ vault_token | regex_replace('\\n', '') }}"
+secrets_path: "rinoa-docker/env"
@@ -0,0 +1,13 @@
+rinoa:
+        ansible_host: 192.168.1.254
+        ansible_python_interpreter: /usr/bin/python3
+        ansible_ssh_port: 22
+        ansible_ssh_user: charish
+        ansible_ssh_pass: !vault |
+                $ANSIBLE_VAULT;1.1;AES256
+                38346631616139316365316566386362396661323163306339303635646331373061323531626431
+                3435373031363739356261656239633835393963636663370a613166653463656337666366633639
+                37373637326633363430633336646165343764303063663636313835326130663532323037663331
+                6332353339656134370a353435396532663932313535646636333262353238386331313764633635
+                63383065623930653134666261353439366535646661383434386261393232373432353937636535
+                3432336137393737643735346665303832653630316439333565
@@ -0,0 +1,12 @@
+---
+all:
+  hosts:
+    benedikta:
+      ansible_host: 192.168.1.241
+      ansible_user: charish
+    rikku:
+      ansible_host: 192.168.1.253
+      ansible_user: pi
+    rinoa:
+      ansible_host: 192.168.1.254
+      ansible_user: charish
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+65353131326537376561616630666531353731653835306564323565383332653437633533313932
+6239663065306339366536326432323534303364663862350a353034623936363066303164333434
+32666331326332363463383234316136323031626330366132643034376439616339396662636236
+3633393039376438630a326138653031656465373966356564336463643465613638313838393166
+36626366356266636535613862333631386231626134376264363731353264613261633037646662
+6431393837653564366531316332616232336365636533643036
@@ -1157,7 +1157,7 @@ services:
      GITEA__mailer__SMTP_PORT: 25
      GITEA__mailer__USER: ${POSTAL_SMTP_AUTH_USER}
      GITEA__mailer__PASSWD: ${POSTAL_SMTP_AUTH_PASSWORD}
-    image: gitea/gitea:1.22.6
+    image: gitea/gitea:1.23.1
    labels:
      homepage.group: Code/DevOps
      homepage.name: Gitea
@@ -1185,7 +1185,7 @@ services:
    restart: always
    volumes:
      - source: ${DOCKER_VOLUME_CONFIG}/gitea
-        target: /data
+        target: /data/gitea
        type: bind
        bind:
          create_host_path: true
@@ -1806,7 +1806,7 @@ services:
        db:
          dbname: invidious
          user: kemal
-          password: kemal
+          password: ${INVID_PG_DB_PASSWORD}
          host: invidious-db
          port: 5432
        check_tables: true
@@ -1845,7 +1845,7 @@ services:
    container_name: invidious-db
    environment:
      POSTGRES_DB: invidious
-      POSTGRES_PASSWORD: kemal
+      POSTGRES_PASSWORD: ${INVID_PG_DB_PASSWORD}
      POSTGRES_USER: kemal
    healthcheck:
      test:
@@ -2685,121 +2685,6 @@ services:
        published: "22300"
        target: 22300
    restart: unless-stopped
-  komodo-core:
-    container_name: komodo-core
-    depends_on:
-      - komodo-ferretdb
-      - komodo-periphery
-    image: ghcr.io/mbecker20/komodo:latest
-    labels:
-      homepage.group: System Administration
-      homepage.name: Komodo
-      homepage.href: https://komodo.${MY_TLD}
-      homepage.icon: /icons/komodo.png
-      homepage.description: Open-source note taking & to-do
-      komodo.skip: a
-      swag: enable
-      swag_url: komodo.${MY_TLD}
-      swag_port: 9120
-      swag_proto: http
-    ports:
-      - 9120:9120
-    restart: always
-    volumes:
-      - ${DOCKER_VOLUME_CONFIG}/komodo/core.config.toml:/config/config.toml
-  komodo-ferretdb:
-    container_name: komodo-ferretdb
-    depends_on:
-      - komodo-pg-db
-    image: ghcr.io/ferretdb/ferretdb
-    labels:
-      komodo.skip: a
-    restart: unless-stopped
-    expose:
-      - 27017
-    environment:
-      - FERRETDB_POSTGRESQL_URL=postgres://komodo-pg-db:5432/komodo
-  komodo-periphery:
-    container_name: komodo-periphery
-    environment:
-      DOCKER_HOST: tcp://dockerproxy:2375
-      PERIPHERY_PASSKEYS: ${KOMODO_PASSKEY}
-      PERIPHERY_SSL_ENABLED: false
-      PERIPHERY_INCLUDE_DISK_MOUNTS: /etc/hostname
-      # PERIPHERY_EXCLUDE_DISK_MOUNTS: /snap,/etc/repos
-    expose:
-      - 8120
-    image: ghcr.io/mbecker20/periphery:latest
-    labels:
-      komodo.skip: a
-    restart: always
-    volumes:
-      - /proc:/proc
-  komodo-pg-db:
-    container_name: komodo-pg-db
-    environment:
-      POSTGRES_USER: komodo
-      POSTGRES_PASSWORD: ${KOMODO_PG_DB_PASSWORD}
-      POSTGRES_DB: komodo
-    expose:
-      - 5432
-    labels:
-      komodo.skip: a
-    image: postgres:17-alpine
-    restart: unless-stopped
-    volumes:
-      - komodo-pg-data:/var/lib/postgresql/data
-  librespeed:
-    container_name: librespeed
-    environment:
-      DB_HOSTNAME: 
-      DB_NAME: 
-      DB_PASSWORD: 
-      DB_TYPE: sqlite
-      DB_USERNAME: 
-      PASSWORD: 
-      PGID: 1000
-      PUID: 1000
-      TZ: America/New_York
-      DOCKER_MODS: ghcr.io/themepark-dev/theme.park:librespeed
-    hostname: Rinoa
-    image: lscr.io/linuxserver/librespeed:latest
-    labels:
-      homepage.group: System Administration
-      homepage.name: LibreSpeed
-      homepage.href: https://speed.${MY_TLD}
-      homepage.icon: librespeed.png
-      homepage.description: Speed test
-      homepage: enable
-      homepage_proto: http
-      homepage_url: speed.${MY_TLD}
-      homepage.uptime-kuma.enabled: true
-      homepage.uptime-kuma.monitor.url: https://speed.${MY_TLD}
-    networks:
-      default: null
-    ports:
-      - mode: ingress
-        protocol: tcp
-        published: "8014"
-        target: 80
-    restart: unless-stopped
-    volumes:
-      - bind:
-          create_host_path: true
-        read_only: true
-        source: /etc/localtime
-        target: /etc/localtime
-        type: bind
-      - bind:
-          create_host_path: true
-        source: ${DOCKER_VOLUME_CONFIG}/librespeed
-        target: /config
-        type: bind
-      - bind:
-          create_host_path: true
-        source: /rinoa-storage
-        target: /storage
-        type: bind
  lidarr:
    container_name: lidarr
    environment:
@@ -3034,9 +2919,9 @@ services:
      PGID: 1000
      PUID: 1000
      TZ: America/New_York
-      MYSQL_PASSWORD: VQU23wHKRNmfpAPt5E9BxMaSGJdWjLuz
+      MYSQL_PASSWORD: ${NEXTCLOUD_MARIADB_PASSWORD}
    hostname: Rinoa
-    image: ghcr.io/linuxserver/mariadb
+    image: linuxserver/mariadb
    networks:
      default: null
    ports:
@@ -3067,6 +2952,58 @@ services:
        type: bind
        bind:
          create_host_path: true
+  mastodon:
+    container_name: mastodon
+    environment:
+      PUID: ${PUID}
+      PGID: ${PGID}
+      TZ: ${TZ}
+      LOCAL_DOMAIN: trez.wtf
+      REDIS_HOST: redis
+      REDIS_PORT: 6379
+      DB_HOST: mastodon-pg-db
+      DB_USER: mastodon
+      DB_NAME: mastodon
+      DB_PASS: ${MASTODON_PG_DB_PASSWORD}
+      DB_PORT: 5432
+      ES_ENABLED: false
+      ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: 
+      ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: 
+      ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: 
+      SECRET_KEY_BASE: 
+      OTP_SECRET: 
+      VAPID_PRIVATE_KEY: 
+      VAPID_PUBLIC_KEY: 
+      SMTP_SERVER: postal-smtp
+      SMTP_PORT: 25
+      SMTP_LOGIN: ${POSTAL_SMTP_AUTH_USER}
+      SMTP_PASSWORD: ${POSTAL_SMTP_AUTH_PASSWORD}
+      SMTP_FROM_ADDRESS: noreply@trez.wtf
+      S3_ENABLED: true
+      S3_BUCKET: mastodon
+      AWS_ACCESS_KEY_ID: ${MASTODON_MINIO_ACCESS_KEY}
+      AWS_SECRET_ACCESS_KEY: ${MASTODON_MINIO_SECRET_KEY}
+    image: lscr.io/linuxserver/mastodon:latest
+    labels:
+      swag: enable
+      swag_proto: http
+      swag_port: 5678
+      swag_url: mastodon.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://mastodon.${MY_TLD}
+      homepage.group: Social
+      homepage.name: Mastodon
+      homepage.href: https://mastodon.${MY_TLD}
+      homepage.icon: mastodon.svg
+      homepage.description: Open-source social network
+      homepage.widget.type: mastodon
+      homepage.widget.url: http://mastodon
+    ports:
+      - 9044:80
+      - 3444:443
+    restart: unless-stopped
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/mastodon:/config
  mastodon-pg-db:
    container_name: mastodon-pg-db
    environment:
@@ -3496,6 +3433,50 @@ services:
        type: bind
        bind:
          create_host_path: true
+  pgbackweb:
+    container_name: pgbackweb
+    depends_on:
+      pgbackweb-db:
+        condition: service_healthy
+    environment:
+      PBW_ENCRYPTION_KEY: ${PGBACKWEB_ENCRYPTION_KEY}
+      PBW_POSTGRES_CONN_STRING: "postgresql://pgbackweb:${PGBACKWEB_PG_DB_PASSWD}@pgbackweb-db:5432/pgbackweb?sslmode=disable"
+      TZ: ${TZ}
+    image: eduardolat/pgbackweb:latest
+    labels:
+      homepage.group: System Administration
+      homepage.name: PGBackweb
+      homepage.href: https://pg.${MY_TLD}
+      homepage.icon: sh-pg-back-web.svg
+      homepage.description: Backups for PostgreSQL
+      swag: enable
+      swag_proto: http
+      swag_port: 8085
+      swag_url: pg.${MY_TLD}
+    ports:
+      - "8085:8085" # Access the web interface at http://localhost:8085
+  pgbackweb-db:
+    container_name: pgbackweb-db
+    environment:
+      POSTGRES_USER: pgbackweb
+      POSTGRES_DB: pgbackweb
+      POSTGRES_PASSWORD: ${PGBACKWEB_PG_DB_PASSWD}
+    expose:
+      - 5432
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    image: postgres:16-alpine
+    volumes:
+      - pgbackweb-data:/var/lib/postgresql/data
+  plantuml-server:
+    container_name: plantuml-server
+    expose:
+      - 8080
+    image: 'plantuml/plantuml-server:jetty'
+    restart: unless-stopped
  plausible:
    command: sh -c "sleep 10 && /entrypoint.sh db createdb && /entrypoint.sh db migrate && /entrypoint.sh run"
    container_name: plausible
@@ -4181,43 +4162,6 @@ services:
        type: bind
        bind:
          create_host_path: true
-  semaphore:
-    container_name: semaphore
-    environment:
-      ANSIBLE_HOST_KEY_CHECKING: false
-      SEMAPHORE_ADMIN_PASSWORD: ${SEMAPHORE_ADMIN_PASSWORD}
-      SEMAPHORE_ADMIN_NAME: admin
-      SEMAPHORE_ADMIN_EMAIL: charish.patel@pm.me
-      SEMAPHORE_ADMIN: admin
-      SEMAPHORE_DB_DIALECT: bolt
-      SEMAPHORE_EMAIL_ALERT: true
-      SEMAPHORE_EMAIL_SENDER: noreply@trez.wtf
-      SEMAPHORE_EMAIL_HOST: postal-smtp
-      SEMAPHORE_EMAIL_PORT: 25
-      SEMAPHORE_EMAIL_USERNAME: ${POSTAL_SMTP_AUTH_USER}  
-      SEMAPHORE_EMAIL_PASSWORD: ${POSTAL_SMTP_AUTH_PASSWORD}
-      SEMAPHORE_EMAIL_SECURE: false
-      SEMAPHORE_USE_REMOTE_RUNNER: true
-    image: semaphoreui/semaphore:v2.10.32
-    labels:
-      homepage.group: Code/DevOps
-      homepage.name: Semaphore
-      homepage.href: https://devops.${MY_TLD}
-      homepage.icon: semaphore.svg
-      homepage.description: Modern UI for Ansible, Terraform, OpenTofu, PowerShell and other DevOps tools
-      swag: enable
-      swag_port: 3000
-      swag_proto: http
-      swag_url: devops.${MY_TLD}
-      swag.uptime-kuma.enabled: true
-      swag.uptime-kuma.monitor.url: https://devops.${MY_TLD}
-    ports:
-      - 3015:3000
-    restart: unless-stopped
-    volumes:
-      - semaphore_config:/etc/semaphore
-      - semaphore_data:/var/lib/semaphore
-      - semaphore_tmp:/tmp/semaphore
  slurpit-portal:
    container_name: slurpit-portal
    environment:
@@ -4508,6 +4452,31 @@ services:
        type: bind
        bind:
          create_host_path: true
+  speedtest-tracker:
+    container_name: speedtest-tracker
+    image: lscr.io/linuxserver/speedtest-tracker:latest
+    environment:
+        PUID: ${PUID}
+        PGID: ${PGID}
+        APP_KEY: ${SPEEDTEST_TRACKER_APP_KEY}
+        DB_CONNECTION: sqlite
+    labels:
+      homepage.name: Speedtest Traccker
+      homepage.group: System Administration
+      homepage.description: Self-hosted internet performance tracking
+      homepage.href: https://speed.${MY_TLD}
+      homepage.icon: speedtest-tracker.png
+      swag: enable
+      swag_proto: http
+      swag_url: speed.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://slsk.${MY_TLD}
+    ports:
+        - 47512:80
+        - 62777:443
+    restart: unless-stopped
+    volumes:
+        - ${DOCKER_VOLUME_CONFIG}/speedtest-tracker:/config
  spotisub:
    container_name: spotisub
    environment:
@@ -4663,7 +4632,7 @@ services:
      homepage.group: Lifestyle
      homepage.name: Tandoor Recipes
      homepage.href: https://recipes.${MY_TLD}
-      homepage.icon: tandoor.svg
+      homepage.icon: tandoor-recipes.svg
      homepage.description: Recipes, cookbooks, meal-planning, & grocery lists
      homepage.widget.type: tandoor
      homepage.widget.url: http://tandoor-recipes:8080
@@ -6533,6 +6502,32 @@ services:
        published: "8900"
        target: 8080
    restart: unless-stopped
+  yacht:
+    container_name: yacht
+    depends_on:
+      docker-socket-proxy:
+        condition: service_started
+        required: true
+    environment:
+      DOCKER_HOST: tcp://dockerproxy:2375
+    image: selfhostedpro/yacht
+    labels:
+      homepage.group: System Administration
+      homepage.name: Yacht
+      homepage.href: https://yacht.${MY_TLD}
+      homepage.icon: yacht.svg
+      homepage.description: Web interface for managing docker containers
+      swag: enable
+      swag_proto: http
+      swag_port: 8000
+      swag_url: yacht.${MY_TLD}
+      swag.uptime-kuma.enabled: true
+      swag.uptime-kuma.monitor.url: https://yacht.${MY_TLD}
+    ports:
+      - 19733:8000
+    restart: unless-stopped
+    volumes:
+      - ${DOCKER_VOLUME_CONFIG}/yacht:/config
  your_spotify:
    container_name: your_spotify
    environment:
@@ -7066,8 +7061,6 @@ volumes:
    name: jitsi-web-admin-upload
  joplin_data:
    name: joplin_data
-  komodo-pg-data:
-    name: komodo-pg-data
  lldap_data:
    name: lldap_data
  localai_data:
@@ -7090,6 +7083,8 @@ volumes:
    name: paperless-ngx-media
  paperless-ngx-pg:
    name: paperless-ngx-pg
+  pgbackweb-data:
+    name: pgbackweb-data
  plausible-db-data:
    name: plausible-db-data
  plausible-event-data:
@@ -7098,12 +7093,6 @@ volumes:
    name: plausible-event-logs
  reactive-resume-pg:
    name: reactive-resume-pg
-  semaphore_config:
-    name: semaphore_config
-  semaphore_data:
-    name: semaphore_data
-  semaphore_tmp:
-    name: semaphore_tmp
  sonarqube-data:
    name: sonarqube-data
  sonarqube-db:
@@ -1,842 +0,0 @@
-# Global Settings
-COMPOSE_HTTP_TIMEOUT=''
-DOCKER_GID=''
-DOCKER_HOSTNAME=''
-DOCKER_VOLUME_CONFIG=''
-DOCKER_VOLUME_STORAGE=''
-PGID=''
-PUID=''
-TZ=''
-MY_TLD=''
-# END OF DEFAULT SETTINGS
-
-##
-## ADDY
-##
-ADDY_ANONADDY_ADDITIONAL_USERNAME_LIMIT=''
-ADDY_ANONADDY_ADMIN_USERNAME=''
-ADDY_ANONADDY_ALL_DOMAINS=''
-ADDY_ANONADDY_BANDWIDTH_LIMIT=''
-ADDY_ANONADDY_DKIM_SELECTOR=''
-ADDY_ANONADDY_DKIM_SIGNING_KEY=''
-ADDY_ANONADDY_DNS_RESOLVER=''
-ADDY_ANONADDY_DOMAIN=''
-ADDY_ANONADDY_HOSTNAME=''
-ADDY_ANONADDY_LIMIT=''
-ADDY_ANONADDY_NEW_ALIAS_LIMIT=''
-ADDY_ANONADDY_RETURN_PATH=''
-ADDY_ANONADDY_SECRET=''
-ADDY_ANONADDY_SIGNING_KEY_FINGERPRINT=''
-ADDY_APP_KEY=''
-ADDY_APP_URL=''
-ADDY_DB_PASSWORD=''
-ADDY_MAIL_ENCRYPTION=''
-ADDY_MAIL_FROM_ADDRESS=''
-ADDY_MAIL_FROM_NAME=''
-ADDY_POSTFIX_DEBUG=''
-ADDY_POSTFIX_MESSAGE_SIZE_LIMIT=''
-ADDY_POSTFIX_RELAYHOST=''
-ADDY_POSTFIX_RELAYHOST_AUTH_ENABLE=''
-ADDY_POSTFIX_SMTPD_TLS_CERT_FILE=''
-ADDY_POSTFIX_SMTPD_TLS_KEY_FILE=''
-ADDY_POSTFIX_SPAMHAUS_DQS_KEY=''
-ADDY_REDIS_PASSWORD=''
-ADDY_RSPAMD_NO_LOCAL_ADDRS=''
-ADDY_RSPAMD_WEB_PASSWORD=''
-
-##
-## ADGUARD
-##
-ADGUARD_CONTAINER_NAME=''
-ADGUARD_ENABLED=''
-ADGUARD_ENVIRONMENT_SERVERIP=''
-ADGUARD_NETWORK_MODE=''
-ADGUARD_PORT_3000=''
-ADGUARD_PORT_443=''
-ADGUARD_PORT_53=''
-ADGUARD_PORT_67=''
-ADGUARD_PORT_68=''
-ADGUARD_PORT_80=''
-ADGUARD_PORT_853=''
-ADGUARD_RESTART=''
-ADGUARD_TAG=''
-
-##
-## ADGUARD
-##
-ADGUARD_CF_TUNNEL_PASSWORD=''
-ADGUARD_PASSWORD=''
-
-##
-## ANYTHINGLLM
-##
-ANYTHINGLLM_JWT_SECRET=''
-
-##
-## APPRISE
-##
-APPRISE_CONTAINER_NAME=''
-APPRISE_ENABLED=''
-APPRISE_NETWORK_MODE=''
-APPRISE_PORT_8000=''
-APPRISE_RESTART=''
-APPRISE_TAG=''
-
-##
-## AUDIOBOOKSHELF
-##
-AUDIOBOOKSHELF_CONTAINER_NAME=''
-AUDIOBOOKSHELF_ENABLED=''
-AUDIOBOOKSHELF_NETWORK_MODE=''
-AUDIOBOOKSHELF_PORT_80=''
-AUDIOBOOKSHELF_RESTART=''
-AUDIOBOOKSHELF_TAG=''
-
-##
-## AUDIOBOOKSHELF
-##
-AUDIOBOOKSHELF_ROOT_API_KEY=''
-
-##
-## AUTHELIA
-##
-AUTHELIA_AUTH_BIND_LDAP_PASSWORD=''
-AUTHELIA_JWT_SECRET=''
-AUTHELIA_SESSION_SECRET=''
-AUTHELIA_STORAGE_ENCRYPTION_KEY=''
-AUTHELIA_STORAGE_POSTGRES_PASSWORD=''
-
-##
-## BAZARR
-##
-BAZARR_CONTAINER_NAME=''
-BAZARR_ENABLED=''
-BAZARR_NETWORK_MODE=''
-BAZARR_PORT_6767=''
-BAZARR_RESTART=''
-BAZARR_TAG=''
-BAZARR_API_KEY=''
-##
-## BITMAGNET
-##
-BITMAGNET_POSTGRESQL_PASSWORD=''
-
-##
-## BITWARDEN
-##
-BITWARDEN_CONTAINER_NAME=''
-BITWARDEN_ENABLED=''
-BITWARDEN_ENVIRONMENT_ADMIN_TOKEN=''
-BITWARDEN_ENVIRONMENT_DATABASE_URL=''
-BITWARDEN_ENVIRONMENT_DISABLE_ADMIN_TOKEN=''
-BITWARDEN_ENVIRONMENT_DOMAIN=''
-BITWARDEN_ENVIRONMENT_ENABLE_DB_WAL=''
-BITWARDEN_ENVIRONMENT_INVITATIONS_ALLOWED=''
-BITWARDEN_ENVIRONMENT_SHOW_PASSWORD_HINT=''
-BITWARDEN_ENVIRONMENT_SIGNUPS_ALLOWED=''
-BITWARDEN_ENVIRONMENT_SIGNUPS_VERIFY=''
-BITWARDEN_ENVIRONMENT_WEBSOCKET_ENABLE=''
-BITWARDEN_NETWORK_MODE=''
-BITWARDEN_PORT_3012=''
-BITWARDEN_PORT_80=''
-BITWARDEN_RESTART=''
-BITWARDEN_TAG=''
-
-##
-## CHROMIUM
-##
-CHROMIUM_TOKEN=''
-
-##
-## CLOUDFLARE
-##
-CLOUDFLARE_ACCOUNT_ID=''
-CLOUDFLARE_DNS_API_TOKEN=''
-CLOUDFLARE_ZONE_ID=''
-
-##
-## CLOUDFLAREDDNS
-##
-CLOUDFLAREDDNS_CONTAINER_NAME=''
-CLOUDFLAREDDNS_ENABLED=''
-CLOUDFLAREDDNS_ENVIRONMENT_APIKEY=''
-CLOUDFLAREDDNS_ENVIRONMENT_APITOKEN=''
-CLOUDFLAREDDNS_ENVIRONMENT_ARGS=''
-CLOUDFLAREDDNS_ENVIRONMENT_DETECTION_MODE=''
-CLOUDFLAREDDNS_ENVIRONMENT_HOSTS=''
-CLOUDFLAREDDNS_ENVIRONMENT_INTERVAL=''
-CLOUDFLAREDDNS_ENVIRONMENT_LOG_LEVEL=''
-CLOUDFLAREDDNS_ENVIRONMENT_RECORDTYPES=''
-CLOUDFLAREDDNS_ENVIRONMENT_USER=''
-CLOUDFLAREDDNS_ENVIRONMENT_ZONES=''
-CLOUDFLAREDDNS_RESTART=''
-CLOUDFLAREDDNS_TAG=''
-
-##
-## CROWDSEC
-##
-CROWDSEC_API_KEY=''
-CROWDSEC_LOCAL_API_KEY=''
-
-##
-## DELUGEVPN
-##
-DELUGEVPN_CONTAINER_NAME=''
-DELUGEVPN_ENABLED=''
-DELUGEVPN_ENVIRONMENT_ENABLE_PRIVOXY=''
-DELUGEVPN_ENVIRONMENT_LAN_NETWORK=''
-DELUGEVPN_ENVIRONMENT_NAME_SERVERS=''
-DELUGEVPN_ENVIRONMENT_VPN_CLIENT=''
-DELUGEVPN_ENVIRONMENT_VPN_ENABLE=''
-DELUGEVPN_ENVIRONMENT_VPN_INPUT_PORTS=''
-DELUGEVPN_ENVIRONMENT_VPN_OPTIONS=''
-DELUGEVPN_ENVIRONMENT_VPN_OUTPUT_PORTS=''
-DELUGEVPN_ENVIRONMENT_VPN_PASS=''
-DELUGEVPN_ENVIRONMENT_VPN_PROV=''
-DELUGEVPN_ENVIRONMENT_VPN_USER=''
-DELUGEVPN_NETWORK_MODE=''
-DELUGEVPN_PORT_58846=''
-DELUGEVPN_PORT_58946=''
-DELUGEVPN_PORT_8112=''
-DELUGEVPN_PORT_8118=''
-DELUGEVPN_RESTART=''
-DELUGEVPN_TAG=''
-
-##
-## DELUGEVPN
-##
-DELUGEVPN_PASSWORD=''
-DELUGEVPN_PORT_51413=''
-DELUGEVPN_PORT_6881=''
-
-##
-## DUPLICATI
-##
-DUPLICATI_CONTAINER_NAME=''
-DUPLICATI_ENABLED=''
-DUPLICATI_NETWORK_MODE=''
-DUPLICATI_PORT_8200=''
-DUPLICATI_RESTART=''
-DUPLICATI_TAG=''
-DUPLICATI_VOLUME_BACKUPSDIR=''
-DUPLICATI_VOLUME_SOURCEDIR=''
-
-##
-## DUPLICATI
-##
-DUPLICATI_CF_TUNNEL_PASSWORD=''
-
-##
-## EMBY
-##
-EMBY_CONTAINER_NAME=''
-EMBY_ENABLED=''
-EMBY_NETWORK_MODE=''
-EMBY_PORT_8096=''
-EMBY_PORT_8920=''
-EMBY_RESTART=''
-EMBY_TAG=''
-EMBY_VOLUME_TRANSCODEDIR=''
-
-##
-## EMBY
-##
-EMBY_HOMEPAGE_API_KEY=''
-
-##
-## FLARESOLVERR
-##
-FLARESOLVERR_CONTAINER_NAME=''
-FLARESOLVERR_ENABLED=''
-FLARESOLVERR_ENVIRONMENT_CAPTCHA_SOLVER=''
-FLARESOLVERR_ENVIRONMENT_LOG_HTML=''
-FLARESOLVERR_ENVIRONMENT_LOG_LEVEL=''
-FLARESOLVERR_NETWORK_MODE=''
-FLARESOLVERR_PORT_8191=''
-FLARESOLVERR_RESTART=''
-FLARESOLVERR_TAG=''
-
-##
-## GHOST
-##
-GHOST_DB_PASSWORD=''
-GHOST_DB_USER=''
-
-##
-## GITEA
-##
-GITEA_HOMEPAGE_API_KEY=''
-GITEA_PG_DB_PASSWORD=''
-GITEA_RUNNER_REGISTRATION_TOKEN=''
-
-##
-## GLUETUN
-##
-GLUETUN_SERVER_REGIONS=''
-
-##
-## GOTIFY
-##
-GOTIFY_HOMEPAGE_CLIENT_KEY=''
-GOTIFY_PASSWORD=''
-
-##
-## GRAFANA
-##
-GRAFANA_CONTAINER_NAME=''
-GRAFANA_ENABLED=''
-GRAFANA_ENVIRONMENT_GF_INSTALL_PLUGINS=''
-GRAFANA_NETWORK_MODE=''
-GRAFANA_PORT_3000=''
-GRAFANA_RESTART=''
-GRAFANA_TAG=''
-
-##
-## GRAFANA
-##
-GRAFANA_ADMIN_PASSWORD=''
-GRAFANA_MIMIR_HTTP_AUTH_PASSWORD=''
-
-##
-## GUID
-##
-GUID=''
-
-##
-## HORTUSFOX
-##
-HORTUSFOX_ADMIN_PASSWORD=''
-HORTUSFOX_DB_PASSWORD=''
-
-##
-## HUGINN
-##
-HUGINN_CONTAINER_NAME=''
-HUGINN_ENABLED=''
-HUGINN_ENVIRONMENT_DATABASE_HOST=''
-HUGINN_ENVIRONMENT_DATABASE_NAME=''
-HUGINN_ENVIRONMENT_DATABASE_PASSWORD=''
-HUGINN_ENVIRONMENT_DATABASE_PORT=''
-HUGINN_ENVIRONMENT_DATABASE_USERNAME=''
-HUGINN_NETWORK_MODE=''
-HUGINN_PORT_3000=''
-HUGINN_RESTART=''
-HUGINN_TAG=''
-
-##
-## IN
-##
-IN_APP_KEY=''
-IN_MYSQL_PASSWORD=''
-IN_PASSWORD=''
-
-##
-## JAN
-##
-JAN_AI_S3_ACCESS_KEY=''
-JAN_AI_S3_SECRET_KEY=''
-
-##
-## JITSI
-##
-JITSI__ADMIN_DB_PASSWORD=''
-JITSI__ADMIN_JWT_SECRET=''
-JITSI__ETHERPAD_DEFAULT_PAD_TEXT=''
-JITSI__ETHERPAD_SKIN_NAME=''
-JITSI__ETHERPAD_SKIN_VARIANTS=''
-JITSI__ETHERPAD_TITLE=''
-JITSI__ETHERPAD_URL_BASE=''
-JITSI__HTTP_PORT=''
-JITSI__HTTPS_PORT=''
-JITSI__JIBRI_RECORDER_PASSWORD=''
-JITSI__JIBRI_XMPP_PASSWORD=''
-JITSI__JICOFO_AUTH_PASSWORD=''
-JITSI__JIGAGI_SIP_PASSWORD=''
-JITSI__JIGAGI_SIP_PORT=''
-JITSI__JIGAGI_SIP_SERVER=''
-JITSI__JIGAGI_SIP_TRANSPORT=''
-JITSI__JIGAGI_SIP_URI=''
-JITSI__JIGASI_XMPP_PASSWORD=''
-JITSI__JVB_AUTH_PASSWORD=''
-JITSI__PUBLIC_URL=''
-JITSI__SIP_URI=''
-JITSI__TZ=''
-JITSI__WEBSOCKET_SECRET=''
-
-##
-## JOPLIN
-##
-JOPLIN_APP_BASE_URL=''
-JOPLIN_APP_PORT=''
-JOPLIN_POSTGRES_DATABASE=''
-JOPLIN_POSTGRES_PASSWORD=''
-JOPLIN_POSTGRES_PORT=''
-JOPLIN_POSTGRES_USER=''
-JOPLIN_S3_ACCESS_KEY=''
-JOPLIN_S3_SECRET_KEY=''
-
-##
-## KEYCLOAK
-##
-KEYCLOAK_ADMIN_PASSWORD=''
-
-##
-## LAN
-##
-LAN_NETWORK=''
-
-##
-## LASTFM
-##
-LASTFM_API_KEY=''
-LASTFM_API_SECRET=''
-LASTFM_PASSWORD=''
-LASTFM_USERNAME=''
-
-##
-## LIBRESPEED
-##
-LIBRESPEED_CONTAINER_NAME=''
-LIBRESPEED_ENABLED=''
-LIBRESPEED_ENVIRONMENT_DB_HOSTNAME=''
-LIBRESPEED_ENVIRONMENT_DB_NAME=''
-LIBRESPEED_ENVIRONMENT_DB_PASSWORD=''
-LIBRESPEED_ENVIRONMENT_DB_TYPE=''
-LIBRESPEED_ENVIRONMENT_DB_USERNAME=''
-LIBRESPEED_ENVIRONMENT_PASSWORD=''
-LIBRESPEED_NETWORK_MODE=''
-LIBRESPEED_PORT_80=''
-LIBRESPEED_RESTART=''
-LIBRESPEED_TAG=''
-
-##
-## LIDARR
-##
-LIDARR_CONTAINER_NAME=''
-LIDARR_ENABLED=''
-LIDARR_NETWORK_MODE=''
-LIDARR_PORT_8686=''
-LIDARR_RESTART=''
-LIDARR_TAG=''
-
-##
-## LIDARR
-##
-LIDARR_API_KEY=''
-
-##
-## LLDAP
-##
-LLDAP_JWT_SECRET=''
-LLDAP_KEY_SEED=''
-
-##
-## LOCALAI
-##
-LOCALAI_API_KEY=''
-
-##
-## MALOJA
-##
-MALOJA_FORCE_PASSWORD=''
-
-##
-## MARIADB
-##
-MARIADB_CONTAINER_NAME=''
-MARIADB_ENABLED=''
-MARIADB_ENVIRONMENT_MYSQL_ROOT_PASSWORD=''
-MARIADB_NETWORK_MODE=''
-MARIADB_PORT_3306=''
-MARIADB_RESTART=''
-MARIADB_TAG=''
-
-##
-## MATTERMOST
-##
-MATTERMOST_AWS_S3_ACCESSKEY=''
-MATTERMOST_AWS_S3_SECRETKEY=''
-MATTERMOST_POSTGRES_CONNECTION_URI=''
-MATTERMOST_POSTGRES_PASSWORD=''
-
-##
-## MAYBE
-##
-MAYBE_POSTGRES_PASSWORD=''
-MAYBE_SECRET_KEY_BASE=''
-
-##
-## MEDUSAJS
-##
-MEDUSAJS_COOKIE_SECRET=''
-MEDUSAJS_JWT_TOKEN=''
-MEDUSAJS_POSTGRES_PASSWORD=''
-MEDUSAJS_S3_ACCESS_KEY=''
-MEDUSAJS_S3_SECRET_KEY=''
-
-##
-## MINIO
-##
-MINIO_MIMIR_STORAGE_ACCESS_KEY=''
-MINIO_MIMIR_STORAGE_SECRET_KEY=''
-MINIO_ROOT_PASSWORD=''
-
-##
-## MONGO
-##
-MONGO_INITDB_ROOT_PASSWORD=''
-MONGO_INITDB_ROOT_USERNAME=''
-
-##
-## NAVIDROME
-##
-NAVIDROME_PASSWORD=''
-NAVIDROME_USERNAME=''
-
-##
-## NEXTCLOUD
-##
-NEXTCLOUD_CONTAINER_NAME=''
-NEXTCLOUD_ENABLED=''
-NEXTCLOUD_NETWORK_MODE=''
-NEXTCLOUD_PORT_443=''
-NEXTCLOUD_RESTART=''
-NEXTCLOUD_TAG=''
-NEXTCLOUD_VOLUME_DATADIR=''
-
-##
-## OMBI
-##
-OMBI_CONTAINER_NAME=''
-OMBI_ENABLED=''
-OMBI_NETWORK_MODE=''
-OMBI_PORT_3579=''
-OMBI_RESTART=''
-OMBI_TAG=''
-OMBI_API_KEY=''
-
-##
-## OPENGIST
-##
-OPENGIST_GITEA_CLIENT_KEY=''
-OPENGIST_GITEA_SECRET=''
-
-##
-## PAPERLESS
-##
-PAPERLESS_DBPASS=''
-PAPERLESS_SECRET_KEY=''
-
-##
-## PLAUSIBLE
-##
-PLAUSIBLE_PG_PASSWORD=''
-PLAUSIBLE_SECRET_KEY_BASE=''
-PLAUSIBLE_TOTP_VAULT_KEY=''
-
-##
-## PODINDEX
-##
-PODINDEX_API_KEY=''
-PODINDEX_API_SECRET=''
-
-##
-## PORTAINER
-##
-PORTAINER_CONTAINER_NAME=''
-PORTAINER_ENABLED=''
-PORTAINER_NETWORK_MODE=''
-PORTAINER_PORT_9000=''
-PORTAINER_RESTART=''
-PORTAINER_TAG=''
-PORTAINER_VOLUME_DOCKER_SOCKET=''
-PORTAINER_API_KEY=''
-
-##
-## POSTAL
-##
-POSTAL_MYSQL_PASSWORD=''
-POSTAL_SMTP_AUTH_PASSWORD=''
-POSTAL_SMTP_AUTH_USER=''
-
-##
-## POSTGRES
-##
-POSTGRES_HOST=''
-POSTGRES_PASSWORD=''
-POSTGRES_USER=''
-
-##
-## PROWLARR
-##
-PROWLARR_CONTAINER_NAME=''
-PROWLARR_ENABLED=''
-PROWLARR_NETWORK_MODE=''
-PROWLARR_PORT_9696=''
-PROWLARR_RESTART=''
-PROWLARR_TAG=''
-PROWLARR_API_KEY=''
-
-##
-## RADARR
-##
-RADARR_CONTAINER_NAME=''
-RADARR_ENABLED=''
-RADARR_NETWORK_MODE=''
-RADARR_PORT_7878=''
-RADARR_RESTART=''
-RADARR_TAG=''
-
-##
-## RADARR
-##
-RADARR_API_KEY=''
-
-##
-## REACTIVE
-##
-REACTIVE_RESUME_ACCESS_TOKEN_SECRET=''
-REACTIVE_RESUME_PGSQL_PASSWORD=''
-REACTIVE_RESUME_REFRESH_TOKEN_SECRET=''
-REACTIVE_RESUME_S3_ACCESS_KEY=''
-REACTIVE_RESUME_S3_SECRET_KEY=''
-
-##
-## READARR
-##
-READARR_CONTAINER_NAME=''
-READARR_ENABLED=''
-READARR_NETWORK_MODE=''
-READARR_PORT_8787=''
-READARR_RESTART=''
-READARR_TAG=''
-READARR_API_KEY=''
-
-##
-## REMMINA
-##
-REMMINA_CF_TUNNEL_ID=''
-REMMINA_CF_TUNNEL_PASSWORD=''
-REMMINA_USER_PASSWORD=''
-
-##
-## RUSTDESK
-##
-RUSTDESK_CUSTOM_PASSWORD=''
-
-##
-## SABNZBDVPN
-##
-SABNZBDVPN_CONTAINER_NAME=''
-SABNZBDVPN_ENABLED=''
-SABNZBDVPN_ENVIRONMENT_ENABLE_PRIVOXY=''
-SABNZBDVPN_ENVIRONMENT_LAN_NETWORK=''
-SABNZBDVPN_ENVIRONMENT_NAME_SERVERS=''
-SABNZBDVPN_ENVIRONMENT_VPN_CLIENT=''
-SABNZBDVPN_ENVIRONMENT_VPN_ENABLE=''
-SABNZBDVPN_ENVIRONMENT_VPN_INPUT_PORTS=''
-SABNZBDVPN_ENVIRONMENT_VPN_OPTIONS=''
-SABNZBDVPN_ENVIRONMENT_VPN_OUTPUT_PORTS=''
-SABNZBDVPN_ENVIRONMENT_VPN_PASS=''
-SABNZBDVPN_ENVIRONMENT_VPN_PROV=''
-SABNZBDVPN_ENVIRONMENT_VPN_USER=''
-SABNZBDVPN_NETWORK_MODE=''
-SABNZBDVPN_PORT_8080=''
-SABNZBDVPN_PORT_8090=''
-SABNZBDVPN_PORT_8118=''
-SABNZBDVPN_RESTART=''
-SABNZBDVPN_TAG=''
-SABNZBDVPN_API_KEY=''
-
-##
-## SCRAPERR
-##
-SCRAPERR_SECRET_KEY=''
-
-##
-## SCRUTINY
-##
-SCRUTINY_CF_TUNNEL_PASSWORD=''
-
-##
-## SEARXNG
-##
-SEARXNG_BASE_URL=''
-
-##
-## SLSKD
-##
-SLSKD_PASSWORD=''
-
-##
-## SONARQUBE
-##
-SONARQUBE_POSTGRES_PASSWORD=''
-SONARQUBE_LDAP_BIND_PASSWORD=''
-
-##
-## SONARR
-##
-SONARR_CONTAINER_NAME=''
-SONARR_ENABLED=''
-SONARR_NETWORK_MODE=''
-SONARR_PORT_8989=''
-SONARR_RESTART=''
-SONARR_TAG=''
-SONARR_API_KEY=''
-
-##
-## SWAG
-##
-SWAG_CONTAINER_NAME=''
-SWAG_ENABLED=''
-SWAG_ENVIRONMENT_DNSPLUGIN=''
-SWAG_ENVIRONMENT_EMAIL=''
-SWAG_ENVIRONMENT_EXTRA_DOMAINS=''
-SWAG_ENVIRONMENT_ONLY_SUBDOMAINS=''
-SWAG_ENVIRONMENT_SUBDOMAINS=''
-SWAG_ENVIRONMENT_URL=''
-SWAG_ENVIRONMENT_VALIDATION=''
-SWAG_NETWORK_MODE=''
-SWAG_PORT_443=''
-SWAG_PORT_80=''
-SWAG_RESTART=''
-SWAG_TAG=''
-
-##
-## SWAG
-##
-SWAG_CF_TUNNEL_ID=''
-SWAG_CF_TUNNEL_PASSWORD=''
-SWAG_DUCKDNSTOKEN=''
-SWAG_MAXMINDDB_LICENSE_KEY=''
-
-##
-## TANDOOR
-##
-TANDOOR_API_TOKEN=''
-TANDOOR_POSTGRES_PASSWORD=''
-TANDOOR_SECRET_KEY=''
-
-##
-## TMDB
-##
-TMDB_API_KEY=''
-
-##
-## TRACCAR
-##
-TRACCAR_POSTGRES_DATABASE=''
-TRACCAR_POSTGRES_PASSWORD=''
-TRACCAR_POSTGRES_USER=''
-
-##
-## UPTIME
-##
-UPTIME_KUMA_PASSWORD=''
-UPTIME_KUMA_USERNAME=''
-
-##
-## UPTIMEKUMA
-##
-UPTIMEKUMA_CONTAINER_NAME=''
-UPTIMEKUMA_ENABLED=''
-UPTIMEKUMA_NETWORK_MODE=''
-UPTIMEKUMA_PORT_3001=''
-UPTIMEKUMA_RESTART=''
-UPTIMEKUMA_TAG=''
-
-##
-## VAULT
-##
-VAULT_HASHICORP_AWS_ACCESS_KEY_ID=''
-VAULT_HASHICORP_AWS_SECRET_ACCESS_KEY=''
-
-##
-## VIRUS
-##
-VIRUS_TOTAL_API_KEY=''
-
-##
-## WALLABAG
-##
-WALLABAG_DB=''
-WALLABAG_DB_PASSWORD=''
-
-##
-## WATCHTOWER
-##
-WATCHTOWER_CONTAINER_NAME=''
-WATCHTOWER_ENABLED=''
-WATCHTOWER_ENVIRONMENT_CLEANUP=''
-WATCHTOWER_ENVIRONMENT_INCLUDE_STOPPED=''
-WATCHTOWER_ENVIRONMENT_MONITOR_ONLY=''
-WATCHTOWER_ENVIRONMENT_NOTIFICATION_TEMPLATE=''
-WATCHTOWER_ENVIRONMENT_NOTIFICATION_URL=''
-WATCHTOWER_ENVIRONMENT_NOTIFICATIONS=''
-WATCHTOWER_ENVIRONMENT_NOTIFICATIONS_LEVEL=''
-WATCHTOWER_ENVIRONMENT_REPO_PASS=''
-WATCHTOWER_ENVIRONMENT_REPO_USER=''
-WATCHTOWER_ENVIRONMENT_SCHEDULE=''
-WATCHTOWER_ENVIRONMENT_TIMEOUT=''
-WATCHTOWER_NETWORK_MODE=''
-WATCHTOWER_RESTART=''
-WATCHTOWER_TAG=''
-WATCHTOWER_VOLUME_DOCKER_SOCKET=''
-
-##
-## WATCHTOWER
-##
-WATCHTOWER_HTTP_API_TOKEN=''
-WATCHTOWER_NOTIFICATION_GOTIFY_TLS_SKIP_VERIFY=''
-WATCHTOWER_NOTIFICATION_GOTIFY_TOKEN=''
-WATCHTOWER_NOTIFICATION_GOTIFY_URL=''
-
-##
-## WAZUH
-##
-WAZUH_API_PASSWORD=''
-WAZUH_INDEXER_PASSWORD=''
-WAZUH_KIBANA_PASSWORD=''
-WAZUH_VERSION=''
-
-##
-## YOUR
-##
-YOUR_SPOTIFY_ID=''
-YOUR_SPOTIFY_PORT_443=''
-YOUR_SPOTIFY_PORT_80=''
-YOUR_SPOTIFY_SECRET=''
-
-##
-## YOUTUBEDL
-##
-YOUTUBEDL_CONTAINER_NAME=''
-YOUTUBEDL_ENABLED=''
-YOUTUBEDL_ENVIRONMENT_CONFIG_PATH=''
-YOUTUBEDL_ENVIRONMENT_DEBUG=''
-YOUTUBEDL_NETWORK_MODE=''
-YOUTUBEDL_PORT_8080=''
-YOUTUBEDL_RESTART=''
-YOUTUBEDL_TAG=''
-
-##
-## ZAMMAD
-##
-ZAMMAD_ELASTICSEARCH_VERSION=''
-ZAMMAD_IMAGE_REPO=''
-ZAMMAD_MEMCACHE_SERVERS=''
-ZAMMAD_MEMCACHE_VERSION=''
-ZAMMAD_POSTGRES_DB=''
-ZAMMAD_POSTGRES_HOST=''
-ZAMMAD_POSTGRES_PASS=''
-ZAMMAD_POSTGRES_PORT=''
-ZAMMAD_POSTGRES_USER=''
-ZAMMAD_POSTGRES_VERSION=''
-ZAMMAD_POSTGRESQL_OPTIONS=''
-ZAMMAD_REDIS_URL=''
-ZAMMAD_REDIS_VERSION=''
-ZAMMAD_RESTART=''
-ZAMMAD_S3_ACCESS_KEY=''
-ZAMMAD_S3_SECRET_KEY=''
-ZAMMAD_VERSION=''